Deep Dive into Privilege Escalation on Linux

Contents

Linux Privilege Escalation
1. Tryhackme Setup (preview, 16m 43s)
2. Enumeration (preview, 11m 41s)
5. Sudo List (5m 32s)
6. Shadow (15m 21s)
7. Preload (9m 32s)
10. Path (7m 49s)
12. Crontab (11m 13s)


Tryhackme Setup
Difficulty: Intermediate
Duration: 2h 29m
Students: 54
Ratings: 5/5
Description

This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, the sudo list, SUID binaries, crontab, and much more!

Transcript

Hi. Within this section, we're going to focus on Privilege Escalation on Linux machines. In this lecture, we're going to focus on Privilege Escalation for Windows machines as well. So, don't worry about it. For right now, we're going to solve our virtual challenges or vulnerable machines in TryHackMe. So, TryHackMe is a platform that is actually created for you to solve the vulnerable machines one more time, like GitHub, but this time you're going to create a profile for you. And then the machines that you will be solving will be recorded in that profile. So, after you solve those machines you get points, you get rewards, you get credit, so that you get a ranking. So, when you apply for a job in Cybersecurity, you can actually show your profile to the employers and you can say that I have solved all these challenges, I have a good ranking in TryHackMe, and so much more. So, it's a good idea to learn how this TryHackMe works for your Cybersecurity career as well. So, I have uploaded a virtual machine as a vulnerable machine in this TryHackMe platform, so that we can work on that. Later on, during the course, we're going to see an alternative to TryHackMe again, which is called Hack The Box. So, let me show you what I mean. So, it's called hackthebox.eu. So, this is another platform, okay? We're going to do the Windows things in Hack The Box. But there is a paid option and a free option in Hack The Box and also in TryHackMe as well. For license and registration purposes, we're going to use Windows in Hack The Box and we're going to use Linux in TryHackMe. So, in TryHackMe, you won't pay anything, but in the Windows section, the Hack The Box section, you're going to need a VIP membership at least for the time that you solve those challenges. Okay, I'm going to talk about that later on.
For just right now, don't worry about it. TryHackMe is completely free for you, at least for this course; of course there is a VIP section or VIP option in TryHackMe as well. I'm going to show you what I mean once we get into that. So, first of all, we're going to have to create an account and then set our machine up, so that we can communicate with the TryHackMe servers, so that we can actually run an Nmap scan or ping the target vulnerable machine that we are working on. So, as I said before, I have found a vulnerable machine and I modified it and put it in TryHackMe, okay? So, I'm going to talk about it as well. So, if you have an account in TryHackMe, you're more than fine to use it. But if you don't, I'm going to show you how to sign up. So, all you have to do is just come over here and say Join Now, okay? And over here it will ask you to create a username, an email, and a password. So, make sure you give your username, email, and password and choose your experience level, which doesn't mean anything really. Just choose whatever you want. You can choose complete beginner, early intermediate, intermediate, or advanced. It really doesn't matter. You will just see custom preferences or custom offerings for you, but you can reach whatever you want in this whole website, okay? Just sign up from here, after which you will enter your email and just confirm the account. Since I have already done that, I can just come over here to the Login page and say I'm not a robot, and I can log in with my username and password. So, once I do that it will take me to the dashboard of TryHackMe, in which I can actually see what kind of rooms I'm in, what kind of CTF I'm working on. So, we're going to talk about what a room is. Right now, I'm just going to click on the dashboard. And it's loading for some reason and it hasn't been completed yet, but it really doesn't matter. I'm just going to show you what to do.
If you come over here, you can see the menu, like Compete, Learn, Develop, okay? And of course the images and the menu options, like icons, can change over time. But the first thing you should do in here when you come over here, just take a look at the dashboard to get familiarized a little bit. For example, you can see your current ranking, you can see how many users there are over here. We have more than 240,000 students or users right now; it will be more when you visit it. But if you come over here to Hacktivities, you can see possible virtual machines, vulnerable machines, which you can actually work on. And after you complete this course, I really suggest you come back here for free versions of the vulnerable machines and just try to solve them all together, okay? Here we have some rooms, here we have some hacktivities in which we can practice some sort of skills. Here we have 267 public rooms, okay? And you can search for any term like learn Linux, learn Windows, something like that, to find a related room, and you can just choose it from this list as well. So, these are the most popular ones right now. What we want to do, we want to find this OpenVPN, okay? We can see that from our dashboard or we can see it from here as well. Why are we looking for a VPN? Because that's how we actually establish a connection between TryHackMe and our Kali Linux machine. So, I'm going to show you how to set this up, and if you cannot find it, you can just search for OpenVPN. And just find the OpenVPN from here. So, it will display different kinds of instructions for different kinds of operating systems, like Windows, macOS, and Linux, okay? And they are in the form of tasks. So, we're going to see what the task is, but the task is actually when you get the question or when you get the tip, like we have seen in the bandwidth, when you do it, you can just say okay, I have done it, and just hit 'Submit', okay? So, over here, for example, I can just say completed.
And if we are looking for a challenge, like a CTF, like capture the flag, it will ask you for a flag and you get the flag. You paste it over here and just say Submit, so that you get a point. So, this is how this works, okay? This is how the system confirms that you solved a virtual machine or solved a CTF. You capture the flags and just submit them from there. But in this case we don't have to capture a flag or something like that. It says go to the Access page, okay? And download your own OpenVPN file. So, make sure you go to tryhackme/access or follow the link on the first task, because you're going to have to choose a server from here. So, if you come over here you can see the regular servers, and you can just choose either of them and download your configuration file. So, this configuration file belongs to you; it is specific to you. For example, mine is named after my name, as you can see, in fact after my username, and I'm going to save this file because that's what I will use in order to connect to the TryHackMe servers. So, you should download your own and just follow along with me, okay? After that you can come over here to Task 4, which is connecting with Linux. So, it says run sudo apt install openvpn, which will install the OpenVPN tool on your Linux, and in Kali Linux it comes preinstalled, so you don't need to do this step, but if for some reason it's not installed, just do this, and then you can just run the file that you have downloaded. So, I'm going to go into Downloads, and run ls -la. And I'm going to grep my name because there are a lot of files in my Downloads folder, I believe. Here you go, so I see my own VPN file over here, so you will see yours in your Downloads folder. So, what you have to do, you have to run OpenVPN, okay? You can just say openvpn and run it from here like this.
So, once you do that it will just connect to this VPN and it will send your requests through this VPN, so that you can communicate with the TryHackMe servers. As you can see, if I run ifconfig, I still see the 10.0.2.4, but also I get a tun0 over here, which is 10.0. And I have an IP address related to that tun0. So, 10.9.199.213 for me. So, of course it will be different for you. So, once I see that license, once I see the tun0, then it means that I can connect to the TryHackMe servers, okay? So, over here it says Get Connected; since we've done that, I believe it will just show yep, connected right now. So let's see, let's come over here and I'm going to search for debian privesc, okay? So, it won't show up here because I made this private, so that no one else can reach it except the students of this course. So, I'm going to come over here. And I'm going to go into that room. So, the room is basically where our virtual machine, our vulnerable machine, is located. So, it's the room Debian PrivEsc for me. So, this is the link, but I believe you cannot actually reach that link by just typing it in the browser. I'm going to share a link with you in the resources of this lecture, so that you can actually enroll in this room, so that you can see all these things that I'm seeing right now. So, this is the room that we will be working on. As you can see, there are a lot of tasks over here. So, each task represents a privilege escalation technique. All we have to do is just follow along with this and we can try every privilege escalation technique over here. I'm going to take you over most of them, the most popular ones, the most common ones, that you're going to come across within CTFs or Pentesting. So, I'm going to show you one more time. As I said before, I found this machine online. So, I'm going to show you where I have found this, and I have modified this a little bit to make this suitable for our own Pentesting course.
So, I'm going to search for privilege escalation in GitHub. You don't have to do that right now. I'm just doing this so that you know that I got this from someone and I want to credit this guy, which is Sagi Shahar or something like that. Maybe I'm mispronouncing it. But again, this guy is great because he came up with this Privilege Escalation Workshop in which he created the vulnerable Linux system, a Debian system, that we are going to use in this course. So, we're basing our vulnerable machines on this guy's workshop. So, thank you for that. I don't know, I don't even know the guy, but I have actually benefited from that a lot. Thank you very much. So over here, I got these descriptions from the GitHub page as well, but I have just made it so that you can find it for each task chronologically, or in a way that you can follow logically, so that it would make sense to you. And I'm not going to just follow along one by one over here; I'm just going to follow along with my own curriculum, but we're going to take you over the most common ones as well, as much as possible. So, if you run deploy, if you just hit 'Deploy,' as you can see, our machine is deployed over here. So, it's called Debian PrivEsc, and within one minute we will see the IP address of that machine in here, and it expires within 59 minutes if we don't add an additional hour from here. So, it will take us much more to solve all the questions. So, I believe it's a good idea for you to add one hour, and after you finish your job over here don't forget to click on 'Terminate,' so that you don't actually create a burden for the TryHackMe servers for no reason. So, again, this will deploy our virtual machine, and this will deploy the virtual machine that I have uploaded specifically for this course for you.
And it will give you an IP address and you will be able to directly reach that IP address and ping that IP address from your Kali Linux machine, because you have downloaded your own VPN and run it in your own Kali Linux machine. Okay, so if you have skipped that step for some reason, don't forget to do it. So, here you go, this is our IP address. So, once you terminate this and run it one more time, it may change. But right now, it has the same subnet as I have in my tun0, as you can see. So, it's 10.10.197.56 for me. So, I'm going to try and ping that one to see if I can actually reach that. And here you go. As you can see, I can go and reach that. It's very good. Now, we have established the connection between our Kali Linux and the TryHackMe server that we have deployed. Here we see the username and password. So, we have the root password and the user password here as well. You won't need the root password because we will always log in as user and try to make our way to become root, but if you need it for some reason, the user password is james321 and the root password is james123. So, in order to ssh into that, you have to write ssh user@ IP address. Okay, this is not the IP address, this is the password. So, let me get the IP address one more time. So, all you have to do is just run this and give james321 as the password once you hit 'Enter.' And again, if you want to, you can ssh directly as root as well, but it won't make sense, because all the practices that we are going to do are about becoming root via the user. So I'm going to paste this thing in, and here you go. We are connected to the server. So, we are not hacking in. I already gave you the passwords because we will practice privilege escalation in this section rather than hacking in. So, we're going to stop here, and start within the next lecture.
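As an added example for the connection steps walked through in this lecture (VPN up, tun0 present, target reachable, then ssh as user), here is a small pre-flight script. It is not part of the course or of TryHackMe; the `ip -4 -o addr show` sample is constructed to mirror the addresses read out in the transcript, the interface name tun0 and the assumption that tunnel and target both sit in 10.0.0.0/8 are taken from the transcript rather than from any TryHackMe guarantee, and the ssh/ping line for live use is an assumption about how the reader will invoke it. It validates the target address before anything is sent, which catches the slip shown in the transcript (pasting the password where the IP belongs).

```sh
#!/bin/sh
# Added pre-flight check for the VPN connection steps in this lecture (not course code).
# Reads `ip -4 -o addr show` output on stdin so the checks can be run on captured text.

# is_ipv4 ADDR: succeed only for a dotted quad of four decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..* | '') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# tun_addr IFACE: print IFACE's IPv4 address from `ip -4 -o addr show` output on stdin.
# In -o (one-line) output field 2 is the interface name and field 4 is addr/prefix.
tun_addr() {
    awk -v want="$1" '$2 == want { split($4, a, "/"); print a[1]; exit }'
}

# same_first_octet A B: cheap sanity check that both addresses share the same /8.
same_first_octet() {
    [ "${1%%.*}" = "${2%%.*}" ]
}

# preflight IFACE TARGET < ip-output: run all three checks; print the tunnel address.
preflight() {
    addr=$(tun_addr "$1")
    if [ -z "$addr" ]; then
        echo "no address on $1: is openvpn running with your .ovpn file?" >&2
        return 1
    fi
    if ! is_ipv4 "$2"; then
        echo "'$2' is not an IPv4 address (did you paste the password instead of the IP?)" >&2
        return 2
    fi
    if ! same_first_octet "$addr" "$2"; then
        echo "target $2 is not in the tunnel's range (tunnel is $addr)" >&2
        return 3
    fi
    echo "$addr"
}

# Constructed sample of `ip -4 -o addr show` on a Kali VM with the VPN up;
# the addresses mirror the ones read out in the transcript.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.2.4/24 brd 10.0.2.255 scope global dynamic eth0\       valid_lft 86112sec preferred_lft 86112sec
3: tun0    inet 10.9.199.213/16 scope global tun0\       valid_lft forever preferred_lft forever'

TARGET=10.10.197.56   # the deployed machine's address from the transcript (assumed)

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_IP_OUTPUT" | preflight tun0 "$TARGET" >/dev/null \
    && echo "pre-flight ok for $TARGET"

# Live use once openvpn is up (uncomment on the Kali box):
# ip -4 -o addr show | preflight tun0 "$TARGET" && ping -c 1 "$TARGET" && ssh user@"$TARGET"
```

The first-octet test is deliberately coarse: it is only meant to flag an address that obviously does not belong to the lab (a LAN address, a password, a truncated paste) before ping or ssh hangs on it, not to reproduce TryHackMe's routing.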


About the Author
Students: 1708
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.