We covered Linux enumeration to identify possible weaknesses and vulnerabilities that can lead to privilege escalation. This was part of the TryHackMe room Linux: Local Enumeration.

Gaining Initial Access

I started by accessing a web server on the target machine. I then used a PHP reverse shell to get a connection back to my attacker machine. On my machine, I used nc -lvnp 4545 to listen for the incoming connection, and the PHP reverse shell (copied from my notes) was executed on the target via its web interface.

Stabilizing the Shell

After getting a basic shell, I learned the importance of stabilizing it for better interaction. I used python -c 'import pty; pty.spawn("/bin/bash")' to get a more interactive shell. The video also discussed using SSH for stabilization, which would involve generating an SSH key pair (ssh-keygen on my attacker machine), copying the public key (id_rsa.pub) to the target machine’s ~/.ssh/authorized_keys file, and then logging in with my SSH private key (ssh -i /path/to/id_rsa user@target_ip). However, this wasn’t fully executed in the video due to a missing authorized_keys file.

Basic Enumeration

For basic system information, I used uname -a to display all system information (OS, version, architecture) and uname -m to display only the machine hardware name/architecture.

I checked the bash history by looking at the .bash_history file in the user’s home directory (cat ~/.bash_history or cat /home/manager/.bash_history), as it stores previously executed commands. The .bashrc file (the per-session bash configuration file) was also mentioned in connection with command history for bash sessions, and I checked it with cat ~/.bashrc.

To check sudo privileges, I used sudo -l to list commands the current user could run with sudo, though this typically requires the user’s password, which wasn’t available in this scenario. I also checked the sudo version with sudo -V to see if there were any known vulnerabilities.

Enumerating /etc Directory

I read the /etc/passwd file using cat /etc/passwd to get user account information. I then attempted to read /etc/shadow with cat /etc/shadow, which contains hashed user passwords, but it initially failed due to permissions. I checked the file permissions with ls -l /etc/shadow and the user’s groups with groups | grep manager to see if ‘manager’ was in the ‘shadow’ group.
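The permission and group checks above are the same ones an administrator runs the other way round, to confirm that /etc/shadow cannot be read by ordinary users and to see exactly who sits in the group that is allowed to read it. The script below is an added audit example and is not part of the original write-up or the TryHackMe room; it works on constructed sample files so it needs no access to a real shadow file, and the user name "manager" in the sample group file is the hypothetical user from the write-up.

```shell
#!/bin/sh
# Added audit example, not part of the original write-up: verify that a
# shadow-style password file is not readable by "other", and list who holds
# membership in the group that is allowed to read it. POSIX sh + stat + awk.

# file_mode FILE -> octal permission bits, e.g. 640 (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_shadow_mode FILE
# Prints OK when the "other" class has no read bit, WORLD-READABLE otherwise.
# Expected on Debian/Ubuntu: root:shadow 640; on RHEL-style systems: root:root 000.
check_shadow_mode() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
    if [ $((other & 4)) -ne 0 ]; then
        echo "WORLD-READABLE"
        return 1
    fi
    echo "OK"
}

# group_members GROUPFILE GROUP -> the supplementary-member field of GROUP,
# i.e. the users who can read a 640 root:shadow file without being root.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Self-contained demonstration on constructed data; the "manager" user is the
# hypothetical account from the write-up, not a real system user.
demo_shadow_audit() {
    tmp=$(mktemp -d) || return 1
    printf 'root:x:0:\nshadow:x:42:manager\nmanager:x:1001:\n' > "$tmp/group"
    : > "$tmp/shadow"
    chmod 640 "$tmp/shadow"
    printf 'shadow mode 640: %s\n' "$(check_shadow_mode "$tmp/shadow")"
    chmod 644 "$tmp/shadow"
    printf 'shadow mode 644: %s\n' "$(check_shadow_mode "$tmp/shadow")"
    printf 'members of shadow group: %s\n' "$(group_members "$tmp/group" shadow)"
    rm -rf "$tmp"
}

demo_shadow_audit
```

On a real host you would call check_shadow_mode /etc/shadow and group_members /etc/group shadow; a WORLD-READABLE result, or an unexpected name in the shadow group, is the misconfiguration that makes the hashes readable without root.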

Finding Interesting Files

I used the find command to locate specific file types. I found configuration files (.conf) using find / -type f -name "*.conf" 2>/dev/null, which led me to flag.conf; I then read it with cat /path/to/flag.conf. I also looked for backup files (.bak) with find / -type f -name "*.bak" 2>/dev/null, which led me to /opt/passwords.bak, and reading it with cat /opt/passwords.bak revealed a password.

Enumerating SUID (Set User ID) Binaries

I learned that SUID binaries run with the permissions of the file owner (often root) and, when misconfigured, can be abused to escalate privileges. I found SUID binaries using find / -perm -u=s -type f 2>/dev/null. I identified grep as a potentially exploitable SUID binary and checked its permissions with ls -la /bin/grep.
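The same find query that exposes a stray setuid bit is also the basis of a simple defensive control: record the set of setuid binaries a host is supposed to have, then re-run the query and report anything that was not in the baseline, so a bit that shows up on something like grep is caught as a change. The script below is an added example, not code from the write-up or from TryHackMe; it demonstrates the baseline-and-diff on a constructed directory tree, setting the setuid bit on files it owns so that it runs without root.

```shell
#!/bin/sh
# Added defender-side example, not part of the original write-up: record a
# baseline of setuid binaries and report anything that appears later.
# POSIX sh; needs find, sort and comm.

# snapshot_suid DIR -> sorted list of regular files under DIR with the setuid bit.
# -perm -4000 is the portable spelling of the write-up's -perm -u=s.
snapshot_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# new_suid BASELINE DIR -> setuid files under DIR that are not listed in BASELINE
# (BASELINE is a file written by snapshot_suid, so it is already sorted).
new_suid() {
    snapshot_suid "$2" | comm -13 "$1" -
}

# Demonstration on a constructed tree: "passwd" stands in for a binary that is
# legitimately setuid, "grep" for the misconfiguration described in the write-up.
demo_suid_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/passwd"; chmod 4755 "$tmp/bin/passwd"   # expected setuid
    : > "$tmp/bin/ls";     chmod 755 "$tmp/bin/ls"        # not setuid
    snapshot_suid "$tmp/bin" > "$tmp/baseline"
    : > "$tmp/bin/grep";   chmod 4755 "$tmp/bin/grep"     # setuid bit added later
    echo "baseline:"; cat "$tmp/baseline"
    echo "new since baseline:"; new_suid "$tmp/baseline" "$tmp/bin"
    rm -rf "$tmp"
}

demo_suid_audit
```

On a real system you would run snapshot_suid / once after installation, keep the output somewhere the host cannot alter it, and schedule new_suid against it; any reported path is either a package update to record or a bit to remove with chmod u-s and then investigate.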

To exploit SUID grep and read the previously inaccessible /etc/shadow file, I used the payload from GTFOBins: /bin/grep '' /etc/shadow.

Key Takeaways

I learned that local enumeration is a systematic process of gathering information. Stabilizing my shell is important for effective enumeration. Common areas to check include system information, user history, sudo privileges, sensitive files in /etc, and SUID binaries. Tools like find are powerful for locating specific files, and resources like GTFOBins are invaluable for finding ways to exploit misconfigured binaries or permissions.

Read more about port forwarding here: fumenoid.github.io/posts/port-forwarding

TryHackMe Room Answers

How would you execute /bin/bash with perl?

Where can you usually find the id_rsa file? (User = user)

Is there an id_rsa file on the box? (yay/nay)

How would you print machine hardware name only?

Where can you find bash history?

What’s the flag?

Can you read /etc/passwd on the box? (yay/nay)

What’s the password you found?

Did you find a flag?

Which SUID binary has a way to escalate your privileges on the box?

What’s the payload you can use to read /etc/shadow with this SUID?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.