Class 8 ‐ Linux Privilege Escalation - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

Linux Local PE

Linux Boot Order

  • MBR
    • Master Boot Record
  • GRUB
    • GRand Unified Bootloader
  • Kernel
    • System core
  • Init
    • First process
  • Run level
    • After boot

Grand Unified Boot Loader

  • GRUB is the Linux boot loader package.
  • Executed as part of the boot sequence
  • Allows the user to choose which OS to load

Local PE via GRUB

  • Interrupt GRUB by pressing E or Enter. Enter edit mode by pressing E.
  • Change ro to rw and append init=/bin/bash at the end of the linux line.
  • Boot the system by pressing Ctrl+X. A root level /bin/bash shell will load.

Encrypting GRUB

  • grub-mkpasswd-pbkdf2 prompts for a new password and prints its PBKDF2 hash.
  • Configure /etc/grub.d/40_custom to allow a specific user: set superusers="root" and require a password with password_pbkdf2 root [hash]
  • grub-mkconfig -o /boot/grub/grub.cfg applies the changes.
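The protection above is what stops the edit-mode trick from the previous section: once a superuser and its PBKDF2 hash are in the generated grub.cfg, GRUB asks for that password before it lets anyone edit an entry. The script below is an added example (not part of the course wiki) that renders the 40_custom fragment for a given user and hash, and audits a grub.cfg for whether both pieces are present. The config files and the hash value it uses are constructed placeholders, not real grub-mkpasswd-pbkdf2 output.

```shell
#!/bin/sh
# Added example, not from the course wiki. Renders the 40_custom fragment for
# GRUB password protection and audits a grub.cfg for it.
# The hash in the demo is a constructed placeholder, not a real digest.

# Print the two lines that belong in /etc/grub.d/40_custom.
# $1 = superuser name, $2 = hash printed by grub-mkpasswd-pbkdf2
grub_custom_fragment() {
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Classify a grub.cfg (or fragment) as protected / incomplete / unprotected.
# A working setup needs both the superusers line and a password_pbkdf2 line
# carrying a grub.pbkdf2.sha512 hash; one without the other is flagged.
# $1 = path to the config file
grub_auth_status() {
    cfg="$1"
    have_su=0
    have_pw=0
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" && have_su=1
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg" && have_pw=1
    if [ "$have_su" -eq 1 ] && [ "$have_pw" -eq 1 ]; then
        echo protected
    elif [ "$have_su" -eq 1 ] || [ "$have_pw" -eq 1 ]; then
        echo incomplete
    else
        echo unprotected
    fi
}

# Demo on constructed files: a bare menuentry, then the same plus the fragment.
demo_dir=$(mktemp -d)
printf 'menuentry "Linux" {\n    linux /vmlinuz root=/dev/sda1 ro quiet\n}\n' > "$demo_dir/unprotected.cfg"
cp "$demo_dir/unprotected.cfg" "$demo_dir/protected.cfg"
grub_custom_fragment root 'grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH' >> "$demo_dir/protected.cfg"
for f in unprotected protected; do
    printf '%s: %s\n' "$f" "$(grub_auth_status "$demo_dir/$f.cfg")"
done
rm -r "$demo_dir"
```

Run grub_auth_status against /boot/grub/grub.cfg after grub-mkconfig to confirm the fragment actually made it into the generated file. Note that once superusers is set, every menu entry without the --unrestricted option will also prompt for the password at boot, so decide whether the default entry should carry that option before rolling this out.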

Cracking Linux Hash via JTR

  • Brute-forcing Linux hashes can be done via John the Ripper (JTR).
  • Use unshadow to combine passwd and shadow files.
  • Cracked results are saved in john.pot inside the hidden ~/.john directory.
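How fast JTR gets through a shadow file depends mostly on which hash algorithm each account uses, and unshadow is needed because a passwd entry only carries an "x" where the hash would be. The script below is an added example (not part of the course wiki) that walks a shadow-format file, or unshadow output, and classifies each account's hash so a defender can see which entries are locked, empty, or on a fast legacy algorithm. The sample file is constructed and its hash bodies are placeholders.

```shell
#!/bin/sh
# Added example, not from the course wiki. Classifies each account's hash in a
# shadow-format file (or unshadow output, which carries the hash in the same
# field) by algorithm. The sample data is constructed with placeholder hashes.

# $1 = path to a shadow or unshadow-format file; prints "user:class" per line
shadow_hash_audit() {
    awk -F: '{
        h = $2
        if (h == "")                  c = "empty-password"   # no password required
        else if (h == "x")            c = "in-shadow"        # passwd entry; hash lives in /etc/shadow
        else if (h ~ /^[!*]/)         c = "locked"           # no valid hash, nothing to crack
        else if (h ~ /^\$6\$/)        c = "sha512crypt"
        else if (h ~ /^\$y\$/)        c = "yescrypt"
        else if (h ~ /^\$5\$/)        c = "sha256crypt"
        else if (h ~ /^\$2[abxy]\$/)  c = "bcrypt"
        else if (h ~ /^\$1\$/)        c = "md5crypt-weak"    # fast hash, cracks quickly
        else                          c = "descrypt-weak"    # legacy DES crypt, 8-char passwords
        print $1 ":" c
    }' "$1"
}

# Only the entries worth acting on: weak algorithms and empty passwords.
shadow_weak_accounts() {
    shadow_hash_audit "$1" | grep -E ':(md5crypt-weak|descrypt-weak|empty-password)$'
}

# Write a constructed five-account sample to $1 (placeholders, not real hashes).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample_shadow "$sample"
echo "All accounts:"
shadow_hash_audit "$sample"
echo "Needs attention:"
shadow_weak_accounts "$sample"
rm -f "$sample"
```

Pointing shadow_hash_audit at a real /etc/shadow needs root, and an "in-shadow" result on every line means you handed it /etc/passwd instead; that is the gap unshadow closes for JTR. Accounts reported as md5crypt-weak, descrypt-weak or empty-password are the ones to rehash with the distribution's current default algorithm or lock.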

Linux Remote PE

Known CVEs

  • Common Vulnerabilities and Exposures
  • Pre-written code that exploits specific vulnerabilities
  • Used for privilege escalation

Kernel Exploitation Flow

  • System
    • Kernel Version
  • ExploitDB
    • Find Matching CVE
  • Remote Upload
    • Upload to the system
  • Compile
    • Compile the code file
  • Execute
    • ./exploit

DirtyCow Kernel Exploit

  • An exploit that takes advantage of a race condition in the kernel's copy-on-write handling (hence the name)
  • Allows writing to a file without having write permission on it
  • Download the DirtyCow exploit from ExploitDB.