Questions and Answers
What is the purpose of GTFOBins?
Which command is used for searching exploits based on kernel version?
Which of the following tools is not listed as a method for Linux privilege escalation?
What can be found in the /etc/passwd file in some older Linux versions?
What is the command for suggesting kernel version exploits for Linux?
What type of shell limits the default capabilities of a regular shell?
Which of the following commands can be used to read the /etc/shadow file?
What does editing the shadow file allow you to manipulate?
What command can be used to enumerate the current shell being used?
Which command is used to find SUID and SGID executables in the Linux file system?
To enumerate system users, which command should be executed?
Which command is NOT useful for enumerating services on a Linux system?
How would you enumerate the version of a specific program on a Linux system?
What command would you use to check the version of bash installed on the system?
Which command is used to enumerate Sudo version information?
Which command would you use to search for files that are likely backup files?
What command allows you to enumerate the environment variables that may not have been reset?
Which command could be employed to find hidden files in the system?
What is the main purpose of using LD_PRELOAD in a C program execution?
What happens during the execution of a C program when LD_PRELOAD is set to a malicious library?
In the context of LD_PRELOAD, what does the function _init() commonly signify?
Where can shared libraries typically be found in a Linux system?
Why is the environment variable LD_LIBRARY_PATH significant?
Which command is used to compile a shared library in the provided context?
What does the command 'sudo LD_PRELOAD=Malicious_lib.so' achieve?
Which security feature is related to the command 'Defaults env_reset' in the context of sudo?
What command is used to generate a password using SHA-512 hashing?
Which command can be used to edit the /etc/passwd file with an empty password?
What does the command 'sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh' allow a user to do?
What is a technique to leverage SUID/SGID binaries for privilege escalation?
In the context of credential hunting, which service is mentioned as storing credentials in configuration files?
Which of the following commands is used to search for processes related to the authenticator?
What file format must a shared object file have to be used in object injection?
What is the purpose of the LD_PRELOAD environment variable?
Which command can be used to brute force a sudo password?
What is the main goal of the object injection technique?
What does utilizing gcore allow a user to do during a process dump?
Which command is used to compile a C program into a shared object?
What is a potential outcome of process memory searching techniques?
What is the initial step in leveraging PATH manipulation for privilege escalation?
What is the primary use of the LD_LIBRARY_PATH environment variable?
Which command is used to enumerate the shared libraries used by a command?
What is the purpose of the function 'hijack' in the provided malicious code sample?
What file extension do the shared libraries typically have in Linux?
Which command compiles a new shared library from source code?
What happens when you run 'sudo LD_LIBRARY_PATH=/tmp executable'?
What is a common vulnerability when dealing with Python scripts run as root?
What is the intended outcome of the command 'echo "/bin/bash" >> /usr/bin/rotexec'?
Which technique is NOT mentioned for privilege escalation?
What does 'CVE' stand for in the context of local privilege escalation?
Study Notes
Introduction
- Privilege escalation is obtaining higher-level access rights within a system.
- Linux privilege escalation requires an understanding of Linux users, file systems, and permissions.
Enumeration
- Manual enumeration encompasses gathering information about the target system and its potential vulnerabilities.
- Kernel version: uname -a
- Sudo version: sudo -V
- System users: cat /etc/passwd | cut -d ":" -f 1
- System groups: cat /etc/group | cut -d ":" -f 1
- Running services: netstat -anlp or netstat -ano
- Root processes: ps aux | grep root
- Root crontab: cat /etc/crontab | grep 'root'
- Binary version: program -v, program --version, program -V, or dpkg -l | grep "program"
- Shells: cat /etc/shells
- Current shell: echo $SHELL
- Shell version: /bin/bash --version
- Sudo rights: sudo -l
- SUID/SGID executables: find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
- Unreset environment variables (env_keep entries in the sudo policy): sudo -l
- Backup files: find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null
- Databases: find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null
- Hidden files: find / -type f -iname ".*" -ls 2>/dev/null
- Programming languages: which python, which perl, which ruby, which lua
- Automated Enumeration tools like LinEnum, LinPeas, and linuxprivchecker can streamline the process of gathering information.
Exploitation
- Kernel Version Exploits: tools like linux-exploit-suggester.sh or searchsploit locate exploits for kernel vulnerabilities. GitHub searches can also find exploits for specific kernel versions.
- Sudo Version Exploits: use searchsploit or GitHub searches to identify vulnerabilities specific to the installed sudo version.
- Weak Permissions: exploiting weak permissions allows an attacker to gain access to sensitive files. Reading /etc/shadow can provide password hashes, which might be crackable. Reading /etc/passwd can reveal password hashes in older Linux configurations.
- Editing Executables: an executable that can be run with sudo rights and is writable can be overwritten to spawn a shell or execute malicious code.
- Credential Hunting: services can have insecure password storage practices, such as plain-text configuration files. Analyze backup files and command history for potential password compromises.
Docker and LXD Privilege Escalation
- Docker and LXD can be vulnerable to privilege escalation by allowing an attacker to mount and edit host files within containers.
Binaries Exploitation
- SUID/SGID Binaries: chmod u+s file.sh grants any user the ability to execute the file as its owner; chmod g+s file.sh grants any user the ability to execute the file as its owner group.
- Automatically Executed Binaries: programs run as root through cron jobs or system services can be exploited.
- Sub-executables: examine the main program with strings or cat to locate the sub-executables it calls.
- Exploiting Binaries:
- Path manipulation: add a new path to the system search path for executables.
- Object Injection: replace existing shared library files with malicious files.
- LD_PRELOAD: leverage the LD_PRELOAD environment variable to load a malicious library before program execution.
- LD_LIBRARY_PATH: use LD_LIBRARY_PATH to manipulate the shared library search path.
LD_LIBRARY_PATH
- LD_LIBRARY_PATH is a Linux environment variable used to change the default path for loading shared libraries.
- Shared libraries are files with the extension ".so" that are loaded into memory when a compiled C program needs them.
- These libraries are located in system directories like /var/lib, /usr/x86_64-linux-gnux32/lib64/l, /usr/lib32, /usr/lib64, and /usr/lib.
- By setting LD_LIBRARY_PATH, you can specify custom paths to load libraries from.
- This allows you to override system default libraries or use libraries from different locations.
- For example, you can use LD_LIBRARY_PATH to point to a directory containing a custom library with the same name as a system library, potentially creating a malicious environment.
Enumerating Called Shared Libraries
- The ldd command lists the shared libraries a program depends on.
- The command takes the path of the executable as an argument: ldd /command_path
- ldd outputs the library names and their locations on the system.
Creating Malicious Shared Libraries
- A malicious shared library can be created to hijack program execution and potentially gain privileges.
- The hijack() function within the library can be declared with the __attribute__((constructor)) attribute to ensure it is executed when the library is loaded.
- The hijack() function could unset the LD_LIBRARY_PATH environment variable and call setresuid(0,0,0) to elevate privileges to root.
- You can create a malicious library file by compiling a C file containing this code with the gcc compiler using the -shared and -fPIC flags.
Python Module Hijacking
- If you know the name of a Python module used by a vulnerable script, you can create a malicious Python file with the same name.
- By placing this file in the same directory as the script, Python will load your malicious module instead of the original one.
- In your malicious module, you can spawn a shell or perform other malicious actions.
Other Exploits
- You can use file overwriting to replace an executable with a shell script.
- Exploiting GTFOBins: search GTFOBins for shell spawning and privilege escalation techniques.
- CVE Search: use tools like Metasploit and searchsploit to find and exploit local privilege escalation vulnerabilities.
- Manual Methods: Use techniques like reverse engineering, reading files, and using strings to identify potential privilege escalation opportunities.
- Overflow Testing: Identify and exploit buffer overflows in programs to gain control of the process.
- Code Review: Look for potential vulnerabilities like OS command injection and buffer overflows in source code.
- Executable Full Path Exploits: This could involve exploiting issues with Bash versions or using the executable's full path to manipulate the execution environment.
Description
This quiz focuses on the methods and commands used for Linux privilege escalation. Understand key concepts related to user permissions, file systems, and enumeration techniques crucial for obtaining higher-level access rights within a Linux system.