Linux Privilege Escalation
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi, within this lecture we're going to focus on the sudo list, or sudo -l, and we have seen this technique before during the CTF solving in the previous sections. But I believe we have to recap this one more time in order to truly understand what we can do with this. So far, we know that once we get the user, once we hack into a system, we can run sudo -l, okay? So, let me run this and see what we can do over here. Once we do this, we can see what kind of things, or what kind of binaries, we can execute over here, and we can do this without giving a password. So, maybe we get this on some kind of server or in some kind of pentest, and maybe we don't get this, but it's worth a shot. Once we do that, it's not even guaranteed that we become root using one of these binaries or one of these programs over here, but again, we can search for it and we can see what we can do with it, okay? So, even though it's not guaranteed, make sure you run sudo -l; just take it in your notes, okay? It's one of the first things that you should do once you become a user or once you just hack into a system, and we have seen this thing, right? We have seen nmap before and we have used nmap to become root. So, for example, let me just do this one more time. Let me see if we can run this with the sudo command. As you may already know, sudo means "super user do", and we can actually run any of the binaries with escalated privileges, of course, if we have the permission. For example, if I run this, as you can see it gets executed; since I didn't provide any of the parameters that I should, it just displayed the help documentation, but again, it's enough because I know I can run this. So, maybe I can just use the interactive mode that we have seen before and just run !sh in order to get a shell back as root. Maybe you remember that; it was very easy, and actually at that time I didn't know that, we just googled it and found it, okay? So, let me show you what I mean.
We can come over here and say --interactive. Maybe you have skipped that lecture, but once you go into the command line of nmap, you can run anything you want. If you run just this, then you get a shell back, an sh shell, and over here if you run id, as you can see, we are root. If you run whoami, you get root back. So far so good; as you can see, we became root by using nmap over here. So, maybe you didn't know nmap does that, that nmap lets you do that. Of course, you can google it and find it, okay? And I have shown you how to do that in the previous sections, so I'm going to get out of this by running exit, okay? I'm going to run exit one more time and we are back as the user. So, I'm going to run sudo -l one more time, and here we have some other tools as well. I don't think we can use find, for example, in order to become root, but maybe we can use vim; as we have already seen in the bandit section, vim has its own command line as well. So, we can use vim and try to become root. For example, we can just say sudo /usr/bin/vim, and over here, in order to use the command line of vim, we can just say -c, and this is the command that we are going to execute. We're writing this in between single quotation marks, okay? All you got to do is actually run /bin/bash or /bin/sh, whatever works for you in that case, okay? So, come over here and just say !/bin/sh, for example. Let's see if we get the sh shell back. So, here we are; let me run whoami, and here we are, root. As you can see, it's very easy if you know what you're doing, and more often than not you will see those things, because many times administrators are too lazy to implement the security features and they just let it run with sudo. They think that nothing is going to happen, but more often than not something is going to happen over here if the hacker knows what he's doing, okay? So, here we have Apache 2 and others here as well.
Maybe you can search for them online and see if there's any way to become root using Apache, for example. And we are inside of vim, so I'm going to say :q! and hit 'Enter' to exit out of this one, and here we are. So, I'm going to stop here and continue within the next lecture.
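The lecture shows why a passwordless sudo rule for a program with its own command line (nmap, vim) is effectively a root grant. As an added defender-side example, not part of the course, the Python below parses the "may run the following commands" section of sudo -l output and flags such rules, so an administrator can review them before someone else does. The sample output is constructed here, and the list of shell-spawning binaries is just the two the lecture demonstrates.

```python
import re
from typing import Dict, List, Tuple

# Programs this lecture shows escaping to a root shell when run via sudo.
SHELL_ESCAPE_BINARIES = {"nmap", "vim"}

# A rule line from sudo -l: "(runas) TAG: TAG: /path/one, /path/two"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Constructed sudo -l output for a host where these weak rules exist.
SAMPLE_SUDO_L = """Matching Defaults entries for user on host:
    env_reset, mail_badpass

User user may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/nmap
    (ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/sbin/apache2
"""


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Return one record per command granted in the rules section of sudo -l."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything below this header is a rule
            continue
        match = RULE_RE.match(line) if in_rules else None
        if not match:
            continue
        tags = {t.strip(": ") for t in match.group("tags").split()}
        for cmd in match.group("cmds").split(","):
            rules.append({"runas": match.group("runas"),
                          "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def audit(rules: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Flag rules to fix: (command, severity, reason). Fix is to drop the rule
    or require a password and use a wrapper that exposes no interactive mode."""
    findings = []
    for rule in rules:
        cmd = str(rule["command"])
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append((cmd, "high", "unrestricted sudo"))
        elif binary in SHELL_ESCAPE_BINARIES:
            findings.append((cmd, "high", "program can spawn a shell as root"))
        elif rule["nopasswd"]:
            findings.append((cmd, "medium", "passwordless sudo, review binary"))
    return findings
```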
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.