Day 44: Linux Capabilities Privilege Escalation via OpenSSL with SELinux Enabled and Enforced

int0x33
Feb 12, 2019 · 3 min read

Linux Capabilities

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list). Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

Read more about the actual capabilities here: http://man7.org/linux/man-pages/man7/capabilities.7.html

There have also been some nice articles written about using capabilities for privilege escalation by abusing binaries that are allowed to do certain things, like read and write arbitrary files.

Find out what capabilities are enabled

You will get output like the following…

A classic example…

Let's say tar has "tar = cap_dac_read_search+ep", which means tar has read access to anything on the filesystem. We can abuse this to read /etc/shadow by using tar's normal function of archiving a file.

But what is special about our output? If you look closely, this should stick out…

=ep, nice! It's blank; however, unlike most things that are blank, where people assume nothing is there, in this case if you call it from the right location, like the digital equivalent of The Hamptons, you are immediately entitled to the same level of privilege. In other words: run it from the root directory and you have everything.

How is this possible? From the man pages…

Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0.
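As an added example, not the post's own tooling, here is a small Python audit that parses getcap output in libcap's cap_from_text(3) syntax and ranks what it finds; in that syntax an empty name list before "=" denotes every capability, which is why a bare "=ep" entry grants far more than its blank look suggests. The sample lines are constructed; on a real host, feed it the output of `getcap -r / 2>/dev/null` (the assumed input format is the "path = caps" one the post shows, plus the newer "path caps" form).

```python
import re

# Capabilities that most directly let a process read or write files it
# should not, or change its identity (cap_dac_read_search is the tar case).
HIGH_RISK = {"cap_dac_read_search", "cap_dac_override", "cap_chown", "cap_fowner", "cap_setuid",
             "cap_setgid", "cap_setpcap", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
# One cap_from_text(3) clause: optional name list, operator, flag letters.
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]*)(?P<op>[=+-])(?P<flags>[eip]*)$")

def parse_capset(text):
    """Return (base, per_cap): flags for every capability, plus per-name overrides."""
    base, per_cap = set(), {}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m: raise ValueError(f"unparseable clause {clause!r}")
        names, op, flags = m["names"], m["op"], set(m["flags"])
        if names in ("", "all"):  # no names before the operator means 'all'
            if op == "=":  # e.g. '=ep': every capability gets exactly these flags
                base, per_cap = flags, {}
                continue
            sets = [base, *per_cap.values()]
        else:
            sets = [per_cap.setdefault(n, set(base)) for n in names.split(",")]
        for s in sets:
            if op == "=":
                s.clear()
            (s.difference_update if op == "-" else s.update)(flags)
    return base, per_cap

def assess(capset_text):
    """Rate one binary; only permitted/effective bits act at exec, not 'i' alone."""
    base, per_cap = parse_capset(capset_text)
    if base & {"e", "p"}:
        return "CRITICAL", "every capability permitted/effective (the '=ep' case)"
    active = sorted(n for n, f in per_cap.items() if f & {"e", "p"})
    risky = [n for n in active if n in HIGH_RISK]
    if risky:
        return "HIGH", "file-access/identity capabilities: " + ",".join(risky)
    return "LOW", ("limited: " + ",".join(active) if active else "no active bits")

def audit(getcap_output):
    """Rank getcap lines worst first; assumes paths without spaces (old and new getcap forms)."""
    rank = {"CRITICAL": 0, "HIGH": 1, "LOW": 2}
    rows = [(path,) + assess(caps) for path, _, caps in
            (l.strip().partition(" ") for l in getcap_output.splitlines() if l.strip())]
    return sorted(rows, key=lambda r: rank[r[1]])

# Constructed sample lines (not the post's real output), mixing both getcap formats.
SAMPLE = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/openssl =ep
/usr/sbin/arping cap_net_raw=ep"""
```

Anything rated CRITICAL or HIGH is a candidate for `setcap -r` or for replacing the blanket set with the single capability the program actually needs.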

Let's try and use our binary that has an empty capability set (=ep).

As we can see: Permission denied. As expected, this is because we inherited our low-level capabilities. Thanks Linux for protecting us, or not?!

Let's bypass this safeguard and inherit the world, or at least some decent capabilities…

Now we will execute the same binary, but from the root directory, /. This means we then inherit all the correct permissions to read and to write ANYWHERE!

Exploit Prep

First we need to read current /etc/shadow.

Now let’s start a server so we can read root files…

Target Host

Another Low-Priv Terminal on Same Host

We use -k to ignore SSL errors. Nice, we can now read any root or system files. Now it's time to write a new shadow file and profit.

First, let's encrypt our new shadow file so we can use openssl to write it via the decrypt method.

Now it's time to write the new shadow file.

Finally, let's su to root.
