Linux Privilege Escalation
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi. In this lecture we're going to continue working on sudo -l, and we're also going to show you another technique called unshadowing. I have talked about this before, and we have seen that we cannot cat the /etc/shadow file. So in this lecture we're going to see whether we can cat it out, and how we can actually crack the root password and become root in the way we want. When we ran sudo -l, we saw that apache2 is in the list. If you search for apache2, you can see this: we can use apache2 in order to cat something out. So how do we do that? Let me show you. You can run sudo /usr/sbin/apache2, and if you use -f like this, you can cat the file out. As you can see, we managed to get /etc/passwd over here. Even though it's not ideal to use this, we managed to get the first line. If I do cat /etc/passwd, I can just see the whole thing, so there is no point using apache2 to get only the first line of /etc/passwd, because I can already read all of it. But in this case we already had permission to read /etc/passwd; as a regular user we don't have permission to read /etc/shadow. So rather than doing this on /etc/passwd, maybe we can do this on /etc/shadow. Since we are running this with sudo, with escalated privileges, it means we can get the first line, and here you go: this is the shadow file, this is /etc/shadow. You can try this on your own Kali Linux as well to see your own /etc/shadow. If you become root and just cat /etc/shadow, you can see what kind of things you get, and this is what you get.
Let me show you one more time. If we cat /etc/passwd, we have this over here. This is root, and this is the password of root; in /etc/passwd the password is represented by an x. So now we know that this is the password. There are a couple of other parameters over here, like this. These are for the expiry of the password and for other settings, but we are actually interested in the password itself. So I'm going to copy this, and I'm going to show you something you should do even though we already know the hash right now; it's very obvious, but I'm going to show you the proper way of doing this. I'm going to copy this and open a new tab so I can go into Documents and into the CTF folder we have been working on previously, and I'm going to create a new directory over here. You can call this anything you want; I'm going to call it TryHackMe. I'm going to cd into that and create a new file. I'm going to say nano note.txt... actually, not note.txt. Let me do this one more time, because we need a very explicit name over here. I'm going to come back and check. Yes, it didn't create that, so I'm going to call this something like shadow.
Okay, shadow.txt, and I'm going to paste this in. This is the shadow output. I'm going to save this with Ctrl+O, Enter, and Ctrl+X, and here we have shadow.txt. Now I'm going to create passwd.txt over here, and I'm going to copy the passwd output into it, like this. I'm going to copy this, paste it over here, and save this as well. So what have I done? I have two files right now: one contains the passwd file and the other contains the shadow file. Since I have only one line, I could actually skip this step, but I want to show you the unshadow command. This is a way to combine these files and put them together to see the whole picture. Right now, since we have one line, it's very easy. But if you had maybe 50 lines in the passwd file and 50 lines in the shadow file, it would be hard for you to combine them, put the passwords in the right place, and match them together. The unshadow command does this for you. All you have to do is write unshadow passwd.txt shadow.txt, and here you go, we have the output. It combines the two files together. As you can see, we actually get an output very similar to shadow.txt. But again, since we have only one line it seems very easy; if we had multiple lines, it would be hard to do by hand.
Once we get the unshadowed output, we can attempt to crack this hash in order to find the root password. This is the password; of course it is hashed, and we need a way to crack it. We can use a lot of different tools to try this. I'm going to show you the most popular one so you can try it on your own as well. Once you get the password, it will be incredibly easy for you to become root: all you have to do is run su root, or sudo root, or sudo su, give the root password, and escalate your privileges. So you may want to take a note of this: copy the unshadowed output and save it into a file. Since I already have a very simple line, I'm just going to take this password hash over here and work with that.
Because this is the same thing I eventually get from catting shadow.txt. I'm going to come back to Google and search for crack root password, or crack root password hash linux, like this. If you search for it, you will be presented with tutorials, about 1,500,000 results over here. If you go to medium.com, for example, or any of the tutorials, you can see some alternatives. Let me show you one and what is going on over here. As you can see, it shows the output of /etc/passwd and /etc/shadow, and it says you can use John the Ripper and Hashcat. If you took the complete ethical hacking course, I believe we have seen Hashcat over there. Here is one example: cracking hashes with John the Ripper. If you come over here, you can see all the steps to crack the hash. It does the unshadow step, which we have already done, and it saves the output into a txt file called passwords.txt. Maybe we can do that as well; this is the output of the unshadow command, so remember that. John the Ripper is a tool that comes pre-installed with Kali Linux, so you can use it.
You can say john --wordlist, provide the wordlist, and run this against passwords.txt. It will break the password if and only if your wordlist contains the password. Since this is hashed with a very secure algorithm, you cannot reverse it; you need to use a wordlist, and that way you can get the real password out of it. So: john --wordlist, provide a wordlist, and provide the txt file you saved. Later on you can say john --show and it will show you the result. Over here we have the Hashcat version as well. To do that, it says hashcat -m 500 -a 0 -o cracked.txt hashes.txt, where -o is for the output, and again you need to provide the wordlist here as well. So as you can see, there are two great ways to solve this problem. Over here we see the parameter explanation for hashcat as well: the -m flag specifies the mode we want to use, the -a flag determines the attack type, and so on. I believe you get the idea. You can use either Hashcat or John the Ripper in your Kali Linux, depending on your choice. Let's try one of these on our system and see if we can actually crack the password. I'm going to go for John the Ripper; you can try Hashcat yourselves, but I'm going to go for this one, okay?
So we have the output, but we didn't put it into any txt file yet; as you can see, that's what it's doing in this line. I'm going to go back into my CTF folder one more time, into TryHackMe. We have passwd.txt and shadow.txt, so we can just run the command one more time: unshadow passwd.txt shadow.txt gives us this output. If we redirect this into another txt file, like passwords.txt, it will be put in there. If I cat this out, I get the exact same result back, like this. Now it's contained in our passwords.txt. Let's go to the next level. It says to run john with the --wordlist parameter against passwords.txt. Now, since we know the password, I'm going to keep it short and easy, okay? I don't want to run this against a wordlist of like one million passwords. We already know the password, you understand how it works, and of course there are a lot of wordlists under the /usr/share/wordlists folder. So I'm going to create a wordlist of my own. I'm going to nano a wordlist and write some of the passwords we are working with. We know the real password, so I'm just going to go for two or four options over here. Even though we made it too easy, it's not worth debating, because we need to understand how this works and we already know the password. I'm going to copy this one, come over here, and paste it in. So rather than providing the sqlmap wordlist, or SQL map, however you want to pronounce it, I'm going to just go for wordlist.txt and run it against passwords.txt. Here we go: it says loaded 1 password hash. If you say john --show, it says password files required but none specified, so we have to say john --show passwords.txt, and here we go: it says that root is james123.
So it managed to crack it, as you can see. Let me come over here, run sudo root, give james123, and hit Enter. If you see nothing happening while you type, that's fine; it's for security purposes, just type it and hit Enter. Let me try this one more time: james123. Yeah, it says try again. Let me just run sudo su and try one more time with james123. Yeah, it doesn't work for some reason. I believe we have to go for su root rather than sudo root. So I'm going to go for su root and give the password, and here we go: now we are root. Yes, sudo was asking for the sudo password, which is the user's password. If you run whoami, now we are root. We managed to do this by getting /etc/shadow. Most of the time you won't actually get to cat /etc/shadow, but if you see something like this in the sudo -l list, then you can cat it out. I didn't even know we could cat things out with apache2; of course, it's a quick Google search, right? So whatever you see in the sudo -l list, make sure you google it and search for how to do privilege escalation using that binary, and it will give you the result. So far, so good. I believe it's time for us to stop here and continue with privilege escalation in the next lecture.
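As an added example (not code from the lecture or from the unshadow tool itself), here is a small Python re-implementation of the join the lecture performs with unshadow passwd.txt shadow.txt, together with a parser for the nine shadow fields the lecture skips past and a defender-side check that flags accounts stored with no password or a fast legacy hashing scheme. The passwd and shadow lines are constructed samples with placeholder hashes.

```python
from typing import Dict, List
# Constructed sample /etc/passwd and /etc/shadow lines (placeholder hashes, not real ones).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
james:x:1000:1000:james:/home/james:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"""
SHADOW_SAMPLE = """root:$6$constructedsalt$constructedhash:18000:0:99999:7:::
james:$1$constructed$md5hash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::"""
# The nine colon-separated shadow fields; the lecture only looks at the hash.
SHADOW_FIELDS = ["name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved"]
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def parse_shadow(text: str) -> Dict[str, Dict[str, str]]:
    """Map username -> dict of the nine shadow fields, rejecting malformed lines."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(SHADOW_FIELDS):
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[parts[0]] = dict(zip(SHADOW_FIELDS, parts))
    return entries

def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Put each user's shadow hash in place of the 'x' in its passwd line (the unshadow join)."""
    shadow = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        if parts[0] in shadow:          # users missing from shadow keep their 'x'
            parts[1] = shadow[parts[0]]["hash"]
        merged.append(":".join(parts))
    return merged

def hash_scheme(hash_field: str) -> str:
    """Classify a hash field: empty, locked (* or !), a $id$ crypt scheme, or legacy DES (no $)."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "*!":
        return "locked"
    if hash_field.startswith("$"):
        return CRYPT_IDS.get(hash_field.split("$")[1], "unknown")
    return "des"

def weak_accounts(shadow_text: str) -> List[str]:
    """Defender check: accounts with no password or a fast legacy scheme (md5crypt is hashcat mode 500)."""
    return [name for name, entry in parse_shadow(shadow_text).items()
            if hash_scheme(entry["hash"]) in ("empty", "md5crypt", "des")]
```

Pointing weak_accounts at a real shadow file (as root, on a system you administer) lists the accounts whose hashes a wordlist run like the one in the lecture would get through fastest, which is the cue to rehash them under sha512crypt or yescrypt.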
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.