We covered Linux enumeration to identify possible weaknesses and vulnerabilities in order to achieve privilege escalation. This was part of the TryHackMe room Linux: Local Enumeration.
Gaining Initial Access
I started by accessing a web server on the target machine. I then used a PHP reverse shell to get a connection back to my attacker machine. On my machine, I used nc -lvnp 4545 to listen for the incoming connection, and the PHP reverse shell (copied from my notes) was executed on the target via its web interface.
Stabilizing the Shell
After getting a basic shell, I learned the importance of stabilizing it for better interaction. I used python -c 'import pty; pty.spawn("/bin/bash")' to get a more interactive shell. The video also discussed using SSH for stabilization, which would involve generating an SSH key pair (ssh-keygen on my attacker machine), copying the public key (id_rsa.pub) to the target machine's ~/.ssh/authorized_keys file, and then logging in with my SSH private key (ssh -i /path/to/id_rsa user@target_ip). However, this wasn't fully executed in the video due to a missing authorized_keys file.
Basic Enumeration
For basic system information, I used uname -a to display all system information (OS, version, architecture) and uname -m to display only the machine hardware name/architecture.
I checked the bash history by looking at the .bash_history file in the user's home directory (cat ~/.bash_history or cat /home/manager/.bash_history), as it stores executed commands. The .bashrc file was also mentioned as containing command history for bash sessions, which I checked with cat ~/.bashrc.
To check sudo privileges, I used sudo -l to list the commands the current user could run with sudo, though this typically requires the user's password, which wasn't available in this scenario. I also checked the sudo version with sudo -V to see if there were any known vulnerabilities.
Enumerating the /etc Directory
I read the /etc/passwd file using cat /etc/passwd to get user account information. I then attempted to read /etc/shadow with cat /etc/shadow, which contains hashed user passwords, but it initially failed due to permissions. I checked the file permissions with ls -l /etc/shadow and the user's groups with groups | grep manager to see if 'manager' was in the 'shadow' group.
Finding Interesting Files
I used the find command to locate specific file types. I found configuration files (.conf) using find / -type f -name "*.conf" 2>/dev/null, which led me to flag.conf. I then read it with cat /path/to/flag.conf. I also looked for backup files (.bak) with find / -type f -name "*.bak" 2>/dev/null, which helped me find a file like /opt/passwords.bak and revealed a password when I used cat /opt/passwords.bak.
Enumerating SUID (Set User ID) Binaries
I learned that SUID binaries run with the permissions of the file owner (often root) and can be exploited. I found SUID binaries using find / -perm -u=s -type f 2>/dev/null. I identified grep as a potentially exploitable SUID binary and checked its permissions with ls -la /bin/grep.
To exploit SUID grep and read the previously inaccessible /etc/shadow file, I used the payload from GTFOBins: /bin/grep '' /etc/shadow.
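The checks above (SUID binaries, readable backup and config files, /etc/shadow permissions) are the same ones a defender would want to run against a host before an attacker does. The script below is an added example, not code from the room or the writeup; it wraps the walkthrough's find commands in functions that take a root directory, so they can be pointed at a test tree, and the list of "expected" SUID names is an assumption for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of the TryHackMe room): re-runs the
# walkthrough's enumeration checks from a defender's side. Every function
# takes a root directory so it can run against a test tree instead of /.

# SUID binaries normally present on a Linux host (assumed, illustrative list).
SUID_EXPECTED="passwd sudo su mount umount chsh chfn newgrp gpasswd ping pkexec"

# Print every SUID file under $1 whose basename is not in SUID_EXPECTED.
# Anything printed (for example a SUID grep) needs a closer look.
unexpected_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | while read -r f; do
    b=$(basename "$f")
    case " $SUID_EXPECTED " in
      *" $b "*) ;;                    # expected system binary, skip
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Print *.bak and *.conf files under $1 that any user can read: the
# walkthrough's discovery of /opt/passwords.bak and flag.conf, narrowed
# to the files that actually leak to an unprivileged account.
world_readable_leftovers() {
  find "$1" -xdev -type f \( -name '*.bak' -o -name '*.conf' \) \
       -perm -o=r 2>/dev/null | sort
}

# Return 0 when file $1 (normally /etc/shadow) is not group-writable and
# grants "other" no access at all; return 1 otherwise. Parses ls -l output
# so it stays POSIX-portable (positions 1-10 are the mode string).
shadow_perms_ok() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$perms" ] || return 1
  case "$perms" in
    ?????w*) return 1 ;;              # group write bit set
    ???????---) return 0 ;;           # "other" has no r, w or x
    *) return 1 ;;
  esac
}
```

Run against / as a low-privilege user to see exactly what the walkthrough's user saw; the SUID output is the list to compare against GTFOBins when deciding which bits to remove.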
Key Takeaways
I learned that local enumeration is a systematic process of gathering information. Stabilizing my shell is important for effective enumeration. Common areas to check include system information, user history, sudo privileges, sensitive files in /etc, and SUID binaries. Tools like find are powerful for locating specific files, and resources like GTFOBins are invaluable for finding ways to exploit misconfigured binaries or permissions.
Read more about port forwarding here: fumenoid.github.io/posts/port-forwarding
TryHackMe Room Answers
Where can you usually find the id_rsa file? (User = user)
Is there an id_rsa file on the box? (yay/nay)
Where can you find bash history?
What’s the flag?
Did you find a flag?
What’s the payload you can use to read /etc/shadow with this SUID?