Linux Privilege Escalation
Basic Manual Enumeration
See what is listening internally
OS, Kernel & Hostname
To remove DoS exploits by adding -exclude=”/dos/”
Binaries Owned by the root user
Always run with
-p
so it preserves permissions for the root user!!!!
Something Weird
Check to see if youre in a docker container with
No hashes in
/etc/shadow
is another pretty good indicator
Database files
Make sure to look for any passwords for the root user in .php files in web root!
Quick SUID
The following command can be used to find all SUID programs on a given system:
Find files that the users group can edit
In the above example users is the name of the group he is in.
Sudo -l
If you have the password, on of the first checks should be
If there is an entry like:
Means you can
sudo /usr/bin/perl /home/itguy/backup.pl
with no passwordHowever you cannot
sudo perl /home/itguy/backup.pl
with no passwordNeed to use the absolute paths if they are specified that way!!!
Taking advantage of SUID files
Some administrators will set the SUID bit manually to allow certain programs to be run as them.
Lets say you're a system administrator and a non-privileged user wants to program that requires it to be run with higher privileges.
They can set the SUID bit, then the non-privileged user can execute the program without having any extra account permissions set.
See who a command is running as:
Custom Binarys
Cross reference a list of standard binaries on a linux system with the ones you see, admins will add their own sometimes
File Systems
Use the following command to check for unmounted file systems
World Writeable
Files on the system with permissions that can be modifiled by any user on the system
World writable directories for root
World writable files
Weak File Permissions
Readable shadow
A users password hash (if they have one) can be found between the first and second (:) of each line.
Save the root user's hash to a file called hash.txt on your kali machine and use john to crack it.
Switch to the root user
Unshadow method
Transfer both back to attack box
Writeable shadow
Generate a new password hash
Edit /etc/shadow and replace origional root user's password hash with the one that you just created
Switch to the root user
Writable passwd
The /etc/passwd file contained user password hashes, and some versions of Linux still allow password hashes to be stored there
The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user.
Generate a new password hash with a password of your choice:
Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").
Switch to the root user, using the new password:
Alternatively, copy the root user's row and append it to the bottom of the file, changing the first instance of the word "root" to "newroot" and placing the generated password hash between the first and second colon (replacing the "x").
Now switch to the newroot user, using the new password:
Passwords and Keys
History Files
If a user accidentally types their password on the command line instead of into a password prompt, it may get recorded in a history file.
View the contents of all the hidden history files in the user's home directory:
Note that the user has tried to connect to a MySQL server at some point, using the "root" username and a password submitted via the command line.
Note that there is no space between the -p option and the password!
Config Files
Config files often contain passwords in plaintext or other reversible formats.
List the contents of the user's home directory:
Note the presence of a myvpn.ovpn config file. View the contents of the file:
The file should contain a reference to another location where the root user's credentials can be found. Switch to the root user, using the credentials:
SSH Keys
Sometimes users make backups of important files but fail to secure them with the correct permissions.
Look for hidden files & directories in the system root:
Old sudo version
CVE-2019-14287
Looking for the
(ALL, !root) NOPASSWD:
, and Sudo (versions < 1.8.28). Easy priv esc.
Sudo-Shell escape Sequences
List the programs which sudo allows your user to run:
Visit GTFOBins (https://gtfobins.github.io) and search for some of the program names. If the program is listed with "sudo" as a function, you can use it to elevate privileges, usually via an escape sequence.
Zip
npm
journalctl
iftop
find
nano
vim
Method 2
vi
man
awk
less
FTP
nmap
Method 1
Method 2
Method 3
more
Apache2
Copy hash to attacker box and crack with john
Sudo -l LD_PRELOAD
Sudo can be configured to inherit certain environment variables from the user's environment.
Check which environment variables are inherited (look for the env_keep+=LD_PRELOAD options):
Output you're looking for
LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user's environment.
LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.
Create a shared object using the code located at /home/user/tools/sudo/preload.c:
preload.c code in another file in this repo:
Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:
A root shell should spawn.
Run ldd against the apache2 program file to see which shared libraries are used by the program:
Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:
Run apache2 using sudo, while settings the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):
A root shell should spawn.
Errors: Try renaming /tmp/libcrypt.so.1 to the name of another library used by apache2 and re-run apache2 using sudo again.
Did it work? If not, try to figure out why not, and how the library_path.c code could be changed to make it work.
Sudo -l LD_PRELOAD Method 2
In command prompt type: sudo -l
From the output, notice that the LD_PRELOAD environment variable is intact.
Exploitation
Open a text editor and type:
Save the file as x.c
In command prompt type:
In command prompt type:
In command prompt type:
id
Sudo -l Service Takeover
We have write access to
vulnnet-auto.timer
andvulnnet.job.service
which are custom services on the hostFirst we modify the
OnCalandar=*:0/30
line toOnCalandar=*0/1
to make it run every minute versus every 30 minutesCan see that the system executes the
/bin/df
commandWe can modify this to spawn a reverse shell via our script
Can also call a reverse shell on the box
We then use our
sudo -l
privlages to restart the service
SUID SYMLINKS CVE-2016-1247
Detection
Looking for installed nginx version is below 1.6.2-5+deb8u3
Required you to be the www-data user!
Run:
System will wait for logrotate to execute, become root user
Cron Jobs File permissions
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals.
Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at
/etc/crontab
.View the contents of the system-wide crontab:
There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.
Locate the full path of the overwrite.sh file:
Note that the file is world-writable:
Replace the contents of the overwrite.sh file with the following after changing the IP address to that of your Kali box.
Set up a netcat listener on your Kali box on port 4444 and wait for the cron job to run. A root shell should connect back to your netcat listener.
Cron Jobs File permissions Method 2
Wait the defined period of time
Cron Jobs Path Environment Variable
View the contents of the system-wide crontab:
Note that the PATH variable starts with /home/user which is our user's home directory.
Create a file called overwrite.sh in your home directory with the following contents:
Make sure that the file is executable:
Wait for the cron job to run. Run the
/tmp/rootbash
command with-p
to gain a shell running with root privileges:
CronJobs - Wildcards
View the contents of the other cron job script:
Note that the tar command is being run with a wildcard (*) in your home directory.
Take a look at the GTFOBins page for tar. Note that tar has command line options that let you run other commands as part of a checkpoint feature.
Use msfvenom on your Kali box to generate a reverse shell ELF binary. Update the LHOST IP address accordingly:
Transfer the shell.elf file to /home/user/ on the Debian VM.
Create these two files in /home/user:
When the tar command in the cron job runs, the wildcard (*) will expand to include these files.
Since their filenames are valid tar command line options, tar will recognize them as such and treat them as command line options rather than filenames.
Set up a netcat listener on your Kali box on port 4444 and wait for the cron job to run. A root shell should connect back to your netcat listener.
CronJobs - Wildcards No msfvenom
Wait the 1 minute or time defined by cron settings
Once the cronjob hits run:
SUID and SGID Executables --GTFO Bins
Find all the SUID/SGID executables on the Debian VM:
Note that /usr/sbin/exim-4.84-3 appears in the results. Exploit is in this repo.
Exploit-DB, Google, and GitHub are good places to search!
Check GTFO Bins and Google for SUID/SGID!!!
SUID-Shared Object Injection
Detection
Make note of all the SUID binaries
The /usr/local/bin/suid-so SUID executable is vulnerable to shared object injection.
First, execute the file and note that currently it displays a progress bar before exiting:
Run strace on the file and search the output for open/access calls and for "no such file" errors:
Output Looking for
Note that the executable tries to load the /home/user/.config/libcalc.so shared object within our home directory, but it cannot be found.
Create the .config directory for the
libcalc.so
file:
Example shared object code can be found at
/home/user/tools/suid/libcalc.c
. It simply spawns a Bash shell. Compile the code into a shared object at the location the suid-so executable was looking for it:
Execute the suid-so executable again, and note that this time, instead of a progress bar, we get a root shell.
It will be an euid=0 not a uid=0!!!
SUID and SGID Environment Variables
Detection
The /usr/local/bin/suid-env executable can be exploited due to it inheriting the user's PATH environment variable and attempting to execute programs without specifying an absolute path.
First, execute the file and note that it seems to be trying to start the apache2 webserver:
Run strings on the file to look for strings of printable characters:
One line
service apache2 start
suggests that the service executable is being called to start the webserver, however the full path of the executable/usr/sbin/service
is not being used.
Compile the code
service.c
into an executable called service. This code simply spawns a Bash shell:
Prepend the current directory (or where the new service executable is located) to the PATH variable, and run the suid-env executable to gain a root shell:
Rin the executable with an absolute path
SUID and SGID Executables-Abusing Shell Features 1
Detection
Make note of all the SUID binaries
The
/usr/local/bin/suid-env2
executable is identical to/usr/local/bin/suid-env
except that it uses the absolute path of the service executable/usr/sbin/service
to start the apache2 webserver. Verify this with strings:
In Bash versions <4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.
Verify the version of Bash installed on the Debian VM is less than 4.2-048:
Create a Bash function with the name /usr/sbin/service
that executes a new Bash shell (using -p so permissions are preserved) and export the function:
Run the suid-env2 executable to gain a root shell:
SUID and SGID Executables-Abusing Shell Features 2
Note: This will not work on Bash versions 4.4 and above.
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.
Run the
/usr/local/bin/suid-env2
executable with bash debugging enabled and the PS4 variable set to an embedded command which creates an SUID version of/bin/bash
:
Run the /tmp/rootbash
executable with -p to gain a shell running with root privileges:
OR One liner
NFS
Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.
Check the NFS share configuration:
Note that the /tmp share has root squashing disabled.
On your Kali box, switch to your root user if you are not already running as root:
Using Kali's root user, create a mount point on your Kali box and mount the /tmp share (update the IP accordingly):
Alternative command
Still using Kali's root user, generate a payload using msfvenom and save it to the mounted share (this payload simply calls /bin/bash):
Still using Kali's root user, make the file executable and set the SUID permission:
Back on the Debian VM, as the low privileged user account, execute the file to gain a root shell:
NFS Method 2
NFS Errors
When we try to mount with the alternative command above, we fail to get any response and connection times out.
To double check use the command:
Means there is a share on the host but only reachable on the remote machine locally.
Can forward the port on our machine to the target machine
Need to check the ports on the target with:
Confirms nfs is running on 2049 the default port
Now port forward:
When a shell on the remote machine authenticates we are successful
Now create the mount with elevated permissions
Now to get to root
On your attackbox run
Now on the target box as your non elevated user
Service Exploits
https://www.exploit-db.com/exploits/1518
The mysql service is running as root and the 'root' user for the service does not have a password assigned or the password is known.
This exploit takes advantage of the User Defined Functions (UFDs) to run system commands as root via the mysql service.
Change into the
/home/user/tools/mysql-udf
directory.
Compile the raptor_udf2.c exploit code using the following
Connect to the mysql service as the root user with a blank or known password.
Execute the following commands on the mysql shell to create a udf "do_system" using the compiled exploit
Use the function to copy /bin/bash to /tmp/rootbash and set the SUID permission
Exit out of the mysql shell
Run /tmp/rootbash with -p to gain a root shell
/tmp/rootbash -p
Docker Linux Local PE
Check to see if the user is in the docker group
Check to see if docker is installed and working correctly
-v
specifies a volume to mount, in this case the /root directory on the house was mounted to the /mnt directory on the container. Because docker has SUID we were able to mount a root owned directory in our container
Roots the host with docker because we used chroot on the /mnt directory. This allowed us to use the host operating system.
Optional: Run an ubuntu container with docker
lxd Group Priv Esc
The best example of how to do this
https://0xdf.gitlab.io/2020/11/07/htb-tabby.html
Exploit without internet connection
Change to the root user on attack box
Install Requirements on your attack box
Clone the repo (attack box)
Make distrobuilder (attack box)
Prepare the creation of Alpine (attack box)
Create the container (attack box)
-If that fails, run it adding -o image.release=3.8
at the end
Upload
lxd.tar.xz
androotfs.squashfs
to the vulnerable serverAdd the image on the vulnerable server
Second command is only if you want to confim the imported image is present
Create a container and add the root path
Execute the container
/mnt/root
is where the file system is mounted.
Errors-on the vulnerable server
If you recieve an
Failed container creation: No storage pool found. Please create a new storage pool.
You need to initialize lxd before using it
Read the options and use the defaults
Capabilities
Search your whole file-system recursively with the following command:
Python
Looking for:
Escalate Privlages
Perl
Check for Perl:
Looking for:
Escalate
Tar
Check for tar:
Looking For:
Tar the shadow:
Untar to review:
Python Library Hijacking
From
sudo -l
output we seeSETENV
(means we can set the env variables when it is run as root) in addition to the python script that can be run as rootWe see the
import hashlib
statement at the top, can hijack the libraryPython will look in the current directory or a specified path that we list due to the
SETENV
permission.The paths that come configured out of the box on Ubuntu 16.04, in order of priority, are:
Directory of the script being executed
For other distributions, run the command below to get an ordered list of directories:
Can also use
locate hashlib.py
to figure out where the library is being executed fromOnce the libary is located
Copy the
hashlib.py
file to/tmp or /dev/shm
Can either try adding a python reverse shell to the file or:
To conduct the priv esc now run:
Manual Polkit Priv Esc Checks
POC:
Target needs to have
accountservice
andgnome-control-center
installed
Must have
polkit
version 0.113 or later OR0-105-26
(Debian fork ofpolkit
Works with
Ubuntu 20.04
andCentos 8
,RHEL 8
,Fedora 21
,Debian Bullseye
Usually need to run the POC multiple times
For exploitation dispite checks saying not vulnerable:
./polkit.sh -f=y
If run with no options, user
secnigma
will be added to/etc/passwd
and the password for that user issecnigmaftw
To get your root shell
su - secnigma
Enter password
sudo bash
Profit
Universal RCE deserialization gadget chain for Ruby 2.x.
This works for both
YAML.load
andMarshal.load
See Ruby script using this syntax on a seperate local file that you cannot write to however if the first script is executing through cron or
sudo -l
permissions you can create another file with the same name that the origional is calling i.e.dependencies.yml
Payload:
MOTD Hijacking
Detection:
Can see root processes like cron jobs without root permissions with
pspy
look for the
motd
to be owned by root but set to a group that we are in, can echo:
now log out and re-ssh in to kick it off and then execute bash with
bash -p
Last updated