Linux Priv Esc Notes
Latest revision as of 09:13, 26 July 2018

A collection of notes on Linux privilege escalation. Some will lead to r00t, some will help with moving laterally; it all depends on the end goal. These try to avoid the 'how to do it' steps and focus on 'what to do' instead. Like most of the content on this site, they are put together for personal use, but feel free to grab and share because sharing is caring. I'll try to update this as often as I can as this is my go-to

What's available to me immediately

  • Any sudo rules to run programs as another user? As root?
  • What other users are on the system? (cat /etc/passwd, cat /etc/shadow, ls /home, ls $HOME/../)
    • Try obvious passwords and blank passwords. Try fuzzing.
    • Have a password hash? Google it. Try john.
    • Look for passwords in command-line history (~/{bash,nano,mysql}_history)
    • Look for hard-coded passwords in config files (/etc/my.conf)
    • Look for passwords in database dumps (.sql files) or other text files (.txt, .csv)
    • Look for hidden private keys
  • SUID/SGID executables (find ./ -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)
    • Can I escape to a shell through an interactive feature? (nmap --interactive, vim :!sh, less, more, cp, mv, find)
    • Can I execute another command?
      • As a command parameter
      • By modifying PATH (e.g. if the command calls 'date' without a full path: 'cp /bin/bash $HOME/date' and put $HOME first in $PATH)
    • Can I use a buffer overflow to load arbitrary shellcode?
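The password-hunting items above (shell history, config files, dumps, stray private keys) are exactly the places a defender should sweep for secret sprawl before someone else does. The following is an added example and not part of the original notes: a small Python scanner that flags credential-looking lines and masks the values it reports, so a cleanup run never copies the secrets into a log. The sample lines, the regexes and the tool list in CLI_PASSWORD are my own constructed heuristics, not an exhaustive rule set.

```python
import re
import sys
from typing import Dict, Iterable, List

# Constructed sample input (not from any real system): lines as they might
# appear in a config file, a database dump, or a shell history file.
SAMPLE_LINES = [
    "[client]",
    "user=webapp",
    "password = Sup3rS3cret!",
    "host: db.internal",
    "api_key: ",                                   # empty value, not a finding
    "mysql -u root -pHunter2 shopdb",
    "sshpass -p 'letmein' ssh deploy@10.0.0.5",
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEpAIBAAKCAQEA...",
]

# key=value / key: value where the key name suggests a credential
KEY_VALUE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key))"
    r"\s*[=:]\s*(?P<val>\S.*)$",
    re.IGNORECASE,
)
# password passed on the command line of a tool that takes -p/--password
# (heuristic: a bare '-p' followed by a database name will also trigger, review by hand)
CLI_PASSWORD = re.compile(
    r"\b(?:mysql|mysqldump|sshpass|smbclient)\b.*?(?:\s-p|\s--password[= ])\s*(?P<val>\S+)"
)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def mask(value: str) -> str:
    """Keep only the first character so the report never echoes a full secret."""
    return value[:1] + "*" * (len(value) - 1)


def find_credential_leaks(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per line that looks like it carries a credential.

    Values are masked in the output: the point is to locate and clean up
    secret sprawl, not to collect the secrets."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        m = KEY_VALUE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "config-value",
                             "key": m.group("key").lower(),
                             "value": mask(m.group("val").strip())})
            continue
        m = CLI_PASSWORD.search(line)
        if m:
            findings.append({"line": lineno, "kind": "cli-password",
                             "key": None, "value": mask(m.group("val"))})
            continue
        if PRIVATE_KEY.search(line):
            findings.append({"line": lineno, "kind": "private-key",
                             "key": None, "value": ""})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a real file; binary junk is tolerated via errors='ignore'."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return find_credential_leaks(fh)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 leakscan.py ~/.bash_history /etc/my.cnf
        for path in sys.argv[1:]:
            for f in scan_file(path):
                print(f"{path}:{f['line']}  {f['kind']}  key={f['key']}  value={f['value']}")
    else:
        for f in find_credential_leaks(SAMPLE_LINES):
            print(f"sample:{f['line']}  {f['kind']}  key={f['key']}  value={f['value']}")
```

Run without arguments it scans the constructed sample and reports four hits (the config password, the two command-line passwords, and the private-key header), each with the value masked; pass file paths to run it over real history or config files.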

What can I tap into

  • What processes are running? As root?
    • Can I connect to the process and escape to an escalated shell?
      • MySQL - try logging in as root or another user. Try obvious credentials. Use sqlmap to extract users' credentials. Once logged in, escalate privs (select sys_exec(<command>))
      • Web server - if running as root or another user, look for RCE or RFI opportunities.
      • What other ways can I connect to the process? What interfaces does it offer? (e.g. injecting commands via UDP: shadowsocks-libev 3.1.0 exploit - https://www.exploit-db.com/exploits/43006/)
  • What processes will eventually run as another user?
    • Check crontabs (cron.d). Do any entries point to a script or file I can modify?
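The cron question above, and the PATH point from the first section, both come down to the same audit a defender can run on a box: for every scheduled job, who can change what it executes? The following is an added example, not code from the original notes. It parses system-crontab lines (/etc/crontab and /etc/cron.d format, with the user field) and flags commands given by a relative name (resolved through PATH at run time), targets writable by group/other or not owned by root while the job runs as root, missing targets, and parent directories that are writable without the sticky bit. The crontab text, the FAKE_FS table and the fake_stat helper are constructed so the example runs offline; on a real host the default os.stat is used instead.

```python
import os
import re
import stat
import sys
from collections import namedtuple
from typing import Callable, Dict, List

# Minimal stat-like record so the audit can run against a constructed
# filesystem (for the example) or the real one (os.stat).
StatLike = namedtuple("StatLike", "st_mode st_uid")

# Constructed sample in /etc/cron.d format (schedule, user, command); not a real file.
SAMPLE_CRONTAB = """\
# constructed example, not a real system file
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
*/5 * * * * root /opt/backup/run.sh --quiet
0 3 * * * root /usr/local/bin/rotate-logs
@daily root cleanup-tmp --force
30 1 * * * root /opt/reports/gen.py
"""

# Constructed stand-in for the filesystem: path -> (mode bits, owner uid).
FAKE_FS: Dict[str, StatLike] = {
    "/opt": StatLike(0o040755, 0),
    "/opt/backup": StatLike(0o040755, 0),
    "/opt/backup/run.sh": StatLike(0o100777, 1000),  # world-writable, owned by uid 1000
    "/usr/local/bin": StatLike(0o040755, 0),
    "/usr/local/bin/rotate-logs": StatLike(0o100755, 0),
    "/opt/reports": StatLike(0o040777, 0),           # world-writable dir without sticky bit
    "/opt/reports/gen.py": StatLike(0o100755, 0),
}


def fake_stat(path: str) -> StatLike:
    """os.stat replacement backed by FAKE_FS."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


ENV_LINE = re.compile(r"^\s*\w+\s*=")


def split_cron_line(line: str):
    """Return (user, command) for a system-crontab line, or None for
    blank lines, comments and environment assignments such as PATH=...."""
    s = line.strip()
    if not s or s.startswith("#") or ENV_LINE.match(s):
        return None
    # '@daily user cmd' has one schedule field; 'm h dom mon dow user cmd' has five.
    parts = s.split(None, 2) if s.startswith("@") else s.split(None, 6)
    if len(parts) < (3 if s.startswith("@") else 7):
        return None
    return parts[-2], parts[-1]


def writable_by_others(st) -> bool:
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text: str, stat_fn: Callable[[str], StatLike] = os.stat) -> List[dict]:
    """Flag cron entries whose command could be replaced or hijacked by a
    non-root user. Only the first token of the command is examined, so
    wrappers like 'cd /x && ./run.sh' or 'sh -c ...' still need a manual look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        user, command = parsed
        target = command.split()[0]
        issues = []
        if not target.startswith("/"):
            # resolved through PATH at run time: PATH, or a writable dir on it, decides what runs
            issues.append("relative-command")
        else:
            try:
                st = stat_fn(target)
            except FileNotFoundError:
                issues.append("missing-target")
            else:
                if writable_by_others(st):
                    issues.append("target-writable-by-others")
                if user == "root" and st.st_uid != 0:
                    issues.append("target-not-owned-by-root")
                try:
                    pst = stat_fn(os.path.dirname(target))
                except FileNotFoundError:
                    pst = None
                # a writable parent without the sticky bit lets anyone swap the file out
                if pst and writable_by_others(pst) and not pst.st_mode & stat.S_ISVTX:
                    issues.append("parent-dir-writable-by-others")
        for issue in issues:
            findings.append({"line": lineno, "user": user, "target": target, "issue": issue})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit real files, e.g. /etc/crontab /etc/cron.d/*
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for f in audit_crontab(fh.read()):
                    print(f"{path}:{f['line']}  user={f['user']}  {f['target']}  {f['issue']}")
    else:
        for f in audit_crontab(SAMPLE_CRONTAB, fake_stat):
            print(f"sample:{f['line']}  user={f['user']}  {f['target']}  {f['issue']}")
```

On the constructed sample the audit reports four issues: the backup script is world-writable and not owned by root, cleanup-tmp is a relative command, and gen.py lives in a world-writable directory. Per-user crontabs (crontab -l) have no user field and would need the split adjusted.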

What requires some work

Exploits

  • Can I download an exploit? Do I have tools (wget, curl, links)? Can I reach the outside world / the internet?
  • Can I build one locally? What compilers are available? (C++? C? Python? Java?)
  • What can be exploited?
    • Kernel exploits? Check the kernel version and the release version.
    • Outdated / unpatched / vulnerable packages? (rpm -qa | grep <pkg>, dpkg -l | grep <pkg>)
  • Any source code available locally that I can modify and compile? Not just to modify the runtime, but even something like loading a config from a custom location?
  • Any ready-to-use exploits available on the internet? (site:exploit-db.com <keyword>)

Inspired by

https://github.com/rebootuser/LinEnum

http://pentestmonkey.net/tools/audit/unix-privesc-check

https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py

https://blog.g0tmi1k.com

https://chryzsh.gitbooks.io/pentestbook

https://www.thegeekstuff.com/2011/08/linux-var-log-files

https://stackoverflow.com/questions/34032651/searching-an-entire-drive-for-plaintext-passwords