# Linux PrivEsc {% embed url="" %} {% endembed %} | Room Attributes | Value | | --------------------- | ---------------------------------------------------------------------- | | Subscription Required | False \[Free] | | Type | Walkthroughs | | Difficulty | Medium | | Tags | PrivEsc, Privilege Escalation, Linux, Linux Privilege Escalation | ## Task 1 Deploy the Vulnerable Debian VM ### Deploy the machine and login to the "user" account using SSH. {% hint style="success" %} No answer needed {% endhint %} ### Run the "id" command. What is the result?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)`
## Task 2 Service Exploits ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 3 Weak File Permissions - Readable /etc/shadow ### What is the root user's password hash?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0`
### What hashing algorithm was used to produce the root user's password hash? {% hint style="warning" %} **HINT:** john the ripper should automatically identify it when cracking! {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`sha512crypt`
### What is the root user's password?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`password123`
## Task 4 Weak File Permissions - Writable /etc/shadow ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 5 Weak File Permissions - Writable /etc/passwd ### Run the "id" command as the newroot user. What is the result?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`uid=0(root) gid=0(root) groups=0(root)`
## Task 6 Sudo - Shell Escape Sequences ### How many programs is "user" allowed to run via sudo?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`11`
### One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`apache2`
### Consider how you might use this program with sudo to gain root privileges without a shell escape sequence. {% hint style="warning" %} **HINT:** Play around with certain options the program has! {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ## Task 7 Sudo - Environment Variables ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 8 Cron Jobs - File Permissions ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 9 Cron Jobs - PATH Environment Variable ### What is the value of the PATH variable in /etc/crontab?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin`
## Task 10 Cron Jobs - Wildcards ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 11 SUID / SGID Executables - Known Exploits ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 12 SUID / SGID Executables - Shared Object Injection ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 13 SUID / SGID Executables - Environment Variables ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 14 SUID / SGID Executables - Abusing Shell Features (#1) ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 15 SUID / SGID Executables - Abusing Shell Features (#2) ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 16 Passwords & Keys - History Files ### What is the full mysql command the user executed?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`mysql -h somehost.local -uroot -ppassword123`
## Task 17 Passwords & Keys - Config Files ### What file did you find the root user's credentials in?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`/etc/openvpn/auth.txt`
## Task 18 Passwords & Keys - SSH Keys ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 19 NFS ### What is the name of the option that disables root squashing?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`no_root_squash`
## Task 20 Kernel Exploits ### Read and follow along with the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 21 Privilege Escalation Scripts ### Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room? {% hint style="success" %} No answer needed {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thmflags.gitbook.io/thm-walkthroughs/difficulty-medium/linux-privesc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.