Linux Privilege Escalation Techniques
50 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the purpose of GTFOBins?

  • To collect system commands for restricted shells
  • To automate privilege escalation in Linux
  • To suggest kernel version exploits
  • To provide a list of Unix binaries that bypass local security restrictions (correct)
  • Which command is used for searching exploits based on kernel version?

  • LinPeas.sh
  • LinEnum.sh
  • Crack The Shadow
  • searchsploit kernel 5.1.0 (correct)
  • Which of the following tools is not listed as a method for Linux privilege escalation?

  • LinEnum
  • password-cracking tools (correct)
  • GitHub search
  • LinPeas
  • What can be found in the /etc/passwd file in some older Linux versions?

    <p>User accounts and password hashes</p> Signup and view all the answers

    What is the command for suggesting kernel version exploits for Linux?

    <p>./linux-exploit-suggester.sh -k 5.1.0</p> Signup and view all the answers

    What type of shell limits the default capabilities of a regular shell?

    <p>Restricted shell</p> Signup and view all the answers

    Which of the following commands can be used to read the /etc/shadow file?

    <p>Crack The Shadow</p> Signup and view all the answers

    What does editing the shadow file allow you to manipulate?

    <p>User password hashes</p> Signup and view all the answers

    What command can be used to enumerate the current shell being used?

    <p>echo $SHELL</p> Signup and view all the answers

    Which command is used to find SUID and SGID executables in the Linux file system?

    <p>find / -type f -a -perm -u+s -o -perm -g+s</p> Signup and view all the answers

    To enumerate system users, which command should be executed?

    <p>cat /etc/passwd | cut -d ':' -f 1</p> Signup and view all the answers

    Which command is NOT useful for enumerating services on a Linux system?

    <p>cat /etc/group</p> Signup and view all the answers

    How would you enumerate the version of a specific program on a Linux system?

    <p>program -v</p> Signup and view all the answers

    What command would you use to check the version of bash installed on the system?

    <p>/bin/bash --version</p> Signup and view all the answers

    Which command is used to enumerate Sudo version information?

    <p>sudo -V</p> Signup and view all the answers

    Which command would you use to search for files that are likely backup files?

    <p>find / -name '<em>backup</em>'</p> Signup and view all the answers

    What command allows you to enumerate the environment variables that may not have been reset?

    <p>sudo -l</p> Signup and view all the answers

    Which command could be employed to find hidden files in the system?

    <p>find / -type f -iname '.*'</p> Signup and view all the answers

    What is the main purpose of using LD_PRELOAD in a C program execution?

    <p>To specify which libraries should be loaded before executing an application</p> Signup and view all the answers

    What happens during the execution of a C program when LD_PRELOAD is set to a malicious library?

    <p>The specified malicious function gets executed before the program's main code.</p> Signup and view all the answers

    In the context of LD_PRELOAD, what does the function _init() commonly signify?

    <p>A function executed when the library is loaded.</p> Signup and view all the answers

    Where can shared libraries typically be found in a Linux system?

    <p>/var/lib</p> Signup and view all the answers

    Why is the environment variable LD_LIBRARY_PATH significant?

    <p>It defines the directories where shared libraries can be found.</p> Signup and view all the answers

    Which command is used to compile a shared library in the provided context?

    <p>gcc -fPIC -shared -o pe.so pe.c</p> Signup and view all the answers

    What does the command 'sudo LD_PRELOAD=Malicious_lib.so' achieve?

    <p>It allows execution of the command with elevated privileges while using the specified library.</p> Signup and view all the answers

    Which security feature is related to the command 'Defaults env_reset' in the context of sudo?

    <p>It deletes all environment variables before command execution.</p> Signup and view all the answers

    What command is used to generate a password using SHA-512 hashing?

    <p>mkpasswd -m SHA-512 hacker</p> Signup and view all the answers

    Which command can be used to edit the /etc/passwd file with an empty password?

    <p>echo 'user::0:0::/root:/bin/bash' &gt;&gt; /etc/passwd</p> Signup and view all the answers

    What does the command 'sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh' allow a user to do?

    <p>Mount the host's filesystem into the Docker container</p> Signup and view all the answers

    What is a technique to leverage SUID/SGID binaries for privilege escalation?

    <p>Setting up a cron job to execute the binary</p> Signup and view all the answers

    In the context of credential hunting, which service is mentioned as storing credentials in configuration files?

    <p>MySQL</p> Signup and view all the answers

    Which of the following commands is used to search for processes related to the authenticator?

    <p>ps -ef | grep 'authenticator'</p> Signup and view all the answers

    What file format must a shared object file have to be used in object injection?

    <p>.so</p> Signup and view all the answers

    What is the purpose of the LD_PRELOAD environment variable?

    <p>To load malicious libraries before executing a command</p> Signup and view all the answers

    Which command can be used to brute force a sudo password?

    <p>./suBF.sh -u root -w passwords.txt -t 0.5 -s 0.003</p> Signup and view all the answers

    What is the main goal of the object injection technique?

    <p>To execute arbitrary code with elevated privileges</p> Signup and view all the answers

    What does utilizing gcore allow a user to do during a process dump?

    <p>Capture the core dump of a running process</p> Signup and view all the answers

    Which command is used to compile a C program into a shared object?

    <p>gcc -shared -o output.so source.c</p> Signup and view all the answers

    What is a potential outcome of process memory searching techniques?

    <p>Extracting sensitive credentials from memory</p> Signup and view all the answers

    What is the initial step in leveraging PATH manipulation for privilege escalation?

    <p>Exporting a new PATH</p> Signup and view all the answers

    What is the primary use of the LD_LIBRARY_PATH environment variable?

    <p>To manipulate the default path to load shared libraries</p> Signup and view all the answers

    Which command is used to enumerate the shared libraries used by a command?

    <p>ldd /command_path</p> Signup and view all the answers

    What is the purpose of the function 'hijack' in the provided malicious code sample?

    <p>To escalate privileges and spawn a new shell</p> Signup and view all the answers

    What file extension do the shared libraries typically have in Linux?

    <p>.so</p> Signup and view all the answers

    Which command compiles a new shared library from source code?

    <p>gcc -o /tmp/lib.so -shared -fPIC /newpath/lib.c</p> Signup and view all the answers

    What happens when you run 'sudo LD_LIBRARY_PATH=/tmp executable'?

    <p>It runs the executable using libraries from /tmp</p> Signup and view all the answers

    What is a common vulnerability when dealing with Python scripts run as root?

    <p>Modules can be hijacked by creating files with the same name</p> Signup and view all the answers

    What is the intended outcome of the command 'echo "/bin/bash" >> /usr/bin/rotexec'?

    <p>To append a command to execute bash from rotexec</p> Signup and view all the answers

    Which technique is NOT mentioned for privilege escalation?

    <p>Using remote server exploits</p> Signup and view all the answers

    What does 'CVE' stand for in the context of local privilege escalation?

    <p>Common Vulnerabilities and Exposures</p> Signup and view all the answers

    Study Notes

    Introduction

    • Privilege escalation is obtaining higher-level access rights within a system.
    • Linux privilege escalation requires an understanding of Linux users, file systems, and permissions.

    Enumeration

    • Manual Enumeration encompasses gathering information about target systems and potential vulnerabilities.
      • Kernel version: uname -a
      • Sudo version: sudo -V
      • System users: cat /etc/passwd | cut -d ":" -f 1
      • System groups: cat /etc/group | cut -d ":" -f 1
      • Running services: netstat -anlp or netstat -ano
      • Root processes: ps aux | grep root
      • Root Crontab: cat /etc/crontab | grep 'root'
      • Binary version: program -v, program --version, program -V, or dpkg -l | grep "program"
      • Shells: cat /etc/shells
      • Current shell: echo $SHELL
      • Shell version: /bin/bash --version
      • Sudo rights: sudo -l
      • SUID/SGID executables: find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
      • Unreset environment variables: sudo -l
      • Backup files: find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null
      • Databases: find / -name '.db' -o -name '.sqlite' -o -name '*.sqlite3' 2>/dev/null
      • Hidden files: find / -type f -iname ".*" -ls 2>/dev/null
      • Programming languages: which python, which perl, which ruby, which lua0
    • Automated Enumeration tools like LinEnum, LinPeas, and linuxprivchecker can streamline the process of gathering information.

    Exploitation

    • Kernel Version Exploits
      • Tools like linux-exploit-suggester.sh or searchsploit locate and exploit kernel vulnerabilities.
      • GitHub searches can also find exploit attempts for specific kernel versions.
    • Sudo Version Exploits
      • Use searchsploit or GitHub searches to identify and exploit vulnerabilities specific to installed sudo versions.
    • Weak Permissions
      • Exploiting weak permissions allows an attacker to gain access to sensitive files.
      • Reading /etc/shadow can provide password hashes, which might be crackable.
      • Reading /etc/passwd can reveal password hashes in older Linux configurations.
    • Editing Executables
      • Modifying executables with sudo rights can be achieved by overriding them to spawn a shell or execute malicious code.
    • Credential Hunting
      • Services can have insecure password storage practices, such as plain-text configurations.
      • Analyze backup files and command history for potential password compromises.

    Docker and LXD Privilege Escalation

    • Docker and LXD can be vulnerable to privilege escalation by allowing an attacker to mount and edit host files within containers.

    Binaries Exploitation

    • SUID/SGID Binaries:
      • chmod u+s file.sh grants any user the ability to execute the script as the owner.
      • chmod g+s file.sh grants any user the ability to execute the script as the owner group.
    • Automatically Executed Binaries:
      • Programs run as root, through cronjobs, or system services can be exploited.
    • Sub-executables:
      • Examine the main program for strings or use cat to locate and exploit sub-executables.
    • Exploiting Binaries:
      • Path manipulation: Add a new path to the system search path for executables.
      • Object Injection: Replace existing shared library files with malicious files.
      • LD_PRELOAD: Leverage LD_PRELOAD environment variables to load malicious libraries before program execution.
      • LD_LIBRARY_PATH: Use LD_LIBRARY_PATH to manipulate the shared library search path.

    LD_LIBRARY_PATH

    • LD_LIBRARY_PATH is a Linux environment variable used to manipulate the default path for loading shared libraries.
    • Shared libraries are files with the extension ".so" that are loaded into memory when a C compiled program needs them.
    • These libraries are located in system directories like /var/lib, /usr/x86_64-linux-gnux32/lib64/l, /usr/lib32, /usr/lib64, and /usr/lib.
    • By setting LD_LIBRARY_PATH, you can specify custom paths to load libraries from.
    • This allows you to override system default libraries or use libraries from different locations.
    • For example, you can use LD_LIBRARY_PATH to point to a directory containing a custom library with the same name as a system library, potentially creating a malicious environment.

    Enumerating Called Shared Libraries

    • The ldd command can be used to list the shared libraries a program depends on.
    • The command takes the path of the executable as an argument. ldd /command_path.
    • ldd outputs the library names and their locations on the system.

    Creating Malicious Shared Libraries

    • A malicious shared library can be created to hijack program execution and potentially gain privileges.
    • The hijack() function within the library can be defined with the __attribute__((constructor)) flag to ensure it's executed when the library is loaded.
    • The hijack() function could unset the LD_LIBRARY_PATH environment variable, and use setresuid(0,0,0) to elevate privileges to root.
    • You can create a malicious library file by compiling a C file containing this code using the gcc compiler with -shared and -fPIC flags.

    Python Module Hijacking

    • If you know the name of a Python module used by a vulnerable script, you can create a malicious Python file with the same name.
    • By placing this file in the same directory as the script, Python will load your malicious module instead of the original one.
    • In your malicious module, you can spawn a shell or perform other malicious actions.

    Other Exploits

    • You can use file overwriting to replace an executable with a shell script.
    • Exploiting GitFoBins: search for shell spawning and privilege escalation techniques in GitFoBins.
    • CVE Search: Use tools like metasploit and searchsploit to find and exploit local privilege escalation vulnerabilities.
    • Manual Methods: Use techniques like reverse engineering, reading files, and using strings to identify potential privilege escalation opportunities.
    • Overflow Testing: Identify and exploit buffer overflows in programs to gain control of the process.
    • Code Review: Look for potential vulnerabilities like OS command injection and buffer overflows in source code.
    • Executable Full Path Exploits: This could involve exploiting issues with Bash versions or using the executable's full path to manipulate the execution environment.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    Linux Privilege Escalation PDF

    Description

    This quiz focuses on the methods and commands used for Linux privilege escalation. Understand key concepts related to user permissions, file systems, and enumeration techniques crucial for obtaining higher-level access rights within a Linux system.

    More Like This

    Linux的目录结构
    31 questions
    Linux Shell Flashcards
    39 questions

    Linux Shell Flashcards

    MarvelousPascal avatar
    MarvelousPascal
    Use Quizgecko on...
    Browser
    Browser