# Linux PrivEsc Arena \[WIP] {% embed url="" %} {% endembed %} | Room Attributes | Value | | --------------------- | ---------------------------------------------------------------------- | | Subscription Required | False \[Free] | | Type | Walkthroughs | | Difficulty | Medium | | Tags | Security, Linux, PrivEsc | ## Task 1 \[Optional] Connecting to the TryHackMe network ### Read the above. {% hint style="success" %} No answer needed {% endhint %} ## Task 2 Deploy the vulnerable machine ### Deploy the machine and log into the user account via SSH (or use the browser-based terminal). {% hint style="success" %} No answer needed {% endhint %} ## Task 3 Privilege Escalation - Kernel Exploits ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 4 Privilege Escalation - Stored Passwords (Config Files) ### What password did you find?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
### What user's credentials were exposed in the OpenVPN auth file?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 5 Privilege Escalation - Stored Passwords (History) ### What was TCM trying to log into?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
### Who was TCM trying to log in as?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
### Naughty naughty. What was the password discovered?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 6 Privilege Escalation - Weak File Permissions ### What were the file permissions on the /etc/shadow file?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 7 Privilege Escalation - SSH Keys ### What's the full file path of the sensitive file you discovered?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 8 Privilege Escalation - Sudo (Shell Escaping) ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 9 Privilege Escalation - Sudo (Abusing Intended Functionality) ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 10 Privilege Escalation - Sudo (LD\_PRELOAD) ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 11 Privilege Escalation - SUID (Shared Object Injection) ### Click 'Completed' once you have successfully elevated the machine
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 12 Privilege Escalation - SUID (Symlinks) ### What CVE is being exploited in this task?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
### What binary is SUID enabled and assists in the attack?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 13 Privilege Escalation - SUID (Environment Variables #1) ### What is the last line of the "`strings /usr/local/bin/suid-env`" output?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 14 Privilege Escalation - SUID (Environment Variables #2) ### What is the last line of the "`strings /usr/local/bin/suid-env2`" output?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`???`
## Task 15 Privilege Escalation - Capabilities ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 16 Privilege Escalation - Cron (Path) ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 17 Privilege Escalation - Cron (Wildcards) ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 18 Privilege Escalation - Cron (File Overwrite) ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} ## Task 19 Privilege Escalation - NFS Root Squashing ### Click 'Completed' once you have successfully elevated the machine {% hint style="success" %} No answer needed {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thmflags.gitbook.io/thm-walkthroughs/difficulty-medium/linux-privesc-arena-wip.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.