Aide 2014 - Fundamentals of Linux Privilege Escalation


  1. AIDE 2014 - Fundamentals of Linux Privilege Escalation. Elliott Cutright
  2. Introduction
     ❖ Elliott Cutright
     ❖ Sr. Red Team for a Large Multinational Company
     ❖ Professional Pen Tester for 6 years
     ❖ Linux and Web Applications
     ❖ Previously worked in Threat Intelligence and Systems Administration
     ❖ Short time working on a 24/7/365 DOD SOC
  3. Disclaimer: The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  4. Setup
     ❖ This is NOT about how to get in
     ❖ How do we go from low privileges to high privileges?
     ❖ Webshells, stolen SSH keys, etc.
     ❖ We do not know the user's password
  5. Method 1: Exploits
  6. Exploits
     ❖ Most take advantage of a flaw in the Linux kernel
     ❖ Easier because reliable exploit code is widely available
     ❖ Be careful: if the exploit is unreliable there is a good chance you will crash the system, as you might see in the demo
     ❖ Generally a low skill set can achieve grand results
     ❖ Additional hardening capabilities exist (GRSecurity)
  7. Exploits
     ❖ Identify OS and kernel version
     ❖ Enumerate tools to build the exploit (gcc, python, perl, etc.)
     ❖ Get the exploit to the system
     ❖ Execute the exploit
     ❖ …
     ❖ ROOT
  8. Exploit - ID System
     ❖ Determine kernel version: uname -a
        Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux
        Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux
  9. Exploit - ID System
     ❖ OS release
     ❖ Ubuntu: cat /etc/lsb-release
        DISTRIB_ID=Ubuntu
        DISTRIB_RELEASE=13.04
        DISTRIB_CODENAME=raring
        DISTRIB_DESCRIPTION="Ubuntu 13.04"
     ❖ RedHat/CentOS: cat /etc/redhat-release
        CentOS release 5 (Final)
  10. Exploit - Get the File on the Server
     ❖ Any means available: curl/wget, netcat, FTP, SCP/SFTP, SMB, TFTP
     ❖ Copy/paste - for source code
     ❖ DNS TXT records - for source code
  11. Exploit - Where To Hide It?
     ❖ Directories starting with a '.' are hidden on the Linux filesystem
        /tmp/.nothinghere/exploit.c
        /tmp/…/exploit.c
     ❖ Verify you can run commands from your directory: check the mount flags, since a noexec mount will refuse to run binaries placed there
        mount
        /dev/vda3 on /tmp type ext4 (rw,noexec)
  12. Exploit - ID Build System
     ❖ gcc -v
        Using built-in specs.
        COLLECT_GCC=gcc
        Target: i686-linux-gnu
        Configured with: ../src/configure …
        gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1)
     ❖ python -V
        Python 2.4.3
  13. Exploit - ID Build System
     ❖ gcc -v
        -bash: gcc: command not found
     ❖ Common on servers
     ❖ python -V
        -bash: /usr/bin/python: No such file or directory
     ❖ RARE
  14. Exploit - Building The Exploit
     ❖ Most exploits have build directions in the headers
     ❖ Most common method:
        gcc exploit.c -o exploit
        ./exploit
  15. Exploit - Build Locally
     ❖ If gcc is not present, build a VM or VPS with the exact matching kernel and OS (ex. Ubuntu 13.10 with kernel 3.8.0-19-generic)
     ❖ Once built on your local system, move the compiled exploit to the target system
     ❖ WARNING: This is not the preferred method and can have unexpected results… but will work in a pinch
  16. Demo: CVE-2009-2692 - sock_sendpage() exploit
     https://www.youtube.com/watch?v=65w7ROFbdqc
  17. Method 2: SetUID / SetGID
  18. SetUID and SetGID
     ❖ SetUID - set user ID upon execution
     ❖ SetGID - set group ID upon execution
     ❖ Allows you to run a program as another user upon execution
     ❖ Generally executed as an elevated-privilege user (root)
  19. SetUID Risks
     ❖ Binaries run with elevated privileges can access privileged information
     ❖ SetUID on 'ls' will allow you to list directories you otherwise wouldn't have rights to
     ❖ SetUID on 'vim' will allow you to edit files you otherwise wouldn't have rights to
  20. SetUID Risks
     ❖ Buffer overflow exploits on SetUID applications will result in the attacker running code with elevated privileges
  21. Find SetUID
     ❖ ls -l /bin/ls
        -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls
        dir:owner:group:world (the fields of the permission string)
     ❖ ls -al /bin/ping
        -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
        (the 's' in the owner and group execute positions marks SetUID and SetGID)
  22. Find SetUID
     ❖ sudo find / -xdev \( -perm -4000 \) -type f -print0 -exec ls -l {} \;
     ❖ note: sudo is not required, you just won't be able to check directories you don't have permission to read
  23. Exploiting SetUID
     ❖ Use the functionality of the tool in unintended ways for elevated privileges (more on this idea later)
     ❖ Find an application that has a public exploit or start fuzzing on your own
     ❖ Command injection
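A defender-side counterpart to the find command on slide 22, added here and not part of the talk: record the setuid/setgid inventory once, then diff later runs against it so a new or re-moded privileged binary stands out, with a louder tag when it sits under a user-writable tree such as the /tmp hiding spot from slide 11. Both inventories below are constructed; the find invocation in the comment is how they would be produced on a real host.

```shell
#!/bin/sh
# Added detection helper, not from the talk: diff a host's setuid/setgid
# inventory against a recorded baseline so new or altered entries stand out.
# On a real host both lists come from GNU find, e.g.:
#   find / -xdev -perm /6000 -type f -printf '%m %u %g %p\n' | sort
# The two inventories below are constructed for the demo.

# Baseline recorded when the host was built: "mode owner group path".
BASELINE='4755 root root /bin/ping
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root shadow /usr/bin/chage'

# Later inventory: chage has gained the setuid bit, and a setuid copy of a
# shell has appeared in a hidden /tmp directory (slide 11's hiding spot).
CURRENT='4755 root root /bin/ping
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
6755 root shadow /usr/bin/chage
4755 root root /tmp/.nothinghere/sh'

# Arguments: baseline text, current text. Prints "<tag><TAB><entry>" for
# every current entry not found verbatim in the baseline: CHANGED when the
# path was known but mode/owner differ, NEW otherwise, with a louder tag
# for trees any user can write to, where no privileged binary belongs.
setuid_drift() {
    printf '%s\n' "$2" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$1" | grep -Fxq -- "$entry" && continue
        path=${entry##* }
        if printf '%s\n' "$1" | awk -v p="$path" '$4 == p { f = 1 } END { exit !f }'; then
            tag='CHANGED mode/owner'
        else
            case "$path" in
                /tmp/*|/var/tmp/*|/dev/shm/*|/home/*) tag='NEW (user-writable tree)' ;;
                *) tag='NEW' ;;
            esac
        fi
        printf '%s\t%s\n' "$tag" "$entry"
    done
}

# Demo run on the constructed inventories; on a real host, feed the saved
# baseline file and a fresh find run instead.
setuid_drift "$BASELINE" "$CURRENT"
```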
  24. Method 3: Permissive SUDO
  25. SUDO
     ❖ su do
     ❖ note: su does not mean SuperUser, it's Substitute User
     ❖ Allows you to run commands as an elevated user with the user's own password rather than the root (or other privileged) password
  26. /etc/sudoers
     ❖ Config file for sudo
     ❖ Limits what users and groups can run what commands
     ❖ ex:
        root    ALL=(ALL:ALL) ALL
        %sudo   ALL=(ALL) NOPASSWD:ALL
  27. /etc/sudoers
     ❖ Can allow for very granular configurations
        User_Alias  FULLTIMERS = millert, mikef, dowdy
        Host_Alias  SERVERS = master, mail, www, ns
        Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown
        Cmnd_Alias  REBOOT = /usr/sbin/reboot
        FULLTIMERS  ALL = NOPASSWD: ALL
        mikef       ALL, !SERVERS = ALL
  28. Concerns
     ❖ With great power comes great responsibility
     ❖ sudo will allow you to shoot yourself in the foot
     ❖ THINK about the commands you allow via sudo
  29. Problems?
     ❖ Why are these commands an issue?
     ❖ vi/vim
     ❖ more/less/cat
     ❖ echo
     ❖ nmap
  30. Demo (similar issue): http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
  31. Method 4: PATH issues
  32. Linux PATH
     ❖ An environment variable that contains the locations of executables, searched in order
     ❖ printenv
        PATH=/usr/local/rvm/gems/ruby-1.9.3-p448/bin:/usr/local/rvm/gems/ruby-1.9.3-p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3-p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  33. Linux PATH
     ❖ ruby -v
        ruby 1.9.3p448 (2013-06-27 revision 41675) [i686-linux]
     ❖ which ruby
        /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby
  34. Linux PATH Issues
     ❖ What would happen if '.' was prepended to the path?
     ❖ Where would it look for ruby first?
     ❖ What if a script was calling ruby?
     ❖ As root…
  35. Attack Path Example
     ❖ Lazy sysadmin has '.' in his path
     ❖ Email the admin and say you can't list the files in your home dir
     ❖ Admin logs in as root (he's lazy, remember)
     ❖ Make a bash script called 'ls' that sends a reverse shell and hides itself from the admin
     ❖ Admin goes to your home dir and runs ls
     ❖ Shellz
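Added check, not from the talk, for the misconfiguration slides 34 and 35 build on: it walks a PATH value in lookup order and reports entries that resolve to the current directory ('.', a relative path, or an empty entry, which the shell also treats as the current directory) or to a world-writable directory. The sample PATH values are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the talk: report PATH entries that make a
# command name such as "ls" resolve to a file in the current directory or
# in a directory other users can write to. Sample PATH values are constructed.

# Argument: a PATH string. Prints "<position>\t<entry>\t<reason>" for each
# risky entry in lookup order; returns 1 if anything was flagged, else 0.
audit_path() {
    rest="$1:"                     # trailing ':' sentinel keeps empty entries
    pos=0 flagged=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        pos=$((pos + 1))
        reason=
        case "$entry" in
            ''|.|./*) reason='current directory' ;;
            /*) # absolute: risky only if any user can drop a file into it
                if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    reason='world-writable directory'
                fi ;;
            *)  reason='relative to current directory' ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$pos" "$entry" "$reason"
            flagged=1
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Constructed demo values: slide 35's admin with '.' first, an empty entry
# (which the shell also treats as the current directory), a /tmp entry,
# and a clean PATH. On a real host: audit_path "$PATH"
for p in '.:/usr/local/bin:/usr/bin:/bin' '/usr/bin::/bin' \
         '/usr/bin:/tmp' '/usr/local/bin:/usr/bin:/bin'; do
    printf 'PATH=%s\n' "$p"
    audit_path "$p" || :           # nonzero just means something was flagged
done
```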
  36. Demo: ls reverse shell
  37. AIDE 2014 - Questions?
     e: elliott.cutright@gmail.com
     t: @nullthreat
