Hi everyone! Welcome to Pentestguy. In this article, we will see what Linux privilege escalation is and the different ways of escalating to root privileges on the Linux operating system.
While playing capture the flag or pentesting a network, escalating privileges is one of the important phases. Here we are focusing on Linux privilege escalations that result from weak permissions.
#What is Privilege Escalation?
Privilege Escalation is exploiting a bug, a design flaw in a system, or a weak configuration in an operating system (system software) or application software to gain the access of another user or of a higher-privileged user. There are two types of privilege escalation: horizontal, which is moving from one normal user to another normal user, and vertical, which is moving from a normal user to the root user.
#Shadow file – weak permission(Read)
The shadow file contains users' passwords in hash format. If a normal user also has read (and write) access to this file, that user can view the hash value of another user such as root and try to crack it using tools like John or Hashcat.
ls -l /etc/shadow
In the above example, the shadow file has read and write permission.
cat /etc/shadow
In the above example, we can get the hash value of the root user.
Copy the hash into a text file and use any tool to crack it; here I used John.
john --wordlist=rockyou.txt hash.txt
Here we got the password, which is “password123”.
#Shadow file – weak permission(Write Access)
In this scenario, the shadow file is writable by the normal user, so that user can replace the password hash of any other user.
mkpasswd -m sha-512 newpassword
Use any text editor, such as nano, and replace the hash value of the root user with the newly generated one.
#Passwd file – weak permission(Write Access)
The passwd file contains user information. If this file is writable, we can replace the x in the password field with a password hash.
ls -l /etc/passwd
In the above example, the passwd file has read and write access.
openssl passwd newpassword
Open the passwd file in any text editor; I am using nano here. Copy the root user's row and paste it at the end of the file, then replace the user name root with newroot and replace the x with the value generated by openssl.
In the above example, the newroot user has been added along with a hash value.
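The three conditions above (a shadow file that others can read or write, a hash placed directly in the passwd password field, and a second UID 0 account) are all easy to check for. The following audit script is an added example, not code from the original post; it builds constructed sample passwd and shadow files with placeholder hashes in a temporary directory so it runs offline, and the same functions can be pointed at /etc/passwd and /etc/shadow on a real host.

```shell
#!/bin/sh
# Added audit example (not part of the original post). Checks for the weak
# permissions and the passwd tampering described above, on constructed files.

# Symbolic mode string of a file, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds when "others" can read or write the file: the weak shadow case.
# Character 8 of the mode string is other-read, character 9 is other-write.
others_can_access() {
    case "$(mode_of "$1")" in
        ???????r*|????????w*) return 0 ;;
    esac
    return 1
}

# Accounts whose passwd password field is not the "x" placeholder or a
# locked marker, i.e. a hash written directly into the passwd file.
inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Accounts with UID 0 other than root, such as an added "newroot".
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Human-readable report over one passwd file and one shadow file.
report() {
    passwd=$1; shadow=$2
    if others_can_access "$shadow"; then
        echo "WARNING: $shadow is readable or writable by others ($(mode_of "$shadow"))"
    fi
    if [ "$(mode_of "$passwd" | cut -c9)" = "w" ]; then
        echo "WARNING: $passwd is writable by others ($(mode_of "$passwd"))"
    fi
    for u in $(inline_hashes "$passwd"); do
        echo "WARNING: $u has a password hash inline in $passwd"
    done
    for u in $(extra_uid0 "$passwd"); do
        echo "WARNING: $u has UID 0 in $passwd"
    done
}

# --- constructed sample files; the hashes are placeholders, not real hashes ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
newroot:$1$constructed$notarealhash:0:0:root:/root:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
user:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
cp "$WORK/shadow" "$WORK/shadow.ok"
chmod 644 "$WORK/passwd"
chmod 666 "$WORK/shadow"      # the weak permission shown in the post
chmod 640 "$WORK/shadow.ok"   # the expected hardened permission

report "$WORK/passwd" "$WORK/shadow"
```

On a real system the expected state is that /etc/shadow is mode 640 (or 600) owned by root, /etc/passwd is 644, every password field in passwd is x, and root is the only UID 0 account; any line the report prints is worth investigating.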
#History – Password leak
The history command is used to view previously executed commands. In some scenarios, an attacker may be able to find a plaintext password in the history.
grep -i passw ~/.bash_history
In the above example, we got a MySQL username and password. In most CTFs, the same credentials also work for that specific user's account.
#Config file – Password leak
System software and application software have many configuration files, and any of them may contain a plaintext password. The scenario given below contains a plaintext password in a text file.
In the above example, we check the myvpn.ovpn file and find that it references the auth.txt file, which contains the plaintext password.
#SSH Keys
The SSH private key of the root user may be accessible to a normal user, who can then use it to log in as root via SSH.
First, we need to find the key files, and then we need to copy the file contents to our local machine.
find / -name id_rsa 2> /dev/null
cat /backups/supersecrectkeys/id_rsa
In the above example, we find the id_rsa file using the find command and copy its contents to the local machine.
Change the permissions of the file we saved on the local system and try to connect.
chmod 400 id_rsa
ssh -i id_rsa root@ip
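The weakness in this scenario is a private key that is readable by users other than its owner, so the check a defender wants is a sweep for exactly that. The script below is an added example, not code from the original post; it builds a constructed directory tree with placeholder key files (not real keys) in a temporary directory and reports world-readable files whose first line is a private-key header. On a real host run it against / or the backup locations you care about.

```shell
#!/bin/sh
# Added example (not part of the original post): find private-key files that
# other users can read, which is the condition the SSH key scenario relies on.

# World-readable regular files whose first line is a PEM or OpenSSH
# private-key header, sorted. -perm -004 selects files with the other-read bit.
exposed_private_keys() {
    find "$1" -type f -perm -004 2>/dev/null | while read -r f; do
        if head -n 1 "$f" | grep -q 'BEGIN .*PRIVATE KEY'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Number of exposed keys, convenient for a non-zero check in monitoring.
exposed_key_count() {
    exposed_private_keys "$1" | wc -l | tr -d ' '
}

# --- constructed sample tree; the key bodies are placeholders, not real keys ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/backups/keys" "$WORK/home/user/.ssh"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
    '-----END OPENSSH PRIVATE KEY-----' > "$WORK/backups/keys/id_rsa"
cp "$WORK/backups/keys/id_rsa" "$WORK/home/user/.ssh/id_rsa"
printf '%s\n' 'ssh-rsa CONSTRUCTED-PLACEHOLDER user@host' > "$WORK/home/user/.ssh/id_rsa.pub"
chmod 644 "$WORK/backups/keys/id_rsa"        # exposed backup copy
chmod 600 "$WORK/home/user/.ssh/id_rsa"      # correctly protected key
chmod 644 "$WORK/home/user/.ssh/id_rsa.pub"  # public key, fine to be readable

echo "exposed private keys: $(exposed_key_count "$WORK")"
exposed_private_keys "$WORK"
```

The expected result on a healthy host is no output: private keys should be mode 600 and owned by the account that uses them, and backup copies under directories like /backups need the same protection as the originals, since ssh only refuses keys that are too open on the client side and says nothing about a server-side copy.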
I hope this article will help you in real-world engagements or in solving CTFs. You can find these scenarios in the labs available on TryHackMe:
https://tryhackme.com/room/linprivesc
https://tryhackme.com/room/linuxprivescarena
https://tryhackme.com/room/linuxprivesc
Please share this post with your co-workers and friends if you found it helpful. Please provide your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!