Help with Linux Local Privilege Escalation - Skills Assessment

Anyone do the academy module Linux Privilege Escalation? Currently on the skills assessment section at the end.

Stuck at getting flag 4.

I've searched the internet some for help and it seems I'm supposed to exploit the Tomcat application. But other than that I'm stuck.

Some things I've done:

  • Got access to the box as the “barry” user.
  • I've searched the /var/log files trying to read them. All I've discerned so far is the existence of either an admin or tomcatadm account.
  • I've tried some default login credentials for Tomcat by accessing it with a web browser on port 8080.
  • Tried a couple of Metasploit modules that are made for Tomcat; none of them worked.
1 Like

Got some help on Discord chats and finished the module. If anyone is stuck at a particular place on this module and wants some clues, you can ask on this forum.

Hi truthreaper,
I’m stuck right at the second flag; to be precise, I’ve found flag2 and flag3 but I can’t look inside. I can’t find any hook to escalate. Can you please show only the direction? I don’t want the solution, just tell me where to look :wink:
Thanks in advance.

Oh hi, are you still working on this? I've forgotten some details already, but to read the next flags you will need to log in as the “barry” user. Look around in some of the files in that user's home directory; actually, I think it was in the bash history files, which allow you to see all the previous commands someone typed. Guess that user likes to reuse passwords for different applications.

Just in case you don’t know, you switch users in Linux using the command:

su [user]

Then it will prompt you for a password. You gotta find the password for the “barry” user; that account has higher privileges.

Hi truthreaper,
thanks for the hint, with your help I got flag2 and 3, just by looking in bash_history for the barry user.
Now I’m going ahead with the challenge, thanks again. If you know where to look, it is very simple.
Have a nice day!

noyse_d

1 Like

Cool, ya, if anyone else wants some tips and hints on this module, ask away.

Hey, I was wondering if you could give me any pointers for flag 4. I’ve found the hidden credentials for tomcatadm, but I cannot figure out where to go from there. I tried Metasploit exploits, but the one I think should have worked does not establish a shell.

Yes, if you managed to log in to the Tomcat manager, you can upload a .WAR reverse shell that will allow you to continue the assessment.

You can also create a WAR reverse shell using msfvenom.

Thank you! I think I was configuring the Metasploit module incorrectly, but I got it figured out.

1 Like

Hey, I'm stuck on flag 5. I can't find a way to exploit the sudo permission that the tomcat user has.
Any hint?

Been a little while, but if I remember correctly you gotta find out what commands the tomcat user can execute as sudo. Then figure out how to use that command to escalate privileges. GTFOBins will be useful there.

https://gtfobins.github.io/

That’s what I did, I used what it says on GTFOBins but it didn’t work…
Did you use msfconsole for the exploit on Tomcat? Maybe the shell is causing the problems? It just prints the --show-system info and says that !/bin/sh not found

Think you will need to use a shell upgrading technique with python3 to make the shell usable for the GTFOBins privilege escalation. The technique will not work in the unupgraded netcat shell.

2 Likes

Use python3, though, instead of python.

1 Like

Yep, it worked.
Thanks a lot, man

1 Like

Hey,
I am stuck at getting flag 4. I already found the credentials for the Tomcat login. If I understood it correctly, I need to log in to the Tomcat manager in the web browser. I tried the domain http://localhost:8080/manager/html but it says:

Unable to connect. Firefox can’t establish a connection to the server at localhost:8080

  • The site could be temporarily unavailable or too busy. Try again in a few moments.
  • If you are unable to load any pages, check your computer’s network connection.
  • If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web

I tried it with the VPN and with the Pwnbox itself. All I need to know is the way to log in to the manager to exploit privileges.

Any help is very welcome.
Thanks in advance

I can easily get flag 5 using Metasploit. Also, I already lost a day trying to escalate to the root user manually but I totally failed. I don’t know how to deal with the b***tl service, any advice?


Edit: I can privilege escalate without msf now.

Try looking in /etc/tomcat9 for Tomcat credentials.

1 Like