4SAK3N@4sak3n.com:[~] $
RECENT WRITE-UPS
TryHackMe "Professor Chaos" Room Write-Up
This is a simple privilege escalation room I set up to mimic the "Production" King of the Hill privilege escalation technique.
Goal: Intro to Privilege Escalation! Can you help Butters "GTFO"?
Description:
Get into Butter's account via SSH and break out to get root! See if you can find all of the flags on the machine!
Butter's Username is: butters and his Password is: ProfessorChaos1
(YOU WILL NEED TO BE CONNECTED TO THE TRYHACKME VPN OR USE AN ATTACKBOX TO COMPLETE THIS)
(ALSO MAKE SURE ALL EXTERNAL VPN's ARE DISCONNECTED i.e NordVPN)
Step 1: Get into Butter's Account:
The first step is to get inital access into Butters' account via SSH. To do this we need to connect using his username with the IP of the TryHackMe Machine we generated. In my case, this is 10.10.233.174.
ssh butters@10.10.233.174
After we type this command, we will be prompted for his password, which has already been given to us. Use ProfessorChaos1 for the password.
Step 2: What can we do on the system?
Since we now have access to Butters' account, we need to try and find a way to gain root.
First, we'll use the command ls -la to list all of the files in Butters' home directory.
We can see there isnt really anything of interest upon looking at the files, so let's try another command.
Lets use the command sudo -l , to list what kind of sudo permissions we have on the account. You will be prompted for the password again upon typing this command.
We can see here that Butters is allowed to run the sudo command "sudo su eric", which will switch the user to eric.
Upon running the command, we can use the id command to see that we are switched to Eric's account. However, we are still in butters' home directory, so we will do the following command:
cd /home/eric
The ls command will then display the first flag, we then use cat flag1.txt to display the first flag
{THM}GETTINGCLOSE
now that we are on Eric's account, the command id can be used to confirm that we are eric. That said, we still aren't root.
Let's repeat the same process again to see what we can do.
a sudo -l reveals that eric has sudo permissions for the nano command, but what can we do with this?
We'll go to GTFO bins to see if there is anything we can do to breakout of the user shell and gain root using certain commands
In a browser, go to https://gtfobins.github.io
searching "nano" in the search bar on GTFO bins yields the following results:
We will click "sudo" to reveal what command we will need to run in order to break out of the user shell into a root shell.
The command is as follows:
sudo nano
Ctrl R Ctrl X
reset; sh 1>&0 2>&0
First, we sudo nano to open up the text editor, then use CTRL R to open the "read file" function of nano.
Then we will Ctrl X to execute a command.
Finally, type in reset; sh 1>&0 2>&0
You will see a # appear in the box around the area that reads "executing", press enter a few times to get a legible shell.
After typing in the commands, your screen should look something like this:
After running the "id" command, we can now see that we are now root on the system. SUCCESS!
There are still two flags on the system that we should be able to get to now; Let's see if there's one in the root folder!
cd /root
A quick ls reveals flag2.txt:
{THM}ROOTED
There is still one more flag on the system, but where?
There is a user Jimmy on the machine that we did not have access to before, lets see what's in there:
cd /home/jimmy
And a quick ls reveals flag3.txt
{THM}JIMMYVALMER
After this, we have all the flags and the room is complete!
Thanks for reading my write-up and trying out my room!
-4SAK3N