4.4 Linux Privilege Escalation

Linux Privilege Escalation

While the web vulnerabilities are typically always the same, when it comes to privilege escalation, it’s hard to make a complete list of all the possible ways in which one can elevate its privileges. It all depends on the specific configuration of the remote machine. Having said that, there are still common attacks that deserve to be studied. Some (not all) of these tehcniques are listed below:

• Kernel exploitation

• PATH exploitation

• SUID binaries exploitations (https://gtfobins.github.io/)

• Weak file permissions

• cronjob enumeration (https://github.com/DominicBreuker/pspy)

• sudo -l exploitation

• wildcard expansion

Tools

As we have seen, there are tools that help us in this process:

LinEnum

Privesc vulnerabilities can be identified automatically using the LinEnum tool.

• The below labs will focus on manual Linux Privilege Escalation techniques, instead

• Linux file Permissions are important

🔬 Check

• ​Linux Privesc Labs​

• ​Linux Post Exploitation - Metasploit

The following command will look for files (and not symlinks etc) which is world writable.

find / -not -type l -perm -o+w
find / -user root -perm -4000 -exec ls -ldb {} \; #or this

if we don't find nothing of anomaly, we can try to find misconfigured sudo. Check the current sudo capabilities.

sudo -l
(root) NOPASSWD: /usr/bin/man #user has root permissions for man app

The man entry depicts that the man command can be run using sudo without providing any password. Run it and launch /bin/bash from it.

sudo man ls
!/bin/bash

After this, escalated to root user is successful.

if file /etc/shadow is world writable, we can read its contents.

ls -l /etc/shadow
cat /etc/shadow

If root password isn't set. We can adding a known password in shadow file, one can escalate to root. Use openssl to generate a password entry.

openssl passwd -1 -salt abc password #setting new psw

LinPeas

LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.xyz

PEASS-ng/linPEAS at master · carlospolop/PEASS-ngGitHub

Bashark

It's another automatic tool to do identify vulnerabilities in Linux.

https://github.com/redcode-labs/Bashark/blob/master/bashark.sh

Linux Exploit Suggester

In addition to the last tool, Linux Exploit Suggester help us to suggest potential exploits.

​Of course we need to launch it on victim machine downloading it or transferring there (E.g. using a python SimpleHTTPServer)

GitHub - The-Z-Labs/linux-exploit-suggester: Linux privilege escalation auditing toolGitHub

linux-exploit-suggester | Kali Linux ToolsKali Linux

Linux Persistence

❗ Persistence techniques and methods usually require administrative access and must follow the rules of engagement agree with the customer.

Persistence Techniques - MITRE ATT&CK

Linux Server SSH service is typically enabled and an attacker can take advantage of it.

• If password login is disabled and key-based authentication is enabled, the attacker can copy a user's SSH private key and use it for future access.

Linux Cron is a service that repeatedly runs Cron jobs that can be used for command execution at a fixed interval and ensure persistent access to the target system.

🔬 Check the Linux Persistence Labs​

Dumping & Cracking Hashes

📝 Check the already covered Credential Dumping theory here:

• ​Windows Credential Dumping​

• ​Linux Credential Dumping​

After the dumping process, hashes can be cracked using:

• ​John The Ripper - Cheatsheet​
• ​Hashcat - Cheatsheet

The best thing to do in privilege escalation optical is migration of lsass process, because at difference between explorer.exe, it permits to upgrade sessions at 64 bit and access to lsass process cache.

After migration to lsass process, we can use utility as hashdump.

It will display a dump list of accounts and their hashes (usually NTLM hashes).

Of course, we can store it a file hashes.txt.

We can also load kiwi module, that's a module implementation of Mimikats for Meterpreter.

Now, using tools how John The Ripper, we can crack NTLM Hashes.

john --list=formats | grep NT
john --format=NT hashes.txt If we don't specify word list, John will use default word list, but we can use custom word list as rockyou.
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

​In alternative we can use hashcat.

hashcat --elp
hashcat -a 3 -m 1000 hashes.txt --wordlist /usr/share/wordlists/rockyou.txt #-a 3 (attack-mode brute-force), -m 1000 (NTLM)

When we gaining credentials, we can use psex python script, msf module or RDP (default port 3389) by xfreerdp.

xfreerdp /u:user /p:psw /v:IP

It's a very good method to access and maintaining legitimate persistence.

🔬 Check the Cracking Hashes Labs here​

​Pivoting​

🗒️ Pivoting is a post exploitation technique of using a compromised host, a foothold / plant, to attack other systems on its private internal network.

• Once gained access to the first target host, a forwarded port can be used to exploit other hosts on a private network unreachable from the attacker machine.

🗒️ Port Forwarding consists of rerouting/redirecting traffic from a target system's particular port to an attacker system's specific port.

• The service will be remotely available to the attacker system

🔬 Check the Pivoting Lab here​

Clearing Tracks

According to the rules of engagement, the pentester may be required to clear any changes that have been made to the target systems as a result of the exploitation and post-exploitation stages.A good practice is to store all artifacts payloads, scripts and binaries in these folders:

• Windows - C:\Temp

• Linux - /tmp

Metasploit Framework generates and stores a lot of artifacts on the target. Some modules provides removal resource scripts.

Windows

• Delete the Windows Event Log can be a good post-exploitation clearing technique.

  • ❗ Avoid it during a regular Penetration Test, because data inside the Win Event Log is important to the customer.

Metasploit e.g.cd C:\\mkdir Tempcd Temp# Upload exploit into this C:\Temp directory

• Use the Cleanup RC File

# Cleanup Meterpreter RC File:cat /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.0454/ATTACKDEFENSE_20230429.0454.rcbackgroundsessions 1resource /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.1019/ATTACKDEFENSE_20230429.1019.rc# Clear Windows Event Log from the Meterpreter session# An attacker could potentially do thisclearev

Linux

cd /tmp# Upload exploit into this /tmp directory

• bash history logs the activity and the used commands

• To clear the bash history

history -c

• ~/.bash_history file content can be deleted too

cat /dev/null > ~/.bash_history

• When using Metasploit Framework exploits, proceed manually to clear artifacts from the /tmp directory or other used directories.