☎️
Contrxl
  • 🏡Home
  • ❓Anonymity Tools
  • ⌨️Cisco
    • Networking Basics
      • Communication in a Connected World
      • Network Components, Types and Connections
      • Wireless and Mobile Networks
      • Home Networking Technologies
      • Communication Protocols
      • Network Media
      • The Access Layer
      • The Internet Protocol
      • IPv4 and Network Segmentation
  • 💾Intune
    • ADMX Configuration
    • App Deployment
    • App Updating/Patching
    • File Deployment
    • Remediations
  • 🎓Learning Links
  • 💻Microsoft
    • 📘Microsoft Portal Links
    • Configure SIEM Security Operations using Microsoft Sentinel
      • Create and Manage Microsoft Sentinel Workspaces
        • Introduction
        • Plan for the Microsoft Sentinel Workspace
        • Create a Microsoft Sentinel Workspace
        • Manage Workspaces Across Tenants Using Azure Lighthouse
        • Understand Microsoft Sentinel Permissions and Roles
        • Manage Microsoft Sentinel Settings
        • Configure Logs
  • 📰News & Information
  • 💡OSINT
    • IP & Domain OSINT
    • Email & Username OSINT
    • Vulnerability OSINT
  • 📚Projects
    • ‼️A Simulation Study of DDoS
  • ⚒️Tools
    • Burp Suite
      • Repeater
      • Intruder
      • Other Modules
    • GoPhish
    • Hydra
    • John the Ripper
    • Metasploit
      • Exploitation
      • Meterpreter
    • NMAP
    • Wireshark
  • 🖥️TryHackMe
    • Learning Paths
      • Complete Beginner
        • 1. Complete Beginner Intro
        • 2. Linux Fundamentals
        • 3. Introductory Networking
        • 3.1 Network Exploitation Basics
        • 4. OWASP Top 10 Exploits
        • 5. Upload Vulnerabilities
        • 5.1 An Example Methodology
        • 6. Cryptography - Hashing
        • 7. Cryptography - Encryption
        • 8. Active Directory Basics
        • 9. What the Shell?
        • 10. Linux Privesc
        • 11. More Linux Privesc
      • Jr Penetration Tester
        • Walking an Application
        • Content Discovery
        • Subdomain Enumeration
        • Authentication Bypass
        • IDOR
        • File Inclusion
        • SSRF
        • XSS (Cross-site Scripting)
        • Command Injection
        • SQL Injection
        • Passive Reconnaissance
        • Active Reconnaissance
        • Protocols and Servers
        • Protocol and Server Attacks
        • Vulnerabilities
        • Exploiting Vulnerabilities
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • CompTIA Pentest+
        • Planning and Scoping
          • Pentesting Fundamentals
          • Red Team Engagements
          • Governance and Regulation
        • Tools and Code Analysis
          • Metasploit: Introduction
          • Wireshark: The Basics
          • Burp Suite: The Basics
          • Hydra
          • Python Basics
        • Attacks and Exploits
          • Phishing
          • Windows Local Persistence
          • Breaching Active Directory
          • Lateral Movement & Pivoting
Powered by GitBook
On this page
  1. TryHackMe
  2. Learning Paths
  3. Complete Beginner

11. More Linux Privesc

Eleventh section in Complete Beginner learning path.

Introduction

A variety of examples of potential Linux privilege escalation techniques.

Service Exploits

If MySQL service is running as root and the "root" user for the service does not have a password assigned, this exploit can be used to run system commands as root via MySQL. Once this is downloaded to the target, follow the instructions in the comments of the exploit code to run it & achieve root.

Readable /etc/shadow

If /etc/shadow is world-readable, you can cat this out and send the password hashes to John the Ripper to attempt to crack them & access root/super users.

Writeable /etc/shadow

If /etc/shadow is world-writeable, we can generate a new password hash using:

mkpasswd -m sha-512 [password]

Then we simply edit /etc/shadow and replace the root users password hash with our new one.

Writeable /etc/passwd

If /etc/passwd is writeable we can create a new root user by copying the current root user's row and changing the username to something like "root2" and replacing the "x" password. To generate a useable password we can use:

openssl passwd [password]

Sudo - Shell Escapes

GTFOBins can be used to find shell escapes for various programs that run on Linux machines.

History Files

History files can be viewed using cat ~/.*history | less, you may be able to see failed commands with password contents here.

Last updated 11 months ago

🖥️
  • Introduction
  • Service Exploits
  • Readable /etc/shadow
  • Writeable /etc/shadow
  • Writeable /etc/passwd
  • Sudo - Shell Escapes
  • History Files