Linux Privilege Escalation using Capabilities

In this article, we will discuss the mechanism of “capabilities” and privilege escalation by abusing them. As we know, the system creates a work context for each user in which they carry out their tasks with the privileges assigned to them. So, to provide certain functionality, it is sometimes necessary for a non-privileged user to temporarily acquire a superuser profile to perform a specific task.

This functionality can mainly be achieved by assigning privileges through sudo, or by setting the setuid permission on an executable file, which allows the user to adopt the role of the file owner.

To accomplish the same task in a more secure way, the system admin uses “capabilities”, which play an effective role in the security of Linux-based operating systems.

Table of Contents

Introduction to Capability

  • What is a capability?
  • Difference between capabilities and SUID
  • Uses of capabilities
  • Working with capabilities
  • List of capabilities

Abusing capabilities for Privilege Escalation

  • Python3
  • Perl
  • Tar

Introduction to Capability

What is a capability in Linux?

Before capabilities, we only had a binary system of privileged and non-privileged processes. For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes, referred to as superuser or root, and unprivileged processes (whose effective UID is nonzero).

Capabilities are permissions that divide the privileges of the kernel user or kernel-level programs into small pieces, so that a process can be allowed sufficient power to perform specific privileged tasks.

Difference between capabilities and SUID

SUID: SUID stands for set user ID and allows users to execute a file as the file owner. This is defined as giving a user temporary access to run a program/file with the permissions of the file’s owner rather than those of the user who runs it. This can easily be detected with the “find” command. To find all files with SUID set under the current directory we can use the -perm option, which will print only files with the permission bit 4000 set.

Capability: The security of Linux systems can be improved by many measures. One of these measures is Linux capabilities, which are maintained by the kernel. In other words, we can say that they are a little unintelligible but similar in principle to SUID. Linux’s thread privilege checking is based on capabilities.

Uses of capabilities

Capabilities work by breaking the actions normally reserved for root down into smaller portions. The use of capabilities is only beginning to reach userland applications, as most system utilities do not shed their root privileges. Let’s move ahead to see how we can put this permission to use in our tasks.

Limiting a user’s permissions: As we know, giving away too many privileges by default will result in unauthorized changes of data, backdoors and circumvented access controls, just to name a few. To overcome this situation we can simply use capabilities to limit a user’s permissions.

Using a fine-grained set of privileges: The use of capabilities can be understood more clearly through another example. Suppose a web server normally runs on port 80, and we also know that root permissions are needed to start listening on one of the lower ports (<1024). This web server daemon needs to be able to listen on port 80. Instead of giving this daemon all root permissions, we can set a capability on the related binary, such as CAP_NET_BIND_SERVICE. With this specific capability, it can open up port 80 in a much easier way.

Working with capabilities

Capabilities can be operated on in many ways. Some of them are listed below:

Assigning and removing capabilities: They are usually set on executable files and are automatically granted to the process when a file with a capability is executed. The file capability sets are stored in an extended attribute named security.capability. Setting them requires the CAP_SETFCAP capability.

To enable a capability on a file, frame the command as shown below:

Similarly, one can also remove a file capability with the command shown below.

Reading capabilities: Many files or programs have capabilities predefined, so to check whether a file has any capability set you can simply run the command as:

If you’d like to find out which capabilities are already set on your system, you can search your whole filesystem recursively with the following command:
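The recursive search above (the article's own command is in a screenshot that is not reproduced here) produces one line per file. As an added example that is not part of the original article, the following audit script parses that output and flags the capabilities that are dangerous when placed on a binary a low-privileged user can run: cap_setuid/cap_setgid let the process change its UID/GID, the cap_dac_* pair bypasses file permission checks, and the rest are root-equivalent in other ways. The `+ep` suffix marks the capability as effective and permitted. The getcap lines below are constructed samples; `audit_live_system` runs the same check on a real host and assumes the libcap `getcap` tool is installed.

```shell
#!/bin/sh
# Added audit helper (not from the original article): parse `getcap -r /`
# output and flag file capabilities that let a process become root or
# bypass discretionary access control. Sample lines are constructed.

# Comma-separated so the list splits correctly while IFS is ','.
DANGEROUS_CAPS='cap_setuid,cap_setgid,cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_ptrace,cap_sys_module,cap_chown,cap_fowner,cap_setfcap'

# flag_dangerous_caps: reads getcap-style lines on stdin and prints
# "path<TAB>capability" for every dangerous capability found.
# Accepts both output styles: "/path = cap_x+ep" (older libcap) and
# "/path cap_x=ep" (newer libcap).
flag_dangerous_caps() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}            # first field is the file path
        caps=${line#"$path"}        # rest of the line holds the capabilities
        caps=${caps#" = "}          # drop the " = " separator of the old style
        caps=${caps#" "}            # drop the single space of the new style
        old_ifs=$IFS; IFS=','
        for item in $caps; do       # e.g. cap_setuid+ep or cap_setuid=ep
            name=${item%%[=+]*}     # strip the flag suffix, keep the name
            for d in $DANGEROUS_CAPS; do
                if [ "$name" = "$d" ]; then
                    printf '%s\t%s\n' "$path" "$name"
                fi
            done
        done
        IFS=$old_ifs
    done
}

# count_dangerous TEXT: number of findings in a getcap-style text.
count_dangerous() {
    printf '%s\n' "$1" | flag_dangerous_caps | wc -l | tr -d ' '
}

# audit_live_system: run the check against the real filesystem
# (requires getcap; errors for unreadable paths are suppressed).
audit_live_system() {
    getcap -r / 2>/dev/null | flag_dangerous_caps
}

# Constructed sample mixing both output styles. ping's cap_net_raw is
# benign; the interpreter copies with cap_setuid and the tar binary with
# cap_dac_read_search are the three findings.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/home/demo/python3 = cap_setuid+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/home/demo/perl cap_setuid=ep'

printf 'Findings in constructed sample: %s\n' "$(count_dangerous "$SAMPLE_GETCAP")"
printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
```

For each finding, the remediation is to remove the capability with `setcap -r` on that file, or to confine the binary to the intended user with directory permissions, and then re-run `audit_live_system` to confirm the change.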

List of Capabilities

On the basis of functionality, capabilities are categorized into a total of 36. Some of the most commonly used are shown below.

Abusing Capabilities for Privilege Escalation

Python Capability

Suppose the system administrator wants to grant superuser permission for a binary program, let’s say python3, which should only be available to a specific user, and the admin doesn’t want to give SUID or sudo permission. The admin is supposed to use capabilities for the python3 program that will be executed by a specific user, let’s say user “demo”. This can be accomplished with the following commands on the host machine.

As a result, the user demo received the privilege to run the python3 program as root, because here the admin has raised the privilege by using cap_setuid+ep, which means all privilege is assigned to the user for that program. But if you try to find files or programs with permission 4000, /home/demo/python3 will not be shown.

Note: the user's home directory should not be accessible to other users, because if other non-root users can access it, they will also be able to take advantage of the capabilities set for user demo.

Exploiting the capability using python3

Assume an intruder has compromised the host machine as a local user and spawned a least-privilege shell. He looked for system capabilities and found the empty capability (ep) granted on python3 for user demo, which means all privilege is assigned to the user for that program; therefore, taking advantage of this permission, he can escalate from a low-privilege shell to a high-privilege one.

Hence you can observe that the local user demo has obtained a root shell, as shown in the given image.

Perl Capability

We have another example, “perl”, which is the same as above: the admin is supposed to use capabilities for the perl program that will be executed by a specific user, let’s say user “demo”. This can be accomplished with the following commands on the host machine.

As a result, the user demo received the privilege to run the perl program as root, because here the admin has raised the privilege by using cap_setuid+ep, which means all privilege is assigned to the user for that program.

Exploiting the capability using perl

Repeat the above steps to exploit the perl program and escalate to root privilege:

Tar Capability

We have another example, “tar”, which is the same as above: the admin is supposed to use capabilities so that high-privilege files that are restricted for other users can be extracted by a specific user, let’s say user “demo”.

Let’s take an example: the admin wants to assign a role where the user “demo” can take a backup of files as root. For this task the admin has set the read capability on the tar program. This can be accomplished with the following commands on the host machine.

Exploiting the capability using tar

Repeat the same procedure to escalate privilege: take access to the host machine as a local user and move ahead with privilege escalation. This time the admin has used CAP_DAC_READ_SEARCH, which bypasses file read permission checks and directory read and execute permission checks.

Here we try to read the shadow file, where all the system users’ password hashes are stored. For this you have to follow the steps below.

  • Compress /etc/shadow into the current directory with the help of the tar program.
  • You will get shadow.tar in your current directory.
  • Extract shadow.tar and you will get a directory containing “etc/shadow”.
  • Use cat/head/tail or another program to read the password hashes.

As a result, you will have the “etc/shadow” file in your current directory and can read the password hashes as shown here.

A malicious user can crack these passwords using a tool such as John the Ripper or HashKiller, etc.

Conclusion: The system admin should be aware of the security loopholes involved in assigning such capabilities, which can affect the integrity of the kernel and lead to privilege escalation.


Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: Perl Privilege Escalation

Here we are again, coming back with another very essential command, i.e. “Perl”. As we know, Perl has its significance in the era of programming languages, being specially designed for text editing. Apart from that, it is now also very prominent for a variety of purposes including Linux system administration, network programming, web development, etc. So, keeping this fact in mind, we will proceed in this article to see how we can take more advantage of this command in the operation of privilege escalation.

NOTE: “The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs based on Linux privilege escalation. Here we do not criticize any kind of misconfiguration that a network or system administrator makes when providing higher permissions on any programs/binaries/files, etc.”

Table of Contents

Overview of Perl

  • Introduction: What is Perl?
  • Where do we use Perl?
  • What are its necessities?
  • Multiple operations using Perl

Abusing Perl

  • Sudo lab setup for privilege escalation
  • Exploiting sudo
  • Capabilities

What is Perl?

Perl is a programming language whose name stands for “Practical Extraction and Reporting Language”. It was created by Larry Wall in 1987 and is specially designed for text editing purposes. As we all know, computers understand only binary language, i.e. “0,1”, or what one can call low-level language, and it is very difficult for humans to program in binary. So to overcome that difficulty we needed a programming language which uses natural-language elements, words from common English, that can be easily understood by humans [a high-level language].

So once a program is written by a human, it needs to be converted into a form that the computer understands. For that, we need something which can translate the high-level language to low-level language. Here the interpreter comes to our help: it is software that converts a program written in a high-level language to low-level language so the computer can understand and execute the instructions written in the program. Hence, Perl is an interpreted programming language.

It was originally a language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information.

Where do we use Perl?

The influence of Perl can be seen in many fields, and the most popular use of Perl is in web development. As we know, the major role and purpose of Perl is text editing, extracting data and generating reports. Perl has become a popular language in web development, networking and bioinformatics too. Apart from all this, Perl can also be used for CGI programming.

What are its necessities?

As we all know, there are many programming languages that can do all the things which can be achieved with the help of Perl.

So here the question arises: why should we specifically use “Perl”? Perl is very easy to learn, particularly if you have a background in computer programming. It is extremely portable and can run on any operating system that has a Perl interpreter installed, so it is platform-independent. All Linux operating systems come with Perl installed, so you can start Perl coding in Linux out of the box.

Compared with other languages, Perl is faster and more powerful in performing many tasks. It possesses many shortcuts which allow the user to write quick scripts. It was designed specifically for text processing. Its built-in text processing ability makes Perl a widely used server-side programming language.

So, moving ahead toward our goal of privilege escalation, first we will check its version. For this purpose, we will use the “-v” option as shown below.

To know more about all the operations that Perl can do, we will use its help command, which will direct us to other functionality.

Multiple operations of Perl

Help in scripting: As we know, unlike programs written in languages such as C and C++, Perl programs do not need to be compiled for execution; the interpreter simply interprets and executes them. The term script is often used for such interpreted programs written in a shell’s programming language or in Perl.

For example, as per the image below, you can see I’ve created a file “script.pl” in which I have stored some lines of code, or one can say have created a small script (one can create any script as per requirements), that prints its output on the screen. So, to view your script, use the command as below:

Help to execute code on the command line: This can be used to run a piece of Perl code without creating a file. Due to differences between the Unix/Linux shell and the MS Windows command prompt, we need to use different quotes around our code.

In the screenshot below, I’m running a piece of code which prints “Welcome to Ignite Technologies”, using the “-e” argument to execute it.

Note: In simple words, one can say that the “-e” option is used to execute or print one line of code.

Help in a restricted shell environment: A user can use the -e option to break out from restricted environments by spawning an interactive system shell, and it plays a special role in privilege escalation. With the help of this, we can also run any command in a restricted environment. Suppose in our case I’m using this option to run the tail command to display the last few lines of the /etc/passwd file.

Help to wrap the code in a while loop: If we wish to wrap our code inside a loop that depends on certain conditions within the code, as defined by Perl, then we will use the “-n” option.

For example, in the image below, you can see that I have a file named “Infosec.txt”, and here instead of displaying the whole content I just want to print those lines which fulfil the condition.

On running the above command, Perl will check each line of the file Infosec.txt and print all those lines which contain our search word, i.e. Testing.

Help to edit file content: The Perl command is also used for editing file content. For this we will use the “-i” argument, which opens files one by one and replaces their content with what would otherwise have gone to STDOUT.

As you can see in the image below, I’ve used this option to convert the content of the file Infosec.txt to upper case.

The most common use of “-p” together with the “-i” option also provides “in-place editing”, which means that instead of printing to the screen, all the output produced by our one-liner will be written back to the same file it was taken from. Here we are using this to replace one word with another.

On running the above command, Perl will replace the word “IGNITE” with “Egnite” in the file Infosec.txt.

Perl in reverse shell: We all know that a reverse shell is a type of shell in which the target machine connects back to the attacking machine, and the attacking machine has a listener port on which it receives the connection.

So, here we are using a Perl command which will send back a reverse shell to a listening attacker, giving remote network access.


After running the above command, run nc -lvp 1234 on the attacker box to receive the shell.

Abusing Perl

Sudo Rights Lab Setup for Privilege Escalation

Above, we have covered the main operations that Perl can perform, but now we will move ahead to the task of privilege escalation. To do this, first we have to set up our lab with the Perl command given administrative rights. After that, we will check what impression the Perl command leaves after getting sudo rights and how we can use it further for privilege escalation.

From the image below it can be clearly understood that I have created a local user (demo) who owns sudo rights as root and can achieve all tasks as admin.

To add the sudo right, open the /etc/sudoers file and type the following under User privilege specification.

Exploiting Sudo rights

After adding user “demo” to the /etc/sudoers file, we will start exploiting the Perl facility by taking advantage of the sudoer’s permission. First of all we must have a session on the victim’s machine; only then can we execute this task. Suppose we got a session on the victim’s machine that gives us local user access to the targeted system, through which we can escalate to root user rights.

So now we will connect to the target machine with ssh; therefore, type the following command to get access through the local user login.

Then we look for the sudo rights of the “demo” user (if given) and find that user “demo” can execute the Perl command as “root” without a password.

Capabilities in Privilege Escalation

As we know, whenever a sticky bit is set on a file, every privileged and unprivileged user can easily access it; but if, for security purposes, we want to share or grant access to only a limited set of users or a single user, then we can simply use capabilities for this.

Capabilities are permissions that divide the privileges of the kernel user or kernel-level programs into small pieces, so that a process can be allowed sufficient power to perform specific privileged tasks.

From the image below it is clear that user “demo” can easily execute “perl” as root, and hence we have successfully accomplished our mission of privilege escalation using perl.

Conclusion: The main purpose of this article is to use the “Perl” command for privilege escalation; that’s why we have only covered the basic operations that can be achieved with this command.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

SUDO Security Policy Bypass Vulnerability – CVE-2019-14287

After the detection of a major security vulnerability, an immediate security fix to the ‘sudo’ package was officially released in the Ubuntu repositories. If you are not aware of the power of sudo rights, then read the post “Linux Privilege Escalation using Sudo Rights”, which will help you understand more about “CVE-2019-14287”, the latest vulnerability, which we discuss in this post.

In sudo before 1.8.28, the vulnerability CVE-2019-14287 is a security policy bypass issue in Linux/Ubuntu before 19.10 that gives a local user or program the ability to carry out commands as root or superuser on a Linux system even when the “sudoers configuration” clearly prohibits root access.

For example, this allows the bypass of a “!root” configuration, and of USER= logging, for a “sudo -u \#$((0xffffffff))” command.

Exploiting CVE-2019-14287

Victim’s Machine

Let’s suppose the system admin has created a local user who is not allowed to perform high-privilege tasks such as “cat /etc/shadow” to read the saved passwords of the system.

Similarly, we have created a user “demo” who is not able to run privileged tasks as superuser.

But suppose the admin makes the following configuration in the sudoers file:

where the admin has assigned sudo rights to the user “demo” to run programs or commands as any superuser other than root, clearly prohibiting root access using !root.


Or the system admin can use the following configuration too, which states the same permission as said above.

Let’s understand once again what a sudo right is and what the configuration above defines, with the help of the following image:

  • Username: demo
  • Host: ALL
  • Runas (user): ALL,!root
  • Runas (group): ALL,!root
  • Tag: NOPASSWD
  • Command to execute: ALL

So basically here demo is defined to execute ALL commands as ALL (user, group) other than root (user, group), and “ALL,!root” is a misconfiguration that causes a security loophole, because the user demo is restricted from performing tasks as root but not as admin. As a result, he can run a command as administrator (user “root”).

In other words, this fault gives a local user (attacker) the privilege of accessing the root shell, as demonstrated. Assume the attacker has the host machine's shell as a local user and has found the above-mentioned sudo rights; then the attacker can easily escalate to root privilege by using the privileged user’s id, i.e. -u#-1.
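Both sudo misconfigurations covered on this page, the NOPASSWD rule on an interpreter such as perl from the Perl article and the “ALL,!root” Runas spec that CVE-2019-14287 turns into root access, can be found by reading the sudoers rules rather than by trying them. The following script is an added defensive check, not part of the original articles: it scans sudoers-style lines for a Runas spec containing “!” and for NOPASSWD rules on binaries that can spawn a shell, and tests whether a version string in the format printed on the first line of `sudo -V` predates the 1.8.28 fix. The sudoers rules and version strings below are constructed samples; on a real host feed it the sudoers content and the real `sudo -V` output.

```shell
#!/bin/sh
# Added defensive check (not from the original articles): flag sudoers
# patterns discussed above and sudo versions older than the 1.8.28 fix.
# All sample input is constructed.

# Binaries that give an interactive shell or arbitrary file access when
# run as root, so a NOPASSWD rule on them is equivalent to root.
SHELL_ESCAPES='perl python python3 tar vi vim less more find awk bash sh'

# check_sudoers: reads sudoers rules on stdin, prints "FINDING<TAB>rule".
check_sudoers() {
    while IFS= read -r line; do
        case $line in ''|'#'*|Defaults*) continue ;; esac
        # The Runas spec sits in parentheses. A "!" inside it, e.g.
        # (ALL,!root), is the configuration CVE-2019-14287 bypasses.
        case $line in
            *'('*'!'*')'*) printf 'NEGATED_RUNAS\t%s\n' "$line" ;;
        esac
        case $line in
            *NOPASSWD*)
                for b in $SHELL_ESCAPES; do
                    case $line in
                        */"$b"|*/"$b"' '*|*/"$b",*)
                            printf 'NOPASSWD_SHELL_ESCAPE\t%s\t%s\n' "$b" "$line" ;;
                    esac
                done ;;
        esac
    done
}

# sudo_version_vulnerable VERSION: true (exit 0) when VERSION, given as
# "1.8.21p2" or as the full "Sudo version 1.8.21p2" line, is older than
# 1.8.28, the release that fixed CVE-2019-14287.
sudo_version_vulnerable() {
    v=${1#"Sudo version "}
    v=${v%%p*}                          # drop a patch-level suffix such as p2
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.8" has no third component
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 28 ]
}

# Constructed sudoers content: two safe rules, the two risky rules from
# the articles, and one harmless NOPASSWD-free rule.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
demo ALL=(ALL,!root) NOPASSWD: ALL
demo ALL=(root) NOPASSWD: /usr/bin/perl
raj ALL=(ALL) /usr/bin/apt'

printf '%s\n' "$SAMPLE_SUDOERS" | check_sudoers
for ver in 'Sudo version 1.8.21p2' '1.8.28' '1.9.5p2'; do
    if sudo_version_vulnerable "$ver"; then
        printf '%s: vulnerable to CVE-2019-14287, upgrade\n' "$ver"
    else
        printf '%s: not affected\n' "$ver"
    fi
done
```

A NEGATED_RUNAS finding only matters on a sudo older than 1.8.28, but the rule itself is still worth replacing with an explicit allow-list of Runas users, since excluding root by negation is the pattern that made the bypass possible.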

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Docker Privilege Escalation

In our previous article we discussed “Docker Installation & Configuration”, but today you will learn how to escalate to a root shell if docker is running on the host machine, or I should say docker privilege escalation to spawn a root shell.

We know that there is an issue with docker: all docker commands require sudo, as docker needs root to run. The Docker daemon works in such a way that access is allowed to the root user or any other user in the docker group. This means that access to the docker group is the same as giving permanent root access without any password. 🧐

Quick Lab setup

Execute the command below to install docker on your localhost machine. I have used Ubuntu 18.04 here as the target machine.

Create a local user with least privileges, say “ignite”, and add the new group “docker” for “ignite”.

To proceed with privilege escalation, you should have local access to the host machine; therefore, here we choose ssh to access the machine as ignite, who is a local user on this machine.

Now we have access to a user who is part of the docker group, and as said above, if the user is part of the docker group then it is the same as giving permanent root access without any password. 😈

We ran the command shown below; this command obtains the alpine image from the Docker Hub registry and runs it. The -v parameter specifies that we want to create a volume in the Docker instance. The -it parameters put Docker into shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine into the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traversed into the /mnt directory and found flag.txt.

Similarly, an intruder can mount other system files to escalate the privilege of the local user; for example, he can mount passwd, shadow or ssh keys.

As you can see here, we try to mount the /etc directory to obtain the shadow file; similarly one can access the passwd file and add his own privileged user. 🤔

So, if you have access to the shadow file then you can try to crack the password hashes, and if you have access to the passwd file you can add your own privileged user by generating a password salt as shown here.

Now there is a new record inside the passwd file for your user.

From the image below you can observe that we now have user raj as a member of root. Thus, we switch to raj and access the root shell.

Thus, in this way we can escalate the permissions of a host machine. Hope you will enjoy this little but powerful post. 😊
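Since membership of the docker group is equivalent to passwordless root, as the article states, the defensive counterpart to the walkthrough above is to know exactly which accounts hold that membership. The following audit script is an added example, not part of the original article: it joins /etc/group with /etc/passwd so that only docker group members with a real login shell (not nologin or false) are reported, which is the list an administrator should review against the set of people who are meant to have root. The group and passwd contents are constructed samples; pass the real files on a host you administer.

```shell
#!/bin/sh
# Added audit helper (not from the original article): list login-capable
# members of the docker group, i.e. accounts that are root-equivalent on
# the host. Sample group/passwd content is constructed.

# group_members FILE GROUP: print GROUP's comma-separated member list
# from a group(5)-format file; exit 1 when the group does not exist.
group_members() {
    while IFS=: read -r name _pw _gid members; do
        if [ "$name" = "$2" ]; then
            printf '%s\n' "$members"
            return 0
        fi
    done < "$1"
    return 1
}

# has_login_shell FILE USER: true when USER's shell in a passwd(5)-format
# file is not one of the usual account-locking shells.
has_login_shell() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        if [ "$name" = "$2" ]; then
            case $shell in
                */nologin|*/false|'') return 1 ;;
                *) return 0 ;;
            esac
        fi
    done < "$1"
    return 1
}

# docker_root_equivalents GROUPFILE PASSWDFILE: one login-capable docker
# group member per line. Each can start a container with the host root
# filesystem mounted, which is full root on the host.
docker_root_equivalents() {
    gf=$1; pf=$2
    members=$(group_members "$gf" docker) || return 0   # no docker group: nothing to report
    old_ifs=$IFS; IFS=','
    set -- $members                 # split the member list on commas
    IFS=$old_ifs
    for u in "$@"; do
        if has_login_shell "$pf" "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Constructed samples: svc is in the docker group but cannot log in.
SAMPLE_GROUP='root:x:0:
sudo:x:27:raj
docker:x:999:ignite,svc,raj'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ignite:x:1001:1001::/home/ignite:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
raj:x:1003:1003::/home/raj:/bin/bash'

d=$(mktemp -d)
printf '%s\n' "$SAMPLE_GROUP" > "$d/group"
printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
echo 'Root-equivalent via docker group (constructed sample):'
docker_root_equivalents "$d/group" "$d/passwd"
rm -rf "$d"
# On a real host: docker_root_equivalents /etc/group /etc/passwd
```

Accounts that appear in the output but are not meant to be administrators should be removed from the group with `gpasswd -d USER docker`; the same join can be run on any other group that grants the ability to mount the host filesystem.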

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration Testing.