Linux PrivEsc - TryHackMe Write-up
Info
- Name: Linux PrivEsc
- Description: Practice your Linux Privilege Escalation skills on an intentionally misconfigured Debian VM with multiple ways to get root! SSH is available.
- Difficulty: Medium
- Room link: https://tryhackme.com/room/linuxprivesc
Write-up
Task 1
Q: Run the "id" command. What is the result?
A: uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
Task 3
Q: What is the root user's password hash?
A: $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0
Q: What hashing algorithm was used to produce the root user's password hash?
A: sha512crypt
Q: What is the root user's password?
A: password123
Task 5
Q: Run the "id" command as the newroot user. What is the result?
A: uid=0(root) gid=0(root) groups=0(root)
Task 6
Q: How many programs is "user" allowed to run via sudo?
A: 11
Q: One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
A: apache2
Task 9
Q: What is the value of the PATH variable in /etc/crontab?
A: /home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Task 16
Q: What is the full mysql command the user executed?
A: /etc/openvpn/auth.txt
Task 17
Q: What file did you find the root user's credentials in?
A: /etc/openvpn/auth.txt
Task 19
Q: What is the name of the option that disables root squashing?
A: no_root_squash
