0x00 Why Privilege Escalation
After gaining a simple interactive command-line interface, our operations are often restricted because we do not hold root privileges. Privilege escalation aims to further expand our execution privileges and operational space. (This article mainly analyzes the countermeasures for privilege escalation; the specific operations can be learned on your own.)
0x01 Kernel Privilege Escalation
In real-world scenarios, kernel privilege escalation is the most commonly used method for gaining privileges. A universal kernel privilege escalation is hard to find, but targeted strategies can be developed for different systems.

Kernel privilege escalation refers to exploiting vulnerabilities in the Linux kernel to gain elevated privileges. Generally, kernel vulnerability privilege escalation includes three stages:
1. Conduct information collection on the target system to obtain system kernel information and version information;
2. Obtain the corresponding vulnerability and EXP based on the kernel version;
3. Use the found EXP to launch an attack on the target system and complete the privilege escalation operation.
1. Information collection
whoami # View the current user permissions, if the user is the root user, no privilege escalation is needed;
uname -a # View the Linux operating system kernel information
uname -r # View the kernel version
cat /proc/version # View the current Linux system operating system version information
cat /etc/issue # View the current Linux operating system distribution information
cat /etc/redhat-release # View the current Linux operating system distribution information (Red Hat family)
cat /etc/*-release # View the current Linux operating system distribution information
2. Use SearchSploit (a tool included in Kali)
Enter searchsploit -m 9479.c and it will automatically copy the exploit file to the current directory.
3. Upload the file to the attacked machine for compilation and execution
0x02 sudo privilege escalation
In Linux/Unix, the /etc/sudoers file is the configuration file for sudo permissions, where some commands that users or groups can use with root privileges are stored.
Affected versions:
sudo: 1.8.2 - 1.8.31p2
sudo: 1.9.0 - 1.9.5p1
Detection method:
Log in to the system as a non-root user and run the following command:
sudoedit -s /
- If the error message starts with sudoedit:, the system is vulnerable.
- If the error message starts with usage:, the patch has taken effect.
cat /etc/sudoers
Look around the root ALL=(ALL:ALL) ALL line for traces of newly added users.
0x03 SUID privilege escalation
SUID (Set UID) is a special permission bit in Linux. When a program with the SUID bit set runs as a process, the owner of that process is not the user who started it but the owner of the program file. The SUID bit is only meaningful on binary executable files; setting it on non-executable files has no effect at all.
During execution the caller temporarily obtains the permissions of the file's owner, and this permission is only valid while the program runs. In simple terms, suppose we have an executable file ls whose owner is root. When we log in as a non-root user and ls has the SUID bit set, we can run this binary as a non-root user, and the process executing it will have root permissions.
Find files with SUID permission bits
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
0x04 Plain text root password privilege escalation
/etc/passwd
[Username]:[Password]:[User ID]:[Group ID]:[Description]:[User Home Directory]:[Command Interpreter]
Linux systems use a special file to map each user's login name to the corresponding UID value. We can use the command sudo nvim /etc/passwd to view it; it contains information related to the users.
root:x:0:0::/root:/bin/bash
kato:x:1000:1000:kato:/home/kato:/usr/bin/zsh
In fact, this file contains many entries, but I list only these two here. It is clear that each entry consists of 7 fields separated by a colon (:). The fields are:
1. Login username
2. User password (handled separately; shown as x here, with the encrypted password stored in the /etc/shadow file)
3. User account UID (in numeric form)
4. User account GID (group ID, in numeric form)
5. Text description of the user account (known as the remark field)
6. User HOME directory location
7. User's default shell
Most Linux system passwords are closely tied to the two configuration files /etc/passwd and /etc/shadow. The passwd file stores the user accounts, while the shadow file holds the password hashes. For security reasons, passwd is readable by all users and writable only by root, and shadow is readable and writable only by root; if the administrator misconfigures the permissions of passwd or shadow, this can lead to privilege escalation.
When the shadow file is readable, use the tool john:
john --wordlist=<dictionary file> <shadow file>
0x05 Scheduled task privilege escalation
The general idea: when a scheduled task that runs with root privileges is misconfigured so that ordinary users also have permission to modify it, we change the task's content to grant SUID permission to bash, less or more, and then combine this with the SUID privilege escalation described above to complete the escalation.
There may be scheduled tasks running on the system. Generally these tasks are managed by crontab and run with the permissions of their owner. Users without root permissions cannot list the root user's scheduled tasks, but the scheduled tasks under /etc/ can be listed.
The following commands list some of the scheduled tasks:
ls -l /etc/cron*
cat /etc/crontab
Here, if we encounter a scheduled task whose permissions are 777, that is -rwxrwxrwx, we can modify the file's content to perform privilege escalation:
cp /bin/bash /tmp/bash; chmod u+s /tmp/bash;
This grants SUID permission to bash. Of course, if you have vim, less, find or any other command with such privileges, the same approach works:
cp /bin/vim /tmp/vim; chmod u+s /tmp/vim; # assign SUID permission to vim
Then wait for the task to execute next time.
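As an added defensive example (not code from the original article), the following script audits for the three misconfigurations that sections 0x03, 0x04 and 0x05 rely on: SUID binaries, world-writable scheduled-task files, and a shadow file readable by non-root users. It builds a constructed fixture tree with hypothetical file names under a temp directory so it runs without root.

```shell
#!/bin/sh
# Added audit helper (not from the original article): checks for SUID
# binaries, world-writable task files and a non-root-readable shadow file.

# Print regular files under directory $1 that carry the SUID bit (mode 4xxx).
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print regular files under directory $1 with the other-write bit set
# (octal 002), e.g. a 777 cron script that any user may edit.
audit_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Print "exposed" if file $1 is readable by "other", "ok" otherwise.
# Reads the permission string from ls -ld (columns 1-10), e.g. -rw-r-----.
shadow_exposed() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case $perm in
        ???????r??) echo exposed ;;
        *)          echo ok ;;
    esac
}

# Build a constructed fixture tree (hypothetical names) in a temp dir and
# print its path; the modes mirror the cases discussed in the article.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/cron.d"
    : > "$d/bin/su_copy";   chmod 4755 "$d/bin/su_copy"   # SUID binary
    : > "$d/bin/normal";    chmod 755  "$d/bin/normal"    # ordinary binary
    : > "$d/cron.d/backup"; chmod 777  "$d/cron.d/backup" # anyone can edit
    : > "$d/cron.d/rotate"; chmod 644  "$d/cron.d/rotate" # owner-only edit
    : > "$d/shadow_ok";     chmod 600  "$d/shadow_ok"     # owner-only read
    : > "$d/shadow_bad";    chmod 644  "$d/shadow_bad"    # world readable
    echo "$d"
}

# Run every check against the fixture and clean up.
run_audit() {
    d=$(make_fixture)
    echo "SUID files:";           audit_suid "$d/bin"
    echo "World-writable tasks:"; audit_world_writable "$d/cron.d"
    echo "shadow_ok:  $(shadow_exposed "$d/shadow_ok")"
    echo "shadow_bad: $(shadow_exposed "$d/shadow_bad")"
    rm -rf "$d"
}

run_audit
```

On a real host, call audit_suid on /, audit_world_writable on each /etc/cron* directory, and shadow_exposed on /etc/shadow. Compare the SUID list against a known baseline, since legitimate binaries such as passwd and sudo are expected to appear in it.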
0x06 Third-party service privilege escalation
0x07 rbash
1. What is rbash
The difference from a general shell is that it restricts some behaviors, preventing certain commands from being executed.
2. How to set up a rbash
cp /bin/bash /bin/rbash # Copy a bash and rename it to rbash
useradd -s /bin/rbash test # Set the shell for the test user to rbash
mkdir -p /home/test/.bin # Create a .bin directory under the test user to store executable commands
rbash escape