This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi, within this lecture, we're going to see what we should do when we first hack into a system and then try to enumerate some information; we're trying to gather some information related to that system in order to find various ways to escalate our privileges. So, if you run ls -la in our Debian system, you will see a folder called tools. And if you go over there and run ls -la, you can see there are a lot of tools over here available for your convenience. So, these are placed in the vulnerable machine for you so that you can understand how to use them. But again, these are tools that you can actually use within a real pentest as well, but I will try to avoid it. I will try to avoid using them, at least in an intense way, in this section, because we want to learn how the manual way actually works. Manual ways work better, so that we can do whatever we want to do in any given environment. For example, Linux Exploit Suggester is a fantastic tool, but maybe you cannot download anything when you hack into a server, not even into the tmp folder. So, even though you know how to use it, even though you know it's a very good tool, maybe you will not be able to use it. So, you should understand what you should do in order to enumerate, in order to gather information. So, first of all, let me show you what I mean by Linux Exploit Suggester. If you search for Linux Exploit Suggester in Google, you will be presented with a lot of options, and this is the one that we are looking for. As you can see, this is a bash script, okay? It actually tries to gather information related to the given system and searches for ways to exploit it and for ways to escalate your privileges. So, you can just run it here and see for yourselves. But again, doing all of those things manually will be better for you, at least for this course.
And after that, if you learn about this stuff, you can always come back, or you can always use Linux Exploit Suggester in a real-world example or in a real CTF as well, okay? So, I'm going to go back and say clear. So, what should we do when we first hack into a system? Of course, you may want to run whoami because you may want to see what kind of user you are, and you may want to run id to see the groups that you belong to or what kind of id you are using right now. You can run uname -a in order to understand what kind of Linux version you are currently in, so that maybe you can understand the kernel exploits that you can leverage. We're going to see about that in a couple of lectures, okay? Of course, you can go for cat /proc/version to gather a little bit more detailed version information about the Linux that you're in. You can also cat the /etc/issue to see if any description or any kind of useful information is over there or not. And then later try to do this when you just hack into a system, okay? Just do this automatically. Run whoami, uname -a, cat /proc/version, cat /etc/issue and try to understand what you can do with this information. There are a lot of kernel exploits that can be used in CTFs and also in real-life pentests as well. You can run ps aux like this, aux. So, this ps aux will give you the current processes that are going on in the system. So, you can see if there's anything funny going on, or you can see what kind of users are running what kind of operations, what kind of processes. Maybe we can gather some information over here. Maybe you can see the Apache service running under this user and some other processes running under this user. So, if I can do something with that, it may lead to privilege escalation, something like that. It's always a good idea to run ps or ps aux in order to see all these details over here, okay?
So, maybe you can create a note.txt as usual and just put all of this information in there in order to keep your notes in a constructive way, in a simplified way, but it's your call. Maybe you can just cat the /etc/passwd. Of course, you can do that, and of course you should do that. You can see different users over here, and you can see what kind of things they are doing over there. And beware that even though we actually cat the /etc/passwd all the time, we see all these bashes, we see all these shells, but we don't see the password, right? Even though it's called /etc/passwd, this file doesn't contain any passwords. So, it used to contain the passwords actually over here, but then Linux actually separated the passwords into another file. So, /etc/passwd only contains this information, whereas /etc/shadow, so make sure you cat the /etc/shadow as well, /etc/shadow actually contains the passwords over there. And most of the time we're going to have to become root in order to see the /etc/shadow. But it's worth a shot. If you hack into something like some server, make sure you check with cat /etc/shadow as well. If you can get the passwords over there, then it would be very easy for you to decrypt these passwords. Of course, it's going to be hashed, it's not going to be like a simple string, but again you can try to decrypt it and then you can actually use the root password to become root, or any other passwords that you can gather. So, if you run ifconfig, of course you can see the current IP addresses and stuff. So far, over here, we don't have any fancy thing going on. We only have the fe80, but if you have some other networks connected to each other, like in a complex network, maybe if you hack into a corporate server, something like that, you can always run ip route in order to understand how they are connected to each other. And if you can actually go from here to another network or something like that, it's always a good idea to check it as well, okay?
And of course, we can check the ARP tables. If you got the complete ethical hacking course from me, we checked that a lot during the man-in-the-middle framework attacks, if you might remember. So, you can just run arp. Of course, in this case you can just run arp -a as well in order to see the MAC address and IP address pairings over here. However, in this case we don't get much because it's simple, it's a simple CTF over here. It's not even a CTF, we just hack in and try to escalate our privileges, but make sure you take a note of that. You can just look for ifconfig, arp -a, arp and ip route in the networking section. Of course, you can locate the passwords like this. You can just run locate password to see if a user, for example, just saved a file called password.txt in order to insecurely save their passwords. And as you can see there are a lot of password files over here; it's worth a shot to check them to see if you can get something out of it. And this is a real-life example, okay? People do this every time. So, maybe we can just cat this out and try to see if we can get something useful over here. So, even though in this case we don't get it, make sure you check for the passwords. So, you can check it with locate or with find; you can just run find / -name password. And if you do that, you will get a lot of results like this, because libraries or the Linux system files and folders contain a lot of things called password as well. So, it really doesn't mean that you get something useful out of this, but also you may simplify the find command that you run, and I believe I did something wrong because we're getting a lot of things over here. It won't be useful at all. Yes, here we go. So, I misspelled the name password, so it should be something like this, the -name and then the password like that, okay? So, maybe we can just actually write this into /dev/null as well so that we get rid of the output over here, okay? And here we go. At least we found one, okay?
That is the one that we found with locate as well, I believe. But again, just make sure that you run it like this, or you can actually search for id_rsa, for example, in order to find any file that may lead you to another server, or maybe to a privileged way in the same server as well. But in this case we don't have that. So, these are some basic steps that you need to do for enumeration once you get into a system, so you can gather much more information over here. Of course, you can use the Exploit Suggester. You can use some other automated tools as well. However, make sure you take a note of those and do this manually in order to learn this stuff, at least for the CTFs that you're working on. After that you can run an automated test, of course; that would be much faster and that would be much more comprehensive than what you generally do. But again, to understand the theory, to understand what you should do, it's always a good idea to run this manually. So, another command that you should run is history. As you can see, it gives us the history of the commands that have been executed in this shell. And over here we see a lot of things. Maybe it will do much, maybe it won't do much. However, it's worth a shot, okay? So, you can maybe see some passwords or maybe some useful commands that the previously logged-in user has executed, and we can just leverage that as well in our pentesting. So far, so good. I believe it's done; we're going to stop here and continue within the next lecture with our first leverage, first escalation.
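The script below is an added example and is not part of the course, nor is it Linux Exploit Suggester; it turns the lecture's enumeration checklist around and audits a host from the defender's side for the same artefacts an attacker would look for after a foothold: a world-readable /etc/shadow, stray files named "password" outside library paths, SSH private keys readable by anyone other than their owner, and credentials left in shell history. The function names (`audit_host`, `finding_count`, `make_fixture`), the exclusion paths, and the history regex are assumptions of this example; `make_fixture` builds a constructed miniature filesystem so the audit can be dry-run offline, and on a live host you would point `audit_host` at `/` instead.

```shell
#!/bin/sh
# Added example (not from the course): a defender-side audit of the spots the
# lecture enumerates from the attacker's side. All names here are assumptions.
#   audit_host ROOT    prints one "FINDING ..." line per issue found under ROOT
#   finding_count ROOT prints how many FINDING lines audit_host reported
#   make_fixture       builds a constructed sample tree and prints its path

# Print 'r' if the file is readable by "other" (world-readable), else '-'.
# Column 8 of `ls -ld` output is the other-read bit:  -rw-r--r--
other_read_bit() {
    ls -ld "$1" | cut -c8
}

# Print 'r' if the file is readable by group OR other, else '-'.
# Columns 5-10 of `ls -ld` are the group and other permission triplets.
group_or_other_read() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) echo r ;;
        *)   echo - ;;
    esac
}

audit_host() {
    root=$1

    # 1. /etc/shadow: the lecture notes that "cat /etc/shadow" is routine after
    #    a foothold, so it must not be readable by "other" (640 root:shadow).
    if [ -e "$root/etc/shadow" ] && [ "$(other_read_bit "$root/etc/shadow")" = r ]; then
        echo "FINDING shadow-world-readable $root/etc/shadow"
    fi

    # 2. Files named like "password" (the lecture's locate / find step), skipping
    #    library paths that legitimately carry that name in their file names.
    find "$root" -type f -iname '*password*' \
        ! -path '*/lib/*' ! -path '*/share/*' 2>/dev/null |
    while IFS= read -r f; do
        echo "FINDING password-named-file $f"
    done

    # 3. SSH private keys readable by anyone but their owner (the id_rsa search
    #    the lecture mentions); a 0600 key is fine and is not reported.
    find "$root" -type f -name id_rsa 2>/dev/null |
    while IFS= read -r k; do
        if [ "$(group_or_other_read "$k")" = r ]; then
            echo "FINDING exposed-private-key $k"
        fi
    done

    # 4. Shell history lines that carry a credential (the lecture's `history`
    #    step): "password=..." or an inline "-pSECRET" style argument.
    pat='passw(or)?d=|[[:space:]]-p[^[:space:]-]'
    find "$root" -type f -name .bash_history 2>/dev/null |
    while IFS= read -r h; do
        n=$(grep -ciE "$pat" "$h" 2>/dev/null || true)
        if [ "${n:-0}" -gt 0 ]; then
            echo "FINDING credential-in-history $h matches=$n"
        fi
    done
    return 0
}

finding_count() {
    audit_host "$1" | grep -c '^FINDING' || true
}

# Constructed fixture: a miniature filesystem with one issue of each kind plus
# two files that must NOT be reported (a library file, a 0600 key).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/usr/lib/python3"
    printf 'root:$6$constructed$hash:19000:0:99999:7:::\n' > "$d/etc/shadow"
    chmod 644 "$d/etc/shadow"                       # wrong: should be 640 root:shadow
    printf 'wiki: hunter2\n' > "$d/home/alice/password.txt"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' constructed > "$d/home/alice/.ssh/id_rsa"
    chmod 644 "$d/home/alice/.ssh/id_rsa"           # wrong: key readable by everyone
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' constructed > "$d/home/bob/.ssh/id_rsa"
    chmod 600 "$d/home/bob/.ssh/id_rsa"             # fine, not reported
    printf 'ls -la\nmysql -u root -pS3cret app\nmkdir -p build\n' > "$d/home/alice/.bash_history"
    printf 'def check_password(p): pass\n' > "$d/usr/lib/python3/password.py"   # library file, not reported
    echo "$d"
}

# Usage: on a live host run `audit_host /`; for a dry run: audit_host "$(make_fixture)"
```

Each check mirrors one command from the lecture (cat /etc/shadow, locate/find password, the id_rsa search, history) but reports the condition as a finding to fix rather than something to exploit; the `! -path` exclusions are the same pruning the lecture reaches for when `find / -name password` floods the terminal with library hits.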
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.