Introduction to Linux Privilege Escalation

Learn the fundamentals of Linux privilege escalation. From enumeration to exploitation, get hands-on with over 8 different privilege escalation techniques.

In this video walkthrough, we covered the Linux privilege escalation challenge, the Linux PrivEsc room, which is part of the TryHackMe Junior Penetration Tester pathway.

Privilege escalation is a journey. There are no silver bullets, and much depends on the specific configuration of the target system. The kernel version, installed applications, supported programming languages, and other users’ passwords are a few key elements that will affect your road to the root shell.

This room was designed to cover the main privilege escalation vectors and give you a better understanding of the process. This new skill will be an essential part of your arsenal whether you are participating in CTFs, taking certification exams, or working as a penetration tester.


Task Overview and Machine Setup:

  • The user is instructed to switch between different virtual machines for each task.
  • Each task involves discovering details about the system, such as the host name, Linux kernel version, Python version, and vulnerabilities.

System Enumeration:

  • The process begins with enumerating information on the target system using commands like hostname, cat /etc/issue, and checking the kernel version.
  • Enumeration helps identify vulnerabilities in the Linux system, such as finding the appropriate kernel exploit.

Exploiting Kernel Vulnerabilities:

  • Once vulnerabilities are identified, tools like searchsploit are used to find relevant exploits.
  • The user is shown how to download, compile (with gcc), and run an exploit to escalate privileges to root.

Flag Discovery:

  • After exploiting the vulnerability, the user is instructed to navigate to certain directories (e.g., /home) and find specific “flag” files that mark the completion of the task.

Automated Tools and Manual Privilege Escalation:

  • The video briefly introduces automated tools that simplify privilege escalation tasks, though the focus is on manually exploiting vulnerabilities.
  • It shows how sudo is used to list the programs a user is allowed to run with root privileges, such as nano, find, and less, and how those programs can be leveraged for privilege escalation.

Escalating Privileges Using Specific Programs:

  • The process of escalating privileges using specific programs like nano and nmap is demonstrated.
  • For nmap, the interactive mode is used to spawn a root shell.

User and Password Discovery:

  • Tasks involve finding specific users on the system, like a comic book writer-themed user, and extracting password hashes from the /etc/shadow file.
  • The video explains how to crack password hashes using tools like John the Ripper.

Exploiting SUID Programs:

  • The video explains how to find and exploit SUID (Set Owner User ID) programs, which run with the privileges of their owner (often root).
  • The SUID bit on a binary such as base64 is used to read sensitive files like /etc/shadow, since the binary reads the file with its owner’s (root’s) privileges.

Task Finalization:

The video encourages using manual methods for learning but hints at faster automated approaches for experienced users.

Each task concludes by extracting the required information, such as password hashes and flags, and by confirming root access.
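The summary above and the room’s later questions on cron jobs, the $PATH vulnerability and no_root_squash all come down to misconfigurations a defender can find with read-only checks. The following script is an added example, not code from the room or the video; it parses an /etc/exports-style file, a PATH string and a system crontab, and runs those checks on constructed sample data (the paths and share names in it are made up).

```shell
#!/bin/sh
# Added example (not the room's or the video's own code): read-only checks for
# three misconfigurations the room's later tasks ask about. Each helper takes
# its input as an argument, so it runs on constructed samples or a live host.

# Export paths whose option list contains no_root_squash (a client's root
# stays root on the share).
nfs_no_root_squash() {
    sed 's/#.*//' "$1" | awk '/\(.*no_root_squash.*\)/ { print $1 }'
}

# PATH entries that exist and are writable by the caller (a writable directory
# early in PATH can shadow a command a privileged script calls by bare name).
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Commands of system-crontab jobs (min hour dom mon dow user cmd) whose target
# is a regular file the caller can write to.
cron_writable_targets() {
    sed 's/#.*//' "$1" | awk 'NF >= 7 { print $7 }' | while IFS= read -r c; do
        if [ -f "$c" ] && [ -w "$c" ]; then printf '%s\n' "$c"; fi
    done
}

# Run the checks on constructed sample data; prints the three hit counts.
demo_counts() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/backup.sh"
    cat > "$tmp/exports" <<EOF
# constructed exports file
/srv/backup  *(rw,sync,no_subtree_check,no_root_squash)
/srv/share   *(rw,sync,no_subtree_check)
/srv/scratch *(rw,sync,insecure,no_root_squash)
EOF
    cat > "$tmp/crontab" <<EOF
* * * * * root $tmp/backup.sh
0 3 * * * root echo rotate-logs
EOF
    n=$(nfs_no_root_squash "$tmp/exports" | wc -l | tr -d ' ')
    p=$(writable_path_dirs "$tmp/bin:/nonexistent/bin" | wc -l | tr -d ' ')
    c=$(cron_writable_targets "$tmp/crontab" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$n $p $c"
}
```

On a real host, point the helpers at /etc/exports, "$PATH" and /etc/crontab; each hit is a finding to fix (drop no_root_squash, tighten directory and script permissions) rather than a step to exploit.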

Room Link

Linux PrivEsc

Room Answers

What is the hostname of the target system?

What is the Linux kernel version of the target system?

What Linux is this?

What version of the Python language is installed on the system?

What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

What is the content of the flag1.txt file?

How many programs can the user “karen” run on the target system with sudo rights?

What is the content of the flag2.txt file?

How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

What is the hash of frank’s password?

Which user shares the name of a great comic book writer?

What is the password of user2?

What is the content of the flag3.txt file?

How many binaries have set capabilities?

What other binary can be used through its capabilities?

What is the content of the flag4.txt file?

How many cron jobs can you see on the target system?

What is the content of the flag5.txt file?

What is Matt’s password?

What is the odd folder you have write access for?

Exploit the $PATH vulnerability to read the content of the flag6.txt file.

What is the content of the flag6.txt file?

How many mountable shares can you identify on the target system?

How many shares have the “no_root_squash” option enabled?

Gain a root shell on the target system

What is the content of the flag7.txt file?

What is the content of the flag1.txt file?

What is the content of the flag2.txt file?


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.