Linux for Pentester: Time Privilege Escalation

In this article we talk about the time command, a Linux utility, learn how helpful it is in Linux penetration testing, and see how it can be abused to obtain a higher-privilege shell.

Table of Contents

All About Linux Time Command

Major Operations Performed by Time

Abusing Time Utility

  • SUID Lab Setups for Privilege Escalation
  • Privilege Escalation
  • Sudo Lab Setups for Privilege Escalation
  • Privilege Escalation

All About Linux Time Command

The time command runs the specified program with the given arguments. When the command finishes, time writes a message to standard error giving timing statistics about that run.

These statistics consist of:

  • the elapsed real (wall-clock) time between invocation and termination, reported as real.
  • the user CPU time, reported as user.
  • the system CPU time, reported as sys.

time may exist as a stand-alone program (such as GNU time) or as a shell keyword (in sh, bash, tcsh or zsh).

To identify every kind of time installed, we run this:

Here "time is a shell keyword" means it is a keyword built into bash, whereas "time is /usr/bin/time" denotes the GNU time binary.

Major Operations Performed by Time

One can use "help time" or "man time" to explore the summary and see what the time command is for.

Run Command

As said above, the time command computes timing statistics for any program run (including a pipeline's execution). For example, to compute the time taken by the date command:

As a result, you will notice that it first runs the date command and prints the full date with time zone, then discloses the time taken by date as real, user CPU and system CPU time in seconds. GNU time prints the same information with some extra details, such as total inputs and outputs.

Use the -p option with /usr/bin/time to obtain output in the format the bash time keyword uses.

Note: The real, user and system time will be zero for any program that runs repeatedly, because on later runs the program is loaded from the system's cache memory.

Save Output

By default, the time command displays the timing statistics in the terminal at the end of the program's execution, but if you want to store them in a file, use the -o option.

Syntax: /usr/bin/time -o [path of output file] command

Verbose Mode

You can use the -v option for verbose mode; here you can see the resources consumed internally to produce the output for the given input.

Formatting String

The format string generally consists of 'resource specifiers' combined with plain text, using a percent sign (`%') as shown below.

You can use \n for a new line when printing the format string, as shown in the screenshot.
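How a timing wrapper gathers the real, user and sys figures and expands the -p, -o and -f output styles described above, as an added Python example; this is not code from the page and not GNU time's source. The specifier letters follow GNU time's documented ones, and the slow command it times is a constructed sleep. The detail worth keeping in mind for the lab sections that follow: the wrapper simply spawns the command with its own credentials, so whatever privilege the wrapper holds, the program it times holds too.

```python
import resource
import subprocess
import sys
import time


def sleep_command(seconds):
    """A constructed command that just sleeps, so there is something to time."""
    return [sys.executable, "-c", "import time; time.sleep(%s)" % seconds]


def run_timed(argv):
    """Run argv the way /usr/bin/time does and return its three statistics.

    real: wall-clock seconds between invocation and termination.
    user/sys: CPU seconds the child spent in user mode and in the kernel, taken
    from the difference in getrusage(RUSAGE_CHILDREN) around the wait, which is
    also how shells compute them for their built-in time keyword.
    """
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    proc = subprocess.run(argv)        # the child inherits this process's credentials
    real = time.monotonic() - start
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    return {
        "cmd": " ".join(argv),
        "real": real,
        "user": after.ru_utime - before.ru_utime,
        "sys": after.ru_stime - before.ru_stime,
        "exit": proc.returncode,
        "maxrss_kb": after.ru_maxrss,  # peak resident set of waited-for children (KiB on Linux)
    }


def portable(stats):
    """The -p (POSIX) layout: three lines with two decimals, as GNU time prints it."""
    return "real %.2f\nuser %.2f\nsys %.2f" % (stats["real"], stats["user"], stats["sys"])


# A subset of GNU time's resource specifiers, each mapped to the text it expands to.
SPECIFIERS = {
    "e": lambda s: "%.2f" % s["real"],   # elapsed real seconds
    "U": lambda s: "%.2f" % s["user"],   # user CPU seconds
    "S": lambda s: "%.2f" % s["sys"],    # system CPU seconds
    "x": lambda s: str(s["exit"]),       # exit status of the command
    "C": lambda s: s["cmd"],             # command name and arguments
    "M": lambda s: str(s["maxrss_kb"]),  # maximum resident set size
    "%": lambda s: "%",                  # a literal percent sign
}


def format_stats(fmt, stats):
    """Expand a -f style format string: %<spec> items plus \\n and \\t escapes."""
    out = []
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == "%" and i + 1 < len(fmt) and fmt[i + 1] in SPECIFIERS:
            out.append(SPECIFIERS[fmt[i + 1]](stats))
            i += 2
        elif ch == "\\" and i + 1 < len(fmt) and fmt[i + 1] in ("n", "t"):
            out.append("\n" if fmt[i + 1] == "n" else "\t")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def save_stats(path, text):
    """Like -o: write the report to a file instead of standard error."""
    with open(path, "w") as fh:
        fh.write(text + "\n")
    return path


if __name__ == "__main__":
    stats = run_timed(sleep_command(0.2))
    sys.stderr.write(portable(stats) + "\n")
    sys.stderr.write(format_stats("%C took %e s (user %U, sys %S), status %x\\n", stats))
```

The statistics go to standard error, as with the real tool, so they never mix with the timed program's own output.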

Abusing Time Utility

SUID Lab Setups for Privilege Escalation

The SUID bit allows a user to execute a file with the privileges of the file's owner. Now we enable the SUID permission on time so that a local user can run time as the root user.

Hence type the following to enable the SUID bit:

Privilege Escalation

Now we start exploiting time by taking advantage of the SUID permission. For this, I'm creating a session on the victim's machine, which gives us local user access to the targeted system.

Now we need to connect to the target machine over ssh, so type the command:

Since we have access to the victim's machine, we use the find command to identify binaries with the SUID permission set.

Here we find that the SUID bit is set on many binaries, but the one we are concerned with is /usr/bin/time.

Taking advantage of the SUID permission on time, we grab the shadow file to extract the password hashes.

Now I use the John the Ripper tool to crack the password hashes. By doing so we get the user's credentials, as shown in the image below.

Once we have the user's credentials we can switch user. First we check the sudo rights for user raj and notice that user "raj" has ALL privileges.

Therefore, we switch to the root account directly and obtain a root shell, as shown in the image. Hence we have successfully used the time utility for privilege escalation.

Sudo Rights Lab Setups for Privilege Escalation

Our next step is to set up the sudo rights lab, in other words to grant a user sudo privileges for the time executable. Here we add a user named test to the sudoers file and give user test permission to run /usr/bin/time as the root user.

Privilege Escalation

Now we connect through ssh from Kali and run sudo -l (the sudo list), which shows that user test has permission to run /usr/bin/time as the root user.

As we saw above, the time command runs a program and computes the time it takes; we now take advantage of that property of the time command.

Conclusion: In this post we have discussed the time command and demonstrated how an intruder can escalate privileges using the time utility because of the permissions allowed on it.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: xxd Privilege Escalation

In this article we introduce our readers to another useful command, "xxd", which converts any file to a hex dump and vice versa. Knowing this, we will then check how it can be applied to privilege escalation.

Table of Contents

Introduction to xxd

  • Major Operation performed using xxd

Exploiting xxd

  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID

Introduction to xxd

Whenever we want to convert a file from one format to another, we can simply use an online converter that turns a file into the desired format, such as "pdf to word, jpg to pdf, excel to pdf" etc. But what if someone wants a file in its hexadecimal or binary form?

So in this article I'm focusing on how one can easily get the hex dump or binary form of any file. This can be achieved with the Linux command "xxd". The xxd command lets the user generate a hex dump of a given file and can also reverse a hex dump back to its original ASCII form. This can also help when encoding and decoding an unfamiliar file.

First we check its help/man page to identify how xxd is used for this conversion.

Typing the above command gives a list of arguments that can be used with xxd to generate the hex dump of a given file.

Major Operation performed using xxd

Convert file contents into hex: For instance, I create a new file named "secret.txt" and want to convert its whole content into hexadecimal, so I type the command below to produce the desired output.

Syntax: xxd <options> filename

From the image below it is clear that xxd has generated the hex dump of the file "secret.txt".

Here we can observe that the hex dump is obtained in its default format:

  • An offset indexing each line (e.g. 00000000, 00000010, 00000020 … 00000220).
  • The default number of octets per group is 2 (-e: 4 for a little-endian hex dump), which gives a group size of 4 bytes (e.g. 4967 6e69 … 6e67).
  • The standard column length is 16 bits, whitespace included (e.g. Ignite is Having).

Skip the first n lines with xxd: When converting a file there may be lots of data that is of no use to us, so instead of dumping everything we can skip the content we don't need (skip a number of lines). For this, xxd can skip the first n lines and produce hex values only after the skipped lines.

Suppose we want to generate the hex dump from line 5 onward; this is achieved with the "-s" argument after the xxd command.

Limit output to a particular length: Above I explained how to retrieve data by skipping a number of lines, i.e. output from a specific line onward; if instead we need to limit the length of the output, we use the "-l" argument instead of "-s".

Here I'm limiting the length of the output to print data up to the 5th line, as shown in the screenshot below.

Hence we can observe the difference between the two commands: the first generates hex values starting from the 6th line and the second ends at the 5th line according to the hex indexing; refer to the screenshot above.

Convert file contents into binary: In all the images above the file was dumped in its "hex form", but whenever we wish to produce the "binary form" of a file we use the "-b" option. With this option the result switches to a bit dump (binary digits), grouping the output into octets of "1 or 0" rather than a hex dump. To obtain the output shown in the image below, type the command:

Set column length: Above I described how to skip and limit the output. Now I will illustrate how to set the column length. By default it is 12 or 16 for any dumped file, but now I will explain what else we can do.

For this I'm taking three cases:

Default: As we know the default column length is 16. This prints 16 characters, including whitespace.

Set the column length to 32: I have set the end index to limit the printed data range with the "-l" option; after that I set the column length to "32" with the "-c" argument.

From the screenshot below we can easily see how xxd has limited the column length.

Set the column length to 9: As above, I now set the column length to "9" following the same process.

In every case xxd has created the hex dump of the file by counting each character, including whitespace.

Print plain hex dump style: The postscript option "-ps" is used only when we require the output in plain hex dump style. Here we have saved its output in the file hex to obtain the plain hexadecimal value of secret.txt. To verify the result we used the cat command to read the output from the hex file.

From the image below it is clear how xxd has created the plain hex dump of the file "secret.txt", omitting the plain text column.

Revert a file: To return any generated output to its original form we use the "-r" option. In our case we used "-r -p" to reverse the plain hex dump output back into its ASCII form.

Group size in bytes: If we need to group the output into a number of octets we use the "-g" option. By default it is 2 (-e: 4 for a little-endian hex dump). So if we set this value to 4, the output is grouped into 8 bits.

In the screenshot below we have set this value to 8, which groups the output into 16 bits, to make the result more concise.
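The xxd output layout this section walks through (offset column, two-octet groups, 16 octets per line, the ASCII column, and the -s, -l, -c, -g, -b, -p and -r options), as an added Python re-implementation; it is not code from the page and not part of xxd itself, and the sample text is constructed here. It goes a little beyond the screenshots by showing exactly how each option changes the layout, including the padding that keeps the text column aligned on a short final line, and why -r recovers the file byte for byte.

```python
import math


def _ascii(chunk):
    """The right-hand column: printable ASCII shown as-is, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)


def _grouped(chunk, groupsize, render):
    """Render each octet and insert one space after every `groupsize` octets."""
    return " ".join("".join(render(b) for b in chunk[i:i + groupsize])
                    for i in range(0, len(chunk), groupsize))


def _dump(data, cols, groupsize, seek, length, digits, render):
    end = None if length is None else seek + length
    view = data[seek:end]
    # Width of a full line's hex field; a short final line is padded to it so
    # the text column always starts at the same position.
    width = cols * digits + (math.ceil(cols / groupsize) - 1)
    out = []
    for off in range(0, len(view), cols):
        chunk = view[off:off + cols]
        field = _grouped(chunk, groupsize, render)
        out.append("%08x: %-*s  %s\n" % (seek + off, width, field, _ascii(chunk)))
    return "".join(out)


def xxd(data, cols=16, groupsize=2, seek=0, length=None):
    """Default layout: absolute offset, 2-octet groups, 16 octets per line (-c, -g, -s, -l)."""
    return _dump(data, cols, groupsize, seek, length, 2, lambda b: "%02x" % b)


def xxd_bits(data, cols=6, groupsize=1, seek=0, length=None):
    """-b: every octet as eight binary digits, six octets per line by default."""
    return _dump(data, cols, groupsize, seek, length, 8, lambda b: format(b, "08b"))


def xxd_plain(data, cols=30):
    """-p / -ps: continuous hex, no offsets and no text column, 30 octets per line."""
    hexstr = data.hex()
    step = cols * 2
    return "".join(hexstr[i:i + step] + "\n" for i in range(0, len(hexstr), step))


def xxd_reverse(dump, plain=False):
    """-r: rebuild the original bytes from a default-style dump, or -r -p from a plain one."""
    if plain:
        return bytes.fromhex("".join(dump.split()))
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        rest = line.split(":", 1)[1].lstrip()
        field = rest.split("  ", 1)[0]        # the hex field ends at the first double space
        out += bytes.fromhex(field.replace(" ", ""))
    return bytes(out)


if __name__ == "__main__":
    sample = b"Ignite is Having a secret in this file.\n"   # constructed stand-in for secret.txt
    print(xxd(sample), end="")
    print(xxd(sample, cols=9, seek=8, length=16), end="")
    print(xxd_bits(sample[:6]), end="")
    print(xxd_plain(sample), end="")
    assert xxd_reverse(xxd(sample)) == sample
    assert xxd_reverse(xxd_plain(sample), plain=True) == sample
```

Because a dump contains every octet of the input and `xxd_reverse` turns it back into those octets, a hex dump is as faithful a copy of a file as the file itself; that is the property a reviewer should keep in mind whenever a hex-dump tool is allowed to run with someone else's privileges.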

SUID Lab Setups for Privilege Escalation

The SUID bit allows a user to execute a file with the privileges of the file's owner. Now we enable the SUID permission on xxd so that a local user can run xxd as the root user.

Hence type the following to enable the SUID bit:

Exploiting SUID

Now we start exploiting xxd by taking advantage of the SUID permission. For this, I'm creating a session on the victim's machine, which gives us local user access to the targeted system.

Now we need to connect to the target machine over ssh, so type the command:

Since we have access to the victim's machine, we use the find command to identify binaries with the SUID permission set.

Here we find that the SUID bit is set on many binaries, but the one we are concerned with is /usr/bin/xxd.

Taking advantage of the SUID permission on xxd, we grab the shadow file to extract the password hashes.

In the image below I first asked xxd to dump the /etc/shadow file, which produces its hex dump, and piped that into xxd again to revert the output.

Now I use the John the Ripper tool to crack the password hashes. By doing so we get the user's credentials, as shown in the image below.

Once we have the user's credentials we can switch user. First we check the sudo rights for user raj and notice that user "raj" has ALL privileges.

Therefore, we switch to the root account directly and obtain a root shell, as shown in the image. Hence we have successfully used the xxd command for privilege escalation.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: CAT Privilege Escalation

Today we are going to talk about the cat command, learn how helpful it is in Linux penetration testing, and see how it can be abused to obtain a higher-privilege shell.

Table of Content

  • Introduction to CAT
  • Major Functions of CAT command
  • Sudo rights Lab setups for Privilege Escalation
  • Exploiting Sudo Rights

Introduction to CAT

In Linux, cat stands for "catenate", and it is one of the most frequently used commands on Unix-like operating systems. It reads files and displays their content as output. It enables us to create, view and link files. So with the cat command we can not only see a file's content; we can also copy the content of one file into another, view files with line numbers, and so on. Beyond this, we will do something new that you might not have thought of: privilege escalation using the cat command. Sounds interesting, doesn't it? So let's start.

Major Functions of CAT command

First we run the cat -h command, which means help and lists all the options available for the cat command, as we can see in the picture below.

Write and Read a file:

Our next step is to create a file using the cat command. For this we use the greater-than sign (>) after the cat command to generate a new file. So we created a new file named notes.txt using (>) after cat and wrote the content we want to keep in the file; in our case I wrote "Welcome to Hacking articles" into notes.txt.

Not only this, we can also add to the content of an existing file without opening it by using the greater-than sign twice (>>), as you can see in the screenshot where we added "Join Ignite Technologies" to notes.txt.

Now we can confirm this by reading the file once again.

Number all output lines:

Now let's say we want to view the file contents preceded by line numbers, in other words view the output serialised. First we create a new text file named dict.txt containing some content that will be easy to read numbered with the -n option.

As a result, this adds a serial number column for every line, as shown below:

Overwriting a file

Now we want to copy the content of dict.txt into notes.txt, in other words overwrite notes.txt. To do this we first write the name of the file whose content is to be copied, then the greater-than sign (>), then the name of the file whose content we want to replace.

As you can observe in the picture below, we have replaced the content of notes.txt with that of dict.txt.

Concatenating files:

Now we want to merge two files, in other words combine them. What do we do? It's again very simple: we use the greater-than sign again, but this time twice (>>), and the content is merged successfully. Here we have another new file, pass.txt, and we merge the two files using (>>) as shown in the image below. Then we again use -n to number the content, as we did above.

As a result, you can observe that we have concatenated dict.txt into pass.txt.

Reverse order

As the name suggests, we can reverse all the content using the tac command, which is simply cat in reverse and exists for this purpose only.

With the help of the tac command we reverse the file by flipping it vertically, as shown below.

Sudo rights Lab setups for Privilege Escalation

Our next step is to set up the sudo rights lab, in other words to grant a user sudo privileges for the cat executable. Here we add a user named test to the sudoers file and give user test permission to run the cat command as root.

Exploiting Sudo Rights

Now we connect through ssh from Kali and run sudo -l (the sudo list), which shows that user test has permission to run cat as root.

Our next step is to exploit the sudo rights through the cat command. So we run cat /etc/shadow to see all the users and their respective password hashes.

Wonderful! We have the list of all users and their password hashes.

Cracking the Hash Password

Our next step is to crack the hashes, for which we use the "John the Ripper" tool to recover the password from the hash. First we pick one user whose password we want to check, then run the following command in the terminal:

Great! We cracked the password successfully. Now we switch to user raj to check whether we can log in with that password, and we see that we have successfully logged in as user raj.

Now we run sudo -l to check the rights of user raj and find that he has all root permissions.

Now we again switch to user root; we are logged in as root, and running the id command confirms that we have a root shell.

So we have performed privilege escalation through the cat command successfully.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

Linux for Pentester: Find Privilege Escalation

Today we are back with another very useful command in the Linux for Pentester series, "find". The find command is used to search for files and directories; knowing this, we will now illustrate how it can be used in privilege escalation.

Table of Content

Introduction to Find

  • Major Operation performed using Find

Exploiting Find

  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights
  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID

Introduction to Find

The find command is a command-line facility for walking a file hierarchy to locate files and directories as the user desires. It can search by a variety of criteria such as "size, permissions, date of modification/access, user, group" and many more, as the user requires.

Like every command, find can be understood concisely from its help/man page, as in the image below.

Major Operation performed using Find

Search for a file by name in the current directory: This lets the user search for a file by a specific name. Suppose we want to search for a text file named "raj" in the current directory; simply compose the command as in the screenshot below.

Search for a file by name in the home directory: If we wish to find all files under the home directory with a given name, in our case "raj.txt", form the command as below:

(This lets the user find every "raj.txt" file under the home directory.)

Find files by extension: This is done by specifying the particular file extension. If a user wants to fetch files by extension, it can be done with the "-type f" option after find; in our scenario we are searching for .txt files.

One can also use "-type d" instead of "-type f" to retrieve directories.

This command prints all .txt files as the desired output.

Find files with full permissions: Whenever anybody wishes to look for files that have full permissions, i.e. "777", this is simply done with "-perm 0777" after the find command together with the "-type f" option, which prints all files that have "777".

Find all files of a specific user in a directory: If we need to find all files that belong to a particular user under a selected directory, we execute the command as:

In our instance we are searching for all files that belong to user "raj" under the "tmp directory".

Find all hidden files: If we want to find all hidden files within a directory, we type the command as below:

This command lists all hidden files in the current directory.

Find all readable files within a directory: To find all readable files in a specific directory. In the screenshot below we are looking for all files that are readable under the /etc directory.

Typing the above command lists all readable files under /etc.

Find SUID files: Whenever a command with the SUID bit set runs, its effective UID becomes that of the file's owner. So if we want to find all files that have the SUID bit set, type the command:

Find SGID files: The SGID permission is similar to SUID, the only difference being that when a command with SGID set runs, the process takes the group ownership of the file. To find all files that have the SGID bit set, type the command:

Find SUID and SGID files simultaneously: If we want to fetch all files that have both bits, "SUID & SGID", set, frame the command as:

Find all writable files: To find any writable directories within a chosen directory such as /home, /tmp or /root, run the command as:

As per the image below, we have found all writable directories under /home.

Exploiting Find

Sudo Rights Lab setups for Privilege Escalation

Now we set up our lab for the find command by granting it higher privileges, i.e. administrative rights. As we know, the behaviour of every command changes once it runs with higher privileges. We will check the same for find, see what effect sudo rights have on it, and how we can use it further for privilege escalation.

To see this more clearly, first we create a local user (test) who holds sudo rights as root.

To add the sudo right, open the /etc/sudoers file and add the line below under the user privilege specification.

Exploiting Sudo rights

Now we start exploiting find by taking advantage of the sudoers permission. For this we need a session on the victim's machine, which gives us local user access to the targeted system and supports us further in escalating to the root user's rights.

For this we need to connect to the target machine over ssh, so type the command shown below.

Then we checked the sudo rights of the "test" user (if any) and found that user "test" can execute find as "root" without a password.

The find command lets you perform specific actions such as "print, delete and exec". So here we take advantage of "exec" to run a command that gives us a root shell by launching /bin/bash through find, as shown below:

On running the above command we successfully obtained a root shell, as shown in the image below.

SUID Lab setups for Privilege Escalation

As we know, the SUID bit allows a user to execute a file with the privileges of its owner. Now we enable the SUID permission on find so that a local user can run find as the root user.

Hence type the following to enable the SUID bit:

Exploiting SUID

Since we have access to the victim's machine, we use the find command to identify binaries with the SUID permission set.

Here we find that the SUID bit is set on many binaries, but the one we are concerned with is /usr/bin/find.

As we know, find lets the user perform specific actions such as print, delete and exec. So here again we take advantage of "exec" to run another command, "whoami".

Similarly, you can use the find command to escalate to root privileges.
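The find criteria listed earlier in this article (name, extension, type, exact permissions, owner, hidden files, SUID, SGID and writable entries) and the two lab conditions this whole series turns on (a SUID bit on time, xxd or find, and a sudoers rule letting test run time, cat or find as root), as one added Python audit script. It is not code from the page or from Hacking Articles; the watchlist of binaries is constructed from the four articles here, the sudoers text is a constructed sample in the shape of the lab setups, and the directory tree is created in a temporary folder. The sudoers parser handles only plain user-specification lines, not aliases or includes.

```python
import os
import pwd
import re
import stat
import tempfile
from dataclasses import dataclass

# Binaries this article series shows being abused once they carry SUID or a sudo
# rule; a constructed watchlist for the audit, to be extended per environment.
WATCHLIST = {"time", "xxd", "cat", "find"}


@dataclass
class Entry:
    path: str
    mode: int    # full st_mode: file type plus permission bits
    owner: str   # user name, or the numeric uid when it has no passwd entry


def scan_tree(root):
    """Walk `root` the way find does, with lstat so symlinks are not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            yield Entry(path, st.st_mode, owner)


def matches(e, name=None, ext=None, ftype=None, perm=None, user=None,
            hidden=False, suid=False, sgid=False, world_writable=False):
    """One find-style test per keyword: -name, -name '*.ext', -type f/d, -perm mode
    (exact bits), -user, -name '.*', -perm -4000, -perm -2000 and -perm -o+w."""
    base = os.path.basename(e.path)
    return all([
        name is None or base == name,
        ext is None or base.endswith(ext),
        ftype != "f" or stat.S_ISREG(e.mode),
        ftype != "d" or stat.S_ISDIR(e.mode),
        perm is None or stat.S_IMODE(e.mode) == perm,
        user is None or e.owner == user,
        not hidden or base.startswith("."),
        not suid or bool(e.mode & stat.S_ISUID),
        not sgid or bool(e.mode & stat.S_ISGID),
        not world_writable or bool(e.mode & stat.S_IWOTH),
    ])


def find_entries(entries, **criteria):
    return sorted(e.path for e in entries if matches(e, **criteria))


def audit_suid(entries):
    """Regular files with SUID or SGID set; risky when the name is on the watchlist,
    because such a tool runs as the file owner and reads or executes on the caller's behalf."""
    findings = []
    for e in entries:
        if not stat.S_ISREG(e.mode):
            continue
        bits = [b for b, flag in (("SUID", stat.S_ISUID), ("SGID", stat.S_ISGID)) if e.mode & flag]
        if bits:
            findings.append({"path": e.path, "bits": "+".join(bits), "owner": e.owner,
                             "risky": os.path.basename(e.path) in WATCHLIST})
    return findings


# Minimal parser for plain User_Spec lines: "who host=(runas) [TAG:] cmd, cmd".
_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
_TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")


def sudoers_findings(text):
    """Rules that grant ALL, or a watchlisted binary, to a user."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            prog = _TAGS.sub("", cmd.strip()).split()[0]
            reason = "ALL" if prog == "ALL" else "watchlist" if os.path.basename(prog) in WATCHLIST else None
            if reason:
                findings.append({"user": m.group("who"), "runas": m.group("runas") or "root",
                                 "command": prog, "reason": reason})
    return findings


SAMPLE_SUDOERS = """\
# constructed sample in the shape of this series' lab setups, not a real file
Defaults env_reset
root ALL=(ALL:ALL) ALL
test ALL=(root) NOPASSWD: /usr/bin/time
test ALL=(ALL) NOPASSWD: /usr/bin/find, /bin/cat
raj ALL=(ALL:ALL) ALL
"""


def make_sample_tree():
    """Constructed directory for the find tests; returns the paths it created."""
    root = tempfile.mkdtemp(prefix="find-demo-")
    paths = {"root": root, "sub": os.path.join(root, "sub"),
             "raj": os.path.join(root, "raj.txt"), "hidden": os.path.join(root, ".secret"),
             "notes": os.path.join(root, "sub", "notes.txt")}
    os.mkdir(paths["sub"])
    for key in ("raj", "hidden", "notes"):
        open(paths[key], "w").close()
    os.chmod(paths["notes"], 0o777)          # the "full permission" case from the text
    return paths


if __name__ == "__main__":
    p = make_sample_tree()
    entries = list(scan_tree(p["root"]))
    print("777 files:", find_entries(entries, perm=0o777, ftype="f"))
    for f in audit_suid(scan_tree("/usr/bin")):
        print("SUID/SGID:", f)
    for f in sudoers_findings(SAMPLE_SUDOERS):
        print("sudo rule:", f)
```

Run against a real host, `audit_suid(scan_tree("/"))` and `sudoers_findings(open("/etc/sudoers").read())` surface exactly the two misconfigurations these four labs set up; either finding is the cue to remove the SUID bit or tighten the sudo rule, since each of the watchlisted tools can read or run other files with the privilege it is given.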

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.