Linux Privilege Escalation by Exploiting Cronjobs

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “Privilege Escalation by exploiting Cron Jobs” to gain root access of a remote host machine and also examine how a bad implement cron job can lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.

For details, you can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of content

  • Introduction
  • Cron job
  • Crontab syntax
  • Crontab File overwrite
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)
  • Crontab Tar wildcard Injection
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)

Let’s Start!!!

What is cron job?

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

 

For example:  Inside crontab we can add following entry to print apache error logs automatically in every 1 hour.

Crontab File overwrite

Lab Setup for Poorly configured cron job

 Objective: Set a new job with help of crontab to run a python script which will erase all data from in a particular directory.

Let assume “cleanup” is the directory whose data will be cleared automatically in every two minutes. Thus we have saved some data inside /home/cleanup.

As you can observe from given image some files are stored inside cleanup directory.

Now write a python program in any other directory to delete data from inside /home/cleanup and give it all permission.

chmod 777 cleanup.py

At last schedule a task with help of crontab to run cleanup.py for every 2 minutes.

Now let’s verify the objectives

Coool!! It is working, as you can see all file has been deleted after two minutes.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Execute the following command as shown below.

 From above steps, we notice the crontab is running python script in every two minutes now let’s exploit.

There so many methods to gain root access as in this method we enabled SUID bits /bin/dash. It is quite simple, first, open the file through some editor, for example, nanocleanup.py and replace “rm -r /tmp/*” from the following line as given below

After two minutes it will set SUID permission for /bin/dash and when you will run it will give root access.

Awesome!! We hit the Goal…………………

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with help of crontab to take backup with tar archival program of HTML directory.

The directory should have executable permission whose backup you are going to take.

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

Let’s verify the schedule is working or not by executing following command.

From given below image you can notice the html.tgz file has been generated after 1 minute.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

Execute following command to grant sudo right to logged user and following post exploitation is known as wildcard injection.

Now after 1 minute it will grant sudo right to the user: ignite as you can confirm this with the given below image.

YUPPIEEEE!!! We have successfully obtained root access.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Beginner Guide to impacket Tool kit

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC). According to the Core Security Website, Impacket supports protocols like IP, TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6, SMB, MSRPC, NTLM, Kerberos, WMI, LDAP etc.

For the following practical we will require two systems,

  1. A Windows Server with Domain Controller Configured
  2. A Kali Linux

Here, in our lab scenario we have configured the following settings on our systems.

Windows Server Details

  • Domain: SERVER
  • User: Administrator
  • Password: T00r
  • IP Address: 192.168.1.140

Kali Linux: 192.168.1.135

Before beginning with the Impacket tools, let’s do a Nmap version scan on the target windows server to get the information about the services running on the Windows Server.

As you can see in the above screenshot, we have domain services, Kerberos Services, Netbios Services, LDAP services and Windows RPC services.

Now let’s install the Impacket tools from GitHub. You can get it from here.

Firstly, clone the git, and then install the Impacket as shown in the screenshot.

This will install Impacket on your Kali Linux, now after installation let’s look at what different tools does Impacket have in its box.

cd impacket/examples

These are the some of the tools included in impacket, let’s try some of them.

Ping.py

Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.

./ping.py

Syntax: ./ping.py [Source IP] [Destination IP]

Here we can see that we are getting the ICMP reply from 192.168.1.140 (Windows Server)

Lookupsid.py

A Windows SID bruteforcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

./lookupsid.py

Syntax: ./lookupsid.py [[domain/] username [: password] @] [Target IP Address]

As you can see that the lookupsid tool had extracted the user and group information from the server

Psexec.py

It lets you execute processes on remote windows systems, copy files on remote systems, process their output and stream it back. It allows execution of remote shell commands directly with full interactive console without having to install any client software.

./psexec.py

Syntax: ./psexec.py [[domain/] username [: password] @] [Target IP Address]

As you can see that we got a remote shell of the server in the given screenshot

Rpcdump.py

This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

./rpcdump.py

Syntax: ./rpcdump.py [[domain/] username [: password] @] [Target IP Address]

As you can see below we have the list of RPC targets

Samrdump.py

An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

./samrdump.py

Syntax: ./samrdump.py [[domain/] username [: password] @] [Target IP Address]

As you can see below we have extracted SAM information form the Target Server

Sniff.py

Simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface.

. /sniff.py

Choose the interface using the number associated with it. And the sniffing starts.

Sniffer.py

Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.

. /sniffer.py

And the sniffer starts to monitor icmp, tcp and udp

Wmiexec.py

It generates a semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. It runs as Administrator. It is highly stealthy.

./wmiexec.py

Syntax: ./wmiexec.py [[domain/] username [: password] @] [Target IP Address]

As you can se below that we have the shell from the Target Server

Wmiquery.py

It allows to issue WQL queries and get description of WMI objects at the target system.

./wmiquery.py

Syntax: ./wmiquery.py [[domain/] username [: password] @] [Target IP Address]

This will open a shell, where you can run WQL queries like

Atexec.py

This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

./atexec.py

Syntax: /atexec.py [[domain/] username [: password] @] [Target IP Address] [Command]

As you can see below that a remote connection was established to the server and the command systeminfo was run on the Target server with the output of the command delivered on the Kali terminal.

getArch.py

This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab) using a documented MSRPC feature.

./getArch.py

Syntax: ./getArch.py -target [IP Address]

Command: ./getArch.py -target 192.168.1.140

Here we can see that the architecture of the target system is 64-bit

Ifmap

This script will bind to the target’s MGMT interface to get a list of interface IDs. It will use that list on top of another list of interfaces UUID and reports whether the interface is listed and/or listening.

Syntax: ./ifmap.py [Host IP Address] [Port]

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Linux Privilege Escalation using LD_Preload

Hello friends, today we are going to discuss a new technique of privilege escalation by exploiting an environment variable “LD_Preload” but to practice this you must take some help from our previous article.

Table of contents

  • Introduction
  • Shared Libraries
  • Shared Libraries Names
  • LD_Preload
  • Lab setup
  • Post-Exploitation

Introduction

Shared Libraries

Shared libraries are libraries that are loaded by programs when they start. When a shared library is installed properly, all programs that start afterwards automatically use the new shared library. 

Shared Libraries Names

Every shared library has a special name called the soname”. The soname has the prefix lib”, the name of the library, the phrase .so”, followed by a period and a version number.

The dynamic linker can be run either indirectly by running some dynamically linked program or shared object. The programs ld.so and ld-linux.so* find and load the shared objects (shared libraries) needed by a program, prepare the program to run, and then run it. (read from here)

LD_Preload: It is an environment variable that lists shared libraries with functions that override the standard set, just as /etc/ld.so.preload does. These are implemented by the loader /lib/ld-linux.so

For more information read from here.

Lab setup

It is important that logged user must have some sudo rights, therefore, we have given some sudo rights such as /usr/bin/find to be executed by sudo user. But apart from that, there is some Default specification where you can set an environment variable to work as sudo.

To do this follow below steps:

  • Open /etc/sudoers file by typing visudo
  • Now give some sudo rights to a user, in our case “raj” will be members of sudoers.

Raj          ALL=(ALL=ALL) NOPASSWD: /usr/bin/find

  • Then add following as default specification to set environment for LD_preload.

Defaults        env_keep += LD_PRELOAD

Post-Exploitation

To exploit such type of vulnerability we need to compromise victim’s machine at once then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh now for post exploitation type sudo -l command to detect it. And notice the highlighted environment variable will work as sudo.

Let’s generate a C-program file inside /tmp directory.

Then save it as shell.c inside /tmp.

As discussed let’s compile it to generate a shared object with .so extension likewise .dll file in Windows operating system and hence type following:

Yuppieeee!!!! We got the ROOT access.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Multiple Ways to Get root through Writable File

In Linux everything is a file, including directories and devices that have permissions to allow or restricted three operations i.e. read/write/execute. When admin set permission for any file, he should be aware of Linux users to whom he is going allow or restrict all three permissions.

In this article, we are going to discuss Linux privilege escalation through writable file/script. To know more about Linux system permission to read this article.

Table of content

  • Escalate root via writable script in 5 different methods
  • Copy /bin/sh inside /tmp
  • Set SUID bit for /bin/dash
  • Give ALL permission to logged user through sudoers
  • Set SUID bit for /bin/cp
  • Malicious code for reverse connection.

Let’s start!!!

Start yours attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then by using the following command, we can enumerate all binaries having writable permission.

As you can observe that it has shown a python file which is stored inside /lib/log. When we explored that path we notice permission 777 for sanitizer.py

So here the following script was added by admin to cleanup all junk file from inside /tmp and these type of files depends upon specific time interval for executions.

Now if an attack identify such types of situation in victim’s machine then he can destroy his system by escalating root privileges in following ways

1st Method

 There so many methods to gain root access as in this method we copied /bin/sh inside /tmp and enabled SUID for /tmp/sh. It is quite simple, first, open the file through some editor for example nano sanitizer.py and replace “rm -r /tmp/*” from the following line as given below

After some time it will create an sh file inside /tmp directory having SUID permission and when you will run it you will give root access.

As you can confirm this from given below image.

2nd Method

Similarly, you can also replace “rm -r /tmp/*” from the following line as given below.

After some time it will set SUID permission for /bin/dash and when you will run it will give root access.

As you can confirm this from given below image.

3rd Method

In this method we have pasted python reverse shell connection code at place of rm -r /tmp/* and start netcat listener in a new terminal.

And as said above after some time we got the reverse connection through netcat and root access.

As you can confirm this from given below image.

4th Method

Another most interesting method is to give sudo right to the logged users by making him suoders file member. If you will notice below image then you can ensure that currently usre: wernerbrandes may not run sudo command.

Similarly you can also replace “rm -r /tmp/*” from following line as given below.

And after some time, when you will type “sudo -l” command then you will notice, it becomes the member of sudo users. To take root access type “sudo bash” and enjoy the root access.

5th Method

As we all know how much important role play by passwd in any linux -like system and if an attacker gets chance to modify this file, it becomes a dynamic way of privilege escalation.

Similarly, we will try something like this BUT with help of the writable script, here by using cat command we can etc/passwd file.

Here you can observe the highlighted entry for user: nemo records, as per my guessing UID:1000 & GID:1000 indicates it would be a member of admin group.

However, we want to edit nemo record to make him a member of root, therefore, select the whole content of etc/passwd and copy it and then paste into empty text file.

After then in a new terminal generate a salt password with help of openssl as shown and copy it.

openssl passwd -1 -salt abc 123

 

Now paste above-copied salt password at the place of “X” in the record entry of user nemo and also change previous UID&GID with 0:0 as shown in the given image. Once above said all steps are completed save the text file as “passwd” because when you will transfer this file to victim’s machine it will overwrite the content of original passwd file.

Now taking advantage of writable script replace “rm -r /tmp/*” from the following line as given below.

After some time it will enable SUID bit for /bin/cp to copy any file.

Now download your modified passwd file inside /tmp directory of victim’s machine. Let’s check whether SUID bit gets enabled for /bin/cp or not with help of the following command after then copy modify passwd file into /etc/passwd with help of cp command which will overwrite the content of original passwd file.

Now let confirm whether we have successfully manipulated the content of passwd file or not with help of the following command.

tail /etc/passwd

Wonderful!!! You can observe the following changes has now become the part of passwd file.

Now let take root access by executing following command:

 So today we have demonstrated how an attacker can lead to privilege escalation through the writable file.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...