Capstone Challenge

TryHackMe Capstone Challenge writeup by Thamizhiniyan C S

Overview

Greetings everyone,

This write-up is a walk-through of the Capstone Challenge, which is the final task of the TryHackMe room Linux Privilege Escalation.

Machine link: Linux Privilege Escalation

Difficulty Level: Easy

Let's Begin 🙌

Firstly, connect to the THM server using the OpenVPN configuration file generated by THM. Click Here to learn more about how to connect to VPN and access the boxes.

Once connected to the VPN service, click on "Start Machine" to access the machine's IP.

Upon joining the machine, you will be able to view the IP address of the target machine.


First, start the machine and log in via SSH with the given credentials.

Username: leonard

Password: Penny123

Command: ssh leonard@<Target_IP>

Now I started to look out for the privilege escalation vectors.

I was looking out for files with SUID permissions with the following command:

find / -type f -perm -04000 2>/dev/null

and found that the /usr/bin/base64 file has SUID permission.

So I checked https://gtfobins.github.io/gtfobins/base64/, looking out for SUID privesc and got the following:

I tried the first command, sudo install -m =xs $(which base64), but it didn't work.

Next I tried the following command:

base64 /etc/shadow | base64 --decode

And got the contents of the /etc/shadow file.

Now I tried to crack the password hash of the user missy using John the Ripper. I copied the hash and put it in a hash.txt file.

Now I used john to crack the hash.

Command: john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/hash.txt

And we got the password for the user missy. Now, using the credentials, log in as the user missy using the following command: su missy

Now we have logged in as the user missy. Next, I searched for the flag1.txt file using the find command: find / -name flag1.txt 2>/dev/null

and found the flag at /home/missy/Documents/flag1.txt.

Next we have to find the root flag. Again I started looking out for privilege escalation vectors.

I checked the commands that the user missy can run with root privileges using the following command: sudo -l

And found that the user missy can run the find command with root privileges. So, again looking for ways to escalate privilege at https://gtfobins.github.io/gtfobins/find/, I found the following:

I tried the above command and got a shell with root privilege.

This time I used the find command to search the flag2.txt file.

Command: find / -name flag2.txt 2>/dev/null

And found the file at /home/rootflag/flag2.txt

And finally we got the root flag.
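Seen from the defender's side, both footholds used above (the SUID bit on base64 and the sudo rule for find) are things a routine audit can flag. The script below is an added example, not part of the original write-up; the watchlist, the function names and the sample input lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added audit sketch: flags the two misconfigurations used in this write-up,
# a SUID bit on base64 and a sudo rule for find.
# WATCHLIST is an assumption: it holds only the two binaries named on this page.
WATCHLIST="base64 find"

in_watchlist() {
    for w in $WATCHLIST; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# stdin: SUID file paths, one per line (output of the find -perm command).
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if in_watchlist "$(basename "$path")"; then printf 'SUID %s\n' "$path"; fi
    done
    return 0
}

# stdin: `sudo -l` output. Rule lines start with "(runas)"; tags such as
# NOPASSWD: are stripped and comma-separated commands are checked one by one.
flag_sudo() {
    grep -E '^[[:space:]]*\(' \
      | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^([A-Z_]+:[[:space:]]*)+//' \
      | tr ',' '\n' \
      | while read -r cmd _args; do
            [ -n "$cmd" ] || continue
            if in_watchlist "$(basename "$cmd")"; then printf 'SUDO %s\n' "$cmd"; fi
        done
    return 0
}

# Constructed sample input (not captured from the lab machine).
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/base64
/usr/bin/su'
SAMPLE_SUDO='User missy may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find'

printf '%s\n' "$SAMPLE_SUID" | flag_suid
printf '%s\n' "$SAMPLE_SUDO" | flag_sudo
```

On a real host, pipe the output of the SUID find command and of sudo -l for each account into these functions, and remove the SUID bit or the sudoers entry for anything flagged that has no documented need.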

Thank you. See you guys with another awesome writeup.
