In this thread🧵, I will be discussing how you can pop a root shell by abusing SUDO rights misconfiguration and will be demonstrating this using this box: tryhackme.com/room/linuxpriv…
First things first, let’s start with theoretical concepts!!😄
What is SUDO👑?
Sudo (Superuser Do) - is a Unix and Linux based utility that gives users permissions to run commands at the `root` level (most powerful user).
The `Sudo -l` Command
This command list the programs/binaries which `sudo` allows a user to run with root privileeges and without being asked the `root` password. For long listing use `sudo -ll`
- From the above snippet you can see user `traw` can all run all the commands as root without being asked root password but only traw's password. That's a security issue because we can easily abuse this to escalate to the root user by simply issuing the following command(sudo su)
Alright let's look at another example, in this example will be using the @RealTryHackMe box. I have provided the link above.
From the above snippet you can see that the user `user` can be able to run quite a number of programs with root level permissions. We can abuse those binaries to escalate our privileges to root,
there is cool website with some instructions on how to gain root shell using the above listed programs. Visit GTFOBins(gtfobins.github.io) and search for some of the program names.
If the program is listed with `sudo` as a function, you can use it to elevate privileges, usually via an escape sequence. Let’s take a look at all binary one by one and try to gain a root shell, using the instructions from GTFOBins.
1. Using AWK from the above snippet
2. Using VIM Command
3. Using FIND command
4. Using NMAP command
5. Using MAN command
6. Using MORE/LESS commands
7. Using FTP
8 Abusing Intended Functionality
Let's say we run `sudo -l` and found that we can run apache2 or wget with root level permissions. Sadly, with these binaries you can't get `shell` and you can't also even edit system files too,
but using these binaries we abuse their functionality to view `important` systems files.
8a. Abusing Apache2
From the above snippet you can clearly see that we able to view the contents of the `/etc/shadow` file.
Sadly no Shell. But we have manage to extract root hash that means we can crack the harsh using online methods (`crackstation.net`) or some tools like hashcat, john etc
8b. Abusing WGET
With `wget` we can dump some important system files like the `/etc/shadow`, `/etc/passwd` file, root ssh keys etc. To do this you have to setup a netcat listener on the attacker machine:
That's it! Thank you for reading today's thread😇. If you have other privilege escalation vectors I have missed, feel free to add them in the comments. Would love to know them as well. And be sure to rt🔄 , like💌 and follow👨👨👧👧 me (@xtremepentest) for more future Linux content.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
13 Linux tr command practical examples you should know as a system administrator:
The tr command short for translate, is one of the most useful command for manipulating text on the command line.
It allows you to perform useful operations such as converting lowercase characters to uppercase characters, uppercase characters to lowercase characters, character replacing, and deleting characters.
It is usually used in conjunction with other commands via piping.
Linux user management - how to add users in Linux 🧵↓
The useradd command is the main tool for adding new users to a Linux system. This command allows you to quickly create a new user account and configure the user's $HOME directory structure.
The useradd command creates a user account by combining system default settings and command-line parameters.
To see the system default values on your Linux distribution, use the useradd command with the -D option:
You will regularly need to create and delete directories on the Linux system as a system administrator. The mkdir, rm, and rmdir commands make this possible.
Making Directories🐧
Creating a new directory in Linux is simple; simply use the mkdir command. The mkdir command accepts only one parameter: the name of the directory you want to create
If you want to learn bash scripting and start automating tasks, open this:
1: Intro to Linux Shell Scripting (Free course)
This mini-course is designed to help beginners quickly become proficient in Linux shell scripting in only one hour. It is ideal for those who are just starting with a bash shell.