Linux Privilege Escalation for Beginners

Why this Course?

• To gain a better understanding of privilege escalation techniques.

• To Improve Capture the Flag skill-set.

• To prepare for certification courses.

The goal is to learn how to enumerate Linux machines manually, and with automated tools so that we can discover how to elevate our privileges.

Initial Enumeration

System Enumeration

We want to find out the kernel version we are running on, whether its vulnerable to anything, and also the CPU architecture.

hostname

uname -a

cat /proc/version

cat /etc/issue

Sys enum

View CPU Architecture: lscpu

View services running (Task Manager in Windows):

ps aux

We can grep to filter for certain services e.g. cron, apache, etc. We can also filter services by the user running them.

ps aux | grep TCM

User Enumeration

We do this to find out:

• Who we are

• The permissions we have.

• What we are capable of doing.

Some commands to find out which user we are:

whoami

id

We can use the sudo command to find out which privileges we have.

sudo -l

By viewing the /etc/passwd file, we can discover other users of the machine.

/etc/passwd file

To view users only, we can use the command below:

cat /etc/passwd | cut -d : --f 1

It's also important to check if we can view the /etc/shadow and /etc/group files.

We can use the history command to have a look at the last few commands run. We might find something interesting e.g, passwords :)

History Command

Can we escalate into another user?

sudo su -

No we cannot :)

Network Enumeration

Helps us understand:

• What our IP architecture is.

• See what ports may be open internally but not externally.

• See what we are interacting with.

ifconfig

ip a

route

ip route

arp -a

ip neigh

netstat -ano

Password Hunting

grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null

Locate the word password in a file name

locate password | more

We can replace 'password' with 'pass', 'pwd', 'passwd', 'api', etc.

It's also a good idea t search for ssh keys.

find / -name id_rsa 2> /dev/null

or

find / -name authorized_keys 2> /dev/null

Exploring Automated Tools

• LinPEAS - Linux Privilege Escalation Awesome Script: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

• LinEnum: https://github.com/rebootuser/LinEnum

• Linux-Exploit-Suggester: https://github.com/mzet-/linux-exploit-suggester

• Linuxprivchecker.py: https://github.com/sleventyeleven/linuxprivchecker

Escalation Paths

Kernel Exploits

Kernel Exploits - https://github.com/lucyoa/kernel-exploits

Kernel Overview

The kernel is a computer program that controls everything in the system. It facilitates interactions between hardware and software components. It acts as a translator.

Let us use the dirtycow exploit to escalate our privileges.

Dirty Cow Exploit

We are now root.

Passwords & File Permissions

Escalation via Stored Passwords

We can use the history command to find out if any passwords were input in the terminal.

MySQL username and password

We can also view .bash_history using nano .bash_history.

.bash_history

We can use:

PayloadsAllTheThings/Methodology and Resources/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Escalation via Weak File Permissions

Do we have access to a file we "shouldn't"? Can we modify it? Can we execute it?

As a regular user, we should NOT have read access to the /etc/shadow file. Why? We can view the hashes and take them offline to attempt to crack them.

File Permissions

Assuming we had read write privileges, we could delete the 'x' placeholder for the root user in the /etc/passwd file file. This will remove the password for the root user and we could switch to them.

Alternatively, we could delete the root hash in the /etc/shadow file and replace it with a hash that we know its password. This would allow us to login with a password we set.

We could also change the group of our user in the /etc/passwd file to that of 0 (which is root).

Group ID

Escalation via SSH Keys

Use the commands in Payloads All the Things.

PayloadsAllTheThings/Methodology and Resources/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

SSH Private Key Discovered

find / -name authorized_keys 2> /dev/nullwhere public key is stored

find / -name id_rsa 2> /dev/nullwhere private key is stored

We can take the ssh private key and attempt to ssh to other machines in the network (make sure to make it executable on our attacking machine).

(On our kali machine), let us ssh to the same machine.

ssh -i id_rsa root@192.168.4.67

Sudo

Escalation via Sudo Shell Escaping

Let's type in sudo -l to find out which commands we can run as root, and figure out how to abuse them to escalate our privileges.

Commands that we can run as root

We will use the /usr/bin/vim command. Let us refer to GTFOBins below:

GTFOBinsgtfobins.github.io

The sudo command looks interesting.

Let's try it out.

Success

We are now root.

Let us attempt using the /usr/bin/awk command.

GTFOBins

Success

That one works as well.

Escalation via Intended Functionality

The /usr/bin/apache2 command is not available in GTFOBins. However, a quick google search reveals we can view system files using it.

Abusing SUDO (Linux Privilege Escalation) - Touhid's BlogTouhid's Blog

apache Command

Let us try it out

Password Hash

Sadly no shell. But we have managed to extract the root hash which we can attempt to crack offline.

The resource below highlights how you can use abuse the functionality of wget to read system files.

HomeVetSec

Just because GTFOBins does not have a solution does not mean there aren't creative ways of abusing system functionality to escalate our privileges.

Escalation via LD_PRELOAD

Let us create a nano file named shell.c and type out some code.

C Code

Let us compile it and run it using any of the commands we can run as root.

We are now root.

CVE-2019-14287

Find the exploit code below.

sudo 1.8.27 - Security BypassExploit Database

We will practice using a room in Try Hack Me known as Sudo Security Bypass.

Sudo Security BypassTryHackMe

After using ssh to login to the server, we run sudo -l to find out which commands we can run as root.

We cannot run bash as root.

Enter CVE-2019-14287 which affects sudo versions < 1.8.28. From the image below, we see that our sudo version is 1.8.21p2 so it is probably vulnerable to the exploit.

Let us exploit it to escalate our privileges.

sudo -u#-1 /bin/bash

We are root

And success! We are now root.

CVE-2019-18634

Find below the exploit code. This vulnerability affects versions of sudo earlier than 1.8.26.

GitHub - saleemrashid/sudo-cve-2019-18634: Proof of Concept for CVE-2019-18634GitHub

We will use the "Sudo Buffer Overflow" room in Try Hack Me to practise this exploit.

Sudo Buffer OverflowTryHackMe

It is helpful in situations where we cannot run 'sudo'.

After downloading the exploit code and compiling it, let us run it to escalate our privileges.

CVE-2019-18634

Success. We are now root.

Set Owner User ID (SUID)

We can use the command below to find files with SUID.

find / -perm -u=s -type f 2>/dev/null

Files with SUID

We can see the SUID in the files e.g.

SUID

We can then go to GTFOBins to search if there are any binaries we can use to bypass local security restrictions in misconfigured systems.

Other SUID Escalation

Escalation via Shared Object Injection

We are looking for somewhere that we can inject.

find / -type f -perm -04000 -ls 2>/dev/null

Something happens when we run the binary

We will use a tool called strace to figure out what the binary is doing.

strace /usr/local/bin/suid-so 2>&1

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

We will overwrite libcalc.so and put something malicious in it so that when the binary suid-so runs, we can elevate our privileges.

We have read-write access on /home/user.

Let us create our malicious code, and save it us libcalc.c

libcal.c

Now we just need to run /usr/local/bin/suid-so

And we are root!!!

Escalation via Binary Symlinks

This is a vulnerability on nginx. It has to do with the permissions of the logs created by Nginx. Because of how the permissions are set, attackers can escalate their privileges from a www-data user to root.

The exploit can be found below:

Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247legalhackers.com

Linux Exploit Suggester indicates that the box is vulnerable.

For the exploit to work, the SUID bit has to be set on sudo.

We will use a symlink to replace the log files with a malicious executable.

Once we execute the exploit, we get root.

For more details and clarification, refer to TCM's video on academy.tcm-sec.com

Escalation via Environmental Variables

Escalation via Environmental Variablesacademy.tcm-sec.com

Course Tips and Resources

• Linux Privilege Escalation Cheatsheet: https://github.com/Ignitetechnologies/Linux-Privilege-Escalation?s=08

• Linux-Privilege-Escalation-Resources: https://github.com/TCM-Course-Resources/Linux-Privilege-Escalation-Resources

• Basic Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

• Linux Privilege Escalation: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Linux - Privilege Escalation.md

• Checklist - Linux Privilege Escalation: https://book.hacktricks.xyz/linux-unix/linux-privilege-esanding of escalation-checklist

• Sushant 747's Guide (Country dependent - may need VPN: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

• Windows / Linux Local Privilege Escalation Workshop: https://github.com/sagishahar/lpeworkshop

• Linux Privesc (Try Hack Me): https://tryhackme.com/room/linuxprivesc

• GTFOBins: https://gtfobins.github.io/