
Linux Privilege Escalation – Part 1

Hi everyone! Welcome to Pentestguy. In this article, we will look at what Linux privilege escalation is and at different ways of escalating from a normal user to root on a Linux system.

Whether you are playing capture the flag or pentesting a network, escalating privileges is one of the important phases. Here we focus on Linux privilege escalations that result from weak file permissions.

What is Privilege Escalation?

Privilege Escalation is the exploitation of a bug, a design flaw, or a weak configuration in an operating system (system software) or an application to gain the access rights of another user or of a higher-privileged user. There are two types: horizontal privilege escalation, which moves from one normal user to another normal user, and vertical privilege escalation, which moves from a normal user to the root user.


#Shadow file – weak permission (Read)

The shadow file stores users' passwords in hashed form. If a normal user can read this file, that user can view the password hash of another user such as root and try to crack it with tools like John the Ripper or Hashcat.

ls -l /etc/shadow

[Screenshot: check-shadow-file-permission]
In the above example, the shadow file has both read and write permission set.

cat /etc/shadow

[Screenshot: read-shadow-file]
In the above example, we can read the hash of the root user.

Copy the hash into a text file and crack it with any tool; here I used John the Ripper.

john --wordlist=rockyou.txt hash.txt

[Screenshot: use-john-to-crack-hash]
Here we recovered the password, which is “password123”.

#Shadow file – weak permission (Write Access)

In this scenario, the shadow file is writable by a normal user, who can therefore replace the password hash of any other user, including root. First generate a new hash:

mkpasswd -m sha-512 newpassword

[Screenshot: create-password-mkpasswd]

Use any text editor, such as nano, to replace the root user's hash in the shadow file with the newly generated one.

[Screenshot: edit-shadow-file-to-replace-value]

#Passwd file – weak permission (Write Access)

The passwd file contains the user account information. If it is writable, we can replace the x in the password field (which normally tells the system to look the hash up in /etc/shadow) with a password hash of our own.

ls -l /etc/passwd

[Screenshot: check-passwd-file-permission]
In the above example, the passwd file is both readable and writable.

openssl passwd newpassword

[Screenshot: openssl-to-create-password]

Open the passwd file in any text editor (I am using nano here). Copy the root user's line and paste it at the end of the file, then change the username from root to newroot and replace the x with the value generated by openssl.

[Screenshot: nano-edit-passwd-file]
In the above example, the newroot user has been added along with a password hash.

#History – Password leak

The history command shows previously executed commands. In some scenarios an attacker may find a plaintext password in the history.

cat ~/.bash_history | grep -i passw

[Screenshot: history-password-leak-privilege-escalation]
In the above example, we got a MySQL username and password. In most CTFs the same credentials are reused for the corresponding system user.

#Config file – Password leak

System software and application software have many configuration files, and any of them may contain a plaintext password. In the scenario below, the password is stored in a plain text file.

[Screenshot: linux-privilege-escalation-config-file]
In the above example, inspecting the myvpn.ovpn file led us to auth.txt, which contains the plaintext password.

#SSH Keys

The root user's SSH private key may be readable by a normal user, who can then use it to log in as root over SSH.

First we need to find the key file, then copy its contents to our local machine.

find / -name id_rsa 2> /dev/null
cat /backups/supersecrectkeys/id_rsa

[Screenshot: id_rsa-copy]
In the above example, we locate the id_rsa file with the find command and copy its contents to the local machine.

Restrict the permissions of the key we saved on the local system (ssh refuses to use a private key that other users can read) and try to connect.

chmod 400 id_rsa
ssh -i id_rsa root@ip

[Screenshot: linux-privilege-escalation-ssh-keys]
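The weak-permission checks from the shadow, passwd and SSH key sections above, turned into a small audit script that a defender (or a CTF player enumerating a box) can run to spot these misconfigurations. This is an added example, not code from the original post or from the TryHackMe rooms; the temporary directory, the newroot entry and the id_rsa file it creates are constructed sample data.

```shell
#!/bin/sh
# Added audit script (not from the original post): looks for the weak
# permissions and passwd tampering described above using only POSIX sh,
# ls, cut, awk, find and grep, so it runs on a minimal host.

# Print the group/other bits set on a file, one per line (e.g. "o-write"),
# read from positions 5-10 of the ls -l mode string.
group_other_bits() {
  mode=$(ls -ld "$1" | cut -c5-10)
  i=0
  for label in g-read g-write g-exec o-read o-write o-exec; do
    i=$((i + 1))
    if [ "$(printf '%s' "$mode" | cut -c"$i")" != "-" ]; then echo "$label"; fi
  done
}

# /etc/shadow: group read is legitimate on systems that use a 'shadow' group,
# but any access for others, or write access for the group, is a finding.
shadow_is_weak() { group_other_bits "$1" | grep -q -e '^o-' -e write; }

# /etc/passwd is meant to be world-readable; only write bits are a finding.
passwd_is_weak() { group_other_bits "$1" | grep -q write; }

# Flag passwd entries whose password field is not the 'x' shadow marker
# (a hash planted directly in passwd) and extra UID 0 accounts like newroot.
suspicious_passwd_entries() {
  awk -F: '$2 != "x" && $2 !~ /^[*!]/ { print $1 ": password field is not x" }
           $3 == 0 && $1 != "root"    { print $1 ": extra UID 0 account" }' "$1"
}

# List private keys under a directory that group or others can read.
readable_private_keys() {
  find "$1" -type f -name 'id_*' ! -name '*.pub' 2>/dev/null |
    while IFS= read -r key; do
      if group_other_bits "$key" | grep -q read; then echo "$key"; fi
    done
}

# Constructed sample data so the checks can be exercised offline; on a real
# host run them against /etc/shadow, /etc/passwd and /home instead.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\nnewroot:$1$salt$HASH:0:0::/root:/bin/bash\n' > "$demo_dir/passwd"
chmod 646 "$demo_dir/passwd"               # writable by others, as in the screenshot
mkdir -p "$demo_dir/backups" && touch "$demo_dir/backups/id_rsa"
chmod 644 "$demo_dir/backups/id_rsa"       # private key readable by everyone

if passwd_is_weak "$demo_dir/passwd"; then echo "FINDING: passwd writable by group/other"; fi
suspicious_passwd_entries "$demo_dir/passwd"
readable_private_keys "$demo_dir"
```

On the constructed data the script reports the writable passwd file, the newroot entry twice (planted hash and extra UID 0) and the world-readable id_rsa.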

I hope this article helps you in real engagements or in solving CTFs. You can practise these scenarios in the following labs on TryHackMe.

https://tryhackme.com/room/linprivesc
https://tryhackme.com/room/linuxprivescarena
https://tryhackme.com/room/linuxprivesc

Please share this post with your co-workers and friends if you found it helpful. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!