Room link: https://tryhackme.com/room/linuxprivescarena
This room is very basic, about PrivEsc in Linux. Almost every task shows a way to get a root shell, with a very detailed tutorial. I have noted some tasks needed to complete this room; maybe it's helpful.
Task 2
Log in as TCM with SSH: ssh TCM@<machine ip>
password: Hacker123
Task 4
Read the credentials file: cat /etc/openvpn/auth.txt
We will see user as the username and password321 as the password
Task 5
#1: TCM trying to log into mysql
#2: TCM trying to log in as root
#3: Password: password123
Task 6
Run "ls -al /etc/": the shadow file has permissions -rw-rw-r--, so it is readable by every user on the box
Task 7
Run "find / -name id_rsa 2> /dev/null". We will get the path of the id_rsa file: /backups/supersecretkeys/id_rsa
Read it and save it locally with the name id_rsa, run "chmod 400 id_rsa" to set the permission mode (ssh refuses keys that are readable by others), and we can log in as root by ssh without a password: ssh -i id_rsa root@<machine ip>
Task 12
Run "dpkg -l | grep nginx"
We see that the version of nginx is 1.6.2-5. This version has a vulnerability that allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log
#1 Answer: CVE-2016-1247
We can see the PoC in the /home/user/tools/nginx/nginxed-root.sh file, or the exploit code at this link (the variables below are taken from that script):
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
#2: It shows SUIDBIN="/usr/bin/sudo", so sudo is the SUID-enabled binary that assists in the attack
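From the defender's side, Task 12 is two questions: is the installed nginx package one of the affected Debian versions, and does the error-log directory show the conditions the symlink attack relies on. The script below is an added example, not code from the room, the writeup or the linked advisory. The sample dpkg -l line is constructed; the fixed Debian package version it compares against (1.6.2-5+deb8u3) is taken from Debian's security advisory for CVE-2016-1247 rather than from the writeup, and the log-directory ownership condition is the one the linked advisory describes; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the room, the writeup or the linked advisory.
# Defender-side checks for Task 12: is the installed nginx package a version
# affected by CVE-2016-1247, and does the error-log directory show the
# conditions the symlink attack needs. Sample dpkg output is constructed;
# the fixed Debian version (1.6.2-5+deb8u3) comes from Debian's advisory for
# this CVE, not from the writeup. Function names are my own.

# Version field of an installed ("ii") row of "dpkg -l" output, e.g.
# "ii  nginx  1.6.2-5  all  small, powerful, scalable web/proxy server" -> 1.6.2-5
dpkg_version_of() {
    printf '%s\n' "$1" | awk '$1 == "ii" { print $3; exit }'
}

# Return 0 when $1 is older than the fixed version. Uses dpkg's own Debian
# version comparison where dpkg exists; without it, fall back to matching the
# one affected version the writeup shows (1.6.2-5).
nginx_version_is_affected() {
    ver="$1"
    fixed="${2:-1.6.2-5+deb8u3}"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$ver" lt "$fixed"
    else
        [ "$ver" = "1.6.2-5" ]
    fi
}

# Symlinks directly inside the log directory are the artefact the attack
# leaves behind (the error log replaced by a link to a file root will write).
# Prints any found and returns 1; returns 0 for a clean directory.
log_dir_symlinks() {
    dir="${1:-/var/log/nginx}"
    found=$(find "$dir" -maxdepth 1 -type l 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# The precondition the advisory describes: the log directory owned by the web
# server user rather than root, so that user can rename the log and drop a
# symlink in its place. Return 0 when the owner is root.
log_dir_owned_by_root() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "root" ]
}

# Run all checks on the live host; prints findings, returns 1 if any.
audit_nginx() {
    rc=0
    ver=$(dpkg_version_of "$(dpkg -l nginx 2>/dev/null | grep '^ii')")
    if [ -n "$ver" ] && nginx_version_is_affected "$ver"; then
        echo "FINDING: nginx $ver is affected by CVE-2016-1247; upgrade the package"
        rc=1
    fi
    if ! log_dir_owned_by_root /var/log/nginx; then
        echo "FINDING: /var/log/nginx is not owned by root"
        rc=1
    fi
    if ! log_dir_symlinks /var/log/nginx >/dev/null; then
        echo "FINDING: symlink(s) present in /var/log/nginx:"
        log_dir_symlinks /var/log/nginx | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Usage: sh nginx-audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_nginx
fi
```

The version check defers to dpkg --compare-versions because Debian's "+deb8u3" style suffixes do not sort correctly with plain string or numeric comparison; the ownership and symlink checks are what a host-based monitor would watch after patching, since the package version alone says nothing about whether the directory was already tampered with.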
Wonderful knowledge for beginners, thanks to TCM