Aide 2014 - Fundamentals of Linux Privilege Escalation

Transcript

  • 1. AIDE 2014 Fundamentals of Linux Privilege Escalation
    Elliott Cutright
  • 2. Introduction
    ❖ Elliott Cutright
    ❖ Sr. Red Team for a Large Multinational Company
    ❖ Professional Pen Tester for 6 years
    ❖ Linux and Web Applications
    ❖ Previously worked in Threat Intelligence and Systems Admin
    ❖ Short time working on a 24/7/365 DOD SOC
  • 3. Disclaimer
    The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  • 4. Setup
    ❖ This is NOT how to get in
    ❖ How do we go from low privileges to high privileges?
    ❖ Webshells, stolen SSH keys, etc.
    ❖ We do not know the user’s password
  • 5. Method 1: Exploits
  • 6. Exploits
    ❖ Most take advantage of a flaw in the Linux kernel
    ❖ Easier because reliable exploit code is widely available
    ❖ Be careful: an unreliable exploit has a good chance of crashing the system, as you might see in the demo
    ❖ Generally a low skill set can achieve grand results
    ❖ Additional hardening capabilities exist (GRSecurity)
  • 7. Exploits
    ❖ Identify OS and kernel version
    ❖ Enumerate tools to build the exploit (gcc, python, perl, etc.)
    ❖ Get the exploit to the system
    ❖ Execute the exploit
    ❖ …
    ❖ ROOT
  • 8. Exploit - ID System
    ❖ Determine kernel version
    ❖ uname -a
    ❖ Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux
    ❖ Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux
  • 9. Exploit - ID System
    ❖ OS release
    ❖ Ubuntu - cat /etc/lsb-release
    ❖ DISTRIB_ID=Ubuntu
    ❖ DISTRIB_RELEASE=13.04
    ❖ DISTRIB_CODENAME=raring
    ❖ DISTRIB_DESCRIPTION="Ubuntu 13.04"
    ❖ RedHat/CentOS - cat /etc/redhat-release
    ❖ CentOS release 5 (Final)
  • 10. Exploit - Get the File on the Server
    ❖ Any means available
    ❖ curl/wget
    ❖ NetCat
    ❖ FTP
    ❖ SCP/SFTP
    ❖ SMB
    ❖ TFTP
    ❖ Copy/paste - for source code
    ❖ DNS TXT records - for source code
  • 11. Exploit - Where To Hide It?
    ❖ Directories starting with a ‘.’ are hidden on the Linux filesystem
    ❖ /tmp/.nothinghere/exploit.c
    ❖ /tmp/…/exploit.c
    ❖ Verify you can run commands from your directory
    ❖ mount
    ❖ /dev/vda3 on /tmp type ext4 (rw,noexec)
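The mount check on slide 11 is the same check a defender runs, from the other side: every directory an unprivileged user can write to (/tmp, /var/tmp, /dev/shm, home directories) should sit on a filesystem mounted noexec, so a file dropped there cannot be executed directly. The script below is an added example and not from the talk: it reads a mounts table in /proc/mounts format (here a constructed sample rather than the live file), resolves each directory to the longest matching mount point, and reports the directories whose mount options lack noexec. The directory list and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: report user-writable directories whose
# filesystem is not mounted noexec. Input is a mounts table in /proc/mounts
# format: "device mountpoint fstype options dump pass", one line per mount.

# Print the mount options of the filesystem that holds path $1, read from the
# mounts table in $2. The longest mount point that is a prefix of the path
# wins, and a later line with the same mount point shadows an earlier one,
# matching how the kernel resolves nested and stacked mounts.
mount_options_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }' "$2"
}

# check_noexec <mounts-file> <dir>...
# Print "EXEC <dir>" for every directory whose filesystem lacks the noexec
# option; return 1 if any was found, 0 if all of them are noexec.
check_noexec() {
    mounts=$1
    shift
    found=0
    for dir in "$@"; do
        opts=$(mount_options_for "$dir" "$mounts")
        case ",$opts," in
            *,noexec,*) ;;
            *) echo "EXEC $dir"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample table (not from any real host) in /proc/mounts format:
# /tmp carries noexec as on the slide, /var and /dev/shm do not.
write_sample_mounts() {
    printf '%s\n' \
        '/dev/vda1 / ext4 rw,relatime 0 0' \
        '/dev/vda3 /tmp ext4 rw,noexec,nosuid,nodev 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' \
        '/dev/vda4 /var ext4 rw,relatime 0 0' \
        > "$1"
}

# On a live system (the directory list is an assumption):
#   check_noexec /proc/mounts /tmp /var/tmp /dev/shm
```

Against the sample table the check reports /var/tmp and /dev/shm, which is the usual gap: /tmp gets hardened and the other world-writable locations are forgotten. noexec only blocks execution from that one filesystem, so the check has to cover every directory the user can write to. Mount points containing spaces appear octal-escaped (\040) in /proc/mounts; this example does not unescape them.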
  • 12. Exploit - ID Build System
    ❖ gcc -v
    ❖ Using built-in specs.
    ❖ COLLECT_GCC=gcc
    ❖ Target: i686-linux-gnu
    ❖ Configured with: ../src/configure …
    ❖ gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1)
    ❖ python -V
    ❖ Python 2.4.3
  • 13. Exploit - ID Build System
    ❖ gcc -v
    ❖ -bash: gcc: command not found
    ❖ Common on servers
    ❖ python -V
    ❖ -bash: /usr/bin/python: No such file or directory
    ❖ RARE
  • 14. Exploit - Building The Exploit
    ❖ Most exploits have build directions in the headers
    ❖ Most common method:
    ❖ gcc exploit.c -o exploit
    ❖ ./exploit
  • 15. Exploit - Build Local
    ❖ If GCC is not present, build a VM or VPS with the exact matching kernel and OS (ex. Ubuntu 13.10 with kernel 3.8.0-19-generic)
    ❖ Once built on your local system, move the compiled exploit to your target system
    ❖ WARNING: This is not the preferred method and can have unexpected results… but will work in a pinch
  • 16. Demo: CVE-2009-2692 - sock_sendpage() exploit
    https://www.youtube.com/watch?v=65w7ROFbdqc
  • 17. Method 2: SetUID / SetGID
  • 18. SetUID and SetGID
    ❖ SetUID - SET User ID upon execution
    ❖ SetGID - SET Group ID upon execution
    ❖ Allows you to run programs as another user upon execution
    ❖ Generally executed as an elevated-privilege user (root)
  • 19. SetUID Risks
    ❖ Binaries run with elevated privileges can access privileged information
    ❖ SetUID on ‘ls’ will allow you to list directories you otherwise wouldn’t have rights to
    ❖ SetUID on ‘vim’ will allow you to edit files you otherwise wouldn’t have rights to
  • 20. SetUID Risks
    ❖ Buffer overflow exploits on SetUID applications will result in the attacker running code with elevated privileges
  • 21. Find SetUID
    ❖ ls -l /bin/ls
    ❖ -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls
    ❖ dir:owner:group:world
    ❖ ls -al /bin/ping
    ❖ -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
  • 22. Find SetUID
    ❖ sudo find / -xdev \( -perm -4000 \) -type f -exec ls -l {} \;
    ❖ note: sudo is not required, you just won’t be able to check directories you don’t have permissions to
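The find on slide 22 gives a point-in-time inventory, which is the attacker's view. For the defender the useful question is whether that inventory has changed since the system was built: a new setuid file, or the bit appearing on a binary that never had one, is exactly what a persistence step or a careless chmod looks like. The script below is an added example, not part of the talk: it records the SUID/SGID list as a baseline and later diffs the live list against it. The baseline file format (one absolute path per line) and the example paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: take a baseline of SUID/SGID files and
# re-run the scan later so a newly set bit shows up in a diff instead of
# hiding among the thirty-odd legitimate ones. Baseline format (assumed):
# one absolute path per line.

# Print every regular file under $1 carrying the setuid (4000) or setgid
# (2000) bit, sorted so the output is stable and diffable. -xdev keeps find
# on one filesystem, so /proc and network mounts are not walked.
list_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Save the current list for tree $1 as the baseline file $2.
save_suid_baseline() {
    list_suid_files "$1" > "$2"
}

# Compare the tree under $1 with the baseline in $2. Prints one line per
# difference: "NEW <path>" for a setuid/setgid file absent from the
# baseline, "GONE <path>" for a baseline entry that no longer carries the
# bit. Returns 1 when anything differs, 0 when the system matches.
audit_suid_against_baseline() {
    cur=$(mktemp) || return 2
    base=$(mktemp) || return 2
    list_suid_files "$1" > "$cur"
    LC_ALL=C sort "$2" > "$base"
    # comm -13 keeps lines only in the second file, -23 only in the first.
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/NEW /'
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/GONE /'
    status=0
    if [ -n "$(LC_ALL=C comm -3 "$base" "$cur")" ]; then status=1; fi
    rm -f "$cur" "$base"
    return "$status"
}

# Typical use (paths are assumptions): take the baseline on a freshly built,
# trusted system, then run the audit from cron and alert on any output.
#   save_suid_baseline / /var/lib/suid-baseline.txt
#   audit_suid_against_baseline / /var/lib/suid-baseline.txt
```

Keep the baseline somewhere the audited host cannot rewrite it (a read-only mount or a copy pulled to a central server), since anyone who has reached root can otherwise update the baseline along with the binary. A NEW line for a path under /tmp or a home directory is the case the talk is about; a NEW line under /usr/bin after a package upgrade is the noise you tune out by refreshing the baseline.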
  • 23. Exploiting SetUID
    ❖ Use the functionality of the tool in unintended ways for elevated privileges (more on this idea later)
    ❖ Find an application that has a public exploit or start fuzzing on your own
    ❖ Command injection
  • 24. Method 3: Permissive SUDO
  • 25. SUDO
    ❖ su do
    ❖ note: su does not mean SuperUser, it’s Substitute User
    ❖ Allows you to run commands as an elevated user with the user’s password rather than the root (or other privileged) password
  • 26. /etc/sudoers
    ❖ Config file for sudo
    ❖ Limits what users and groups can run what commands
    ❖ ex:
    ❖ root    ALL=(ALL:ALL) ALL
    ❖ %sudo   ALL=(ALL) NOPASSWD:ALL
  • 27. /etc/sudoers
    ❖ Can allow for very granular configurations
    ❖ User_Alias FULLTIMERS = millert, mikef, dowdy
    ❖ Host_Alias SERVERS = master, mail, www, ns
    ❖ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
    ❖ Cmnd_Alias REBOOT = /usr/sbin/reboot
    ❖ FULLTIMERS ALL = NOPASSWD: ALL
    ❖ mikef ALL, !SERVERS = ALL
  • 28. Concerns
    ❖ With great power comes great responsibility
    ❖ sudo will allow you to shoot yourself in the foot
    ❖ THINK about the commands you allow via sudo
  • 29. Problems?
    ❖ Why are these commands an issue?
    ❖ vi/vim
    ❖ more/less/cat
    ❖ echo
    ❖ nmap
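Slide 29 leaves the question open; the defender's answer is that none of these programs is really the command being granted. Editors and pagers can start other programs from inside the privileged process, cat and echo under sudo read or write any file including /etc/shadow and /etc/sudoers, and older nmap had an interactive mode that ran commands. A rule like "NOPASSWD: /usr/bin/vim" is therefore equivalent to "NOPASSWD: ALL". The script below is an added example, not from the talk: it flags sudoers rules that grant such programs or passwordless ALL. The sample sudoers is constructed and also shows the safer shapes (sudoedit instead of an editor, a fully qualified command with fixed arguments, and the Defaults env_reset, secure_path and noexec options); the list of risky programs is an assumption seeded from the slide and is not exhaustive, and Cmnd_Alias indirection is flagged on the alias line rather than expanded.

```shell
#!/bin/sh
# Added example, not from the talk: flag sudoers rules that hand out a
# program with a shell escape or arbitrary file read/write. Syntax follows
# sudoers(5); the risky list is an assumption taken from the slide.

RISKY_PROGRAMS='vi vim nano more less cat echo nmap'

# Print "<line-number>: <rule>" for every rule in file $1 whose command list
# names a program in RISKY_PROGRAMS (directory stripped) or grants ALL with
# NOPASSWD. Comment, blank and Defaults lines carry no commands and are
# skipped. Aliases are not expanded: a risky Cmnd_Alias is reported on the
# line that defines it, not on the user specs that reference it.
find_risky_sudo_rules() {
    awk -v risky="$RISKY_PROGRAMS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*Defaults/ { next }
        {
            # Commands follow the first "=" of a user spec or Cmnd_Alias.
            cmds = $0
            sub(/^[^=]*=/, "", cmds)
            # Drop tag and runas decorations so only command words remain.
            gsub(/NOPASSWD:|PASSWD:|\([^)]*\)/, " ", cmds)
            m = split(cmds, w, /[ \t,]+/)
            for (i = 1; i <= m; i++) {
                prog = w[i]
                sub(/.*\//, "", prog)
                if ((prog in bad) || (prog == "ALL" && $0 ~ /NOPASSWD/)) {
                    print NR ": " $0
                    break
                }
            }
        }' "$1"
}

# Constructed sample (not from any real host). Lines 6, 7 and 9 are the
# problems; the rest show the safer forms.
write_sample_sudoers() {
    printf '%s\n' \
        '# constructed sample, not from any real host' \
        'Defaults env_reset' \
        'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' \
        'Defaults noexec' \
        'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL) NOPASSWD:ALL' \
        'Cmnd_Alias EDITORS = /usr/bin/vim, /usr/bin/vi' \
        'webadmin ALL=(root) EDITORS' \
        'ops ALL=(root) NOPASSWD: /usr/bin/nmap' \
        'backup ALL=(root) /usr/bin/rsync --archive /srv/www /backup/www' \
        'devs ALL=(root) sudoedit /etc/nginx/nginx.conf' \
        > "$1"
}

# On a live system: find_risky_sudo_rules /etc/sudoers
# (and each file under /etc/sudoers.d, which sudo includes the same way).
```

Run against the sample this prints the %sudo NOPASSWD:ALL line, the EDITORS alias and the nmap rule, and says nothing about the sudoedit and rsync rules. sudoedit copies the file, lets the user edit the copy without privileges and writes it back, so the editor never runs as root; a fixed argument list leaves nothing for the caller to inject; Defaults noexec (where sudo is built with it) stops the granted program from starting any further program, which is exactly the editor and pager escape; and secure_path plus env_reset stop the invoking user's PATH from reaching the privileged command, which is the Method 4 problem seen from the sudo side.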
  • 30. Demo: similar to http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
  • 31. Method 4: PATH Issues
  • 32. Linux PATH
    ❖ An environment variable that contains the locations of executables
    ❖ printenv
    ❖ PATH=/usr/local/rvm/gems/ruby-1.9.3-p448/bin:/usr/local/rvm/gems/ruby-1.9.3-p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3-p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  • 33. Linux PATH
    ❖ ruby -v
    ❖ ruby 1.9.3p448 (2013-06-27 revision 41675) [i686-linux]
    ❖ which ruby
    ❖ /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby
  • 34. Linux PATH Issues
    ❖ What would happen if ‘.’ was prepended to the path?
    ❖ Where would it look for ruby first?
    ❖ What if a script was calling ruby?
    ❖ As root…
  • 35. Attack Path Example
    ❖ Lazy sysadmin has ‘.’ in his path
    ❖ Email and say you can’t list the files in your home dir
    ❖ Admin logs in as root (he’s lazy, remember)
    ❖ Make a bash script called ‘ls’ that sends a reverse shell and hides itself from the admin
    ❖ Admin goes to your home dir and runs ls
    ❖ Shellz
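Slides 32 to 35 describe the failure from the attacker's side; the defender's check is to inspect PATH before it is ever used as root. Anything that resolves relative to the current directory (‘.’, an empty entry produced by a leading, trailing or doubled colon, or any entry not starting with ‘/’) and any entry that is a world-writable directory lets whoever controls that directory decide what ‘ls’ runs. The function below is an added example, not from the talk: it walks a PATH value and prints one finding per bad entry. The PATH values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the talk: audit a PATH value for entries that let
# someone other than the administrator decide which binary runs.

# check_path_entries <path-value>
# Print one finding per bad entry, in PATH order:
#   EMPTY            empty entry ("::", leading or trailing ":"), searched as cwd
#   RELATIVE <e>     "." or any entry not starting with "/", also cwd-relative
#   MISSING <e>      directory does not exist (whoever can create it owns it)
#   WRITABLE <e>     directory others can write to (anyone can drop an "ls")
# Prints nothing when every entry is an absolute, existing, non-world-writable
# directory.
check_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then
            echo "EMPTY"
        elif [ "${entry#/}" = "$entry" ]; then
            echo "RELATIVE $entry"
        elif [ ! -d "$entry" ]; then
            echo "MISSING $entry"
        elif [ -n "$(find "$entry" -prune -perm -002 -print)" ]; then
            # -prune stops find descending; -perm -002 tests the other-write bit
            # of the directory itself, so a sticky /tmp is still reported.
            echo "WRITABLE $entry"
        fi
    done
}

# Return 0 when the PATH value has no findings, 1 otherwise.
path_is_clean() {
    [ -z "$(check_path_entries "$1")" ]
}

# Usage on a live shell: check_path_entries "$PATH"
# Constructed values that trigger every finding (not from any real host):
#   check_path_entries ".:/usr/bin::/opt/does-not-exist/bin"
#   path_is_clean "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

This is the check to run in root's login scripts and in the PATH that cron and sudo hand to privileged commands; sudo's secure_path and env_reset defaults exist so that the administrator's interactive PATH, lazy or not, is never what a sudo-run script resolves ‘ruby’ against.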
  • 36. Demo: ls reverse shell
  • 37. AIDE 2014 Questions?
    e: elliott.cutright@gmail.com
    t: @nullthreat