# Common Linux Privesc ![](/files/-Mcp-1n2prvs1SujpaCo) ## Understanding Privilege Escalation ![](/files/-Mcp-L438_OS3U4xE7oh) ## Direction of Privilege Escalation ![](/files/-Mcp-_CKFNCVpnOIxN33) ## Enumeration ![](/files/-Mcp-sjHrsCv3CdeKQ-w) ![](/files/-Mcp-wBTxhcl7ZF6iYd4) ![](/files/-Mcp04xCb8EKJaSnvuJT) Lets login as user3 as they have told us. ![](/files/-Mcp0oD5Ye-4jfvKx7wA) The hostname is polobox ![](/files/-Mcp0vRzdjH_pzVdemPg) Lets look at the /etc/passwd file ![](/files/-Mcp19GRUp2u4dwps7M4) ![](/files/-Mcp1D5zIF2FE4dgNif6) Lets look at how many shells there are on the machine ![](/files/-Mcp1cCOkWvCtJjcBOOT) ![](/files/-Mcp1fqMHvBcCKuuybSj) Lets look at the cronjobs ![](/files/-Mcp1og6nwok2v4yUtkG) ![](/files/-Mcp1vhEvrEzj_9pq_eX) The critical file that had its permissions changed is /etc/passwd ![](/files/-Mcp2QJsPmrQ28-AYS-y) ![](/files/-Mcp2TiE4vTDpLq0NB6z) ## Abusing SUID/GUID Files ![](/files/-Mcp2m3UClj6fAz6XEHn) ![](/files/-Mcp2p3O8bNO1xegY5Bn) Lets look for SUID files. ![](/files/-Mcp37rc5RmgAyiaiixE) ![](/files/-Mcp3PJdPO_hB4nQqd2x) Lets run the file ![](/files/-Mcp3KluB--NboHKK3l1) ## Exploiting Writeable /etc/passwd ![](/files/-Mcp3aKojUKySlr11fzT) ![](/files/-Mcp3dGZWul80YMADlHr) First lets switch users and create the hashed password ![](/files/-Mcp6N6z4V8m_QnXaVSx) ![](/files/-Mcp6SwK6TpznGCQTro9) Now lets edit the file and add the password ![](/files/-Mcp6gz4rcGftH2JeHTm) ![](/files/-Mcp6nq2Vcb6eZQUkSvs) Lets save the file and then login. ![](/files/-Mcp6ttvwqNnmeaAsjjs) ## Escaping Vi Editor ![](/files/-Mcp76kU0pMVwhhnGyRt) Lets follow the steps ![](/files/-Mcp7IjA3LuODY6R684P) ![](/files/-Mcp7Q4l8z-ZBjQADHG4) ![](/files/-Mcp7dQIhNqNTGXWCO4d) ## Exploiting Crontab ![](/files/-Mcp7kRtueYrxuA_GcJv) ![](/files/-Mcp7uB9OafOTAiHr6iQ) Lets follow the steps First we create the msfvenom payload on our machine ![](/files/-Mcp8g_65rjtnN_Dkn66) ![](/files/-Mcp8sN8cF0TWnr_S7tf) Now lets find where the autoscript.sh file is located ![](/files/-Mcp8w2jp-02byKARitt) ![](/files/-Mcp944UwTeed4PDPwXk) Lets echo the shell into the file and start a netcat listener ![](/files/-Mcp9PKNogjiRwSLr0nl) ![](/files/-Mcp9Rx987T8EGjvg_1r) After a while you should get a reverse shell ## Exploiting PATH variable ![](/files/-Mcp9zHWliTAsAKYMWAR) Lets follow the steps ![](/files/-McpFUrFpRHk1MG-nRJE) ![](/files/-McpG3FGcC0Q-4zoRUJy) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/walkthroughs-easy/common-linux-privesc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.