Linux Privilege Escalation
The course is part of this learning path
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi, within this lecture, we're going to see another technique that we can use in order to escalate our privileges in Linux and we're going to see this in another machine because it's relatively newly discovered. It's discovered in 2019 and a lot of Linux servers around the world didn't, actually upgrade themselves in order to patch the security over here. So, let me show you what I mean. I'm going to go into the Hacktivities one more time and this is a free machine as well and I didn't even create it or I didn't even upload it, we're just going to take leverage of somebody else's machine on this thingy. And I believe there are more than once, but I will show you at least the most popular machine or at least what I liked most because they laid out the terry as well in a very good way. So, we are looking for CVE-2019 and 42, actually, 14, 28, and 7, like this, okay, 14287. So, as you can see, there is only one machine right now and I believe I have seen some others as well, maybe it was in the HackTheBox, but let me show you what it does. So, I'm going to search for the CVE online and, of course, you will find it in ExploitDB or any other CVE tracking websites over here. So, let me just open a couple of these over there so that you can see how it's discovered and what are the technical things behind it. So, I believe this is the Debian website. So, let me come over here, yep, it's been discovered in Debian and it says that it's related to Sudo command itself, okay? An attacker with access to run as all Suso account can bypass certain policy blacklists and I'm going to show you how it's done, how it can be possible to bypass that security, okay? And over here you don't have to do that by now. By the way, I'm just showing you some kind of details or how you can find it online but, actually if you can find this machine on TryHackMe. They laid out the terror behind it in a very good way, okay? So, make sure you join the room over here and just deploy the machine, okay? And then you can just try to read the task over there. And for the first task, it's just for deploying, we already know how it's done because we have sold our own machine in the TryHackMe and for the Task 2 at security bypass, I'm just going to say 'Ok' to this. Okay, and go into the Task 2 to read about the details over here. So, as you can see, this is a vulnerability found in the Unix Sudo. So, Sudo is a command in Unix that allows you execute programs as other users, we already knew that, right? But what we didn't know or what we actually will learn in here is that we can try to act like another user and we can try to just give the UID of the user, okay? So, we can run this command sudo -u and just give the UID of that user. So, maybe you did know that, maybe you didn't know that. It's not very important because we can use the usernames in the Linux as well, but it got really important when a certain guy figured out something. If you just come over here and you know the root always has the UID of 0. So, we knew that because we actually seen it in the set guid, set uid codes in C. So, over here, it says that root is always 0 so you can try to become root like sudo -u, #0 and try to run the command and, of course, it won't work, okay? Because there is a security config over there that it will not let you run this. But what if you just put a -0 over there? So, some guy discovered that if you put a -0 rather than 0 over here, -1 I mean, not -0. Maybe -0 works as well. Rather than 0, if you put -1 over there, then it becomes like confused and it actually bypasses that security config and it gets executed as root. So, let me ssh into this thing, okay? The username and password is tryhackme. Okay, I'm going to ssh into this and I'm going to say 'Yes' and we're going to try this. So, the password should be tryhackme, and here you go. We are inside of the tryhackme. If we run ls -la nothing is over here. We don't need any kind of thingy or folder or file in order to crack this. So, what I'm going to do, I'm going to run this, okay? So, I'm going to run sudo -u and give the 0 over here in order to try and execute this as root. So, I'm going to execute this as /bin/bash. It will ask me for a password, I'm going to give the tryhackme password and here we go, it didn't accept it, let me try it one more time. Yes, even though it accepts, it will say that the user tryhackme is not allowed to execute /bin/bash as root on sudo-privesc, of course. But if I do this like -2, let me see, yeah, it says that I have no name, okay? But if we execute this like, yeah it cannot find that ID, if we run whoami. But if we execute this like let me exit and execute this as -1, and here we go, now we are root. So, it actually ricochets in the roots for some reason and the reason is that we actually managed to bypass the security by running -1 over here. So, let me get the root.txt over there so that we can actually copy this selection and put it in the TryHackMe to gain a little bit ranking, right? So, you can just do this on your own as well. So, what command are you allowed to run with Sudo? Yeah, /bin/bash. We have run /bin/bash, right? So, here you go, correct answer. So again, this is a very, actually easy vulnerability to just use in order to escalate your privilege but also very creative one to discover so congratulations on this guy or whoever discovered it. And again, don't forget to try this because it's relatively new and you can actually see this in real life pentests as well. So, let me stop here, continue within the next section.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.