Linux Privilege Escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

It is just to understand the basic fact that a user can not access (read/write/execute) files which he is not permitted to access. However, the superuser(root) can access all the files which are present on the system. In order to change any important configuration or perform any further attack, first we need to get root access on any Linux based system.

Before starting, I would like to point out — I’m no expert. As far as I know, there isn’t a “magic” answer, in this huge area. Not every command will work for each system as Linux varies so much. “It” will not jump off the screen — you’ve to hunt for that “little thing” as **”the devil is in the detail”.**😈

(Linux) privilege escalation is all about:

  • Information Gathering, as much as you can.
  • Collect, organize and process data.
  • Look for the vulnerability and exploits.
  • Customize the exploit to work for you.
  • Try harder!!

Some common techniques used for Privilege escalation

  • Kernel exploits
  • Exploiting services which are running as root
  • Exploiting SUID Executables
  • Exploiting SUDO rights/user
  • Exploiting badly configured cron jobs
  • Exploiting users with ‘.’ in their PATH

Check out this blog by insidetrust for a not comprehensive, but a good to start list of information what an attacker might be interested in for better shot at privilege escalation.

And, here g0tmi1k has got a decent list on enumeration and some dynamites😉.

Some examples

1️⃣ Writable passwd file

If you don’t know about what are the fields in /etc/passwd file, then read it here. Basic knowledge of passwd file will be required to make sense of what you are going to see next.😜

Before the magic happens, I want to tell you about the scenario.

I am currently logged in as chotu user (just a regular user). This can be checked using id command or whoami command.

Let’s enumerate what configuration files in our system are writable by world.

(You probably won’t get the same output in your system; you can use chmod o+w /etc/passwd to get this result in next run. This is a really really ba d configuration setting. Use it carefully in your system.)

After a quick enumeration, I got to know that the /etc/passwd file is publically writable (Just look at the permission bits of the file). Time for some hacking fun.

I am going to create a new user (newuser) and give a ultimate password (ult1mat3pa$$w0rd) to it. For this, I won't use any useradd commands. Instead I'll directly write the entry to /etc/passwd file.

After adding the entry, /etc/passwd file looks something like the above. The second field, which contains some scary text is actually the password I am using to log in to user.

You can generate this password using openssl passwd your-password-here command.

The trick here is the uid and gid used for the newuser is 0. Internally, all linux mechanism uses the uid and gid to identify the user instead of using their names. So, when you are using uid=0 for newuser, system confuses it with root user and gives you a root shell whenever youo log in to newuser.

We just got a root shell. We literally own this machine now. Some different flavour of this attack are based on bad configuration for group file and shadow file. Do check them out too sometime.

2️⃣ setuid text editors

This tragedy begins when someone gave a special permission to a text editor (here, vim) binary. Hackers found that out using a simple find command.

find / -perm -u=s 2>/dev/null | xargs ls -l

Here, vim (a text editor) has got setuid bit set and is owned by root user. This gives any user on the system to execute vim binary as root user now. Any file created by any user using vim binary will eventually do something like this..

created-by-root

It creates a file with user as root and group as the group of the actual creator of file. Now any file can be created or modified with root user privileges. Imagine what a man can do with this escalated privilege.

3️⃣ the magical word — sudo

If you are using linux, then you must have already heard about the magical word. But to understand how to exploit it you need to understand the logic of sudoers file.

This is a special file that manages all the users and groups that can execute command with sudo.

Other possibility will be this.👇

Seems like we are not in sudoers file list and now we’ll need to add it. We can use our suid bit vim binary file to modify the sudoers file and give ourselves enough privileges to go supersonic.🚀

for the sake of this demo, I have configured sudoers file to add chotu user and given him super user access for /usr/bin/more binary.(Now he can use sudo more and be root user for some time.)

Let’s check what sudoers persmission are given to chotu user now.

I have also created a file with 100 lines of binod to open it with more binary.

Trick time it is. All you need to do is type :!bash and you should see something like this.👇

Now this will execute bash as a subcommand and will open a bash sub shell. But this is a regular user shell. To get a root user shell, we need to run more command with sudo to escalate privileges.

sudo more abcd.txt

And boom!!! You got a ROOT SHELL!!.

There are many more ways for privilege escalation and some are really mind blowing. There are plenty of automated scripts that can check for the common files and permissions to check for the privilege escalation and exploit suggestion. Some of the famous ones are:

Connecting the dots and rest is magic. https://ayedaemon.github.io/