Right to root. Privilege escalation in Linux

Root privileges allow you to do whatever you want in the system: establish a foothold by creating a backdoor, inject a rootkit or a trojan, alter or delete any information, etc. Accordingly, privilege escalation is one of your primary objectives during an attack. In this article, I will explain how to gain root rights on Linux systems.

Generally speaking, privilege escalation means getting more rights in the system than you already have. But in real life, this usually involves gaining access to the root account in Linux or to system/administrator in Windows.

A logical question is: why is it possible to escalate your rights in a system supposedly designed to prevent such things?? In fact, there are plenty of reasons for that, including:

  • vulnerabilities in apps and scripts;
  • misconfigured OS and apps;
  • forgotten critical data (logins, passwords, backups, etc.); and 
  • vulnerabilities in the kernel.

But of course, the main reason is the human factor. In an ideal world, you wouldn’t be able to escalate your privileges on somebody else’s PC, but errors made by people make this possible.

Where to start?

Prior to doing anything, you need to get an idea of what you are dealing with. Of course, you will collect some information about the system at the penetration stage, but right now you need to find out how to escalate your privileges to root.

Some data can be obtained manually, for instance, kernel information:

uname -a 2>/dev/null

Or the processor information:

cat /proc/cpuinfo 2>/dev/null

Or the OS version:

cat /etc/*-release 2>/dev/nul

If you want, you may continue collecting information in the terminal mode, but this would take enormous time. It’s much easier and more efficient to use special tools. The most popular ones are:

All these utilities are based on the same principle: they run bash commands or short scripts in sequence and send the output to stdout or to a log file depending on the parameters.

A standard output usually looks as shown below.

LinEnum
LinEnum

Where to look?

Below are a few examples of common vulnerabilities and their exploitation mechanisms.

Forgotten treasures

First of all, check for critical data forgotten by users by examining their home folders: some of the users may keep files with passwords or keys to something on their desktops. Of course, such things occur rarely, but still… Sometimes, credentials are hardcoded in scripts and configs. It is also worth checking the shell history: there may be long commands containing credentials. If a user has typed a password not requested by the console, it will also be saved in the history.

SUID/GUID

The setuid and setgid flags enable users to run programs on behalf of the owner (e.g. if a program must be run on behalf of root, while the user doesn’t have root privileges). SUID is a more common variant. To install this bit, type:

chmod +s /bin/script

In theory, a program with this flag isn’t supposed to do anything it wasn’t intended for. But as said above, humans make mistakes which is good allowing you to compromise their systems. In most situations, privilege escalation becomes possible when a program enables you to perform operations with the file system or execute arbitrary code.

Your primary targets are files whose owner is root. To find them manually, use the command:

find / -user root -perm -u=s -type f 2>/dev/null

Alternatively, you can search for these files in the output of the above-listed tools. If you manage to locate files with such permissions, you have a chance to escalate your privileges to the maximum.

For instance, in the LinEnum.sh output, the files you need are displayed as follows.

The find file is of utmost interest – LinEnum.sh has conveniently highlighted it.

It allows you to gain the required privileges pretty easily.

Linux capabilities

Since the above method grants excessive rights to files, in 1997, the linux capabilities concept was proposed. Its main idea is not to grant the full privileges to files, but only those required to implement a specific task.

How is it working? First of all, you have to find such files in the system.

getcap -r / 2>/dev/null

Here is the output.

A classical example is the executable tar file: the permission cap_dac_read_search+ep enables it to read any file in the system. This includes inter alia the possibility to access the archive with the /etc/shadow file that cannot be accessed by unprivileged users. Access to this file gives you password hashes, including the root password, and you can try to brute-force it.

If a file has the =ep extension (the equal sign in the beginning, and no list of permissions), this means that it has all the possible permissions. In the above example, this is openssl.

Using openssl, you can read the /etc/shadow file.

Generating keys.

Launching the web server.

And reading the file.

Then you can generate a new shadow and overwrite the system file with it. Simply create a new hash, replace the existing hash with it (the explanation mark in the above example), and prepare the file for upload.

Then copy your file to /etc/shadow and log in.

Cron

Cron is a Unix service used to run scripts at certain intervals. All operations are described in the file /etc/crontab and in special folders (e.g. /etc/cron.daily).

The scripts are used to perform a broad range of tasks: from scheduled backups to cleaning the /tmp directory.

If such scripts have extra privileges assigned by mistake, this is a true gift for an attacker. For instance, a careless administrator who just wants “to make it work” may write chmod 777, which enables you to edit the scheduled script. And since cron runs files on behalf of root, nothing prevents you from launching a root shell together with the script.

Sudo

The sudo program allows you to execute commands on behalf of superuser (or other users registered in the system). Its config is located in /etc/sudoers, and errors in this config usually provide excellent privilege escalation opportunities. The number of available exploitation scenarios is pretty large; so, you can choose an optimal one depending on the situation. One of the common variants is shown below.

Checking permissions assigned to sudo.

The vi editor can be launched without a password, and it runs on behalf of root. So, you can use the editor to launch a shell, and this shell will also run on behalf of root.

Sometimes admins give permissions to run standard sh scripts, and then such scripts remain available for editing. You can use them to get a shell and perform other malicious pentesting operations.

info

Another way to abuse sudo is the possibility to inject a process possessing a valid sudo token.

Kernel exploits

Similar to any other program, Linux kernel is not free from vulnerabilities. Sometimes, such vulnerabilities make it possible to escalate your privileges to root. There are no universal solutions, and the suitable exploitation technique depends on numerous factors: kernel version, availability of required permissions or files, and even hardware configuration (e.g. whether the processor is vulnerable to Meltdown or not).

On the screenshot below, Kali is searching for Linux kernel exploits.

Despite the large number of displayed exploitation options, only a few of them are workable. Note that there are no exploits for certain kernel versions (or previously vulnerable versions can be patched already). In addition, some exploits are unstable.

I suppose you remember a kernel vulnerability known as Dirty COW. This bug allows to provoke a race condition; as a result, you gain write access to memory mappings (instead of read-only access) and can escalate your privileges.

For this particular vulnerability, there are several ready-made exploits.

But not all of them will work correctly on a specific system; so, try different variants.

Below are a few vulnerabilities that can be used for privilege escalation:

Of course, this list is not complete. The number of potentially suitable vulnerabilities is much larger; you may find them using the method described above or check exploit-db.com and other similar resources.

Conclusions

There are plenty of ways to escalate your privileges to root in Linux systems; in this article, I described only the most obvious and common techniques. You may encounter them in real life, at a CTF, or at an exam.

Sometimes privilege escalation becomes a creative task: to achieve your goal, you have to identify and apply an unobvious combination of different methods. As said above, there are no universal solutions, and every system requires a comprehensive analysis.

GTFOBins offers a great collection of exploitation techniques based on popular privilege escalation utilities. But remember: the number of possible variants is much, much greater – we just don’t know everything yet!


Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">