🛗Linux PrivEsc

Practice your Linux Privilege Escalation skills on an intentionally misconfigured Debian VM with multiple ways to get root! SSH is available. Credentials: user:password321

Room Attributes	Value
Subscription Required	False [Free]
Type	Walkthroughs
Difficulty	Medium
Tags	PrivEsc, Privilege Escalation, Linux, Linux Privilege Escalation

Room Attributes

Value

Subscription Required

False [Free]

Type

Walkthroughs

Difficulty

Medium

Task 1 Deploy the Vulnerable Debian VM

No answer needed

Run the "id" command. What is the result?

Reveal Flag 🚩

🚩uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

Task 2 Service Exploits

Read and follow along with the above.

No answer needed

Task 3 Weak File Permissions - Readable /etc/shadow

What is the root user's password hash?

Reveal Flag 🚩

🚩$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

What hashing algorithm was used to produce the root user's password hash?

HINT: john the ripper should automatically identify it when cracking!

Reveal Flag 🚩

🚩sha512crypt

What is the root user's password?

Reveal Flag 🚩

🚩password123

Task 4 Weak File Permissions - Writable /etc/shadow

Read and follow along with the above.

No answer needed

Task 5 Weak File Permissions - Writable /etc/passwd

Run the "id" command as the newroot user. What is the result?

Reveal Flag 🚩

🚩uid=0(root) gid=0(root) groups=0(root)

Task 6 Sudo - Shell Escape Sequences

How many programs is "user" allowed to run via sudo?

Reveal Flag 🚩

🚩11

One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?

Reveal Flag 🚩

🚩apache2

Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.

HINT: Play around with certain options the program has!

No answer needed

Task 7 Sudo - Environment Variables

Read and follow along with the above.

No answer needed

Task 8 Cron Jobs - File Permissions

Read and follow along with the above.

No answer needed

Task 9 Cron Jobs - PATH Environment Variable

What is the value of the PATH variable in /etc/crontab?

Reveal Flag 🚩

🚩/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Task 10 Cron Jobs - Wildcards

Read and follow along with the above.

No answer needed

Task 11 SUID / SGID Executables - Known Exploits

Read and follow along with the above.

No answer needed

Task 12 SUID / SGID Executables - Shared Object Injection

Read and follow along with the above.

No answer needed

Task 13 SUID / SGID Executables - Environment Variables

Read and follow along with the above.

No answer needed

Task 14 SUID / SGID Executables - Abusing Shell Features (#1)

Read and follow along with the above.

No answer needed

Task 15 SUID / SGID Executables - Abusing Shell Features (#2)

Read and follow along with the above.

No answer needed

Task 16 Passwords & Keys - History Files

What is the full mysql command the user executed?

Reveal Flag 🚩

🚩mysql -h somehost.local -uroot -ppassword123

Task 17 Passwords & Keys - Config Files

What file did you find the root user's credentials in?

Reveal Flag 🚩

🚩/etc/openvpn/auth.txt

Task 18 Passwords & Keys - SSH Keys

Read and follow along with the above.

No answer needed

Task 19 NFS

What is the name of the option that disables root squashing?

Reveal Flag 🚩

🚩no_root_squash

Task 20 Kernel Exploits

Read and follow along with the above.

No answer needed

Task 21 Privilege Escalation Scripts

Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room?

No answer needed

PreviousMr Robot CTF NextLinux PrivEsc Arena [WIP]

Last updated 2 years ago

Task 1 Deploy the Vulnerable Debian VM

Deploy the machine and login to the "user" account using SSH.

Run the "id" command. What is the result?

Task 2 Service Exploits

Read and follow along with the above.

Task 3 Weak File Permissions - Readable /etc/shadow

What is the root user's password hash?

What hashing algorithm was used to produce the root user's password hash?

What is the root user's password?

Task 4 Weak File Permissions - Writable /etc/shadow

Read and follow along with the above.

Task 5 Weak File Permissions - Writable /etc/passwd

Run the "id" command as the newroot user. What is the result?

Task 6 Sudo - Shell Escape Sequences

How many programs is "user" allowed to run via sudo?

One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?

Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.

Task 7 Sudo - Environment Variables

Read and follow along with the above.

Task 8 Cron Jobs - File Permissions

Read and follow along with the above.

Task 9 Cron Jobs - PATH Environment Variable

What is the value of the PATH variable in /etc/crontab?

Task 10 Cron Jobs - Wildcards

Read and follow along with the above.

Task 11 SUID / SGID Executables - Known Exploits

Read and follow along with the above.

Task 12 SUID / SGID Executables - Shared Object Injection

Read and follow along with the above.

Task 13 SUID / SGID Executables - Environment Variables

Read and follow along with the above.

Task 14 SUID / SGID Executables - Abusing Shell Features (#1)

Read and follow along with the above.

Task 15 SUID / SGID Executables - Abusing Shell Features (#2)

Read and follow along with the above.

Task 16 Passwords & Keys - History Files

What is the full mysql command the user executed?

Task 17 Passwords & Keys - Config Files

What file did you find the root user's credentials in?

Task 18 Passwords & Keys - SSH Keys

Read and follow along with the above.

Task 19 NFS

What is the name of the option that disables root squashing?

Task 20 Kernel Exploits

Read and follow along with the above.

Task 21 Privilege Escalation Scripts

Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room?