.

Basic Priv Esculation for newbi

<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Aug 29, 2012 1:40 pm

Basic Priv Esculation for newbi

When we first gain access to a Linux box there is a good chance that we have gotten a low level account. The next step is usually to escalate our privileges (give us access to more than we have now) up so we can view things like the shadow file. Or maybe there are certain tool we want to run to attack another system and need to be root to run these tools.

I wanted to give some idea of commands we can run to get information that may help us to escalate our privileges and then give really basic example to show what I mean.

Who are you?
Linux Command: id

Where are you?
pwd

What version of Linux is running?
uname -a

What can you do?
sudo -l

Find all files and directories that are owned by you
find / -user `whoami` -ls 2> /dev/null

List (running) processes/cronjobs
ps aux
cat /etc/crontab
crontab -e
ls -R /etc/periodic/

List Listeners/Sockets/Open files in general
lsof -i
netstat -an

List users & groups
cat /etc/passwd
cat /etc/groups

Find SUID/SGID binaries
find / \( -perm -2000 -or -perm -4000 \) -ls 2> /dev/null

Find files that have been accessed/modified/changed recently (e.g. in past 60 Minutes)
find / -type f -amin 60 -ls 2> /dev/null
find / -type f -mmin 60 -ls 2> /dev/null
find / -type f -cmin 60 -ls 2> /dev/null

List files in /tmp
ls -al /tmp/

See logfiles in /var/log
ls -al /var/log

Read other users' bash history
cat /home/*/.bash_history

Find files with interesting extensions
find / -name "*.cfg" -or -name "*.config" -or -name "*.txt" -ls 2> /dev/null

Basic Example of usage:
We have been given a box to pen testing so we have taken the same process as most pen testing and done information gathering and run nmap scans.

  • The only two ports that are open are 80 and 22
  • We use Firefox to see if there any web page.
  • We find there is a pretty simple web page that contains some information including email address.
  • We then take these email address and produce a user list to use with hydra to brute force the ssh.
  • After around 5 mins we get the username as john and passwords as password123.
  • We then ssh into the box as the john using his password.
  • We now want to try escalate our privileges so we can dump the shadow file and try to crack the other users password.
  • We start with our basic privilege list above until we run find / \( -perm -2000 -or -perm -4000 \) -ls 2> /dev/null this tells us that the find command is running at suid
  • We can use this to get a root shell by running find . -exec /bin/sh\; this will give us a euid of 0 meaning root.
  • We can now use this to cat the /etc/shadow or ant other root task we want to complete on the box.

Please note this very basic example and depending on the system we may not want dump the hashes. I have just used this as its a very simple concept to explain.

Recommended Reading:
https://en.wikipedia.org/wiki/Setuid
https://en.wikipedia.org/wiki/User_identifier
http://g0tmi1k.blogspot.co.uk/2011/08/b ... ation.html
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Aug 29, 2012 2:24 pm

Re: Basic Priv Esculation for newbi

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Wed Aug 29, 2012 2:34 pm

Re: Basic Priv Esculation for newbi

thank u jamie r like always good article i knew some of these technics but i have a question. I hack the ftp admin account then how can i esculate my priv? Its a linux server
ICS Academy Network Security Certified
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Wed Aug 29, 2012 5:11 pm

Re: Basic Priv Esculation for newbi

Nice write up.  Fast read full of useful info!
Certs: GCWN
(@)Dewser
<<

shadowzero

User avatar

Full Member
Full Member

Posts: 120

Joined: Sat Jun 02, 2012 10:03 pm

Post Wed Aug 29, 2012 7:55 pm

Re: Basic Priv Esculation for newbi

Cyber.spirit wrote:thank u jamie r like always good article i knew some of these technics but i have a question. I hack the ftp admin account then how can i esculate my priv? Its a linux server


Read the above article and the links it points to. Privilege escalation isn't an exact science. It depends a lot on what's on the server and what you have access to. The only way to get anywhere is to enumerate, test, fail, try again.
<<

sternone

Full Member
Full Member

Posts: 129

Joined: Tue Aug 07, 2012 1:31 am

Post Wed Aug 29, 2012 8:53 pm

Re: Basic Priv Esculation for newbi

Cyber.spirit wrote:I hack the ftp admin account then how can i esculate my priv? Its a linux server


If you hacked the ftp admin account you are already escalated.
Try harder....hmpf!!
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Thu Aug 30, 2012 3:52 am

Re: Basic Priv Esculation for newbi

shadowzero excatly this why I tired to keep this simple with small example as if you never done any priv before its like where do you start.

sternone That is ture but most people with commom sense would make it so you can never login via ftp or ssh as root. You will login as a normal user then esculate your priv using sudo.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu Aug 30, 2012 5:57 am

Re: Basic Priv Esculation for newbi

shadowzero wrote:
Cyber.spirit wrote:thank u jamie r like always good article i knew some of these technics but i have a question. I hack the ftp admin account then how can i esculate my priv? Its a linux server


Read the above article and the links it points to. Privilege escalation isn't an exact science. It depends a lot on what's on the server and what you have access to. The only way to get anywhere is to enumerate, test, fail, try again.
sternone wrote:
Cyber.spirit wrote:I hack the ftp admin account then how can i esculate my priv? Its a linux server


If you hacked the ftp admin account you are already escalated.


Jamie.R wrote:shadowzero excatly this why I tired to keep this simple with small example as if you never done any priv before its like where do you start.

sternone That is ture but most people with commom sense would make it so you can never login via ftp or ssh as root. You will login as a normal user then esculate your priv using sudo.


i just can log on to the ftp service. not to the machine remotely the ftp account is valid only for this service if could log on remotely escalating privilege was so easy 
ICS Academy Network Security Certified
<<

Novice hacker

Newbie
Newbie

Posts: 43

Joined: Sun Apr 08, 2012 6:45 am

Post Thu Aug 30, 2012 6:49 am

Re: Basic Priv Esculation for newbi

Great tutorial! Very easy to understand, and I just can't wait for the next one!  :)
<<

sternone

Full Member
Full Member

Posts: 129

Joined: Tue Aug 07, 2012 1:31 am

Post Thu Aug 30, 2012 7:59 am

Re: Basic Priv Esculation for newbi

i just can log on to the ftp service. not to the machine remotely the ftp account is valid only for this service if could log on remotely escalating privilege was so easy 


No, if you hacked the ftp service and you hacked the root account of the ftp service then you are already escalated for that service.
Try harder....hmpf!!
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu Aug 30, 2012 8:39 am

Re: Basic Priv Esculation for newbi

sternone wrote:
i just can log on to the ftp service. not to the machine remotely the ftp account is valid only for this service if could log on remotely escalating privilege was so easy 


No, if you hacked the ftp service and you hacked the root account of the ftp service then you are already escalated for that service.


for that service of-course but i want to get os level access any idea??
ICS Academy Network Security Certified
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Fri Aug 31, 2012 3:23 am

Re: Basic Priv Esculation for newbi

As mention above it really does depend on lot of factors when doing priv escalation. That is why I used a really basic senario it just case looking on the box seeing what you can do.

Where can you write too what scripts are running ?

Is there a script that called clean.py being run by root that located in a file you can write too?

If so just replace the file with a simple script to run shell.

It depends on so many things so its hard to give advice. I would just go thought the links provided and see what you can do. There are also tools like Linux priv checker.

http://pentestmonkey.net/blog/unix-privesc-check-update-1-2
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

shadowzero

User avatar

Full Member
Full Member

Posts: 120

Joined: Sat Jun 02, 2012 10:03 pm

Post Fri Aug 31, 2012 7:29 am

Re: Basic Priv Esculation for newbi

Cyber.spirit wrote:for that service of-course but i want to get os level access any idea??




We don't know anything about the server you're accessing and you haven't given us any information about it other than you've got an ftp account.

Can you write files anywhere? Can you login as the same user using a different service? Are there other services running? Are there files you can download? Have you done enough enumeration and research?

Just because you've got access to one service, doesn't mean you can escalate it to a privileged user. It could be a dead end.
<<

jjwinter

User avatar

Jr. Member
Jr. Member

Posts: 80

Joined: Mon Mar 05, 2012 10:33 pm

Post Fri Aug 31, 2012 8:35 am

Re: Basic Priv Esculation for newbi

Thanks for the tutorial, as a newbie I found it very helpful. I haven't setup a linux box in my lab to practice on yet, I'd like to try something like this.
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sun Sep 02, 2012 12:47 am

Re: Basic Priv Esculation for newbi

shadowzero wrote:
Cyber.spirit wrote:for that service of-course but i want to get os level access any idea??




We don't know anything about the server you're accessing and you haven't given us any information about it other than you've got an ftp account.

Can you write files anywhere? Can you login as the same user using a different service? Are there other services running? Are there files you can download? Have you done enough enumeration and research?

Just because you've got access to one service, doesn't mean you can escalate it to a privileged user. It could be a dead end.


Shadowzero, i ran a brute force attack against admin account and i hacked it. So i can read, write, del files but i cant logon using that account to other services as i mentioned the server is Linux
Last edited by cyber.spirit on Sun Sep 02, 2012 9:52 am, edited 1 time in total.
ICS Academy Network Security Certified
Next

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software