Series of CTF machines Walkthrough #4 Linux Privilege Escalation (Enumeration).
Hello Hackers, today we are not only going to solve a CTF machine; we are also going to learn how to do enumeration and different methodologies to elevate privileges.
While solving CTF machines, “Privilege Escalation” is very important. Escalating a user to a higher privilege is not a piece of cake; sometimes you have to bang your head against the wall or break the keyboard, just kidding.
Jokes apart, let’s start.
In this article we will go through Manual Enumeration and Automated Enumeration, which I learnt from TryHackMe.
What is Privilege escalation
Privilege escalation means gaining a higher authority than the assigned privilege, for example escalating privilege from “User” to “Root” or “Asst Manager” to “Manager”.
Definition from TryHackMe
Different Methods or Commands for Manual Enumeration
The “hostname” command gives the hostname of the target machine.
2) uname -a
This command gives information about the system, including kernel info, which you can use to find out kernel vulnerabilities.
The /proc file system (Procfs) is a virtual file system created on the fly. It contains useful info about the processes that are currently running, and it is also called the control and info center of the kernel.
The /proc/version file contains the Linux kernel version, distribution name, gcc version number and other info about the kernel.
The /etc directory consists of system configuration files.
The /etc/issue file contains info about the OS and is displayed before the login prompt; it can be easily modified.
“ps” stands for “Process Status”; it displays the running processes on a Linux system.
It displays the following information:
* PID — The unique Process ID.
* TTY — The terminal type used by the user.
* Time — The amount of CPU time that the process has been running.
* CMD — The command or executable file that is running.
The “env” command lists the environment variables, which are useful to review when looking for privilege escalation paths.
The $PATH variable holds the directories where executable files are stored; when you type a command in the terminal, the shell looks through those directories for it.
Ex- when you type “ls” or “echo” in the terminal, the shell searches the directories in the $PATH variable and then executes the command.
7) sudo -l
“sudo” lets a permitted user run commands as the root user. “sudo -l” lists all the programs that the current user can run using sudo.
The “id” command gives info about the current user, their privileges and group memberships.
The “/etc/passwd” file lists the users present on the system.
The “history” command shows the commands previously used by the user; these may include a username and password, so it is good practice to check.
The “netstat” command displays the information about current network connections, which ports are open/listening and the services which are running.
The “find” command is used to search for particular files.
Example : find . -name test.txt — which gives the location/directory where the file resides.
Useful commands for “Privilege Escalation”:
* find / -perm -o=x -type d 2>/dev/null — Displays the world-executable folders.
* find / -perm -u=s -type f 2>/dev/null — Displays the files with the “suid” bit set.
Files like these run with higher privileges, so finding and executing them can let you escalate your privileges.
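The same SUID search also works as a baseline audit on a system you administer. The script below is an added example, not code from this write-up or from TryHackMe; the function names, the allowlist format and the temporary demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report SUID files that are not in a reviewed allowlist.

# suid_unexpected ROOT ALLOWLIST
# Prints every regular file under ROOT with the SUID bit set whose path
# is not listed in ALLOWLIST (one absolute path per line).
suid_unexpected() {
    root=$1
    allow=$2
    # Same test as the article's command: -perm -u=s matches the SUID bit.
    # -xdev keeps the search on one filesystem (skips /proc, network mounts).
    find "$root" -xdev -type f -perm -u=s 2>/dev/null | sort |
    while IFS= read -r path; do
        # -F fixed string, -x whole-line match, -q quiet
        grep -Fxq -- "$path" "$allow" || printf '%s\n' "$path"
    done
}

# demo builds a constructed tree (not a real system) with two SUID files,
# allowlists one of them, and prints what the audit flags.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/bin" "$tmp/opt/tools"
    : > "$tmp/usr/bin/passwd"      # expected SUID binary (allowlisted)
    : > "$tmp/usr/bin/ls"          # ordinary binary, no SUID bit
    : > "$tmp/opt/tools/backup"    # SUID file nobody reviewed
    chmod 4755 "$tmp/usr/bin/passwd" "$tmp/opt/tools/backup"
    chmod 0755 "$tmp/usr/bin/ls"
    printf '%s\n' "$tmp/usr/bin/passwd" > "$tmp/allow.txt"
    suid_unexpected "$tmp" "$tmp/allow.txt"
    rm -rf "$tmp"
}

demo
```

On a real host, call `suid_unexpected / /path/to/allowlist` with an allowlist generated from a known-good install and review every path it prints.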
In upcoming write-ups you will learn more about privilege escalation and use the commands above.
We know that doing things manually consumes more time, so by using automated scripts you can more easily find a suitable exploit to escalate privileges.
Here are some automated scripts.
* LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
* LinEnum: https://github.com/rebootuser/LinEnum
* LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
* Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
* Linux Priv Checker: https://github.com/linted/linuxprivchecker
You will use these scripts in the up-coming write-ups.
The next article will be on “Kernel Exploit”.
Link for Procfs.
Link for TryHackMe Linux Privilege Escalation machine.