Information Technology | Softwares - Graphics - Programming - Hacking - Security

Jun 29, 2020

TryHackMe - Linux PrivEsc Arena

Link room:
This room very basic about PrivEsc in linux. All most task is show the ways to get root shell by tutorial very detailed. I has note some task to complete this room, maybe helpful

Task 2
Login as TCM with SSH: ssh TCM@<machine ip>
password: Hacker123

Task 4

Read credentials file: cat /etc/openvpn/auth.txt
We will see password321 as password and user as username

Task 5
#1: TCM trying to log into mysql
#2: TCM trying to log in as root
#3: Password: password123

Task 6
Run "ls -al /etc/" and -rw-rw-r-- is permissions of shadow file

Task 7
Run "find / -name id_rsa 2> /dev/null" We will get the path of id_rsa file: /backups/supersecretkeys/id_rsa
Read and save it with name id_rsa, run "chmod 400 id_rsa" to set mode permissions and we can login as root by ssh without password: ssh -i id_rsa root@<machine ip>

Task 12
Run "dpkg -l | grep nginx"
We see the version of nginx is 1.6.2-5, This version has a vulnerability allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log
#1 Answer: CVE-2016-1247
We can see the PoC in /home/user/tools/nginx/ file or exploit code at link:


#2: It show SUIDBIN="/usr/bin/sudo". so sudo is SUID enabled and assists in the attack

Wonderful knowledge for beginners, thanks to TCM

About Us