Today in this article we are back with another most advantageous command from the Linux for Pentester series, i.e. "Find". The find command is used to search for files and directories, so, knowing this, we will now illustrate how it can be used in privilege escalation.
Table of Content
· Introduction to Find
· Major Operation performed using Find
· Exploiting Find
· Sudo Rights Lab setups for privilege Escalation
· Exploiting Sudo rights
· SUID Lab setups for privilege Escalation
· Exploiting SUID
Introduction to Find
The find command is a command-line utility for walking a file hierarchy to locate files and directories that match the user's criteria. It can search by many attributes, such as size, permissions, date of modification/access, owner and group, and many more as the user requires.
Like every command, find can be understood concisely through its help/man page, as in the image below.
find --help
Major Operation performed using Find
· Search any file by particular name in the current directory: This command lets the user search for a file by a specific name. Suppose we want to search for a text file named "raj.txt" in the current directory; then simply compose the command as in the screenshot below.
find . -name raj.txt
· Search any file by particular name in the home directory: If we wish to find all files with the desired name, in our case "raj.txt", under the home directory, then form the command as below:
find /home -name raj.txt
(It will list every "raj.txt" file under the home directory.)
· Find files by their extension: Files can be selected by a particular extension by combining the "-type f" option with a "-name" pattern; in our scenario we are fetching all .txt files. One can also use "-type d" instead of "-type f" to retrieve directories instead. Quote the pattern so that the shell does not expand it before find sees it:
find / -type f -name "*.txt"
This command prints every .txt file as the desired output.
· Find files with full permission: Whenever anybody wishes to explore the files that have full permission, i.e. "777", this can simply be acquired with "-perm 0777" together with "-type f", which prints all files that have "777" permission.
find . -type f -perm 0777 -print
· To find all files of a specific user in a directory: If we need to find all files that belong to a particular user under a selected directory, we can execute the command as:
find /tmp -user raj
In our instance we are finding all files that belong to the user "raj" under the /tmp directory.
· To find all hidden files: If we want to find all hidden files (names beginning with a dot) within a directory, we type the command as below:
find /tmp -type f -name ".*"
This command lists all hidden files under /tmp.
· To find all readable files within a directory: In the screenshot below we are discovering all files that are readable by the current user under the /etc directory; error messages for paths we cannot enter are discarded with 2>/dev/null.
find /etc/ -readable -type f 2>/dev/null
By typing the above command, we get all readable files under /etc as output.
Find SUID files: Whenever a binary with the SUID bit set is executed, the process runs with the effective UID of the file's owner. So, if we want to find all files that hold the SUID bit, they can be retrieved by typing the command:
find / -perm -u=s -type f 2>/dev/null
Find SGID files: The SGID permission is similar to SUID; the only difference is that whenever a command with the SGID bit set runs, the process gets the same group ownership as the file's group. So, to list all files that possess the SGID bit, type the command:
find / -perm -g=s -type f 2>/dev/null
To find SUID & SGID files simultaneously: If we want to fetch all files that have the SUID or the SGID bit set in one pass, frame the command as below. The parentheses are needed because -o binds more loosely than the implicit -a between tests, so without them "-type f" would apply only to the SUID half of the expression:
find / -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null
To find all writable directories: To find any directories that the current user can write to within a desired directory such as /home, /tmp or /root, run the command as:
find /home -writable -type d 2>/dev/null
As per the image below, we have found all writable directories under /home.
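The find invocations above double as an audit: run periodically and compared against a baseline, they show when a set-id bit appears on a binary where it does not belong, or when a directory becomes writable by everyone. The script below is an added example and is not part of the original article. It assumes a find that understands numeric -perm tests (it uses the octal forms -4000/-2000 rather than -u=s/-g=s so it also runs on BusyBox) and a baseline file of expected SUID/SGID paths supplied by the reader; the paths in its comments are constructed placeholders. Note that -perm -0002 (writable by others) is a different check from the article's -writable, which tests whether the current user can write.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers built on the
# find invocations discussed above. Assumes a find that understands numeric
# -perm tests; the baseline file is supplied by the caller and the sample
# paths in these comments are constructed, not a distribution's real list.

# Print SUID and SGID regular files under the directory $1, sorted.
# -4000 is the SUID bit, -2000 the SGID bit; "-perm -MODE" means "all of
# these bits are set".
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print SUID/SGID files under $1 that are NOT listed in the baseline file $2
# (one absolute path per line, e.g. /usr/bin/passwd). Anything reported here
# has gained a set-id bit since the baseline was taken and deserves a look.
unexpected_setid_files() {
    list_setid_files "$1" | grep -v -x -F -f "$2"
}

# Number of unexpected set-id files, handy as an alert threshold.
count_unexpected_setid() {
    unexpected_setid_files "$1" "$2" | wc -l | tr -d ' '
}

# Print directories under $1 that everyone can write to (others have the
# write bit) and that lack the sticky bit, which is what keeps /tmp safe.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Usage: sh audit_find.sh <root-dir> [baseline-file]
# With no baseline, every set-id file under <root-dir> is printed.
if [ $# -gt 0 ]; then
    unexpected_setid_files "$1" "${2:-/dev/null}"
    world_writable_dirs "$1"
fi
```

Take the baseline on a freshly installed host, store it somewhere the audited machine cannot modify, and treat any line from unexpected_setid_files as an incident to explain rather than a list to re-baseline.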
Exploiting Find
Sudo Rights Lab setups for privilege Escalation
Now we will set up our lab for the find command by granting it higher privileges, i.e. administrative rights. As we know, the behaviour of every command changes under the influence of higher privileges. We will check the same for find, grasp what effect it has once sudo rights are granted, and see how it can be used further in privilege escalation.
To recognise this more visibly, first we create a local user (test) who is granted the right to run find as root through sudo.
To add the sudo right, open the /etc/sudoers file and add the line below under the user privilege specification section.
test ALL=(root) NOPASSWD: /usr/bin/find
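A rule like this is worth detecting on the defensive side, because a sudo grant for find is effectively a grant for any command through -exec, and NOPASSWD removes the last prompt. The script below is an added example, not from the original article: it reads sudoers-format text on stdin and reports rules that are NOPASSWD, grant ALL commands, or grant a binary on a watchlist. The WATCHLIST variable is a constructed placeholder holding only the page's own example, /usr/bin/find; the parser handles the plain "user host=(runas) [TAG:] cmd, cmd" form and does not expand aliases or #include directives, so run it on the fully resolved policy. The remedy for a hit is to remove or tightly rework the rule.

```shell
#!/bin/sh
# Added example (not from the original article): flag sudoers rules of the
# kind created in the lab above. Reads sudoers-format text on stdin.
# WATCHLIST is a constructed placeholder: binaries that can run arbitrary
# commands through their own options (find via -exec is the page's example).
WATCHLIST="/usr/bin/find /bin/find"

# Drop comments, blank lines, Defaults and alias definitions; keep user rules,
# which have the shape "user host=(runas) [NOPASSWD:] cmd[, cmd...]".
sudoers_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        grep -v -E '^[[:space:]]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)' |
        grep '='
}

# For every rule print "<reason> | <rule>" when it is NOPASSWD, grants ALL
# commands, or grants a watchlisted binary. Aliases and #include lines are
# not expanded, so a real audit should run on the fully resolved policy.
audit_sudoers() {
    sudoers_rules | while IFS= read -r rule; do
        case "$rule" in
            *NOPASSWD:*) printf 'NOPASSWD | %s\n' "$rule" ;;
        esac
        cmds=${rule#*=}      # text after "host="
        cmds=${cmds#*)}      # drop "(runas)" if present
        cmds=${cmds#*:}      # drop a tag such as NOPASSWD:
        # One command per line; the first word of each is the binary.
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r bin rest; do
            if [ "$bin" = "ALL" ]; then
                printf 'ALL-commands | %s\n' "$rule"
            fi
            for w in $WATCHLIST; do
                if [ "$bin" = "$w" ]; then
                    printf 'shell-capable %s | %s\n' "$w" "$rule"
                fi
            done
        done
    done
}

# Usage: sh audit_sudoers.sh /etc/sudoers   (or any sudoers.d fragment)
if [ $# -gt 0 ]; then
    audit_sudoers < "$1"
fi
```

On the lab rule above the script prints two lines, one for NOPASSWD and one for the watchlisted /usr/bin/find; a rule granting ALL for root is reported too, which is expected and simply confirms the check works.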
Now we will start exploiting the find binary by taking advantage of the sudoers permission. For this we must have a session on the victim's machine, which gives us local user access to the targeted system and lets us escalate further to the root user's rights.
For this we connect to the target machine over ssh.
Then we checked the sudo rights of the "test" user (if any) and found that the user "test" can execute find as "root" without a password.
sudo -l
The find command lets you perform specific actions such as "print", "delete" and "exec". So here we take advantage of "exec" to obtain a root shell by running /bin/bash from find, as given below (the -exec action is terminated with an escaped semicolon):
sudo find /home -exec /bin/bash \;
On running the above command we have successfully obtained a root shell, as shown in the image below.
SUID Lab setups for privilege Escalation
As we know, the SUID bit lets a user execute a file with the privileges of the file's owner. Now we enable the SUID permission on find so that a local user can run find as root.
Hence type the following to enable the SUID bit:
which find
chmod u+s /usr/bin/find
ls -al /usr/bin/find
Exploiting SUID
As we have access to the victim's machine, we use the find command to identify binaries that have the SUID permission.
find / -perm -u=s -type f 2>/dev/null
Here we came to recognise that the SUID bit is enabled on many binaries, but the one we are concerned with is /usr/bin/find.
As we know, find lets the user perform specific actions such as print, delete and exec. So here again we take advantage of "exec" to execute another command, i.e. "whoami":
find raj -exec whoami \;
Similarly, you can take advantage of the find command for escalating to root privileges.