Linux PrivEsc - TryHackMe

Learn basics of Linux Privilege Escalation

This write-up is based on the Linux PrivEsc room from Try Hack Me. Please find this room here:- https://tryhackme.com/room/linuxprivesc

[Task 1] Deploy the Vulnerable Debian VM

1. Deploy the VM
2. SSH in to the VM using the credentials given and run the idcommand

Task 1

[Task 2] Service Exploit

This task is to exploit the following vulnerability in MySql:-

CVE-2005-0711 : MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when…

The exploit is available here:-

Offensive Security's Exploit Database Archive

The creator of the room has already made the exploit file - raptor_udf2.c on the VM at location:- /home/user/tools/mysql-udf . Run the following commands as asked:

Task 2

Get the root shell:

Task 2 — root shell

Learning from this task:-

• Avoid running applications as “root”
• Patch things and stay up to date.

[Task 3] Weak File Permissions — Readable /etc/shadow

1. What is the root user’s password hash?

Task 3

As we can see that hashes of root and user are exposed, which can be cracked offline!

2. What hashing algorithm was used to produce the root user’s password hash?