Advent of Cyber day 20 | Cronjob Privilege Escalation | cron
CyberWorldSec
Day 20 of the TryHackMe advent challenge introduces us to cronjobs, but otherwise expects us to break into the machine by ourselves. As with Day 13, today we have no supporting materials. We’re going to start by enumerating the machine, then break into Sam’s account (as we already know the username), then we’ll start to look at the privilege escalation.
In this video, CyberWorldSec shows you how to solve the TryHackMe Advent of Cyber CTF.
Capture The Flags, or CTFs, are a kind of computer security competition. Teams of competitors (or just individuals) are pitted against each other in a test of computer security skill.
Disclaimer:
These materials are for educational and research purposes only.
These videos teach you cyber security, and all the practicals are conducted on safe-to-test labs provided by TryHackMe.
TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. We have content for both complete beginners and seasoned hackers, incorporating guides and challenges to cater for different learning styles. To know more go to https://tryhackme.com/about
We’ll begin by enumerating the machine with nmap, just as we normally would. We can infer from the first question a) that SSH is open, and b) that it’s going to be running on some unusual port, so let’s get nmap up and running:
sudo nmap -sV -p- -vv -oN output-file remote-ip
[Screenshot: nmap ports results]
Nice and simple, we have our SSH port, which is also the answer to question one.
Having said that, there are no other publicly visible services running on this machine, so our only option is to focus on the one service that is open — SSH.
It’s time to put hydra to work again:
hydra -l sam -P path-to-rockyou ssh://remote-machine-ip -s port-number
[Screenshot: Password Successfully Bruteforced]
Beautiful — creds to login over SSH. Let’s put ’em to good use!
Once we’re logged in as Sam it’s very easy to find the answer to question two: flag1.txt
Now for question three. Usually we would check our cronjobs with the crontab -l command, but if you try that you’ll find that we have no cronjobs open. We’re not root, so we can’t access any cronjobs running as other users. We could try using cat on the /etc/cron ... https://www.youtube.com/watch?v=_4xZKSHskpM