Aide 2014 - Fundamentals of Linux Privilege Escalation
Transcript

  • 1. AIDE 2014 - Fundamentals of Linux Privilege Escalation. Elliott Cutright
  • 2. Introduction
    ❖ Elliott Cutright
    ❖ Sr. Red Team for a Large Multinational Company
    ❖ Professional Pen Tester for 6 years
    ❖ Linux and Web Applications
    ❖ Previously worked in Threat Intelligence and Systems Administration
    ❖ Short time working on a 24/7/365 DoD SOC
  • 3. Disclaimer: The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  • 4. Setup
    ❖ This is NOT how to get in
    ❖ How do we go from low privileges to high privileges?
    ❖ Webshells, stolen SSH keys, etc.
    ❖ We do not know the user's password
  • 5. Method 1: Exploits
  • 6. Exploits
    ❖ Most take advantage of a flaw in the Linux kernel
    ❖ Easier because reliable exploit code is widely available
    ❖ Be careful: if the exploit is unreliable there is a good chance you will crash the system, as you might see in the demo
    ❖ Generally a low skill set can achieve grand results
    ❖ Additional hardening capabilities exist (grsecurity)
  • 7. Exploits
    ❖ Identify OS and kernel version
    ❖ Enumerate tools to build the exploit (gcc, python, perl, etc.)
    ❖ Get the exploit to the system
    ❖ Execute the exploit
    ❖ …
    ❖ ROOT
  • 8. Exploit - ID System
    ❖ Determine kernel version: uname -a
      Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux
      Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux
  • 9. Exploit - ID System
    ❖ OS release
    ❖ Ubuntu - cat /etc/lsb-release
      DISTRIB_ID=Ubuntu
      DISTRIB_RELEASE=13.04
      DISTRIB_CODENAME=raring
      DISTRIB_DESCRIPTION="Ubuntu 13.04"
    ❖ RedHat/CentOS - cat /etc/redhat-release
      CentOS release 5 (Final)
  • 10. Exploit - Get the File on the Server
    ❖ Any means available
    ❖ curl/wget
    ❖ netcat
    ❖ FTP
    ❖ SCP/SFTP
    ❖ SMB
    ❖ TFTP
    ❖ Copy/paste - for source code
    ❖ DNS TXT records - for source code
  • 11. Exploit - Where to Hide It?
    ❖ Directories starting with a '.' are hidden on the Linux filesystem
    ❖ /tmp/.nothinghere/exploit.c
    ❖ /tmp/…/exploit.c
    ❖ Verify you can run commands from your directory: mount
      /dev/vda3 on /tmp type ext4 (rw,noexec)
  • 12. Exploit - ID Build System
    ❖ gcc -v
      Using built-in specs.
      COLLECT_GCC=gcc
      Target: i686-linux-gnu
      Configured with: ../src/configure ……..
      gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1)
    ❖ python -V
      Python 2.4.3
  • 13. Exploit - ID Build System
    ❖ gcc -v
      -bash: gcc: command not found
    ❖ Common on servers
    ❖ python -V
      -bash: /usr/bin/python: No such file or directory
    ❖ RARE
  • 14. Exploit - Building the Exploit
    ❖ Most exploits have build directions in the headers
    ❖ Most common method:
      gcc exploit.c -o exploit
      ./exploit
  • 15. Exploit - Build Local
    ❖ If gcc is not present, build a VM or VPS with the exact matching kernel and OS (ex. Ubuntu 13.10 with kernel 3.8.0-19-generic)
    ❖ Once built on your local system, move the compiled exploit to your target system
    ❖ WARNING: This is not the preferred method and can have unexpected results… but will work in a pinch
  • 16. Demo: CVE-2009-2692 - sock_sendpage() exploit (https://www.youtube.com/watch?v=65w7ROFbdqc)
  • 17. Method 2: SetUID / SetGID
  • 18. SetUID and SetGID
    ❖ SetUID - set user ID upon execution
    ❖ SetGID - set group ID upon execution
    ❖ Allows you to run programs as another user upon execution
    ❖ Generally executed as an elevated-privilege user (root)
  • 19. SetUID Risks
    ❖ Binaries run with elevated privileges can access privileged information
    ❖ SetUID on 'ls' will allow you to list directories you otherwise wouldn't have rights to
    ❖ SetUID on 'vim' will allow you to edit files you otherwise wouldn't have rights to
  • 20. SetUID Risks
    ❖ Buffer overflow exploits on SetUID applications will result in the attacker running code with elevated privileges
  • 21. Find SetUID
    ❖ ls -l /bin/ls
      -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls
    ❖ dir:owner:group:world
    ❖ ls -al /bin/ping
      -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
    ❖ (the 's' in the owner and group execute positions marks the SetUID and SetGID bits)
  • 22. Find SetUID
    ❖ sudo find / -xdev \( -perm -4000 \) -type f -print0 -exec ls -l {} \;
    ❖ note: sudo is not required, you just won't be able to check directories you don't have permissions to
  • 23. Exploiting SetUID
    ❖ Use the functionality of the tool in unintended ways for elevated privileges (more on this idea later)
    ❖ Find an application that has a public exploit or start fuzzing on your own
    ❖ Command injection
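Added example, not part of the talk: the slide's find command turned into a setuid/setgid inventory that is diffed against a saved baseline, so a newly planted or newly flagged binary shows up on the next run. It assumes paths without spaces (the ls -l output is split on whitespace) and a POSIX find/comm/awk.

```shell
# Added example: setuid/setgid inventory and baseline diff (not from the talk).
export LC_ALL=C   # stable sort order so comm(1) can compare the two lists

# suid_inventory ROOT
# Prints "mode owner path" for every setuid or setgid regular file under ROOT,
# sorted; unreadable directories are skipped, as the slide notes for non-root.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }' | sort
}

# suid_diff BASELINE_FILE ROOT
# Prints "+ mode owner path" for entries missing from the baseline and "- ..."
# for entries that disappeared; returns 1 when anything changed (alert condition).
suid_diff() {
    current=$(suid_inventory "$2")
    added=$(printf '%s\n' "$current" | comm -13 "$1" -)
    removed=$(printf '%s\n' "$current" | comm -23 "$1" -)
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# Constructed demo tree: one expected setuid file, baseline taken, then a
# setgid file appears after the baseline (the case a cron job should flag).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin"
printf '#!/bin/sh\n' > "$DEMO/bin/ping"; chmod 4755 "$DEMO/bin/ping"
printf '#!/bin/sh\n' > "$DEMO/bin/ls";   chmod 0755 "$DEMO/bin/ls"
suid_inventory "$DEMO" > "$DEMO/baseline.txt"
printf '#!/bin/sh\n' > "$DEMO/bin/dropped"; chmod 2755 "$DEMO/bin/dropped"
suid_diff "$DEMO/baseline.txt" "$DEMO" || echo "setuid/setgid set changed under $DEMO"
```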
  • 24. Method 3: Permissive sudo
  • 25. sudo
    ❖ su do
    ❖ note: su does not mean SuperUser, it's Substitute User
    ❖ Allows you to run commands as an elevated user with the user's password rather than the root (or other privileged) password
  • 26. /etc/sudoers
    ❖ Config file for sudo
    ❖ Limits which users and groups can run which commands
    ❖ ex:
      root    ALL=(ALL:ALL) ALL
      %sudo   ALL=(ALL) NOPASSWD:ALL
  • 27. /etc/sudoers
    ❖ Can allow for very granular configurations
      User_Alias FULLTIMERS = millert, mikef, dowdy
      Host_Alias SERVERS = master, mail, www, ns
      Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
      Cmnd_Alias REBOOT = /usr/sbin/reboot
      FULLTIMERS ALL = NOPASSWD: ALL
      mikef ALL, !SERVERS = ALL
  • 28. Concerns
    ❖ With great power comes great responsibility
    ❖ sudo will allow you to shoot yourself in the foot
    ❖ THINK about the commands you allow via sudo
  • 29. Problems?
    ❖ Why are these commands an issue?
    ❖ vi/vim
    ❖ more/less/cat
    ❖ echo
    ❖ nmap
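Added example, not part of the talk: a small sudoers audit for the command classes slide 29 asks about. vi/vim, more/less and nmap can start a shell from inside the program, and cat/echo read or write any file, so a sudo grant for them is effectively a root grant. The checker assumes one rule per line (backslash continuations are not joined) and does not expand User_Alias/Cmnd_Alias names; the sample sudoers is constructed.

```shell
# Added example: flag sudoers rules that hand out shell escapes (not from the talk).
RISKY_CMDS='vi vim more less cat echo nmap'

# audit_sudoers FILE
# Prints "user|command|reason|PASSWD-or-NOPASSWD" for each risky rule; always exits 0.
audit_sudoers() {
    awk -v risky="$RISKY_CMDS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
    {
        user = $1                                      # user, %group or alias name
        eq = index($0, "=")                            # user host = (runas) cmd, cmd
        if (eq == 0) next
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)/, "", spec)             # drop the (runas) part
        auth = (spec ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):/, "", spec)
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL") { print user "|ALL|every command|" auth; continue }
            base = c; sub(/[ \t].*/, "", base); sub(/.*\//, "", base)   # basename, no args
            if (base in bad) print user "|" c "|shell escape or arbitrary file access|" auth
        }
    }' "$1"
}

# Constructed sample sudoers (not a real /etc/sudoers).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD:ALL
webops  ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl restart nginx
backup  ALL=(root) /bin/cat /var/log/*, /usr/bin/less
scanner ALL=(root) /usr/bin/nmap
EOF
audit_sudoers "$SAMPLE"
```

Only the systemctl entry survives the audit; every other command in the sample lets the caller become root one way or another.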
  • 30. Demo - similar: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
  • 31. Method 4: PATH Issues
  • 32. Linux PATH
    ❖ An environment variable that contains the location of executables
    ❖ printenv
      PATH=/usr/local/rvm/gems/ruby-1.9.3-p448/bin:/usr/local/rvm/gems/ruby-1.9.3-p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3-p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  • 33. Linux PATH
    ❖ ruby -v
      ruby 1.9.3p448 (2013-06-27 revision 41675) [i686-linux]
    ❖ which ruby
      /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby
  • 34. Linux PATH Issues
    ❖ What would happen if '.' was prepended to the PATH?
    ❖ Where would it look for ruby first?
    ❖ What if a script was calling ruby?
    ❖ As root…
  • 35. Attack Path Example
    ❖ Lazy sysadmin has '.' in his PATH
    ❖ Email and say you can't list the files in your home dir
    ❖ Admin logs in as root (he's lazy, remember)
    ❖ Make a bash script called 'ls' that sends a reverse shell and hides itself from the admin
    ❖ Admin goes to your home dir and runs ls
    ❖ Shellz
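Added example, not part of the talk: an audit of a PATH value for the conditions slides 32 to 35 turn into the attack above, i.e. a '.' entry, an empty entry (which the shell also treats as the current directory), relative entries, directories anyone can write to, and entries that do not exist. Permission bits are read from ls -ld so it runs on GNU and BSD userlands alike; the demo directories are constructed.

```shell
# Added example: audit a PATH value for lookup-hijack conditions (not from the talk).

# audit_path PATH_VALUE
# Prints "entry|finding" for each problem; returns 0 even when findings exist.
audit_path() {
    rest="$1:"                              # trailing ":" makes the loop uniform
    while [ -n "$rest" ]; do
        d=${rest%%:*}; rest=${rest#*:}      # pop the next ":"-separated entry
        case $d in
            "")  echo "(empty)|empty entry is searched as the current directory" ;;
            .)   echo ".|current directory is searched" ;;
            /*)  if [ ! -d "$d" ]; then
                     echo "$d|does not exist (whoever creates it owns the lookup)"
                 elif [ "$(ls -ld "$d" | cut -c9)" = w ]; then   # 9th char: other-write
                     echo "$d|world-writable directory"
                 fi ;;
            *)   echo "$d|relative entry, resolved from the current directory" ;;
        esac
    done
}

# Constructed demo: a normal directory and a world-writable one (like /tmp),
# placed in a PATH that also has ".", an empty entry, a relative entry and a
# missing directory. The safe directory produces no finding.
SAFE_DIR=$(mktemp -d); chmod 755 "$SAFE_DIR"
OPEN_DIR=$(mktemp -d); chmod 1777 "$OPEN_DIR"
audit_path ".:$SAFE_DIR:$OPEN_DIR::sbin:$SAFE_DIR/missing"
```

Running audit_path "$PATH" on a login shell (or on the PATH in root's crontab and service units) gives the check an admin would want before scripts start calling ruby, ls or anything else by bare name.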
  • 36. Demo: ls reverse shell
  • 37. AIDE 2014 - Questions? e: elliott.cutright@gmail.com, t: @nullthreat