THM — Linux Priv Esc
This room is aimed at walking you through a variety of Linux Privilege Escalation techniques. Below are some of the tasks:
Task 2: Service Exploits
The MySQL service is running as root and the “root” user for the service does not have a password assigned. We can use a popular exploit that takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service.
Located within the VM is a file named raptor_udf2.c. This is a helper shared library for local privilege escalation through a MySQL server that runs with root privileges. Compiling this file and loading it from the MySQL shell lets us create a UDF named do_system.
Executing do_system to copy /bin/bash to /tmp/rootbash and set the SUID permission on it:
After exiting MySQL, we run the /tmp/rootbash executable with -p to gain a shell running with root privileges:
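The precondition for this task is that the MySQL daemon runs as root. The script below is an added example (not part of the room) with two offline checks for that condition: which account mysqld runs as, read from a ps listing, and what the user directive in the [mysqld] section of my.cnf says. The ps output and my.cnf are constructed here; on a live host the same functions take the output of `ps -eo user,comm` and the real /etc/mysql/my.cnf.

```shell
#!/bin/sh
# Added example, not from the room: offline checks for "mysqld runs as root".
# The ps listing and my.cnf below are constructed sample input.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_PS="$SAMPLE_DIR/ps.txt"
cat > "$SAMPLE_PS" <<'EOF'
USER     COMMAND
root     systemd
root     sshd
root     mysqld
user     bash
EOF

SAMPLE_CNF="$SAMPLE_DIR/my.cnf"
cat > "$SAMPLE_CNF" <<'EOF'
[client]
user = root

[mysqld]
datadir = /var/lib/mysql
# user = mysql
EOF

# process_user PSFILE NAME -> the account that process NAME runs as (first match)
process_user() {
    awk -v p="$2" 'NR > 1 && $2 == p { print $1; exit }' "$1"
}

# cnf_value CNFFILE SECTION KEY -> value of KEY inside [SECTION], ignoring
# comments and the same key in other sections ([client] user is not the
# daemon's user)
cnf_value() {
    awk -v s="$2" -v k="$3" '
        /^[[:space:]]*#/ { next }
        /^\[/ { in_section = ($0 == "[" s "]"); next }
        in_section && $1 == k { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# mysql_service_finding PSFILE CNFFILE -> exit 0 with a message when mysqld
# runs as root; exit 1 when it is absent or runs as a dedicated account
mysql_service_finding() {
    u=$(process_user "$1" mysqld)
    [ -z "$u" ] && return 1
    if [ "$u" = "root" ]; then
        cfg=$(cnf_value "$2" mysqld user)
        echo "FINDING: mysqld runs as root; [mysqld] user directive: ${cfg:-unset}"
        return 0
    fi
    return 1
}

mysql_service_finding "$SAMPLE_PS" "$SAMPLE_CNF"
```

The section-aware parse matters: the sample my.cnf has user = root under [client], which only affects the command-line client, while the [mysqld] user line is commented out, so the daemon keeps whatever account started it.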
Task 3: Weak File Permissions: /etc/shadow
/etc/shadow is a standard Linux file containing user password hashes; it should be readable only by root. In this environment, /etc/shadow is readable by every user.
Each line of the file represents a user. A user’s password hash (if they have one) can be found between the first and second colons (:) of each line.
Switching over to our Kali Linux VM, we can use John the Ripper to crack the hash.
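The weakness here is a permission bit, so it can be audited without cracking anything. The script below is an added example (not the room's code) that checks a shadow-style file for world-readability, pulls the hash field between the first and second colon for a given user, and counts how many accounts have a hash that could be fed to John. The sample file, its salts and hash values are all constructed.

```shell
#!/bin/sh
# Added example, not part of the room: audit a shadow-style file.
# The sample file and its hash strings are constructed dummy values.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhashvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
user:$6$othersalt$otherhashvalue:18000:0:99999:7:::
backup:!:18000:0:99999:7:::
EOF
chmod 644 "$SAMPLE_SHADOW"    # deliberately world-readable, like the room's /etc/shadow

# file_mode FILE -> octal permission bits, e.g. 640 (GNU/busybox stat)
file_mode() {
    stat -c '%a' "$1"
}

# shadow_is_world_readable FILE -> exit 0 when "others" have read access.
# 640 root:shadow is the expected mode; any read bit for others is a finding.
shadow_is_world_readable() {
    other=$(( $(file_mode "$1") % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

# shadow_hash_field FILE USER -> the hash between the first and second colon
shadow_hash_field() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# count_crackable FILE -> accounts whose second field is a real hash
# (empty, "*" and "!..." mean no usable password, so nothing to crack)
count_crackable() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { n++ } END { print n + 0 }' "$1"
}

if shadow_is_world_readable "$SAMPLE_SHADOW"; then
    echo "FINDING: $SAMPLE_SHADOW is world-readable (mode $(file_mode "$SAMPLE_SHADOW"))"
    echo "accounts with crackable hashes: $(count_crackable "$SAMPLE_SHADOW")"
fi
```

The mode check reads the permission bits rather than testing with -r, so the result is the same whether the audit runs as root or as an unprivileged user.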
Task 6: Sudo Shell Escape Sequences
In this task we attempt to escalate our privileges through sudo. Running sudo -l lists the programs we are allowed to run with sudo. GTFOBins documents how such programs can be used to bypass local security restrictions on misconfigured systems.
Looking up the programs above in GTFOBins shows how each could be used to raise our privileges. From the list, we attempt to obtain a root shell through the man command: GTFOBins shows that running sudo man man and then entering !/bin/sh inside the man page drops us to a shell. Below is our attempt:
Task 7: Sudo — Environment Variables
Sudo can be configured to inherit certain environment variables from the user’s environment.
This exploit uses LD_PRELOAD and LD_LIBRARY_PATH. LD_PRELOAD names a shared object that the dynamic loader loads before any other library when a program starts. LD_LIBRARY_PATH gives a list of directories that are searched first for shared libraries. If sudo passes these variables through, setting LD_PRELOAD to the path of our own shared object means that file is loaded before any other library, and LD_LIBRARY_PATH lets us point the loader at a directory we control. Running the command given to us against the vulnerable sudo program man, we gain a root shell.
We then attempt the same approach with apache2. We first list the shared libraries apache2 loads. We then compile a shared object named after the libcrypt library, using the code at /home/user/tools/sudo/library_path.c. Finally we run apache2 through sudo with the LD_LIBRARY_PATH environment variable set to /tmp, which is where our compiled library is located.
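Both Task 6 and Task 7 come down to what the sudoers file grants. The script below is an added example (not the room's code) that reads a sudoers file and reports the two conditions used above: an env_keep line that preserves LD_PRELOAD or LD_LIBRARY_PATH (sudo's env_reset would otherwise strip them), and a rule that lets a user run a program GTFOBins lists as escaping to a shell. The sudoers content is constructed to mirror the room: the user may run man and apache2 as root, and the loader variables are kept. The shell-escape list holds only man, the program the page uses; a real audit would extend it from GTFOBins.

```shell
#!/bin/sh
# Added example, not from the room: audit a sudoers file for kept loader
# variables and for sudo rules on programs with known shell escapes.
# The sudoers text below is constructed sample input.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_SUDOERS="$SAMPLE_DIR/sudoers"
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
root    ALL=(ALL:ALL) ALL
user    ALL=(root) NOPASSWD: /usr/bin/man, /usr/sbin/apache2
EOF

# sudoers_keeps_loader_vars FILE -> exit 0 if an env_keep line preserves
# LD_PRELOAD or LD_LIBRARY_PATH
sudoers_keeps_loader_vars() {
    grep -E '^[[:space:]]*Defaults.*env_keep' "$1" | grep -Eq 'LD_(PRELOAD|LIBRARY_PATH)'
}

# sudoers_commands_for FILE USER -> the commands USER may run, one per line
sudoers_commands_for() {
    awk -v u="$2" '$1 == u && !/^[[:space:]]*#/ {
        line = $0
        if (line ~ /\)/) sub(/^[^)]*\)[[:space:]]*/, "", line)   # drop "user ALL=(root) "
        else sub(/^[^=]*=[[:space:]]*/, "", line)                 # drop "user ALL="
        gsub(/[A-Z]+:[[:space:]]*/, "", line)                     # drop tags such as NOPASSWD:
        n = split(line, cmds, /[[:space:]]*,[[:space:]]*/)
        for (i = 1; i <= n; i++) print cmds[i]
    }' "$1"
}

# Programs the room shows escaping to a shell from sudo; extend from GTFOBins.
ESCAPE_BINS="man"

# sudoers_report FILE USER -> one finding per line; exit 0 if anything was found
sudoers_report() {
    findings=0
    keeps=1
    sudoers_keeps_loader_vars "$1" && keeps=0
    for cmd in $(sudoers_commands_for "$1" "$2"); do
        if [ "$keeps" -eq 0 ]; then
            echo "loader variables preserved for: $cmd"
            findings=$((findings + 1))
        fi
        for e in $ESCAPE_BINS; do
            if [ "$(basename "$cmd")" = "$e" ]; then
                echo "known shell escape: $cmd"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -gt 0 ]
}

sudoers_report "$SAMPLE_SUDOERS" user
```

On the sample file this reports three findings: the loader variables are preserved for both allowed commands, and man is a known shell escape. Removing the env_keep line clears the first kind of finding; the man rule remains a finding regardless of environment handling.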
Task 8: Cron Jobs: File Permissions
Cron jobs are programs or scripts that users can schedule to run at specific times or intervals. In this environment, the scripts run by root's cron jobs are writable by our user. We can take advantage of this to have the cron job execute our own commands and give us root privileges.
The same method applies when the crontab's PATH variable includes a directory we can write to.
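The two cron weaknesses above (a writable job script, and a PATH entry anyone can write to) are both permission checks against the crontab's contents. The script below is an added example (not the room's code) that reads a system-style crontab (the /etc/crontab layout with a user field), reports job scripts that are world-writable, PATH directories that are world-writable, and commands given without an absolute path, which cron resolves through that PATH. The crontab, scripts and directories are constructed in a temporary directory so the checks run against real files.

```shell
#!/bin/sh
# Added example, not from the room: audit a system crontab for world-writable
# job scripts, world-writable PATH entries and relative command names.
# Everything under SAMPLE_DIR is constructed sample input.

SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/bin" "$SAMPLE_DIR/writable"
printf '#!/bin/sh\necho backup\n' > "$SAMPLE_DIR/bin/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$SAMPLE_DIR/bin/rotate.sh"
chmod 777 "$SAMPLE_DIR/bin/backup.sh"    # the misconfiguration: world-writable, run as root
chmod 755 "$SAMPLE_DIR/bin/rotate.sh"
chmod 777 "$SAMPLE_DIR/writable"          # a world-writable dir that comes first in PATH

SAMPLE_CRONTAB="$SAMPLE_DIR/crontab"
cat > "$SAMPLE_CRONTAB" <<EOF
# m h dom mon dow user command
PATH=$SAMPLE_DIR/writable:/usr/local/bin:/usr/bin:/bin
* * * * * root $SAMPLE_DIR/bin/backup.sh
* * * * * root $SAMPLE_DIR/bin/rotate.sh
* * * * * root cleanup.sh
EOF

# is_world_writable PATH -> exit 0 if the "others" write bit is set
# (mode bits rather than -w, so the answer does not depend on who runs this)
is_world_writable() {
    [ -e "$1" ] && [ $(( $(stat -c '%a' "$1") % 10 & 2 )) -ne 0 ]
}

# cron_commands CRONTAB -> the command (7th field) of every job line
cron_commands() {
    awk '!/^[[:space:]]*(#|$)/ && !/^[[:alpha:]_]+=/ { print $7 }' "$1"
}

# cron_world_writable_jobs CRONTAB -> job commands that anyone can overwrite
cron_world_writable_jobs() {
    for cmd in $(cron_commands "$1"); do
        if is_world_writable "$cmd"; then echo "$cmd"; fi
    done
}

# cron_relative_commands CRONTAB -> commands resolved through PATH, not absolute
cron_relative_commands() {
    cron_commands "$1" | grep -v '^/'
}

# cron_writable_path_dirs CRONTAB -> entries of the crontab's PATH anyone can write to
cron_writable_path_dirs() {
    grep '^PATH=' "$1" | cut -d= -f2- | tr ':' '\n' | while read -r dir; do
        if is_world_writable "$dir"; then echo "$dir"; fi
    done
}

echo "world-writable job scripts: $(cron_world_writable_jobs "$SAMPLE_CRONTAB")"
echo "commands found via PATH:    $(cron_relative_commands "$SAMPLE_CRONTAB")"
echo "world-writable PATH dirs:   $(cron_writable_path_dirs "$SAMPLE_CRONTAB")"
```

The relative-command check is what ties the PATH variant to the file-permission one: cleanup.sh has no directory, so cron looks for it along the crontab's PATH, and the first entry of that PATH is a directory anyone can write to.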
Task 16: History Files
If a user accidentally types their password on the command line instead of into a password prompt, it may be recorded in a history file. We can check the history files with cat ~/.*history | less.
In the screenshot above we can see that a user mistyped the command to connect to the SQL server: the user forgot to leave a space between the -p option and the password.
Task 17: Config Files
Sometimes config files leave passwords in plaintext. Below we find the path to a file that contains the root password.
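Tasks 16 and 17 are both searches for the same thing, a secret sitting in a readable text file. The script below is an added example (not the room's code) that scans a shell history file for the mistake shown in Task 16, a value glued directly onto -p, and a config file for uncommented keys named password, passwd, pass or pwd. Both inputs are constructed and the "passwords" in them are dummy values; matches are printed with the secret redacted so the audit output does not become a second copy of the leak.

```shell
#!/bin/sh
# Added example, not from the room: find inline passwords in a history file
# and plaintext password keys in a config file, redacting the values.
# Both files below are constructed sample input with dummy secrets.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_HISTORY="$SAMPLE_DIR/bash_history"
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
mysql -u root -p
mysql -u root -pConstructedDummyPw1
ssh -p 2222 backup-host
cat /etc/passwd
EOF

SAMPLE_CONFIG="$SAMPLE_DIR/app.conf"
cat > "$SAMPLE_CONFIG" <<'EOF'
[database]
host = localhost
user = root
# password = old_value_left_in_a_comment
password = ConstructedDummyPw2
passphrase_file = /etc/app/key
EOF

# history_inline_passwords FILE -> history lines where -p is immediately
# followed by text (mysql-style inline password), with the value redacted.
# Heuristic: "-p 2222" (a space after -p) is an ordinary option and is skipped.
history_inline_passwords() {
    grep -E '(^|[[:space:]])-p[^[:space:]]+' "$1" \
        | sed -E 's/(^|[[:space:]])-p[^[:space:]]+/\1-p<redacted>/g'
}

# config_plaintext_passwords FILE -> "LINE:key=<redacted>" for every
# uncommented key named password/passwd/pass/pwd assigned with = or :
config_plaintext_passwords() {
    awk -F'[=:]' '
        /^[[:space:]]*#/ { next }
        tolower($1) ~ /^[[:space:]]*(pass(word|wd)?|pwd)[[:space:]]*$/ {
            key = $1
            gsub(/[[:space:]]/, "", key)
            printf "%d:%s=<redacted>\n", NR, key
        }' "$1"
}

echo "history leaks:"
history_inline_passwords "$SAMPLE_HISTORY"
echo "config leaks:"
config_plaintext_passwords "$SAMPLE_CONFIG"
```

The history pattern deliberately requires a non-space character right after -p, which is exactly the shape of the mistake in the screenshot above; the bare "mysql -u root -p" line, where the user was prompted, produces no match.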