Linux Privilege Escalation
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi, within this lecture, we're going to explore kernel exploits. These are the most common ways of privilege escalation that you will encounter during CTFs or real pen tests. In order to understand this, we're going to do a lot of practice and we're going to see some different tools that you can use in this case. So, I'm going to go into the tools folder that we have over here. As I said before, we're going to avoid using these tools in this current section, but again, you should know how to use them, in order to understand their usage and to actually leverage these tools if your environment supports them. So, if you can download some tools, if you can use wget, for example, then it's a very good way to explore these kernel exploits. We're going to talk about the kernel exploits, don't worry about it. So, I'm going to go into the tmp folder and I'm going to try to download something to see if we can actually do that. Let me try to ping google.com and see if we can get an Internet connection over here. As you can see it seems that it starts pinging, but I'm not very sure about this. It seems like it starts pinging this thing, but it doesn't actually get a response back. So, I don't know if we can connect to the Internet or not. For example, we can just stop this with Ctrl-C and we can come over here and try to find some exploit suggester that we can use. I'm going to share those things with you. There is a tool called LinEnum, which stands for Linux enumeration, and linPEAS, and there's a winPEAS as well for Windows privilege escalation suggestions. This Linux privilege escalation suggester and LinEnum are actually very strong, and also linux-exploit-suggester as well. So, there are a lot of tools that you can leverage over here. Search for LinEnum and just find this. This is under rebootuser and you can just gather this LinEnum.sh in order to run it and try to find the kernel exploits over here.
Again, I'm going to show you what a kernel exploit is, don't worry about it yet. For example, you can even copy and paste this thing if you want, but you can of course copy the link over here and try to download it with wget. So, if you run this, as you can see, I believe we are connecting to that website. Let's see if we can really download it, okay? If we can, very good; if we cannot, then we cannot use this. Maybe we can try to copy and paste, as I said before, or maybe we can use the linux-exploit-suggester tool that comes with the box itself, but again, this is not working, this doesn't seem to be working in this case because we cannot connect to the Internet. So, this can be the case in many penetration tests that you actually take part in. And again, if you cannot download it then you should know what to do. That's why we are focusing on the manual side of things. That's why we're not only seeing the automated things over here. So I'm going to Ctrl-C out of this and I'm going to go over to my user directory over here. Let me just go to home, sorry, and we can go into the user directory and just say ls and let's go into tools and let's use this linux-exploit-suggester for example. So pretend that you were able to download this and you were able to get a bash script over here, or you may just try to copy and paste the thing: you can just nano it and just create it yourself. You can change it to executable by running chmod 777 on that file. So, if I execute this sh, then it will give me some results back. What are those results? This is exactly what other tools do as well, maybe in a more comprehensive way. But again, over here we have a lot of exploit suggestions. These are kernel exploits.
So, our Linux has a kernel, as you might already know, and this kernel might be vulnerable to some privilege escalation attacks, and if we can leverage that then we can become root or we can become more privileged in a way so that we can complete our task. As you can see, in our case we get a lot of different exploit suggestions over here. dirtycow is actually one of the most popular ones, and dirtycow 2 as well. It doesn't mean that these are all going to succeed; even though we get a lot of suggestions over here, maybe some of them will work, maybe some of them won't, but it's our duty to actually try and see if they work or not. This nginxed-root.sh is quite popular here as well. But anyway, in any case we can try to just leverage them all one by one. These are all vulnerabilities that are, or that may be, related to our Linux version. So, if your target server doesn't have the most updated version, which they hardly ever do, you can try to just go to the GitHub page or one of the exploit suggestions like this and download the exploit itself and try to use it. In this case I'm trying to download the dirtycow itself. And it gives us C code. I'm just going to close this one because I want to show you the page itself, so let me try to find the page itself. Let me go to Google and search for dirtycow exploit. And here you go, this is a Linux kernel exploit. In the Exploit Database, we can see the actual code itself. Maybe you don't know C, maybe you don't understand all of this, it really doesn't matter. As you can see there is C code over here that takes advantage of that vulnerability and tries to escalate privileges by running some code. It's okay that you don't understand it, but you should understand how to execute this on your own server.
Because if you find an exploit, if you find an actual possible exploit, like dirtycow or any other exploit that we have seen in that list, then you should go to Exploit-DB and try to download the code and execute it yourselves. And again, maybe it won't be possible for you to download the whole code by running wget; maybe you can just copy and paste, and if you're a psycho, you can just write it by looking over here on your own into your target system as well. But again, if you can find a way to download it, it would be much faster for you. So, theoretically we have found a possible vulnerability over here and then we are trying to exploit it by executing some code, and we are getting this code from the Exploit Database itself. Let me just come back over here to our suggestions again; you can try all the other ones here as well. Again, this linux-exploit-suggester is a very good tool that you can actually use in your own pentests; you can try to use all the other exploits over here. I'm showing you the dirtycow because it's one of the most popular ones. So, if you run uname -a you can try to search for this exact version over here on Google in order to understand if there is any vulnerability related to that, rather than using linux-exploit-suggester itself like this. As you can see it's already been searched on Google many times, and when we search it, we can directly go to dirtycow that we have found before. So, if you cannot reach linux-exploit-suggester in a real life example, then it won't matter a lot because you can actually find it online as well. This is the logic behind it. If you can reach the automated tools then it's very good, then you can get exact results, but if you cannot, again, you know how to run uname -a, you know how to get the current version of the Linux that you are in, so that you can search for it in Exploit-DB or any other database as well.
So, in this case we're going to try dirtycow to see if this works or not, and I believe these are the same things over here. Again, there is a lot of code over there, I'm not going to go over it. Maybe you don't even know how to write C, but we can try to download this tool and use it in our own tools folder on our own server over here. For convenience, again, I placed the dirtycow over here so you can just cd into that and run ls to see c0w.c. This is the file that has been given to us; again, if you can wget it then it's okay. Maybe you can git clone it, then again it's okay. Maybe you can copy and paste it, it's okay. Just make sure that you have the tool available in your target server. So, this is a C file, okay? First of all, we need to make sure that we can execute it; we cannot actually run the code by just typing the C code. Okay? We need to convert it. If you go to gcc over here, or you can just search for gcc online, you can see the DirtyCow usage. So, first of all, we need to actually convert this into an executable using a tool called gcc. This gcc actually takes in the C code and gives an output. Okay? It uses some parameters like -pthread, and the parameters can actually change from exploit to exploit, and you can see how to use them on their respective GitHub sites or in Exploit-DB as well. In this case, as you can see, we have usage examples for 32 bit and 64 bit. I'm going to go for gcc c0w.c over here, and this 0 is a zero, I believe. Over here we're going to use -pthread again, and we need an output file to just give an output, an executable of the C file. I'm going to call this dirtycow. Obviously, you can call this anything you want; in this case, I just called it dirtycow as you can see. Let's check to see if we can execute this, or maybe we should run chmod 777 on that. Let's check and see. Here you go, we can execute this.
And as you can see, it says dirtycow root privilege escalation, backing up. So, it's trying to back up some kind of password file into a temporary folder, and we're going to wait until it's finished. It may take a little bit of time over here, so make sure you wait until it's completed, and I believe, I have used this before, if it doesn't complete within a minute or something like that, we can try to exit out of this one, but I'm going to wait and see. Okay? It shouldn't take more than one minute or something like that. Meanwhile, make sure you understand what we're doing over here, okay? We have just selected dirtycow as a test. Maybe it will work, maybe it won't; we have a lot of suggestions over here, and we can just use any of them. And here you go. I believe now it's completed. Again, if it takes more than one minute maybe you can try to press Ctrl-C over there. So I'm going to run passwd over here, and once I run passwd, as you can see, I became root, and I actually lost the connection for some reason. I don't know why we lost the connection. Let's see. Let's come over here and here you go. We have lost the connection because my virtual machine expired over there. I should have added one more hour over here, but I believe we missed that opportunity over there. So, it is not related to the exploit thing that we have done. I believe I should have thought of that long ago and added that one hour before. Okay? But maybe you have seen that we gained root; we were actually root in that case. So, I'm going to do this one more time so that you can see it in a better way, and you can see it's not related to our privilege escalation process, but it's related to me being reluctant to add one more hour over here in a given period of time. Okay? I'm going to copy the IP address as soon as we can see it over here. Let's wait until it's shown to us, and then we're going to get the IP address over there. Here you go. Now it's 10.10.130.137.
So, I'm going to ssh into that. Okay. Our IP address has changed. We know that it's user, so it's user@ something like that. Let me try to paste the clipboard and say yes, and give the password; you know the password. If you can't remember the password you can always look for it in the room over there. So, I'm going to go into tools, and run cd dirtycow, and here you go. It doesn't seem to be persistent over here. Of course, we terminated the machine and now we cannot see our files, but again it's not important. It's even more practice for us, so it's better. We're going to have to use gcc one more time in order to create our own executable over here. So, remember the command: we need to run gcc and just give the c0w.c over here as an input, and we need to specify -pthread over here, and for the output, I'm going to call this dirtycow one more time. After it's been generated for us, I'm going to run the dirtycow. It will take a minute, then as you can see, it says that it's trying to do something with passwd over here. So, once we execute the passwd command, which is actually the user password tool, then it will make us root. And how do I know that? Of course, I get it from Exploit-DB or from GitHub. It actually shows you how to run the tool, and how to become root after it's been executed. It's different for every suggestion, it's different for every tool that you have seen in the linux-exploit-suggester output. So, you need to check the GitHub pages or you need to check the Exploit-DB pages in order to understand how different tools work. But dirtycow generally works, okay? And that's why I'm showing you this first. It's also common in CTFs, as well as in real pentests. If you think that everybody keeps their Linux system updated, then you are wrong. Of course, they do not. And this is one of the most common things that you will encounter in real life as well, as I said before.
And also that is one of the reasons why people actually keep their passwords in files called passwords.txt. That's why we are trying to locate the passwords or find the password.txt files again. So, here you go. I believe we can press Enter or Ctrl-C over here. Let's see if we can actually do that. Yes, here you go. Once we run passwd, it became root. Now we are root: if I run id, now we can see we are root over here. If I run whoami, we are root one more time. So, we managed to get this flag, or we managed to become root in some way. Okay. This was the first task in the section. We have seen the kernel exploits. You can go to user by running su user anytime you want, because once you become root, you can just switch between the users like that, and for some reason clear doesn't work, but it's no big deal. Again, we're going to see a lot more than kernel exploits, but beware that this is one of the most common ones. So, check for kernel exploits with linux-exploit-suggester, or by doing a manual search on Google by looking at the uname -a output. See you in the next lecture for the continuation of these privilege escalation techniques.
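The lecture's whole workflow rests on two things an administrator can check: a kernel release old enough to turn up in a search, and a host that hands an unprivileged user a compiler, a downloader and a writable scratch directory. The script below is an added defender-side example, not code from the course or from any of the tools it mentions. It turns the manual "run uname -a, then look the release up" step into a repeatable version check and reports the tooling the exploit workflow needed (gcc, wget/curl, git, a writable /tmp). The `uname -a` line is constructed for offline demonstration, and MIN_KERNEL is a placeholder the administrator sets from the fixed-in version in their distribution's advisory; neither value comes from the lecture.

```shell
#!/bin/sh
# Added example, not from the lecture: patch-level check plus exposure report.

# Constructed sample `uname -a` line for offline demonstration; on a real host
# replace it with "$(uname -a)".
SAMPLE_UNAME='Linux target 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux'

# Placeholder minimum kernel version: set it from the fixed-in version in your
# distribution's advisory for the issue you are checking (0.0.0 accepts any).
MIN_KERNEL="${MIN_KERNEL:-0.0.0}"

# Field 3 of `uname -a` on Linux is the kernel release, e.g. 4.4.0-31-generic.
kernel_release_from_uname() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Strip the distribution suffix so only the numeric part remains:
# "4.4.0-31-generic" -> "4.4.0".
kernel_numeric() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Fields are compared as integers, so 4.10.0 > 4.9.9 (a plain string sort
# gets that wrong); a missing field counts as 0.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{print $n}')
        y=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{print $n}')
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# assess_kernel UNAME_LINE MIN: print a verdict; return 0 when the running
# kernel is at or above MIN, 1 when it is below (the situation the lecture
# exploits: a release old enough that searching for it finds a working exploit).
assess_kernel() {
    rel=$(kernel_release_from_uname "$1")
    num=$(kernel_numeric "$rel")
    if version_ge "$num" "$2"; then
        printf 'kernel %s (%s) >= %s: OK\n' "$rel" "$num" "$2"
        return 0
    fi
    printf 'kernel %s (%s) < %s: BELOW MINIMUM, update the kernel\n' "$rel" "$num" "$2"
    return 1
}

# report_exposure: list the tooling the lecture's workflow needed on the target.
# A hardened server should not offer an unprivileged user a compiler, an
# outbound downloader and a writable scratch directory all at once.
report_exposure() {
    for tool in gcc cc wget curl git; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%-5s present\n' "$tool"
        else
            printf '%-5s absent\n' "$tool"
        fi
    done
    if [ -w /tmp ]; then
        printf '/tmp  writable by %s\n' "$(id -un)"
    else
        printf '/tmp  not writable\n'
    fi
}

# Demonstration on the constructed line; the verdict's status is ignored so the
# script always goes on to print the exposure report.
assess_kernel "$SAMPLE_UNAME" "$MIN_KERNEL" || :
report_exposure
```

Run it as `MIN_KERNEL=<fixed-in version> sh kernel_check.sh` on each host after replacing the constructed line with the real `uname -a` output; a BELOW MINIMUM verdict is the same signal the lecture gets from linux-exploit-suggester, obtained without downloading anything onto the box, and a report showing gcc, wget and a writable /tmp all present means the compile-and-run path shown in the lecture is open to any local account.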
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.