We covered threat hunting in-depth, compared threat hunting with incident response, we covered common Linux Privilege Escalation vulnerabilities and techniques such as enumeration, crontabs, SUID/GUID files, PATH variables,etc. We used TryHackMe common priv esc room for practical demonstrations.

Offensive Security Certified Professional Study Notes

Cyber Security Study Notes

Definition of Privilege Escalation

At it’s core, Privilege Escalation usually involves going from a lower permission to a higher permission. More technically, it’s the exploitation of a vulnerability, design flaw or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from the users.

Rarely when doing a CTF or real-world penetration test, will you be able to gain a foothold (initial access) that affords you administrator access. Privilege escalation is crucial, because it lets you gain system administrator levels of access. This allow you to do many things, including:

  •  Reset passwords
  •  Bypass access controls to compromise protected data
  •  Edit software configurations
  •  Enable persistence, so you can access the machine again later.
  •  Change privilege of users
  •  Get that cheeky root flag 😉

As well as any other administrator or super user commands that you desire.

Types of Privilege Escalation

Horizontal privilege escalation: This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you. For instance, a normal user hijacking another normal user (rather than elevating to super user). This allows you to inherit whatever files and access that user has. This can be used, for example, to gain access to another normal privilege user, that happens to have an SUID file attached to their home directory (more on these later) which can then be used to get super user access. [Travel sideways on the tree]

Vertical privilege escalation (privilege elevation): This is where you attempt to gain higher privileges or access, with an existing account that you have already compromised. For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges. [Travel up on the tree]

Example Linux Privilege Escalation Tools

LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root. It is important to understand what commands LinEnum executes, so that you are able to manually enumerate privesc vulnerabilities in a situation where you’re unable to use LinEnum or other like scripts. In this room, we will explain what LinEnum is showing, and what commands can be used to replicate it.

You can download a local copy of LinEnum from:

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

It’s worth keeping this somewhere you’ll remember, because LinEnum is an invaluable tool.

Below is a list of good checklists to apply to CTF or penetration test use cases.Although I encourage you to make your own using CherryTree or whatever notes application you prefer.

Room Answers | TryHackMe common priv esc

What is the target’s hostname?

polobox

WhaLook at the output of /etc/passwd how many “user[x]” are there on the system?

8

How many available shells are there on the system?

4

What is the name of the bash script that is set to run every 5 minutes by cron?

autoscript.sh

What critical file has had its permissions changed to allow some users to write to it?

/etc/passwd

Following the cmd.exe process spawned by Python, what is the command-line value of tWhat is the path of the file in user3’s directory that stands out to you?

/home/user3/shell

We know that “shell” is an SUID bit file, therefore running it will run the script as a root user! Lets run it!

We can do this by running: “./shell”

Having read the information above, what direction privilege escalation is this attack?

vertical

Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: “openssl passwd -1 -salt [salt] [password]”

What is the hash created by using this command with the salt, “new” and the password “123”?

$1$new$p7ptkEKU1HnaHpRtzNizS1

Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?

new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

NOPASSWD

What is the flag to specify a payload in msfvenom?

-p

What directory is the “autoscript.sh” under?

/home/user4/Desktop

Video Walkthrough | TryHackMe common priv esc

, , ,
Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles