We all know that, after
compromising the victim’s machine we have a low-privileges shell that we want
to escalate into a higher-privileged shell and this process is known as Privilege Escalation. Today in this
article we will discuss what comes under privilege escalation and how an
attacker can identify that low-privileges shell can be escalated to
higher-privileged shell. But apart from it, there are some scripts for Linux
that may come in useful when trying to escalate privileges on a target system.
This is generally aimed at enumeration rather than specific
vulnerabilities/exploits. This type of script could save your much time.
Table of Content
·
Introduction
·
Vectors of
Privilege Escalation
·
LinuEnum
·
Linuxprivchecker
·
Linux Exploit
Suggester 2
·
Bashark
·
BeRoot
Introduction
Basically privilege
escalation is a phase that comes after the attacker has compromised the
victim’s machine where he try to gather critical information related to system
such as hidden password and weak configured services or applications and etc.
All these information helps the attacker to make the post exploit against
machine for getting higher-privileged shell.
Vectors of Privilege Escalation
§
OS Detail & Kernel Version
§
Any Vulnerable package installed or running
§
Files and Folders with Full Control or Modify
Access
§
File with SUID Permissions
§
Mapped Drives (NFS)
§
Potentially Interesting Files
§
Environment Variable Path
§
Network Information (interfaces, arp, netstat)
§
Running Processes
§
Cronjobs
§ User’s Sudo Right
§ Wildcard Injection
There are several script
use in Penetration testing for quickly identify potential privilege escalation
vectors on Windows systems and today we are going to elaborate each script
which is working smoothly.
LinuEnum
Scripted Local Linux
Enumeration & Privilege Escalation Checks Shellscript that enumerates the
system configuration and high-level summary of the checks/tasks performed by
LinEnum.
Privileged access: Diagnose if the current user has sudo access without
a password; whether the root’s home directory accessible.
System Information: Hostname, Networking details, Current IP and etc.
User Information: Current user, List all users including uid/gid
information, List root accounts, Checks if password hashes are stored in
/etc/passwd.
Kernel
and distribution release details.
You can download it
through github with help of following command:
git clone https://github.com/rebootuser/LinEnum.git
Once you download this script, you can simply run it by
tying ./LinEnum.sh on terminal. Hence it will dump all fetched
data and system details.
Let’s Analysis Its result what is brings to us:
OS & Kernel
Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname:
Ubuntu
Moreover…..
Super User Accounts: root, demo, hack, raaz
Sudo Rights User: Ignite, raj
Home Directories File Permission
Environment Information
And many more such things which comes under the Post exploitation.
Linuxprivchecker
Enumerates the system configuration and runs some privilege
escalation checks as well. It is a python implementation to suggest exploits
particular to the system that’s been taken under. Use wget to download the
script from its source URL.
wget http://www.securitysift.com/download/linuxprivchecker.py
Now to use this script just type python
linuxprivchecke.py on terminal and this will enumerate file and
directory permissions/contents. This script works same as LinEnum and hunts
details related to system network and user.
python linuxprivchecker.py
Let’s Analysis Its result what is brings to us.
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Network Info: Interface, Netstat
Writable Directory and Files for Users other than Root:
/home/raj/script/shell.py
Checks if Root’s home folder is accessible
File having SUID/SGID Permission
For example: /bin/raj/asroot.sh which is a bash script with
SUID Permission
Linux Exploit Suggester 2
Next-generation exploit suggester based
on Linux_Exploit_Suggester. This program performs a 'uname -r' to grab the Linux operating system release version, and
returns a list of possible exploits.
This script is extremely useful for quickly finding
privilege escalation vulnerabilities both in on-site and exam environments.
Key Improvements Include:
·
More exploits
·
Accurate wildcard matching. This expands the
scope of searchable exploits.
·
Output colorization for easy viewing.
·
And more to come
git clone
https://github.com/jondonas/linux-exploit-suggester-2.git
cd
linux-exploit-suggester-2
You can use the '-k' flag to manually enter a wildcard for
the kernel/operating system release version.
./linux-exploit-suggester-2.pl
-k 3.5
Bashark
Bashark aids pentesters and security researchers during the
post-exploitation phase of security audits.
Its Features
·
Single Bash script
·
Lightweight and fast
·
Multi-platform: Unix, OSX, Solaris etc.
·
No external dependencies
·
Immune to heuristic and behavioural analysis
·
Built-in aliases of often used shell commands
·
Extends system shell with post-exploitation
oriented functionalities
·
Stealthy, with custom cleanup routine activated
on exit
·
Easily extensible (add new commands by creating
Bash functions)
·
Full tab completion
Execute following command to download it from the github:
git clone
https://github.com/TheSecondSun/Bashark.git
cd Bashark
To execute the script you need to run following command:
source bashark.sh
help
The help command will let you know all available options
provide by bashark for post exploitation.
With help of portscan
option you can scan the internal network of the compromised machine.
To fetch all configuration file you can use getconf option. It will pull out all
configuration file stored inside /etc
directory. Similarly you can use getprem
option to view all binaries files of the target‘s machine.
portscan <
target’s IP>
getconf
getprem
BeRoot
BeRoot Project is a post exploitation tool to check common
misconfigurations to find a way to escalate our privilege. This tool does not
realize any exploitation. It mains goal is not to realize a configuration
assessment of the host (listing all services, all processes, all network
connection, etc.) but to print only information that have been found as
potential way to escalate our privilege.
git clone
https://github.com/AlessandroZ/BeRoot.git
cd Linux
chmod 777
beroot.py
To execute the script you need to run following command:
./beroot.py
It will try to enumerate all possible loopholes which can
lead to privilege Escalation, as you can observe the highlighted yellow color
text represents weak configuration that can lead to root privilege escalation
whereas the red color represent the technique that can be used to exploit.
It’s Functions:
Check Files Permissions
SUID bin
NFS root Squashing
Docker
Sudo rules
Kernel Exploit
Conclusion: Above
executed script are available on github, you can easily download it from
github. These all automated script try to identify the weak configuration that
can lead to root privilege escalation.
