Multiple Ways to Get root through Writable File

In Linux everything is a file, including directories and devices, and each file carries permissions that allow or restrict three operations: read, write and execute. When an admin sets permissions on a file, he should be aware of which Linux users he is going to allow or restrict for each of these three operations.

In this article, we are going to discuss Linux privilege escalation through a writable file or script. To know more about Linux file permissions, read this article.

Table of content

  • Escalate root via writable script in 5 different methods
  • Copy /bin/sh inside /tmp
  • Set SUID bit for /bin/dash
  • Give ALL permission to logged user through sudoers
  • Set SUID bit for /bin/cp
  • Malicious code for reverse connection

Let’s start!!!

Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and obtain a non-root user terminal. Then, using the following command, we can enumerate all binaries that are writable.

As you can observe, it has shown a Python file stored inside /lib/log. When we explored that path, we noticed permission 777 on sanitizer.py.

The following script was added by the admin to clean up all junk files inside /tmp, and scripts of this type are executed at a specific time interval.

Now, if an attacker identifies such a situation on the victim's machine, he can compromise the whole system by escalating to root privileges in the following ways.
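A defender's counterpart to the enumeration step above, added here as an example (not the article's own command): a Python audit that walks directories and reports world-writable regular files, flagging root-owned ones, which are the ones a root-run cleanup job would turn into a privilege escalation. The /lib/log path comes from the article; the other roots named in the comments and the scratch files the demo builds are constructed.

```python
"""Audit for world-writable files that a privileged scheduler may execute.

Added example for this article, not the author's own tooling. It walks the
given directories and reports every regular file whose mode grants write
access to "other" (the 0777 sanitizer.py case), marking the dangerous
combination of world-writable AND root-owned: such a file is typically run
with root privileges by a timer, so anyone can edit what root executes.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Finding:
    path: str
    mode: str         # symbolic octal, e.g. "0o777"
    owner_uid: int
    root_owned: bool  # True when uid 0 owns a file anyone may modify


def is_world_writable(st_mode: int) -> bool:
    """True for a regular file whose 'other' write bit (o+w) is set."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_IWOTH)


def audit_world_writable(roots: Iterable[str]) -> List[Finding]:
    """Recursively inspect each root; symlinks are not followed."""
    findings: List[Finding] = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: a symlink's target mode is ignored
                except OSError:
                    continue             # vanished or unreadable: skip, keep auditing
                if is_world_writable(st.st_mode):
                    findings.append(Finding(
                        path=path,
                        mode=oct(stat.S_IMODE(st.st_mode)),
                        owner_uid=st.st_uid,
                        root_owned=(st.st_uid == 0),
                    ))
    # Root-owned hits first: those are the ones a root-run job makes exploitable.
    return sorted(findings, key=lambda f: (not f.root_owned, f.path))


def run_demo() -> Tuple[List[Finding], str, str]:
    """Constructed scratch tree: one 0o777 script and one 0o755 script.

    Returns the findings plus both paths so the result can be checked.
    On a real host call e.g. audit_world_writable(["/lib/log", "/etc/cron.d", "/opt"]).
    """
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "sanitizer.py")
        good = os.path.join(tmp, "cleanup.py")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("#!/usr/bin/env python3\nimport os\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        return audit_world_writable([tmp]), bad, good


if __name__ == "__main__":
    hits, _, _ = run_demo()
    for f in hits:
        flag = "ROOT-OWNED" if f.root_owned else "user-owned"
        print(f"{f.mode} {flag:10} uid={f.owner_uid} {f.path}")
```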

1st Method

There are many methods to gain root access; in this one we copy /bin/sh into /tmp and enable the SUID bit on /tmp/sh. It is quite simple: first open the file in an editor, for example nano sanitizer.py, and replace "rm -r /tmp/*" with the following line as given below.

After some time it will create an sh file inside the /tmp directory with SUID permission, and when you run it you will get root access.

As you can confirm from the image below.

2nd Method

Similarly, you can also replace "rm -r /tmp/*" with the following line as given below.

After some time it will set SUID permission on /bin/dash, and when you run it you will get root access.

As you can confirm from the image below.

3rd Method

In this method we paste Python reverse shell code in place of rm -r /tmp/* and start a netcat listener in a new terminal.

As said above, after some time we got the reverse connection through netcat, with root access.

As you can confirm from the image below.

4th Method

Another interesting method is to give sudo rights to the logged-in user by adding him to the sudoers file. If you look at the image below, you can see that currently user wernerbrandes may not run the sudo command.

Similarly, you can also replace "rm -r /tmp/*" with the following line as given below.

After some time, when you type the "sudo -l" command, you will notice that the user has become a member of the sudo users. To take root access, type "sudo bash" and enjoy root access.

5th Method

As we all know, the passwd file plays a very important role in any Linux-like system, and if an attacker gets a chance to modify this file it becomes a direct way of privilege escalation.

Similarly, we will try something like this, but with the help of the writable script; here, using the cat command, we can read the /etc/passwd file.

Here you can observe the highlighted entry for user nemo; as per my guess, UID 1000 and GID 1000 indicate that it would be a member of the admin group.

However, we want to edit nemo's record to make him a member of root; therefore, select the whole content of /etc/passwd, copy it and paste it into an empty text file.

Then, in a new terminal, generate a salted password hash with the help of openssl as shown and copy it.

openssl passwd -1 -salt abc 123

Now paste the copied salted hash in place of the "x" in the record entry of user nemo and also change the previous UID and GID to 0:0 as shown in the given image. Once all the above steps are completed, save the text file as "passwd", because when you transfer this file to the victim's machine it will overwrite the content of the original passwd file.

Now, taking advantage of the writable script, replace "rm -r /tmp/*" with the following line as given below.

After some time it will enable the SUID bit on /bin/cp, which can then copy any file.

Now download your modified passwd file into the /tmp directory of the victim's machine. Let's check whether the SUID bit got enabled on /bin/cp with the help of the following command; after that, copy the modified passwd file to /etc/passwd with the cp command, which will overwrite the content of the original passwd file.

Now let's confirm whether we have successfully manipulated the content of the passwd file with the help of the following command.

tail /etc/passwd

Wonderful!!! You can observe that the following changes have now become part of the passwd file.

Now let's take root access by executing the following command:

So today we have demonstrated how an attacker can escalate privileges through a writable file.
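Added example, not from the article: the checks a defender would run to catch the passwd rewrite in the 5th method (a hash placed directly in the password field, a non-root account given UID/GID 0, and any record that differs from a trusted baseline copy). The account records are constructed; the $1$abc$ prefix mirrors the openssl salt used above, but the digest is a placeholder, not a real hash.

```python
"""Integrity checks for passwd-format data, matching the tampering in the 5th method.

Added example, not part of the article. parse_passwd() reads the seven-field
format; find_anomalies() flags a hash stored directly in field 2 (modern
systems keep "x" there and the real hash in /etc/shadow) and any account
other than root carrying UID 0 or GID 0; changed_accounts() diffs a current
file against a trusted baseline to catch a silent overwrite.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str   # "x" on a shadowed system
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) text; blank lines and '#' comments are ignored."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def find_anomalies(entries: List[PasswdEntry]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    issues: List[str] = []
    for e in entries:
        if e.passwd != "x":
            # A hash here bypasses /etc/shadow entirely: exactly what pasting
            # the openssl passwd output over the "x" produces.
            issues.append(f"{e.name}: password field is not 'x' (hash stored in passwd)")
        if e.uid == 0 and e.name != "root":
            issues.append(f"{e.name}: UID 0 on a non-root account")
        if e.gid == 0 and e.name != "root":
            issues.append(f"{e.name}: GID 0 on a non-root account")
    return issues


def changed_accounts(baseline_text: str, current_text: str) -> List[str]:
    """Names whose record differs from the baseline, including added/removed accounts."""
    base: Dict[str, PasswdEntry] = {e.name: e for e in parse_passwd(baseline_text)}
    cur: Dict[str, PasswdEntry] = {e.name: e for e in parse_passwd(current_text)}
    return sorted(n for n in set(base) | set(cur) if base.get(n) != cur.get(n))


# Constructed sample: the file as the admin left it, and the file after the nemo
# record was rewritten with a hash in field 2 and UID/GID 0:0. The hash is a
# placeholder, not a real MD5-crypt digest.
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
"""
TAMPERED = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nemo:$1$abc$PLACEHOLDER_NOT_A_REAL_HASH:0:0:nemo,,,:/home/nemo:/bin/bash
"""

if __name__ == "__main__":
    for issue in find_anomalies(parse_passwd(TAMPERED)):
        print("ALERT:", issue)
    print("changed since baseline:", changed_accounts(BASELINE, TAMPERED))
```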

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Penetration Testing on X11 Server

X is an architecture-independent system for remote graphical user interfaces and input device capabilities. Each person using a networked terminal has the ability to interact with the display with any type of user input device.

Source: Wikipedia

In most cases the X server's remote access is disabled; if it is enabled and access control is switched off, it allows anyone on the network to connect to the server. This vulnerability is called X11 Server Unauthenticated Access. You can get more information from here.

For a proper demonstration, we will have to set up a lab with this vulnerability.

Lab Setup

We will use an Ubuntu 14.04 system for this vulnerable lab setup. After the basic installation of Ubuntu Server, we will focus on locating the "lightdm.conf" file. The location of this file is /etc/lightdm/lightdm.conf. If you can't find it at that location, you can get it from here.

To edit the file, we will use gedit.

gedit /etc/lightdm/lightdm.conf

To create the vulnerability, we will uncomment the following line:

xserver-allow-tcp=true

Now that we have made changes in the conf file, to make them take effect we will restart the lightdm service.

command: service lightdm restart

Once the lightdm service restarts, we will disable access control. This will allow any client on the network to connect to the server.

command: xhost +

And that's it. We have successfully created the vulnerable X11 server.

Penetration Testing of X11 Server

To begin the Penetration Testing, we will start with the nmap scan.

nmap -sV 192.168.1.109

As we can see from the screenshot, TCP port 6000 is open on the server (192.168.1.109), and it is running the X11 service on that port.

Nmap has a script which checks whether the attacker is allowed to connect to the X server. We can check whether the X server allows us the connection as shown below.

We can clearly see from the screenshot that the X server allows us access.

XWININFO

This is a built-in utility in Kali; it shows window information for the X service. In penetration testing, xwininfo can be used to get information about the windows opened on the target system.

Command: xwininfo -root -tree -display 192.168.1.109:0

  • Root = specifies that X’s root window is the target window
  • Tree = displays the names of the windows
  • Display = specify the server to connect to

We can extract much information from the screenshot above like:

  • Victim has Gnome Terminal open
  • Victim is a VMware user
  • Victim has Nautilus (Ubuntu file browser) open

XWD

It is an X Window System utility that helps in taking screenshots. On our Kali system we will use xwd to take a screenshot of the X server. This utility saves screenshots in xwd format.

Root = indicates that the root window should be selected for the window dump

Screen = indicates that the GetImage request used to obtain the image should be done on the root window rather than directly on the specified window

Silent = operate silently, i.e. don't ring any bells before and after dumping the window

Display = specify the server to connect to

After running the aforementioned command, we successfully capture a screenshot from the victim system.

Here we have the screenshot captured by xwd, but it is in .xwd format, so to view it we will have to convert it to a viewable format like .png.

convert screenshot.xwd screenshot.png

This command converts the xwd file to a png file. After running it, we find our screenshot in png format as shown below:

On opening the png file we can see that the xwd tool has successfully captured a screenshot of the target system.

XSPY

It is a built-in tool in Kali Linux for X Window servers. XSPY is a sniffer: it sniffs keystrokes on the remote or local X server.

As we can see from the given screenshot, we have got the user's password, as the victim unknowingly entered it. Also note that the password is not visible on the server terminal, but because xspy captures the keys typed, we have the password anyway.

Getting the Shell through Metasploit

Now we will use the X11 Keyboard Command Injection module of the Metasploit Framework. This module exploits an open X11 server by connecting and registering a virtual keyboard. The virtual keyboard is then used to open an xterm or gnome terminal, and to type and execute the payload.

NOTE: As the X server is a visual service, while the module executes, every action taking place on the target system will be visible to the victim.

Now, after opening the Metasploit Framework, we will use the payload as shown:

After running the module, it will first connect to the server, search for xterm and open it.

Then, after waiting for 10 seconds, it will start typing the script command into the xterm.

After executing this command, xterm will close, but it will provide a command shell to the attacker as shown.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.

Beginners Guide for John the Ripper (Part 2)

We learned most of the basic information about John the Ripper in our previous article, which can be found here. In this article we will use John the Ripper to crack the password hashes of some file formats like zip, rar, pdf and much more.

To crack these password hashes, we are going to use some inbuilt and some other utilities which extract the password hash from the locked file. There are some utilities that come inbuilt with john, which can be found using the following command.

locate *2john

As you can see, we have the following utilities; we will demonstrate some of them here.

Cracking the SSH Password Hash

John the Ripper can crack the passphrase of an SSH private key created with RSA encryption. To test cracking the private key, first we will have to create a new key pair. To do this we will use a utility that comes with ssh, called "ssh-keygen".

ssh-keygen

After opening, it asks for the location at which we want to store the public/private rsa key pair. You can use any location or leave it as default.

After that it asks for the passphrase; after entering the passphrase again, we successfully generate the rsa private key. (Refer to the screenshot.)

When you try to open the file, you will be greeted by the following prompt.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "ssh2john".

Syntax: ssh2john [location of key]

You can see that we converted the key to a crackable hash and then entered it into a text file named id_rsa.txt.

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the private ssh key: "password123".

Cracking the KeePass2 Password Hash

John the Ripper can crack the KeePass2 key. To test the cracking of the key, first we will have to create a new database. To do this we will use a utility called "kpcli".

kpcli

Now we will create a database file using the command "saveas", naming the database file ignite.kdb and entering a passcode to secure it.

When you try to open the file, you will be greeted by the following prompt.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "keepass2john".

Syntax: keepass2john [location of key]

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the key: "12345678".

Cracking the RAR Password Hash

Now we will crack some compressed files. To do that we will have to create a file to be compressed, so let's do that using the echo command as shown in the given screenshot.

You can see that we created file.txt, which we will be using to create compressed files.

John the Ripper can crack RAR file passwords. To test cracking the password, first let's create a compressed, encrypted rar file.

  • a = Add files to archive
  • hp[password] = Encrypt both file data and headers

This will compress and encrypt our file.txt into file.rar. So, when you try to open the file, you will be greeted by the following prompt.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "rar2john".

Syntax: rar2john [location of key]

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the key: "abc123".

Cracking the ZIP Password Hash

John the Ripper can crack ZIP file passwords. To test cracking the password, first let's create a compressed, encrypted zip file.

zip -er file.zip file.txt

  • e = Encrypt
  • r = Recurse into directories

This will compress and encrypt our file.txt into file.zip. So, when you try to open the file, you will be greeted by the following prompt.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "zip2john".

Syntax: zip2john [location of key]

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the key: "654321".

Cracking the 7-Zip Password Hash

John the Ripper can crack 7-Zip file passwords. To test cracking the password, first let's create a compressed, encrypted 7z file.

7z a -mhe file.7z file.txt -p"password"

  • a = Add files to archive
  • m = Set compression Method
  • h = Calculate hash values for files
  • e = Encrypt file
  • p = set Password

This will compress and encrypt our file.txt into file.7z. So, when you try to open the file, you will be greeted by the following prompt.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "7z2john". This is not an inbuilt utility; it can be downloaded from here.

Syntax: 7z2john [location of key]

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the key: "password".

Cracking the PDF Password Hash

John the Ripper can crack PDF file passwords. You can encrypt your pdf online using this website. This will encrypt our pdf into a password-protected file.pdf. So, when you try to open the file, you will be greeted by the following prompt.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "pdf2john". This is not an inbuilt utility; it can be downloaded from here.

Syntax: pdf2john [location of key]

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the key: "password123".

Cracking the PuTTY Password Hash

John the Ripper can crack the passphrase of a PuTTY private key created with RSA encryption. To test cracking the private key, first we will have to create a new key pair. To do this we will use a utility that comes with PuTTY, called "PuTTY Key Generator".

Click on "Generate". After generating the key, we get a window where we input the key passphrase as shown in the screenshot.

After entering the passphrase, click on "Save private key" to get a private key in the form of a .ppk file.

After generating it, transfer this .ppk file to Kali Linux.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "putty2john".

Syntax: putty2john [location of key]

You can see that we converted the key to a crackable hash and then entered it into a text file named crack.txt.

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the private PuTTY key: "password".

Cracking the “Password Safe” Password Hash

John the Ripper can crack the Password Safe software's key. To test the cracking of the key, first we will have to create a new database. To do this we will install the Password Safe software on our Windows 10 system.

To get a new key, click on "New".

In this prompt, check the Show Combination box. After that, enter the passphrase you want to use to generate the key. This will generate a .psafe3 file.

After generating it, transfer this .psafe3 file to Kali Linux.

Now, John cannot directly crack this key; first we will have to change its format, which can be done using a john utility called "pwsafe2john".

Syntax: pwsafe2john [location of key]

You can see that we converted the key to a crackable hash and then entered it into a text file named crack.txt.

Now let’s use John the Ripper to crack this hash.

Great! We have successfully cracked the passphrase used to create the private pwsafe key: "password123".

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.

Hack the Box Challenge: Crimestoppers Walkthrough

Hello friends!! Today we are sharing our experience, which can be helpful in solving the new CTF challenge Crimestoppers of Hack The Box. Solving this lab is not that easy; all you need is your penetration testing skill to solve this challenge.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore they have a static IP. Crimestoppers has IP 10.10.10.69.

As we know, the initial stage is enumeration; therefore we use an nmap aggressive scan to gather information about the target machine and its running services.

Knowing port 80 was open on the victim's network, we preferred to explore the IP in the browser, and the following page opened as shown below. Here we can see that it has two pages, home and upload, but we didn't find anything suspicious.

So next we used the dirb tool of Kali to enumerate directories and found some important ones such as http://10.10.10.80/?op=view, and went to the web browser to explore them.

At upload, you can upload any comment as a Tip in order to provide some information. So we tried to upload malicious code here but failed each time.

If you observe the URL http://10.10.10.80/?op=upload, you will realize that it looks like LFI.

But it was not that easy to extract information by exploiting LFI with the help of ../etc/passwd; therefore, with a little more effort and help from my previous article, we used the curl command to extract the data from inside it with the help of the PHP base64-encode filter.

As a result, it returns base64-encoded text which we need to decode.

To decode the base64-encoded text, follow the syntax below; we found a PHP script that was pointing toward some kind of token and a secretname, which was a link to the uploads directory.

Syntax: echo BASE64TEXT | base64 -d
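Added example, not part of the write-up: detection logic a defender would run over web server access logs to spot the LFI and PHP base64-encode filter requests made against the ?op= parameter above, including URL-encoded traversal variants. The client IP, timestamps and request paths in SAMPLE_LOG are constructed.

```python
"""Flag LFI probing of a query parameter in Apache/nginx combined access logs.

Added example for this write-up, not part of it. Two indicators are checked
after URL-decoding each request target twice (to catch double-encoding):
directory traversal towards sensitive files, and the php://filter wrapper
with convert.base64-encode, which leaks PHP source instead of executing it.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/proc/self)', re.I)
PHP_FILTER_RE = re.compile(r'php://filter/.*convert\.base64-encode', re.I)


def classify_request(target: str) -> List[str]:
    """Return indicator tags for one request target; empty list when clean."""
    decoded = unquote(unquote(target))  # second pass defeats %25-encoded payloads
    tags: List[str] = []
    if TRAVERSAL_RE.search(decoded):
        tags.append("path-traversal")
    if PHP_FILTER_RE.search(decoded):
        tags.append("php-filter-source-disclosure")
    return tags


def scan_log(lines: List[str]) -> List[Dict]:
    """Parse each line and keep only requests carrying at least one indicator."""
    hits: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave it for a separate malformed-log check
        tags = classify_request(m["target"])
        if tags:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "target": unquote(m["target"]),
                "tags": tags,
            })
    return hits


# Constructed sample log: one benign request to ?op=view, three probes from the
# same client (plain traversal, php://filter source read, double-encoded
# traversal), and one unrelated visitor.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Mar/2018:10:01:02 +0000] "GET /?op=view HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '10.10.14.5 - - [12/Mar/2018:10:01:09 +0000] "GET /?op=../../../../etc/passwd HTTP/1.1" 200 88 "-" "curl/7.58.0"',
    '10.10.14.5 - - [12/Mar/2018:10:01:15 +0000] "GET /?op=php://filter/convert.base64-encode/resource=upload HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
    '10.10.14.5 - - [12/Mar/2018:10:01:20 +0000] "GET /?op=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Mar/2018:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['status']} {','.join(hit['tags'])} {hit['target']}")
```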

After struggling a lot, we finally uploaded our PHP backdoor with the help of Burp Suite. Follow the given steps to upload the PHP web shell.

Open php-reverse-shell.php, which is inbuilt in Kali Linux at the path /usr/share/webshells/php, modify the ATTACKER's IP and save this file on the desktop. Here we have renamed it shell.php and compressed this file.

In order to capture the request from the web browser, enter the information for Tip and name, then turn on Burp Suite and click on Send Tip.

Now, in order to upload the content of our PHP backdoor through Burp, select the string "shell" for name = tip as shown below.

And choose the PHP file to paste its content in place of shell.

As you can observe, we have successfully uploaded our malicious PHP content here.

Now forward the intercepted request and you will get the secretname for the uploaded file as highlighted; copy it. Then forward the request again; it will give the success.txt message. At last, forward the request one more time.

Do not forget to launch netcat for the reverse connection before executing your uploaded file.

nc -lvp 1234

Now open the browser and request the following URL, which contains the secretname of the uploaded file (PHP backdoor), and you will get a netcat session for the reverse connection.

Because we love to work with meterpreter sessions, with the help of the Metasploit web_delivery module we generate malicious Python code as shown.

Paste the copied code into the netcat session, which will provide a meterpreter session inside the Metasploit Framework.

HURRAYYYY!!! We got our meterpreter session; now let's grab the user.txt file first.

Inside the path /home/dom I found the user.txt file and used the cat command to read it.

cd home

ls

cd dom

ls

cat user.txt

Great!! We got our 1st flag successfully.

Now we need to find the root.txt file to finish this challenge, and believe me, it was not easy until you find the hint hidden by the author. We tried every possible method to escalate privileges and gain root access, but it was quite different from the previous one.

After digging more and more, we found "36jinndk.default" inside /home/dom/.thunderbird, which was an encrypted Thunderbird profile; therefore, we downloaded it to our local system.

Since it was an encrypted Thunderbird profile, with the help of Google we found a Python script for its decryption at this link: https://github.com/unode/firefox_decrypt.

With the help of the following command, we successfully found the password: Gummer59

We applied this password to switch to user dom with the help of the following command, and then moved into the crimestoppers.htb directory; it looks like his mailbox directory, where we found many files such as INBOX.

First we looked into INBOX for any hint about root.txt but didn't find anything related to the root.txt flag; similarly, we opened the other files but didn't find anything.

At last, we opened Drafts-1 and read the following line, which looks like a hint for root access.

"I don't trust them and ran rkhunter; it reported that there is a rootkit installed called apache_modrootme backdoor" and its execution method.

So, exploring the given path, we found the access.log.2.gz file; since it was a compressed file, it was better to copy it into /tmp for further steps.

Now let's move into /tmp and extract the copied file there with the help of gunzip.

In the log you can observe a command "FunSociety" which has been executed several times.

As per the message read from Drafts-1, we ran netcat on localhost on port 80 and got root access with the help of the following commands.

Now let’s get the root.txt and finish this task.

BOOOOOM!!!! We hit the goal and completed both tasks.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.