Privilege Escalation Techniques on Linux

What is privilege escalation?


A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.

Not every system compromise initially gives an unauthorized user full access to the targeted system. In those circumstances privilege escalation is needed. There are two types of privilege escalation: vertical and horizontal.

Vertical privilege escalation requires the attacker to grant himself higher privileges. This is often achieved by performing kernel-level operations that allow the attacker to run unauthorized code.

Horizontal privilege escalation requires the attacker to use the same level of privileges he has already been granted, but to assume the identity of another user with similar privileges. For example, someone gaining access to another person's online banking account would constitute horizontal privilege escalation.

Disclaimer

Always make sure you have permission from the system owner before participating in any "hacking" activities. Techniques discussed here, if used without permission, are considered malicious and illegal.

Overview

  • Enumeration
  • Quick wins
  • Exploiting weak configuration
  • Exploiting vulnerable services
  • Kernel exploitation
  • Post exploitation

Enumeration

What is enumeration?

Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain additional information about the target. The gathered information is used to identify the vulnerabilities or weak points in system security, which are then exploited in the system-gaining phase.

Enumeration (cont.)

• Who are we?
whoami
id

• What's the operating system and kernel (32- or 64-bit)?
uname -a
cat /etc/issue

• What can we learn from environment variables?
env
cat /etc/profile /etc/bashrc ~/.bashrc ~/.bash_profile ~/.bash_logout

• What services are running and with what privilege?
ps -ef

• Are there any scheduled jobs?
crontab -l
cat /etc/crontab

• What's the IP address and which network interfaces exist?
ifconfig -a
cat /etc/network/interfaces

• Check network configuration settings
cat /etc/networks
cat /etc/hosts
cat /etc/resolv.conf
iptables -L

• Check open ports
netstat -antup

• What other users are on the system?
cat /etc/passwd
last

• Check for sensitive files and directories (if you can access them as the current user)
cat /etc/shadow
ls -al /var/mail/
ls -alR /root/
ls -alR /home/

• What was the user doing?
cat ~/.bash_history

• Can you find private keys?
ls -al ~/.ssh/
SUDO

• Check if the current user can run any commands with sudo, which would then execute them with root permissions
sudo -l

• What to look for?
User may run the following commands:
(ALL : ALL) NOPASSWD: ALL
(ALL) NOPASSWD: /opt/scripts/*
(ALL) NOPASSWD: /opt/admin/custom_binary
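The three rule shapes above, sorted into review buckets by a small audit script. This is an added example, not code from the original post; it reads `sudo -l` text on stdin (or the constructed sample embedded below) and assumes only POSIX sh, grep, sed and tr. Beyond the post's three cases it also flags a fixed-path rule whose target file is writable by the current user, since that makes the rule equivalent to full root.

```shell
#!/bin/sh
# Added example, not code from the original post: classify the rule lines of
# "sudo -l" output into the buckets the post says to look for.
# Assumes only POSIX sh, grep, sed and tr.

audit_sudo_rules() {
  # Rule lines are the ones beginning with a "(runas)" specification.
  grep -E '^[[:space:]]*\(' | while IFS= read -r rule; do
    # Drop the "(runas)" prefix and the NOPASSWD: tag to isolate the command list.
    cmds=$(printf '%s\n' "$rule" | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/NOPASSWD:[[:space:]]*//')
    case "$rule" in *NOPASSWD:*) auth=nopasswd ;; *) auth=password ;; esac
    if [ "$cmds" = "ALL" ]; then
      echo "CRITICAL full-root ($auth): $rule"
      continue
    fi
    case "$cmds" in
      *\**) echo "HIGH wildcard ($auth): $rule"; continue ;;
    esac
    # Fixed paths: the remaining risk is a target the current user can overwrite.
    writable=$(printf '%s\n' "$cmds" | tr ',' '\n' | while read -r path rest; do
      if [ -n "$path" ] && [ -w "$path" ]; then echo "$path"; fi
    done)
    if [ -n "$writable" ]; then
      echo "CRITICAL writable-target ($auth) [$writable]: $rule"
    else
      echo "REVIEW fixed-path ($auth): $rule"
    fi
  done
}

# Constructed sample of "sudo -l" output (not captured from a real host).
SAMPLE_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on host:
    (ALL : ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: /opt/scripts/*
    (ALL) NOPASSWD: /opt/admin/custom_binary
    (root) /opt/backup/rotate.sh --weekly, /opt/backup/verify.sh'

audit_sample() { printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules; }

audit_sample
```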

Command History

• Some commands or poorly written scripts require users to enter their credentials as command line parameters
• Everything the user types in is saved in the command history
• Check command history files for any sensitive data (credentials, configuration, interesting directories)
cat ~/.bash_history
cat ~/.ksh_history
SSH Private Keys

• System administrators sometimes overlook the importance of keeping private keys… private, and leave them around on the servers
• Check if the current user has any SSH private keys saved on the system
ls -al ~/.ssh/id_rsa ~/.ssh/id_dsa
• Users often reuse the same key across a number of different accounts, including root, and a number of different servers

Hardcoded Passwords

• You can often find hardcoded passwords for various services or user accounts in scripts or log files
• Search the entire file system for the string "password"
grep -R -i "password" /
• See if you can access any sensitive configuration files or logs
cat /etc/syslog.conf
cat /etc/apache2/apache2.conf
cat /var/log/syslog
cat /var/log/apache2/access.log
Weak Configuration – SUID/SGID binaries

• They execute with the permissions of the file owner (root)
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 53112 Nov 19 2014 /usr/bin/passwd

• Find all binaries with SUID/SGID
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

World Read/Write directories

• To find all world-writable directories:
find / -perm -0002 -type d -print
• To find all world-writable files:
find / -perm -0002 -type f -print
• Find both files and directories (excluding symbolic links, which produce false positives):
find / -perm -2 ! -type l -ls
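The SUID/SGID and world-writable checks from the two sections above, exercised against a constructed directory tree so their behaviour can be verified offline. This is an added example, not code from the original post; it assumes only POSIX sh, find, chmod and mktemp. It adds two filters an auditor needs beyond the post's commands: symlinks are skipped (their own mode is always 0777, the false positive the post mentions), and world-writable directories carrying the sticky bit are skipped, because /tmp is expected to be 1777.

```shell
#!/bin/sh
# Added example, not code from the original post: exercise the post's SUID/SGID
# and world-writable "find" checks against a constructed directory tree.
# Assumes only POSIX sh, find, chmod and mktemp.

# Build a throwaway tree under mktemp and print its path. All modes are set
# explicitly so the result does not depend on the caller's umask.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/bin" "$root/shared" "$root/tmp"
  printf '#!/bin/sh\n' > "$root/bin/setuid_tool"; chmod 4755 "$root/bin/setuid_tool"
  printf '#!/bin/sh\n' > "$root/bin/setgid_tool"; chmod 2755 "$root/bin/setgid_tool"
  printf '#!/bin/sh\n' > "$root/bin/normal_tool"; chmod 0755 "$root/bin/normal_tool"
  chmod 0777 "$root/shared"               # world-writable, no sticky bit: finding
  chmod 1777 "$root/tmp"                  # world-writable with sticky bit: expected
  printf 'x\n' > "$root/shared/notes"; chmod 0666 "$root/shared/notes"   # finding
  ln -s "$root/shared/notes" "$root/shared/link"   # symlink: a false positive if not filtered
  echo "$root"
}

# Regular files carrying the setuid (4000) or setgid (2000) bit, as in the post.
find_suid_sgid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# World-writable entries, minus symlinks and sticky-bit directories.
find_world_writable() {
  find "$1" -perm -0002 ! -type l ! \( -type d -perm -1000 \) | sort
}

# wc -l pads its count with spaces on some platforms, so strip them.
count_lines() { wc -l | tr -d ' '; }

root=$(build_sample_tree)
echo "SUID/SGID binaries:";      find_suid_sgid "$root"
echo "World-writable (unsafe):"; find_world_writable "$root"
rm -rf "$root"
```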
Vulnerable Services

• Find all processes running on the system:
ps -ef
ps -ef | grep root
• Find installed applications and note their versions:
dpkg -l
rpm -qa
• Search for known vulnerabilities in the discovered processes and services (https://exploit-db.com, Google)

Kernel Exploits

• Find out what kernel version the system is running:
uname -a
• Find a relevant exploit for the version of the target kernel, e.g. using searchsploit
• Remember! Not all exploits will work
Post Exploitation

• What is post exploitation?
As the term suggests, post exploitation refers to the phases of operation after a victim's system has been compromised by the attacker. The value of the compromised system is determined by the value of the actual data stored on it and how an attacker may make use of it for malicious purposes. The concept of post exploitation arises from this fact and is only about how you can use the information on the victim's compromised system. This phase deals with collecting sensitive information, documenting it, and getting a picture of the configuration settings, network interfaces, and other communication channels. These may be used to maintain persistent access to the system as the attacker requires.

• Go through all sensitive files that you can now access, particularly ones with password hashes
/etc/shadow
• Crack the password hashes
– using hashcat, john or online rainbow tables
• If you can't crack the hash, use the pass-the-hash technique to log in to different hosts using only the password hashes