We all know that, after compromising the victim’s machine we have a low-privileges shell that we want to escalate into a higher-privileged shell and this process is known as Privilege Escalation. Today in this article we will discuss what comes under privilege escalation and how an attacker can identify that low-privileges shell can be escalated to higher-privileged shell. But apart from it, there are some scripts for Linux that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits. This type of script could save your much time.
Table of Content
- Introduction
- Vectors of Privilege Escalation
- LinuEnum
- Linuxprivchecker
- Linux Exploit Suggester 2
- Bashark
- BeRoot
Introduction
Basically privilege escalation is a phase that comes after the attacker has compromised the victim’s machine where he try to gather critical information related to system such as hidden password and weak configured services or applications and etc. All these information helps the attacker to make the post exploit against machine for getting higher-privileged shell.
Vectors of Privilege Escalation
- OS Detail & Kernel Version
- Any Vulnerable package installed or running
- Files and Folders with Full Control or Modify Access
- File with SUID Permissions
- Mapped Drives (NFS)
- Potentially Interesting Files
- Environment Variable Path
- Network Information (interfaces, arp, netstat)
- Running Processes
- Cronjobs
- User’s Sudo Right
- Wildcard Injection
There are several script use in Penetration testing for quickly identify potential privilege escalation vectors on Windows systems and today we are going to elaborate each script which is working smoothly.
LinuEnum
Scripted Local Linux Enumeration & Privilege Escalation Checks Shellscript that enumerates the system configuration and high-level summary of the checks/tasks performed by LinEnum.
Privileged access: Diagnose if the current user has sudo access without a password; whether the root’s home directory accessible.
System Information: Hostname, Networking details, Current IP and etc.
User Information: Current user, List all users including uid/gid information, List root accounts, Checks if password hashes are stored in /etc/passwd.
Kernel and distribution release details.
You can download it through github with help of following command:
git clone https://github.com/rebootuser/LinEnum.git
Once you download this script, you can simply run it by tying ./LinEnum.sh on terminal. Hence it will dump all fetched data and system details.
Let’s Analysis Its result what is brings to us:
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Moreover…..
Super User Accounts: root, demo, hack, raaz
Sudo Rights User: Ignite, raj
Home Directories File Permission
Environment Information
And many more such things which comes under the Post exploitation.
Linuxprivchecker
Enumerates the system configuration and runs some privilege escalation checks as well. It is a python implementation to suggest exploits particular to the system that’s been taken under. Use wget to download the script from its source URL.
wget http://www.securitysift.com/download/linuxprivchecker.py
Now to use this script just type python linuxprivchecke.py on terminal and this will enumerate file and directory permissions/contents. This script works same as LinEnum and hunts details related to system network and user.
python linuxprivchecker.py
Let’s Analysis Its result what is brings to us.
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Network Info: Interface, Netstat
Writable Directory and Files for Users other than Root: /home/raj/script/shell.py
Checks if Root’s home folder is accessible
File having SUID/SGID Permission
For example: /bin/raj/asroot.sh which is a bash script with SUID Permission
Linux Exploit Suggester 2
Next-generation exploit suggester based on Linux_Exploit_Suggester. This program performs a ‘uname -r‘ to grab the Linux operating system release version, and returns a list of possible exploits.
This script is extremely useful for quickly finding privilege escalation vulnerabilities both in on-site and exam environments.
Key Improvements Include:
- More exploits
- Accurate wildcard matching. This expands the scope of searchable exploits.
- Output colorization for easy viewing.
- And more to come
git clone https://github.com/jondonas/linux-exploit-suggester-2.git cd linux-exploit-suggester-2
You can use the ‘-k’ flag to manually enter a wildcard for the kernel/operating system release version.
./linux-exploit-suggester-2.pl -k 3.5
Bashark
Bashark aids pentesters and security researchers during the post-exploitation phase of security audits.
Its Features
- Single Bash script
- Lightweight and fast
- Multi-platform: Unix, OSX, Solaris etc.
- No external dependencies
- Immune to heuristic and behavioural analysis
- Built-in aliases of often used shell commands
- Extends system shell with post-exploitation oriented functionalities
- Stealthy, with custom cleanup routine activated on exit
- Easily extensible (add new commands by creating Bash functions)
- Full tab completion
Execute following command to download it from the github:
git clone https://github.com/TheSecondSun/Bashark.git cd Bashark
To execute the script you need to run following command:
source bashark.sh help
The help command will let you know all available options provide by bashark for post exploitation.
With help of portscan option you can scan the internal network of the compromised machine.
To fetch all configuration file you can use getconf option. It will pull out all configuration file stored inside /etc directory. Similarly you can use getprem option to view all binaries files of the target‘s machine.
portscan < target’s IP> getconf getprem
BeRoot
BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. This tool does not realize any exploitation. It mains goal is not to realize a configuration assessment of the host (listing all services, all processes, all network connection, etc.) but to print only information that have been found as potential way to escalate our privilege.
git clone https://github.com/AlessandroZ/BeRoot.git cd Linux chmod 777 beroot.py
To execute the script you need to run following command:
./beroot.py
It will try to enumerate all possible loopholes which can lead to privilege Escalation, as you can observe the highlighted yellow color text represents weak configuration that can lead to root privilege escalation whereas the red color represent the technique that can be used to exploit.
It’s Functions:
Check Files Permissions
SUID bin
NFS root Squashing
Docker
Sudo rules
Kernel Exploit
Conclusion: Above executed script are available on github, you can easily download it from github. These all automated script try to identify the weak configuration that can lead to root privilege escalation.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Linux Privilege Escalation via Automated Script appeared first on Hacking Articles.