Linux Privilege Escalation

Written By 5h3r10ck

Synopsis: Below are my notes from the Linux Privilege Escalation for OSCP & Beyond course by Tib3rius along with any other reference material I come across. These notes are meant to be my reference for privilege escalation and if they help others out that’s great. If you find this interesting I highly suggest taking the class referenced above as they are excellent and were very informative. This will be a living document and will change as I come across new information.

  • Privilege Escalation Techniques

    • Kernel Exploits

      • Command to find the kernel “uname -a

      • Finding exploits can be found with google, exploitdb, and github

        • The command “searchsploit <kernel>“ which is native to kali can be used to locate an exploit

        • The tool Linux Exploit Suggester 2 can also be used to locate exploits based on the kernel

        • A great list of kernel exploits can be found here.

    • Service Exploits

      • Finding exploits can be found with google, exploitdb, and github

      • Enumerating program versions

        • This can generally be accomplished with the “<program> —version“ or “<program> -v“ command.

        • Debian uses a slightly different command “dpkg -l | grep <program>“

        • Systems that use rpm can use the “rpm -qa | grep <program>“ command

    • Weak File Permissions

      • User passwords are stored in the /etc/shadow file which generally only accessible by root

        • If you can write to this file you can change passwords by replacing the hash with one of you own

        • Another option is to crack the hash

      • Another place password hashs can be kept is /etc/passwd

        • If the second field of a user row in /etc/passwd contains a hash it takes precedent over /etc/shadow

        • If we can write to /etc/passwd adding a known password hash for the root user is an option

        • If we can only append to the file we can create a new user but assign them the root user ID (0)

        • The root account in /etc/passwd is structured like this “root:x:0:0:root:/root:/bin/bash“

          • the x in the second field instructs Linux to look for the password in /etc/shadow

          • In some versions of Linux you can simply delete the “x“ which Linux interprets as the user having no password “root::0:0:root:/root:/bin/bashsud“

      • In the /.ssh directory ssh private keys can be stored. If a privileged user has a private key it can be used to ssh into the machine effectively elevating privileges.

    • Sudo

      • It’s always worth seeing the low-privileged user account can use sudo. Use “sudo su“ to find out if this is possible.

        • If su isn’t allowed some alternatives are “sudo -s“, “sudo -i“, “sudo /bin/bash“, and “sudo passwd

      • Shell Escape Sequence

        • If we are restricted to running certain programs via sudo it is sometimes possible to escape the program and spawn a shell.

        • Enumerating what sequences are vulnerable can be found by running Linux smart enumeration script “./lse.sh -i | more“ or by using the command “sudo -l

        • A list of all programs with their shell escape sequences can be found at https://gtfobins.github.io/

        • If no known shell escape sequences exist for a program we can abuse it to read files we wouldn’t otherwise be able to read. When the program runs into an error it will print the first line it doesnt understand. We can read /etc/shadow or /etc/passwd with the “sudo <program> -f /etc/shadow“ command in this way.

    • Cron Jobs

      • File permissions, misconfiguration of file permissions associated with cron jobs can lead to easy privilege, escalation if we can right to a program or script which gets run as part of the current job. We can replace it with our own code.

        • Cron jobs run with the security level of the user who owns them

        • By default they are run with the /bin/sh shell

        • User crontabs are located in /var/spool/cron/ or /var/spool/cron/crontabs/

        • System crontabs are run from /etc/crontab

      • Wildcards when a wildcard character, usually an asterisk, is provided to a command as part of an argument. The show will first perform file name expansion, also known as clubbing on the wildcard. This process replaces the wild card with a space separated list of the file and directory names. In the current directory, an easy way to see this in action is to run the following command from your home directory.

    • SUID / SGUID Executables

      • SUID files get executed with the privileges of the file owner while

      • GUID files get executed with the privileges of the file group,

      • If the file is owned by ROOT, it gets executed with root privileges.

      • The linux smart enumeration script or the find command can be used to locate files with SUID GUID bits set:

        • find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

      • Shared Object Injection

        • When a program is executed, it will try to load these shared objects it requires. By using a program called Strait's, we can track these system calls and determine whether any shared objects were not found. If we can write to the location the program tries to open, we can create a shared object and spawn a root shell when it is loaded.

      • Path Environment Variable

        • The Path Environment Variable contains a list of directories where the shell should try to find programs. If a program tries to executing another program but only specifies the program name rather than its full absolute path, the shell will search the path directories until it is found. Since a user has full control over their path variable, we can tell the shell to first look for programs in a directory we can write to.

    • Passwords and Keys

      • Config Files

        • Sometimes services and programs store passwords they need to authenticate to something in a config file. On the off chance, these passwords are reused by privileged users it is worth checking user’s home directories (/root for root and /home/<user> for each individual user).

      • History Files

        • In the user’s home directory (/root for root and /home/<user> for each individual user) a history of commands is kept. Password can sometimes be revealed in these files.

      • SSH Keys

        • In the /.ssh directory ssh private keys can be stored. If a privileged user has a private key it can be used to ssh into the machine effectively elevating privileges.

    • NFS

      • NFS (Network File Share) a popular distributed file system. NFS shares are configured in these slash /etc/exports file. Remote users can mount shares, access, create and modify files by default, created files, inherits the remote users I.D. and group I.D. as owner and group, respectively, even if they don't exist on the NFS server.

      • The classic attack is to create a payload with msfvenom (example: msfvenom -p linux/x86/exec CMD=”/bin/bash -p” -f elf -o /<share>/shell.elf) as root and upload it to the NFS share and execute it on the host effectively giving yourself root.

        • To show the NFS servers export list on a remote host: showmount -e <target>

        • To mount an NFS share on a remote host: mount -o rw,vers=2 <target>:<share> <local_disrectory>

        • To show the NFS servers export list with Nmap: nmap -sV -script=nfs-showmount <target>

  • Resources

    • https://www.udemy.com/course/linux-privilege-escalation/

    • https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

    • https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

    • https://www.hackingdream.net/2020/03/linux-privilege-escalation-cheatsheet-for-oscp.html

    • https://cehvietnam.com/2021/03/05/privilege-escalation-cheatsheet-vulnhub/

    • https://johnjhacking.com/blog/linux-privilege-escalation-quick-and-dirty/

    • https://gtfobins.github.io/

5h3r10ck
Previous

Hack The Box: Traverxec
Next

Hack The Box: Devel