Linux Privilege Escalation Techniques

Questions and Answers

PDF Questions PDF Answers

What is the purpose of GTFOBins?

To collect system commands for restricted shells

To automate privilege escalation in Linux

To suggest kernel version exploits

To provide a list of Unix binaries that bypass local security restrictions (correct)

Which command is used for searching exploits based on kernel version?

LinPeas.sh

LinEnum.sh

Crack The Shadow

searchsploit kernel 5.1.0 (correct)

Which of the following tools is not listed as a method for Linux privilege escalation?

LinEnum

password-cracking tools (correct)

GitHub search

LinPeas

What can be found in the /etc/passwd file in some older Linux versions?

User accounts and password hashes

What is the command for suggesting kernel version exploits for Linux?

./linux-exploit-suggester.sh -k 5.1.0

What type of shell limits the default capabilities of a regular shell?

Restricted shell

Which of the following commands can be used to read the /etc/shadow file?

Crack The Shadow

What does editing the shadow file allow you to manipulate?

User password hashes

What command can be used to enumerate the current shell being used?

echo $SHELL

Which command is used to find SUID and SGID executables in the Linux file system?

find / -type f -a -perm -u+s -o -perm -g+s

To enumerate system users, which command should be executed?

cat /etc/passwd | cut -d ':' -f 1

Which command is NOT useful for enumerating services on a Linux system?

cat /etc/group

How would you enumerate the version of a specific program on a Linux system?

program -v

What command would you use to check the version of bash installed on the system?

/bin/bash --version

Which command is used to enumerate Sudo version information?

sudo -V

Which command would you use to search for files that are likely backup files?

find / -name 'backup'

What command allows you to enumerate the environment variables that may not have been reset?

sudo -l

Which command could be employed to find hidden files in the system?

find / -type f -iname '.*'

What is the main purpose of using LD_PRELOAD in a C program execution?

To specify which libraries should be loaded before executing an application

What happens during the execution of a C program when LD_PRELOAD is set to a malicious library?

The specified malicious function gets executed before the program's main code.

In the context of LD_PRELOAD, what does the function _init() commonly signify?

A function executed when the library is loaded.

Where can shared libraries typically be found in a Linux system?

/var/lib

Why is the environment variable LD_LIBRARY_PATH significant?

It defines the directories where shared libraries can be found.

Which command is used to compile a shared library in the provided context?

gcc -fPIC -shared -o pe.so pe.c

What does the command 'sudo LD_PRELOAD=Malicious_lib.so' achieve?

It allows execution of the command with elevated privileges while using the specified library.

Which security feature is related to the command 'Defaults env_reset' in the context of sudo?

It deletes all environment variables before command execution.

What command is used to generate a password using SHA-512 hashing?

mkpasswd -m SHA-512 hacker

Which command can be used to edit the /etc/passwd file with an empty password?

echo 'user::0:0::/root:/bin/bash' >> /etc/passwd

What does the command 'sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh' allow a user to do?

Mount the host's filesystem into the Docker container

What is a technique to leverage SUID/SGID binaries for privilege escalation?

Setting up a cron job to execute the binary

In the context of credential hunting, which service is mentioned as storing credentials in configuration files?

MySQL

Which of the following commands is used to search for processes related to the authenticator?

ps -ef | grep 'authenticator'

What file format must a shared object file have to be used in object injection?

.so

What is the purpose of the LD_PRELOAD environment variable?

To load malicious libraries before executing a command

Which command can be used to brute force a sudo password?

./suBF.sh -u root -w passwords.txt -t 0.5 -s 0.003

What is the main goal of the object injection technique?

To execute arbitrary code with elevated privileges

What does utilizing gcore allow a user to do during a process dump?

Capture the core dump of a running process

Which command is used to compile a C program into a shared object?

gcc -shared -o output.so source.c

What is a potential outcome of process memory searching techniques?

Extracting sensitive credentials from memory

What is the initial step in leveraging PATH manipulation for privilege escalation?

Exporting a new PATH

What is the primary use of the LD_LIBRARY_PATH environment variable?

To manipulate the default path to load shared libraries

Which command is used to enumerate the shared libraries used by a command?

ldd /command_path

What is the purpose of the function 'hijack' in the provided malicious code sample?

To escalate privileges and spawn a new shell

What file extension do the shared libraries typically have in Linux?

.so

Which command compiles a new shared library from source code?

gcc -o /tmp/lib.so -shared -fPIC /newpath/lib.c

What happens when you run 'sudo LD_LIBRARY_PATH=/tmp executable'?

It runs the executable using libraries from /tmp

What is a common vulnerability when dealing with Python scripts run as root?

Modules can be hijacked by creating files with the same name

What is the intended outcome of the command 'echo "/bin/bash" >> /usr/bin/rotexec'?

To append a command to execute bash from rotexec

Which technique is NOT mentioned for privilege escalation?

Using remote server exploits

What does 'CVE' stand for in the context of local privilege escalation?

Common Vulnerabilities and Exposures

Study Notes

Introduction

• Privilege escalation is obtaining higher-level access rights within a system.
• Linux privilege escalation requires an understanding of Linux users, file systems, and permissions.

Enumeration

• Manual Enumeration encompasses gathering information about target systems and potential vulnerabilities.
  • Kernel version: uname -a
  • Sudo version: sudo -V
  • System users: cat /etc/passwd | cut -d ":" -f 1
  • System groups: cat /etc/group | cut -d ":" -f 1
  • Running services: netstat -anlp or netstat -ano
  • Root processes: ps aux | grep root
  • Root Crontab: cat /etc/crontab | grep 'root'
  • Binary version: program -v, program --version, program -V, or dpkg -l | grep "program"
  • Shells: cat /etc/shells
  • Current shell: echo $SHELL
  • Shell version: /bin/bash --version
  • Sudo rights: sudo -l
  • SUID/SGID executables: find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
  • Unreset environment variables: sudo -l
  • Backup files: find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null
  • Databases: find / -name '.db' -o -name '.sqlite' -o -name '*.sqlite3' 2>/dev/null
  • Hidden files: find / -type f -iname ".*" -ls 2>/dev/null
  • Programming languages: which python, which perl, which ruby, which lua0
• Automated Enumeration tools like LinEnum, LinPeas, and linuxprivchecker can streamline the process of gathering information.

Exploitation

• Kernel Version Exploits
  • Tools like linux-exploit-suggester.sh or searchsploit locate and exploit kernel vulnerabilities.
  • GitHub searches can also find exploit attempts for specific kernel versions.
• Sudo Version Exploits
  • Use searchsploit or GitHub searches to identify and exploit vulnerabilities specific to installed sudo versions.
• Weak Permissions
  • Exploiting weak permissions allows an attacker to gain access to sensitive files.
  • Reading /etc/shadow can provide password hashes, which might be crackable.
  • Reading /etc/passwd can reveal password hashes in older Linux configurations.
• Editing Executables
  • Modifying executables with sudo rights can be achieved by overriding them to spawn a shell or execute malicious code.
• Credential Hunting
  • Services can have insecure password storage practices, such as plain-text configurations.
  • Analyze backup files and command history for potential password compromises.

Docker and LXD Privilege Escalation

• Docker and LXD can be vulnerable to privilege escalation by allowing an attacker to mount and edit host files within containers.

Binaries Exploitation

• SUID/SGID Binaries:
  • chmod u+s file.sh grants any user the ability to execute the script as the owner.
  • chmod g+s file.sh grants any user the ability to execute the script as the owner group.
• Automatically Executed Binaries:
  • Programs run as root, through cronjobs, or system services can be exploited.
• Sub-executables:
  • Examine the main program for strings or use cat to locate and exploit sub-executables.
• Exploiting Binaries:
  • Path manipulation: Add a new path to the system search path for executables.
  • Object Injection: Replace existing shared library files with malicious files.
  • LD_PRELOAD: Leverage LD_PRELOAD environment variables to load malicious libraries before program execution.
  • LD_LIBRARY_PATH: Use LD_LIBRARY_PATH to manipulate the shared library search path.

LD_LIBRARY_PATH

• LD_LIBRARY_PATH is a Linux environment variable used to manipulate the default path for loading shared libraries.
• Shared libraries are files with the extension ".so" that are loaded into memory when a C compiled program needs them.
• These libraries are located in system directories like /var/lib, /usr/x86_64-linux-gnux32/lib64/l, /usr/lib32, /usr/lib64, and /usr/lib.
• By setting LD_LIBRARY_PATH, you can specify custom paths to load libraries from.
• This allows you to override system default libraries or use libraries from different locations.
• For example, you can use LD_LIBRARY_PATH to point to a directory containing a custom library with the same name as a system library, potentially creating a malicious environment.

Enumerating Called Shared Libraries

• The ldd command can be used to list the shared libraries a program depends on.
• The command takes the path of the executable as an argument. ldd /command_path.
• ldd outputs the library names and their locations on the system.

Creating Malicious Shared Libraries

• A malicious shared library can be created to hijack program execution and potentially gain privileges.
• The hijack() function within the library can be defined with the __attribute__((constructor)) flag to ensure it's executed when the library is loaded.
• The hijack() function could unset the LD_LIBRARY_PATH environment variable, and use setresuid(0,0,0) to elevate privileges to root.
• You can create a malicious library file by compiling a C file containing this code using the gcc compiler with -shared and -fPIC flags.

Python Module Hijacking

• If you know the name of a Python module used by a vulnerable script, you can create a malicious Python file with the same name.
• By placing this file in the same directory as the script, Python will load your malicious module instead of the original one.
• In your malicious module, you can spawn a shell or perform other malicious actions.

Other Exploits

• You can use file overwriting to replace an executable with a shell script.
• Exploiting GitFoBins: search for shell spawning and privilege escalation techniques in GitFoBins.
• CVE Search: Use tools like metasploit and searchsploit to find and exploit local privilege escalation vulnerabilities.
• Manual Methods: Use techniques like reverse engineering, reading files, and using strings to identify potential privilege escalation opportunities.
• Overflow Testing: Identify and exploit buffer overflows in programs to gain control of the process.
• Code Review: Look for potential vulnerabilities like OS command injection and buffer overflows in source code.
• Executable Full Path Exploits: This could involve exploiting issues with Bash versions or using the executable's full path to manipulate the execution environment.

Description

This quiz focuses on the methods and commands used for Linux privilege escalation. Understand key concepts related to user permissions, file systems, and enumeration techniques crucial for obtaining higher-level access rights within a Linux system.