Basic Priv Esculation for newbi

Viewing 29 reply threads
  • Author
    Posts
    • #7851
      Jamie.R
      Participant

      When we first gain access to a Linux box there is a good chance that we have gotten a low level account. The next step is usually to escalate our privileges (give us access to more than we have now) up so we can view things like the shadow file. Or maybe there are certain tool we want to run to attack another system and need to be root to run these tools.

      I wanted to give some idea of commands we can run to get information that may help us to escalate our privileges and then give really basic example to show what I mean.

      Who are you?
      Linux Command: id

      Where are you?
      pwd

      What version of Linux is running?
      uname -a

      What can you do?
      sudo -l

      Find all files and directories that are owned by you
      find / -user `whoami` -ls 2> /dev/null

      List (running) processes/cronjobs
      ps aux
      cat /etc/crontab
      crontab -e
      ls -R /etc/periodic/

      List Listeners/Sockets/Open files in general
      lsof -i
      netstat -an

      List users & groups
      cat /etc/passwd
      cat /etc/groups

      Find SUID/SGID binaries
      find / ( -perm -2000 -or -perm -4000 ) -ls 2> /dev/null

      Find files that have been accessed/modified/changed recently (e.g. in past 60 Minutes)
      find / -type f -amin 60 -ls 2> /dev/null
      find / -type f -mmin 60 -ls 2> /dev/null
      find / -type f -cmin 60 -ls 2> /dev/null

      List files in /tmp
      ls -al /tmp/

      See logfiles in /var/log
      ls -al /var/log

      Read other users’ bash history
      cat /home/*/.bash_history

      Find files with interesting extensions
      find / -name “*.cfg” -or -name “*.config” -or -name “*.txt” -ls 2> /dev/null

      Basic Example of usage:
      We have been given a box to pen testing so we have taken the same process as most pen testing and done information gathering and run nmap scans.

      • The only two ports that are open are 80 and 22
      • We use Firefox to see if there any web page.
      • We find there is a pretty simple web page that contains some information including email address.
      • We then take these email address and produce a user list to use with hydra to brute force the ssh.
      • After around 5 mins we get the username as john and passwords as password123.
      • We then ssh into the box as the john using his password.
      • We now want to try escalate our privileges so we can dump the shadow file and try to crack the other users password.
      • We start with our basic privilege list above until we run find / ( -perm -2000 -or -perm -4000 ) -ls 2> /dev/null this tells us that the find command is running at suid
      • We can use this to get a root shell by running find . -exec /bin/sh; this will give us a euid of 0 meaning root.
      • We can now use this to cat the /etc/shadow or ant other root task we want to complete on the box.

      Please note this very basic example and depending on the system we may not want dump the hashes. I have just used this as its a very simple concept to explain.

      Recommended Reading:
      https://en.wikipedia.org/wiki/Setuid
      https://en.wikipedia.org/wiki/User_identifier
      http://g0tmi1k.blogspot.co.uk/2011/08/basic-linux-privilege-escalation.html

    • #49445
      Dark_Knight
      Participant
    • #49446
      cyber.spirit
      Participant

      thank u jamie r like always good article i knew some of these technics but i have a question. I hack the ftp admin account then how can i esculate my priv? Its a linux server

    • #49447
      Triban
      Participant

      Nice write up.  Fast read full of useful info!

    • #49448
      shadowzero
      Participant

      @Cyber.spirit wrote:

      thank u jamie r like always good article i knew some of these technics but i have a question. I hack the ftp admin account then how can i esculate my priv? Its a linux server

      Read the above article and the links it points to. Privilege escalation isn’t an exact science. It depends a lot on what’s on the server and what you have access to. The only way to get anywhere is to enumerate, test, fail, try again.

    • #49449
      sternone
      Participant

      @Cyber.spirit wrote:

      I hack the ftp admin account then how can i esculate my priv? Its a linux server

      If you hacked the ftp admin account you are already escalated.

    • #49450
      Jamie.R
      Participant

      shadowzero excatly this why I tired to keep this simple with small example as if you never done any priv before its like where do you start.

      sternone That is ture but most people with commom sense would make it so you can never login via ftp or ssh as root. You will login as a normal user then esculate your priv using sudo.

    • #49451
      cyber.spirit
      Participant

      @shadowzero wrote:

      @Cyber.spirit wrote:

      thank u jamie r like always good article i knew some of these technics but i have a question. I hack the ftp admin account then how can i esculate my priv? Its a linux server

      Read the above article and the links it points to. Privilege escalation isn’t an exact science. It depends a lot on what’s on the server and what you have access to. The only way to get anywhere is to enumerate, test, fail, try again.

      @sternone wrote:

      @Cyber.spirit wrote:

      I hack the ftp admin account then how can i esculate my priv? Its a linux server

      If you hacked the ftp admin account you are already escalated.

      @Jamie.R wrote:

      shadowzero excatly this why I tired to keep this simple with small example as if you never done any priv before its like where do you start.

      sternone That is ture but most people with commom sense would make it so you can never login via ftp or ssh as root. You will login as a normal user then esculate your priv using sudo.

      i just can log on to the ftp service. not to the machine remotely the ftp account is valid only for this service if could log on remotely escalating privilege was so easy 

    • #49452
      Novice hacker
      Participant

      Great tutorial! Very easy to understand, and I just can’t wait for the next one!  🙂

    • #49453
      sternone
      Participant

      i just can log on to the ftp service. not to the machine remotely the ftp account is valid only for this service if could log on remotely escalating privilege was so easy 

      No, if you hacked the ftp service and you hacked the root account of the ftp service then you are already escalated for that service.

    • #49454
      cyber.spirit
      Participant

      @sternone wrote:

      i just can log on to the ftp service. not to the machine remotely the ftp account is valid only for this service if could log on remotely escalating privilege was so easy 

      No, if you hacked the ftp service and you hacked the root account of the ftp service then you are already escalated for that service.

      for that service of-course but i want to get os level access any idea??

    • #49455
      Jamie.R
      Participant

      As mention above it really does depend on lot of factors when doing priv escalation. That is why I used a really basic senario it just case looking on the box seeing what you can do.

      Where can you write too what scripts are running ?

      Is there a script that called clean.py being run by root that located in a file you can write too?

      If so just replace the file with a simple script to run shell.

      It depends on so many things so its hard to give advice. I would just go thought the links provided and see what you can do. There are also tools like Linux priv checker.

      http://pentestmonkey.net/blog/unix-privesc-check-update-1-2

    • #49456
      shadowzero
      Participant

      @Cyber.spirit wrote:

      for that service of-course but i want to get os level access any idea??

      We don’t know anything about the server you’re accessing and you haven’t given us any information about it other than you’ve got an ftp account.

      Can you write files anywhere? Can you login as the same user using a different service? Are there other services running? Are there files you can download? Have you done enough enumeration and research?

      Just because you’ve got access to one service, doesn’t mean you can escalate it to a privileged user. It could be a dead end.

    • #49457
      jjwinter
      Participant

      Thanks for the tutorial, as a newbie I found it very helpful. I haven’t setup a linux box in my lab to practice on yet, I’d like to try something like this.

    • #49458
      cyber.spirit
      Participant

      @shadowzero wrote:

      @Cyber.spirit wrote:

      for that service of-course but i want to get os level access any idea??

      We don’t know anything about the server you’re accessing and you haven’t given us any information about it other than you’ve got an ftp account.

      Can you write files anywhere? Can you login as the same user using a different service? Are there other services running? Are there files you can download? Have you done enough enumeration and research?

      Just because you’ve got access to one service, doesn’t mean you can escalate it to a privileged user. It could be a dead end.

      Shadowzero, i ran a brute force attack against admin account and i hacked it. So i can read, write, del files but i cant logon using that account to other services as i mentioned the server is Linux

    • #49459
      sternone
      Participant

      Linux is not a service. It’s an OS.

    • #49460
      dynamik
      Participant

      @Cyber.spirit wrote:

      Shadowzero, i ran a brute force attack against admin account and i hacked it. So i can read, write, del files but i cant logon using that account to other services as i mentioned the server is Linux

      And that may be the best you’ll be able to do in this situation. It’s not always possible to compromise a system or escalate privileges.

      A couple points to keep in mind:

      • If a service has a vulnerability that can only be exploited from an authenticated session, obtaining credentials may help you exploit the service. Otherwise, you’ll just have standard access to the service.
      • Obtaining access to information is often sufficient. If a service you compromise contains sensitive information, that in itself is enough to sound the alarms. You don’t need to root the box on top of that.
      • You may be able to leverage that access in other attacks. For example, you may be able to upload a file that could be accessed by a web server. Don’t assume each service on a system exists in isolation.
    • #49461
      Jamie.R
      Participant

      It may not always be possible but I say there really high chance as if there no script or anything else running on the machine that you can use to gain high privs. There good chance there might be exploit for the version of OS. It does really depend on a lot of factors.

    • #49462
      cyber.spirit
      Participant

      the server is ubuntu i think ok im going to find some vuln but i dont think so its not possible

    • #49463
      sternone
      Participant

      @Cyber.spirit wrote:

      the server is ubuntu i think ok im going to find some vuln but i dont think so its not possible

      The differences between something which you see and the truth is so much

    • #49464
      cyber.spirit
      Participant

      @sternone wrote:

      Linux is not a service. It’s an OS.

      I have ubuntu, backtrack, fedora, and kubuntu and i can work with all of the so i think i know what is linux! ;D and the difference is so much but not in this case coz i know 100% that the server is ubuntu coz as i mentioned im helping 1 of my friends and he told me before the pentest but im sure i cant find any useable exploit

    • #49465
      sternone
      Participant

      @Cyber.spirit wrote:

      @sternone wrote:

      Linux is not a service. It’s an OS.

      I have ubuntu, backtrack, fedora, and kubuntu and i can work with all of the so i think i know what is linux! ;D and the difference is so much but not in this case coz i know 100% that the server is ubuntu coz as i mentioned im helping 1 of my friends and he told me before the pentest but im sure i cant find any useable exploit

      Sounds like your living in a prison !! A prison which you can see Ubuntu, touch Ubuntu, taste Ubuntu, or smell Ubuntu. A prison for your Ubuntu mind. The differences between something which you see and the truth is so much in this Ubuntu prison.

    • #49466
      cyber.spirit
      Participant

      @sternone wrote:

      @Cyber.spirit wrote:

      @sternone wrote:

      Linux is not a service. It’s an OS.

      I have ubuntu, backtrack, fedora, and kubuntu and i can work with all of the so i think i know what is linux! ;D and the difference is so much but not in this case coz i know 100% that the server is ubuntu coz as i mentioned im helping 1 of my friends and he told me before the pentest but im sure i cant find any useable exploit

      Sounds like your living in a prison !! A prison which you can see Ubuntu, touch Ubuntu, taste Ubuntu, or smell Ubuntu. A prison for your Ubuntu mind. The differences between something which you see and the truth is so much in this Ubuntu prison.

      Man ubuntu isn’t a prison is an os like what u’ve said. But windows is a world and world is prison so windows is going to be a prison for us coz we can’t move on from it to ubuntu!!! LoL COZ our habits! And seriously this world (not windows! Real world!) is sick and is a prison too. So save ur mind and make it free good luck

    • #49467
      shadowzero
      Participant

      Right. I take it you missed the Matrix reference.

    • #49468
      cyber.spirit
      Participant

      @shadowzero wrote:

      Right. I take it you missed the Matrix reference.

      The matrix just said the truth

    • #49469
      S3curityM0nkey
      Participant

      @sternone wrote:

      Sounds like your living in a prison !! A prison which you can see Ubuntu, touch Ubuntu, taste Ubuntu, or smell Ubuntu. A prison for your Ubuntu mind. The differences between something which you see and the truth is so much in this Ubuntu prison.

      I’ll pay that one….

    • #49470
      cyber.spirit
      Participant

      who thinks the matrix movie was not real?

    • #49471
      Phillip Wylie
      Participant

      Thanks for posting this, Jamie.R! This was just what I needed.

    • #49472
      petCT
      Participant

      Thanks u very much , this article can help me .

    • #49473
      Jamie.R
      Participant

      Glad you find it useful since this been so popular I plan on doing another tutorial soon not sure what on tho.

Viewing 29 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?