Linux Privilege escalation

[!TOPIC] Linux operating system hacking to gain more permision in the operating system.

[!NOTE]

WHERE TO START?

Prior to doing anything, you need to get an idea of what you are dealing with.

• Kernel information

1

uname -a 2>/dev/null

• Process information

1

cat /proc/cpuinfo 2>/dev/null

• The os version

1

cat /etc/*-release 2>/dev/nul

• Linux capabilities

1

getcap -r / 2>/dev/null

• Logged in Users and what they are doing

1
2

whom
w

• List current process

1

ps au

• Find writable directory

1
2
3
4
5

find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

or

find / -writable -type f 2>/dev/null | grep -v "/proc/"

vulnerabilities that can led to Linux Privilege Escalation!_

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

-   Kernel exploits
-   Programs running as root
-   Installed software
-   Weak/reused/plaintext passwords
-   Inside service
-   Suid misconfiguration
-   Abusing sudo-rights
-   World writable scripts invoked by root
-   Bad path configuration
-   Cronjobs
-   Unmounted filesystems
-    Vulnerable Services
-    Cron Job Abuse
-    Special Permissions
-    Sudo Rights Abuse
-    Path Abuse
-    Wildcard Abuse
-    Credential Hunting
-    Shared Libraries
-    Shared Object Hijacking
-    Privileged Groups
-    Miscellaneous Techniques
-    Linux Hardening
-    Linux Local Privilege Escalation - Skills Assessment

My reference

1. Kernel Exploits

Targets linux kernel to execute malicios codes in the target system with an eleveted privileges. This is because kernel is running with higher privileges in the linux operating system.

[!Work Flow]

1. Trick the kernel to run our payload in kkernel mode
2. Manipulate kernel data, process privileges
3. Launch a shell with new privileges Get root!

[!PREVENTION]

1. Making sure kernel are patched
2. Making sure remove if not neccessary file transfer programs, like FTP,SCP,TFTP, curl,wget. Or should be run under limited privileges to some users

[!EXAMPLE] The infamous DirtyCow exploit — Linux Kernel <= 3.19.0–73.8

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.

[!CAUTION]

Why you should avoid running any local privilege escalation exploit at first place?

Though, it feels very tempting to just run an exploit and get root access, but you should always keep this as your last option.

1. The remote host might crash as many of the root exploits publicly available are not very stable.
2. You might get root and then crash the box.
3. The exploit might leave traces/logs that can get you caught.

2. Exploiting services which are running as root

[!example] Exploiting any service which is running as root will give you Root!

The famous EternalBlue and SambaCry exploit, exploited smb service which generally runs as root.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA).[6] It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability

Check services that adminis run as root.

Running service have a greate security risk. Example.

1. Web servers
2. mail servers
3. database servers

It shows you all the ports open and are listening.

1

netstat -antup

[!example] Exploiting a vulnerable version of MySQL which is running as root to get root access

MySQL UDF Dynamic Library exploit lets you execute arbitrary commands from the mysql shell. If mysql is running with root privileges, the commands will be executed as root.

It shows us the services which are running as root

1

 ps -aux | grep root

Other example

1
2

select sys_exec('whoami');
select sys_eval('whoami');

[!NOTE] One of the biggest mistake web admins do, is to run a webserver with root privilege. A command injection vulnerability on the web application can lead an attacker to root shell. This is a classic example of why you should never run any service as root unless really require

3. Exploiting SUID Executables

SUID means Set User ID, A feature that allows programs to run with root privileges in the system.

1

-rwsr-xr-x–

The s Means SUID bit, the file can be run with root permision.

[!NOTE] SUID bit should not be set especially on any file editor as an attacker can overwrite any files present on the

Finding executables with a SUID bit set

1
2
3
4
5
6
7
8
9
10
11

# Find SUID
find / -perm -u=s -type f 2>/dev/null
# or 
# Find files run by root
find / -user root -perm -u=s -type f 2>/dev/null

# Find GUID
find / -perm -g=s -type f 2>/dev/null
# Find system writable files

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

5. Exploiting badly configured cron jobs

[!EXAMPLE] Cron jobs, if not configured properly can be exploited to get root privilege.

1. Any script or binaries in cron jobs which are writable?
2. Can we write over the cron file itself.
3. Is cron.d directory writable?

Looking for cronjobs

1
2
3
4
5
6
7
8
9
10
11
12

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

6. World writable scripts invoked as root

If you can find word writable files by root you can add your own malicious code in that script that when root run it, It will escalate privileges to root.

1
2
3
4
5
6
7
8
9
10
11

# World writable files directories

find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null