Linux Privilege Escalation

00:00

Module nine privilege escalation,

00:03

Lennox privilege escalation

00:05

are. Learning objectives are to understand what Lennox colonel exploits are and explain the various methods to escalate privileges and Lennox.

00:13

So, getting a shell or a foothold on the box is only half the battle and no SCP on some of these boxes, you're gonna have to escalate privileges from an privileged user

00:23

to either route. If it's alan X box or system, if it's a Windows box,

00:28

people typically, you know, in the in the lab environment, I would say rely a lot on Colonel exploits and colonel exploits are great because they're um all you have to do is enumerate the kernel version of that Lennox box and hopefully it matches up to an exploit and

00:48

you can become route, which we saw with this dirty cow wax plate

00:51

and that's how I figured it out was, you know, we go back to the command line uh, module I did you name A and I saw the version of the kernel was 3.2 point zero. Well if I searched dirty cow, I see that the vulnerable kernels are 2.6 point 22 before 3.9. So obviously this

01:10

colonel version is vulnerable to dirty Count. We saw that we were able to use this exploit

01:15

successfully to escalate our privileges to root.

01:19

Yeah,

01:19

they're typically compiled or I'm sorry, written in C and they need to be compiled.

01:26

Which in and of itself can be difficult. As you you saw the different flags. I had add when I compiled this. If you don't see that in the comments, the default syntax would be gcc the name of that C program tack. Oh little Oh, and then whatever output you want to make it,

01:46

sometimes you'll get errors on the box. Um and sometimes that you'll have issues compiling

01:51

that. Either on that box or you can compile it locally on your machine, but you might have different architectures than the vulnerable box, in which case it's not gonna work.

02:02

So you take a risk compiling it locally and putting on the machine again, if your architecture is different. Um but that's a possibility of gcc isn't on the victim box, you can always compile it locally.

02:16

Also you have to get it onto that box and that's why we did all that file transfer and how to transfer files was because you had to figure out different ways to get it on the host machine.

02:27

Mhm.

02:30

Don't get comfortable with these colonel exploits. I mean, they're great when they work,

02:37

but you should also figure out other ways to enumerate vulnerability is a privilege escalation, vulnerabilities on Lenox hosts.

02:46

And how do we do that? There's a really great got milk has this really great page. Why is it really long? Well I had issues recently getting onto his page directly,

02:58

but if you use archive dot org, you'll see here that I'm referencing a certain date and time the way back machine. This is how I got to read his blog. But he goes, this is kind of like the de facto source for privilege escalation, manually figuring out how to escalate privileges

03:16

and find weaknesses.

03:19

I recommend, highly recommend you go to his blog and you read through this information.

03:27

So start with the basics. I've been on plenty of boxes where I do Sudo tack l

03:31

and it says that you can run everything that you have all privileges.

03:36

Um so all you have to do is Sudo Su and you are the root user

03:40

makes things really easy. I just did this on a capture the flag recently. Uh did Sudo Su and I was the root user.

03:51

The problem

03:52

you can also find processes running as root

03:54

and the command line lab. You found

03:59

a flag running as a process. So that's to say you can also find all the processes running his route

04:05

and from there we need to figure out if the process has some kind of if it's a sewage binary, if it's something that we can write to and if we can write to it then hopefully we can run it as root and you know, maybe put a nice reverse shell in there.

04:25

So improper permissions. This is another big thing proper permissions in sc password.

04:30

If you find that you can write to etc password you can add a user and you can see here

04:36

I have this user hacker and the password here is hacker.

04:42

And what I can do is if I can put this into the etc. Password file, I can then sue hacker

04:47

password hacker and become the root user.

04:51

Also, if you can view the ETC. Shadow file, you can crack passwords, which we'll talk about more in the pastor cracking lab. But together if I can only read the etc password file and I can only read the etc shadow file, I can put those together with jOHn the ripper and I can crack passwords that way.

05:10

No

05:12

sewage binaries. So this might be hard to see. Um, but you'll see here. I'm running an enumeration script. I see sewage files,

05:19

I see user espen P P P D

05:24

and I see that there's a vulnerability for it via IOS privilege escalation via Sudo, P P P D.

05:30

And what I'm running here is

05:33

Annette Cat shell. I'm using pseudo P P P D connect and you'll see Net Cat here

05:40

and I now am route on the box, so sued binaries when you can run Sudo on a binary and and basically run something with root permissions, google that service and see if there is a privilege escalation vulnerability for that is like I did here

05:59

and ultimately I got root here.

06:02

Cron jobs also why I had you

06:05

uh look at Cron jobs is because if a Cron job is running as root and you can edit that file, then you could again put a nice reverse shell in there, you know, to take out whatever is in their ad

06:18

a reverse shell in there and connect to your box is route.

06:23

Of course, it depends on the timing. If it only runs, you know, every once every monday,

06:29

you know, every other month.

06:30

Um, it's not gonna work because you want something that's continually running every minute every five minutes. P. S P Y on on GIT hub has helped me a lot of hacked the box challenges and it will show you all the processes that are running. So you'll you'll see it in kind of in nearly real time

06:48

what processes are running and it polarizes it so you can tell which ones are running as root

06:54

and then see if a process is running as root and then see if you have permissions to modify that file.

07:03

Enumeration is your friend in all things as you saw with that. I didn't even know about that privilege escalation on that machine. I make a lot of labs as I've told you. I didn't even know about that until I googled it and found that that was a vulnerable service.

07:17

Um I'll talk about this in the in the enumeration script part.

07:24

But simple, I think simple targeted searches are are good, at least when you're getting used to this than just running an enumeration script that spits out page after page after page of output

07:35

and you have no idea what you're looking at.

07:39

Okay,

07:41

so we'll talk about these privileged escalation, enumeration scripts at length more,

07:46

but you should understand what Lennox colonel exploits are our nuclear option and then also be able to explain the various methods to escalate privileges. And Lennox. This is another thing that you'll get familiar with after time,

08:01

as I said, getting a foothold on getting initial shell in a box is only half the battle privilege escalation is a big thing as well and something that you need to get good at. So in the lab you'll get to explore the various ways to uh to escalate privileges to root. And that's why I put that box in there because I think

08:20

it's better that you see the various ways I'd rather have too many vulnerabilities