1. Home
  2. Training Library
  3. Programming
  4. Programming Courses
  5. Deep Dive into Privilege Escalation on Linux

Suid Privilege Escalation

Contents

keyboard_tab
Linux Privilege Escalation
1
Tryhackme Setup
PREVIEW16m 43s
2
Enumeration
PREVIEW11m 41s
5
Sudo List
5m 32s
6
Shadow
15m 21s
7
Preload
9m 32s
10
Path
7m 49s
12
Crontab
11m 13s

The course is part of this learning path

Start course
Overview
Difficulty
Intermediate
Duration
2h 29m
Students
13
Description

This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!

Transcript

Hi, within this lecture, we're going to see how we can use this suid's in order to become root. And in fact, we're going to start with a very hard one, okay? We have seen that this /usr/local/bin/suid-so is over there, and we have a special suid permission over here. So, I'm going to just run it, and as you can see, we get an output over here, it says that calculating something, please wait, and we see 99% and it says done. So, as you can see it doesn't do much, it calculates something and it says done. So, I don't know what it does. And again this is one of the most, actually difficult thing that you can come across in an suid, kind of exploit or suid kind of privilege escalation, but we have seen the easy ones before, right? So, I'm going to show you something. There is a comment called strace, and you can trace what a binary or a shared object does in order to understand the logic behind it. So that you can actually take leverage of if there is any vulnerability in that particular file or particular binary. So, over here we are tracing what a binary does. So, that's exactly what we need, because we know there is something going on in this suid-so, but we don't know what it does. So, in order to understand this, I'm going to use this command, and I'm going to actually have to just give the full path over here. So, this is usr/local/bin/suid-so. So, make sure you type exact same command over here, and it actually traces and sees what is happening over there. And as you can see there's a lot of writing going on over here, like printing out going on over here. So, we actually cannot see much over there, and we cannot even see the beginning of this file. So, what I'm going to do, I'm going to pipe this into more, so that we can see what's going on, and as you can see, it's very long, we cannot understand anything from it. It just prints out something like this. So, I'm going to clear this up and I'm going to run this one more time, but I'm going to pipe this to more, okay? So, that we can see it in a better way. So, I'm going to do something like this, but it won't work as you can see, I just try to just put the output in null, but it didn't work. I believe the way to go is to put this in more, okay? So, that we can see what's going on in the beginning as well; because we need to find a clue in order to understand how we can leverage this. So, I'm going to just pipe this into something like more, and if I can make the piping sign, here you go, just write more over here and hit 'Enter' and here you go. Now we can see the beginning, and as you can see, this is the beginning of this file, or of this output. So, here we have a lot of information, just scan this a little bit and see what happens. Let me just go down a little bit. So, we have a lot of gibberish things going on over here, like logs and outputs. I don't know, any of this right now, I'm just trying to make sense of something, and as you can see, it says that we are trying to access some files etc/suid-debug, and it says no such file or directory over here. So, it's trying to access some files over here, but it cannot find it for some reason. So, for example, pre-load, for example this one. So, we have a lot of warnings and errors over here. So, for example, it tries to open this so.2 and, I believe, it opens this, so there is nothing like an error over here. But for some files we have no such file or directory errors. So, this may be a clue, why? Because if we can actually create a file like that, exact same file, then it will be accessed. So, if we can find a file that will be executed like a so file or a c file, or just a binary, then we can actually write our own exploit, and make it run as root, so that we can become root, okay? So, this is a little bit hard as I said before, it's are not easy to find in real pen test but if you can find it, then you will just find it big. Okay, you can get a big reward out of it. You can become root, you can do whatever you want. So, over here we're going to see how it's done, and again we will find a file, so that it's going to be accessed or it's going to be executed and we're going to try and create that file on our own. So, we need to find no such file or directory errors over here, okay? If you go down with your arrow keys or by hitting Enter, you will see there are a lot of them. So, what I'm going to do, I'm going to just filter this out a little bit, to understand what kind of files that we cannot find. So, rather than piping this to more, I'm going to pipe this to grep, and I'm going to search for no files. So, in order to do that you have to write -i -E "open|access|no such file". So, it's either going to be open or access or no such file. And we're going to see every one of those lines over here, okay? Of course you can go for the access, but it will show you also the accessed files, those files that really exist. So, we really need no such files over here. So, here you go. We found those steps like it tries to access this suid-debug, but there is no such file or directory. So, we try to access this but no such file or directory. And I believe we have to go for the open rather than access. So, we know it's going to be opened and we know it's going to be executed. And in this case, for example, there's an open over here and it actually ends with "so" extension. So, I believe this is a way to go or this is our best bet. So, I believe we can go for this, and if it doesn't work, we can always come back and try for the others as well. So, we are in the home user, so most probably we can actually reach this file or folder over here. So, let me see. So, this is config, and we don't actually have a config folder over here as well, okay? So, since this is in the user folder, it will be actually possible for us to create that folder, and create the file as well. So, if it was in another user's file or folder then it will be not possible for us to do that. For example, I don't know if we can actually create a file called KnowHowCap or something like that, and put it in the etc folder because maybe we don't have permission for that, but we definitely have permission for our own user folder, which is why we're going for the last one here as well, okay? So, you can try the other ones here, like etc or like lib, but since we are user, it won't be possible for us to do that most probably, I don't know. Maybe we can try that, but again, it's our best bet. So, if I run mkdir.config, I can just see the .config folder over here like this and I can go into that, and here you go. Now, if I just want to create a like something like a libcalc.so I can just write nano lipcalc.so or Lipcalc.c first. Of course, we're going to write the C code and just compel it into so shared object file later on. And again, you don't have to know C in order to do this, I'm just going to show you a very simple C code and I will put it in the TryHackMe tasks as well. So first, I'm going to include the stdio.h over here and also the stdlib.h over here like that. And after we import the libraries that we're going to use in this code, we're just going to go for init or just create a constructor attribute. Okay, you can get the code from here like this, okay? And if you know C, this will be very easy for you, and if you don't know C maybe it will be a little bit complicated, but if you know any programming language at least you will understand the logic. So, what does static void mean? So, if you've got any kind of Java course or any C course, you know this, static means it can be reached from anywhere in the project, and void means and it's actually saved in a different kind of area in the RAM and void means it will return nothing. Okay, it will return null nada and we are creating a method over here and so even if you have a different name for this method in the documentation in my task, practically we can call this anything we want. Like I will call it my name, so atil and this will be a special attribute like this, okay? So, -- attribute and not dash actually, __attribute__ and this will just take in the constructor, okay? So, this is our special method over here, make sure you put on the semicolon at the end and now we're going to write what will happen when we execute this and then within side of that method we can just specify what to do. So, again I'm going to create a void over here and I'm going to call the same thing, atil and I will put curly braces right now like that and make sure you put one tab over here, okay? 1, 2, 3, 4 spaces. So, after four spaces I can just run system and we're going to execute this on the system. So, what are we going to do? We're going to copy the bash and we're going to give the suid permission to bash and then we're going to just spawn the bash, spawn the shell so that we can become root. And again this will be executed by root so it will be good for us. Because why? Because we know suid -so is owned by root and we have given a special permission to access it. So, let me write what we're going to do over here. So, this will be between the double quotation marks. So, I'm going to copy the bin/bash over there, okay? And I'm going to copy it under the /tmp/ folder like this. And then you can just write && like this and then I'm going to give a chmod +s which is going to give us the suid permission to /tmp/bash and then it will be very good for us because we can just run the bin/bash from the user as well and you can just spawn by /tmp/bash -p over here. So, it's actually a one-line code like this. It's not even a C code, it's just doing something with the system so it will be run as a command, and the command that you should run is over here. And again, we're just going to let the root run this command for us. So far, so good. This is the whole thing that you should run, okay? So, this is kind of developing your own exploit but if you don't know C again, it's fine. Just understand that we are making root to run this thing so that it can copy the bash into tmp and give an suid permission to it so that we can spawn it like that, okay? So far, so good. You can save this by 'Ctrl + O' and just enter out of this with 'Ctrl + X' so that we can see the libcalc.c over here under the config folder, okay? And of course we're going to have to just convert it into -so and then we can just put it where it belongs. So far, we only have the libcalc.c over here and I'm going to use the same gcc command that we have seen before and you can actually reach this command from the task, from the TryHackMe website as well. So, I'm going to just put this under the /home/user/.config/libcalc.so and I'm going to give the input as /home/user/.config/libcalc.c like this, okay? And it says that no such file or directory and let's see. I didn't put the -o over here. So, it should be output like this and this is our input, okay? So, if I hit 'Enter' now it will be converted into an -so file like that. So, if I run ls -la, here we go. Now we have the libcalc.so. Now we have the file that hasn't been found before. Now if we run the same suid -so thing that we have found when we actually search for defined, search with defined command, now it should make us root. Let me find that command or let me find the path over here. Yes, here we go. So, this is the thing that we should run. Now if I hit 'Enter' on this it will get executed and hopefully now this time it will find the libcalc.so and libcalc.so will get executed and here you go. Now we get a bash shell over here. So, the bash shell, if we run whoami, we are root. As you can see, we managed to escalate our privilege with a very sophisticated way. So, you can do this. You can actually search for suids and if you find a binary you can just do the strays and see if there is any vulnerability like this and get a hold of it. So, again this is one of the hardest things that you can encounter on a pentest or a CTF. So, this is not like a very beginner challenge, I give you that but we also seen the easy ones before and right now you know what an suid is and also you need to learn about the advanced stuff here as well. So, again this is a very good example of intermediate advanced kind of CTFs or privilege escalations for you. So, if you got confused at any point please make sure you just watch this lecture again. Please make sure you scan the code that we have written in the TryHackMe website in the task, in the specific related task and you can try this on your own if you haven't done yet, okay? So, you can actually find the comments over here for your convenience as well, but I suggest you just take that as a note because you will need that a lot during the CTFs. Now if we exit out of this one as you can see, now it completes the suid -so over here and we are back with the user shell. Now it's done, I believe this is time to stop here and continue with the next lecture, but again, leveraging suid but in different ways.

 

About the Author
Students
437
Courses
55
Learning Paths
3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.