Lxd Privilege Escalation

In this post we are going to describes how an account on the system that is a member of the lxd group is able to escalate the root privilege by exploiting the features of LXD.

A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user. There are multiple methods to exploit this.

One of them is to use the LXD API to mount the host’s root filesystem into a container which is going to use in this post. This gives a low-privilege user root access to the host filesystem. 

Table of Content

  • Introduction to LXD and LXC
  • Container Technology
  • LXD Installation and Configuration
  • LXD Installation and Configuration

Introduction to LXD and LXC

Linux Container (LXC) are often considered as a lightweight virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel.

Linux daemon (LXD) is the lightervisor, or lightweight container hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before. It uses the stable LXC API to do all the container management behind the scene, adding the REST API on top and providing a much simpler, more consistent user experience.

Container Technology

Container technology comes from the container, is a procedure to assemble an application so that it can be run, with its requirements, in isolation from other processes container applications with names like Docker and Apache Mesos ‘ popular choices have been introduced by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google Cloud Platforms.

Requirement

Host machine: ubuntu 18:04

Attacker machine: Kali Linux or any other Machine

Let’s Begin !!

So here you can observe that we have a profile for user “raj” as a local user account on the host machine.

LXD Installation and Configuration

Now install lxd by executing the following command:

Also, you need to install some dependency for lxd:

Now to add a profile for user: raj into the lxd group, type following command:

So now you can observe user “raj” is part of lxd groups.

Now you can configure LXD and start the LXD initialization process with the lxd init command. During initialization it will ask for choosing some option, here majorly we have gone with DEFAULT options. But for the storage backend, we have choose “dir” instead of zfs.

Once you have configured the lxd then you can create a container using lxc. Here we are creating a container for “ubuntu:18.04” and named as “intimate-seasnail”. Further use lxc list command to view the available installed containers.

Connect to the container withthe help of lxc exec command, which takes the name of the container and the commands to execute:

Once your are inside the container, the shell prompt will look like as following below.

Privilege Escalation

Privilege escalation through lxd requires the access of local account, therefore, we choose SSH to connect and take the access local account on host machine.

Note: the most important condition is that the user should be a member of lxd group.

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:

  1. Steps to be performed on the attacker machine:
  • Download build-alpine in your local machine through the git repository.
  • Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
  • Transfer the tar file to the host machine
  1. Steps to be performed on the host machine:
  • Download the alpine image
  • Import image for lxd
  • Initialize the image inside a new container.
  • Mount the container inside the /root directory

So, we downloaded the build alpine using the GitHub repose.

On running the above command, a tar.gz file is created in the working directory that we have transferred to the host machine.

On another hand we will download the alpine-image inside /tmp directory on the host machine.

After the image is built it can be added as an image to LXD as follows:

use the list command to check the list of images

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it.

Source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. It is not a cheatsheet for Enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list on our experience.

NOTE: This is a brief version of this Cheatsheet. For the complete privilege escalation Cheatsheet visit our GitHub page.

Table of Content

  1. Abusing Sudo Rights
  2. SUID Bit
  3. Kernel Exploit
  4. Path Variable
  5. Enumeration
  6. MySQL
  7. Crontab
  8. Wildcard Injection
  9. Capabilities
  10. Writable etc/passwd file
  11. Writable files or script as root
  12. Buffer Overflow
  13. Docker

Abusing Sudo Rights

The word sudo stands for Super User and Do. Basically, the keyword ‘sudo’, when used as a prefix to a command will allow you to run the said command as root without changing your user. When you run any command along with sudo, it will ask for root privileges in order to execute the command and here, Linux will confirm if that particular username is in the sudoers file. If the information matches to the sudoers file then that command will run and if not then you cannot run the command or program using the sudo command. As per sudo rights the root user can execute from ALL terminals, acting as ALL users: ALL group, and run ALL command. So, we can manipulate such rights and use them to our advantage as we have done it many CTF’s.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

1. Ted:1
2. KFIOFan: 1
3. 21 LTR: Scene1
4. Skytower
5. Matrix: 1
6. Sputnik 1
7. Sunset
8. DC-2
9. Kioptrix: Level 1.2
10. Matrix-3

SUID Bit

Set User ID (SUID) is a form of permission that lets the user execute any file with the permissions of a certain user. Those files which have suid permissions run with higher privileges. The maximum number of bits is used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set chmod 755, then it will look like as rwxr-xr-x. But when special permission is given to each user it becomes SUID, SGID, and sticky bits. When extra bit “4” is set to the user (Owner) it becomes SUID (Set user ID), then it will look like as rwsr-xr-x. SUID bits can be manipulated by changing the permission of a file so that we can execute or write it in as we choose to in order to gain access and do the needful.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

1. Kevgir
2. digitalworld.local – BRAVERY
3. Happycorp: 1
4. FourAndSix: 2
5. DC-1
6. dpwwn:2
7. MinU: v2
8. Toppo:1
9. Mr. Robot
10. Covfefe

Kernel Exploit

Kernel exploit is one of the most commonly used exploits nowadays as it is the most advanced attack there is today. It works for both Windows and Linux. In this attack, malicious code evades and takes control of the root/administrator to bypass user control access and as it abuses kernel.

1. pWnOS -1.0
2. LAMPSecurity: CTF 5
3. Kioptrix : Level 1.1
4. Hackademic-RTB1
5. Hackademic-RTB2
6. ch4inrulz : 1.0.1
7. Kioprtix: 5
8. Simple
9. SecOS: 1
10. Droopy

Path Variable

PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user runs any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

1. PwnLab
2. USV
3. Zeus:1
4. The Gemini inc
5. EW-Skuzzy
6. Nullbyte
7. symfonos : 1
8. Silky-CTF: 0x01
9. Beast 2

Enumeration

Enumeration is a phase of attacking where the attacker focuses on traversing through the system and network in order to find useful information such as password hashes, active connections, etc. During this, bash history and config files come handy as they often have the most useful data of which an attacker can take advantage.

1. The Library:1
2. The Library:2
3. LAMPSecurity: CTF 4
4. LAMPSecurity: CTF 7
5. Xerxes: 1
6. pWnOS -2.0
7. DE-ICE:S1.130
8. SickOS 1.1
9. Tommyboy
10. VulnOS: 1

MySQL

MySQL provides a mechanism by which the default set of functions can be expanded by means of a custom written dynamic libraries containing User Defined Functions, or UDFs.

  1. Kioptrix : Level 1.3
  2. Raven
  3. Raven : 2

Crontab

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/

  1. Billy Madison
  2. dpwwn: 1
  3. BSides Vancuver: 2018
  4. Jarbas : 1
  5. SP:Jerome

Wildcard Injection

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken therefore one can take the privilege of it to execute an arbitrary command using a wild asterisk (*) argument.

Read from here: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

  1. Milnet
  2. Pipe

Capabilities

Capabilities are referred to if there are any additional privileges given to a file or directory. This can also be manipulated to our own advantage in order to achieve the desired goal. It can override the permissions or the READ access to a filesystem along with the ability to call chroot.

  1. Kuya : 1
  2. DomDom: 1

Writable /etc/passwd file

/etc/passwd file is the one where passwords and usernames are saved with their every detail possible. So, if by chance you find that this file is writable then you can add your own user with or without password and bypass access control of the system.

  1. Hackday Albania
  2. Billu Box 2
  3. Bulldog 2

Writable files or script as root

Sometimes, there are often files which are writable. Such files can be edited with our developed malicious code. This code can either run as root or can run to gain root access. Thus, the writable files are quite important for privilege escalation.

  1. Skydog
  2. Breach 1.0
  3. Bot Challenge: Dexter
  4. Fowsniff : 1
  5. Mercy
  6. Casino Royale
  7. SP eric
  8. PumpkinGarden
  9. dpwwn: 1
  10. Tr0ll: 3

Buffer Overflow

A buffer is a sequential segment of the memory allocated to hold anything like a character string or an array of integers this particular vulnerability exists when a program tries to put more data in a buffer than it can contain or when a program tries to insert data in memory set past a definitive buffer. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

1. Tr0ll 2
2. IMF
3. BSides London 2017
4. PinkyPalace
5. ROP Primer
6. CTF KFIOFAN:2
7. Kioptrix : Level 1
8. Silky-CTF: 0x02

Docker

Docker was introduced to meet all the drawbacks of VMware. Docker has developed the concept of containers, it means whichever application you want to run in a virtual environment, the docker will create a container with the application and it’s every dependency. The only reason it is widely used than VMware is due to its efficiency. In Docker, all of the commands require sudo prefixing them. Docker design modules intrinsically give significant rights to any user who has access to the daemon. The Docker daemon allows access to either the root user or any user in the ‘docker’ group. This means being a member of the ‘docker’ group is same as gaining permanent root access.

  1. Donkey Docker
  2. Game of Thrones
  3. HackinOS : 1

Linux For Pentester: socat Privilege Escalation

Welcome back, to grab knowledge of another command from “Linux for pentester” series. As we know there are many tools that can help the user to transfer data. Similarly, we are going to take advantage of another command i.e. “socat” which is a utility for data transfer between two addresses. So, now we will take this benefit of “socat” in our mission of privilege Escalation.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.” 

Table of Content

Overview of socat             

  • What is socat
  • Basic parameters of socat
  • The operation achieved by socat

Abusing socat

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

What is socat

Socat is a network utility similar to netcat which supports ipv6, SSL and is available for both Windows and Linux. The first thing you will notice with this tool is that it has a different syntax on what you are used to with netcat or other standard Unix tools.

In other word you can say it is a command-line based utility that inaugurates two bidirectional byte streams and transfers data between them. Because the streams can be built from a large set of different types of data sinks and address type.

It is a utility for data transfer between two addresses which uses the syntax as “socat [options] <address><address>”.

Now we will start working with this most influencing tool by using its help command.

Basic parameters of socat

The most “basic” socat request would be: socat [options] <address><address>but another more existing example would be: socat -d -d – TCP4:www.example.com:80.

Where “-d -d” would be the options, “-“ would be the first address and TCP:www.example.com:80 would be the second address.

The above syntax can be more clearly understand by breaking each component down a bit more. Let’s first start with the address, since the address is the keystone aspect of socat.

Addresses:

As we know socat is comprised with two addresses for executing its result so it is more important to understand that what addresses are in actual and how they work. The address is something that the user provides via the command line. Entreating socat without any addresses results in a note as shown below:

~: socat

2018/09/22 19:12:30 socat[15505] E exactly 2 addresses required (there are 0); use option “-h” for help

Type:

After address, the other component of “socat” is “type” which is used to specify the kind of address that we need. Some of popular selections are TCP4, CREATE, EXEC, STDIN, STDOUT, PIPE, UDP4 etc, where the names are pretty self-understandable.

This is because certain address types have aliases. Similarly “-“ is one such alias which is used to represent STDIO. Another alias is TCP which stands for TCPv4. You can also use its man page to view lists of all other aliases.

Parameters:

Instantly after the type socat comes with zero or more required address parameters for its performance which is separated by:

The number of address parameters depends on the address type. The address type TCP4 requires a server description and a port description.

The operation achieved by socat

To send and receive text messages bidirectional: As we know “Socat” is a command-line based utility that establishes two bidirectional byte streams and transfers data between them. Now, I will start to establish a connection between two machines and will transfer messages between both of them.

For this, we need to start listener at one machine. In below image we have done this for “kali” which is acting as a listener and ready to take all of the commands that are ordered by “ubuntu” as shown below by framing command:

After running listener, our next step is to use socat command on another machine i.e. “ubuntu”. Here we need to specify the “IP” and port of the machine on which we have started the listener.

Now we have succeeded to share text between both terminals as shown in below image.

EXEC command using socat to take shell: socat command also tends the user to take the shell of any machine.  Here in this tutorial, I wish to take the shell of “ubuntu” on “kali” terminal by “EXEC type”.

Now on framing above command, we have successfully established a connection between two of the machine. After running listener on “ubuntu” now we will use socat command on “kali” by specifying the” IP” and “port” of the machine (ubuntu) which will help us to take the shell of ubuntu on kali as per our request.

Now to check whether you have got the shell of the desired machine or not, you can simply write “id”. As in below image you can see, it has directed us as user “raj” which is a user of “ubuntu”. It means we have successfully got the shell.

EXEC command using socat to transfer file: Now we will use another function of “EXEC” to transfer a file, here I want to transfer “passwd” file from “ubuntu” to “kali and again we will follow the same process.

As we switch to kali and run socat command it will result in us by opening “passwd” file of “source machine”.

Working with socat using another type: As we know socat uses the list of “type” like CREATE, EXEC, STDIN, STDOUT, PIPE etc.

Here in the below image, I have a text file named as “test” and now I want my listener machine to execute this file.

By using the above command first I have requested to open “test” file then I have pipe this output as the input for socat command.

As from below image you can see I have used “OPEN” function to which I have requested to create a file

 by the name of “raj” and will append the content of “test” file to this newly created file i.e. “raj”.

So now when I will run listener at “ubuntu” it will execute “raj” file showing the content of

“test” file as per desire.

Abusing socat

Sudo Rights Lab setups for Privilege Escalation

Now we will start our mission for privilege escalation. For this alike another command from “Linux for pentester” series here also first we need to set up our lab of “socat” command with administrative rights.

It can be clearly understood by the below image in which I have set sudo permission to local user (test) who can now run “socat command” as the root user.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

Exploiting Sudo rights

First Method:

Now we will start exploiting socat facility by taking the privilege of sudoer’s permission. For this very first we must have sessions of a victim’s machine then only we can execute this task.

So now we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

As we know “test” user attains sudo user privileges so now we will try to attain root shell of the host’s machine by the help of socat using EXEC options. Then we look for sudo right for “test” user (if given) and found that user “test” can execute the socat command as “root” without a password.

On a new terminal launch socat as a listener and enter the source IP and source port along with socat command to obtain reverse shell of the host machine.

Now we have successfully got the shell of victim’s machine with root privilege as shown in below screenshot.

Second Method:

We have another method to escalate the higher privilege shell i.e. using socat one liner reverse shell command. 

On new terminal start the socat as a listener and obtain root shell of the remote machine.

Conclusion: Hence in this way, we can make use of “socat” command to escalate the privilege of the remote machine.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Linux for Pentester: scp Privilege Escalation

In this article, we are going to introduce another most helpful Linux command i.e. “scp” which is an abbreviated form of “secure copy”. The SCP command allows secure transferring of files between the local host and the remote host or between two remote hosts. So after knowing this fact we will check now how we can take advantage of this utility in privilege Escalation. 

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.” 

Table of Content

Introduction to scp

Major Operation performed using scp

  • Copy a file from the local system to the remote machine
  • Copy a file from a remote system to the local machine
  • Provide modification time and date
  • To display detailed information of the SCP process
  • Copying file inside directory recursively
  • To specify a specific port

Exploiting scp

  • Abusing Sudo right

Introduction to scp

Scp is a built-in command in Linux which is used to SCP is used to copy file(s) between servers in a secure way or in other words we can also say that it is a command-line utility that allows you to securely copy files and directories between two locations. This possesses the same authentication and safety as it is used in the Secure Shell (SSH) protocol. SCP is also known for its effortlessness, security and pre-installed accessibility.

Major Operation performed using scp

In this tutorial, we will show you how to use the scp command with detailed explanations of the most common scp options. For this, we will start from its help command as per below image.

After checking for its help command now we will proceed to its major operation one by one.

Copy a file from local system to remote machine: As we know the scp command tends the user to securely copy the file or directory from local to host connection or vice-versa so, by taking the help of this fact now we will copy a file whose name as “scan.xml” which is stored in my local system. For doing this we will frame command as below:

In the above command “scan.xml” is the file name that I want to copy, “aarti” is a remote user name, “192.168.1.31” is remote machine IP and ” /home/aarti/Desktop” is the path of the remote machine where I want to copy this file.

Once we have done with our command then it will be prompted to enter the user password and the transfer process will start.

Note: Omitting the filename from the destination location copies the file with the original name. If you want to save the file under a different name you need to specify a new name too.

Hence on following above syntax, our desired file has been successfully copied to a destination location on the remote system as shown below.

Copy a file from the remote system to the local machine: Alike above we can also copy a file or directory from its remote machine to the local system. For grabbing this functionality follow the below command.

On framing above command, we will again be prompted to enter the user password and the transfer process will start.

Hence our desired file has been successfully copied to a destination location on the local system from the remote system.

Provide modification time and date: Many times, you might be noticed that by default the time and date of the copied file is used to be set for current time and date.

As in below image you can notice that our “demo.txt” file showing its “current date and time” when it has been copied.

But in the below image, I have shown the original date and time i.e. when the file had created.

So if we want to make a modification of our copied file as its original details then we will use the “-p” option for this. After adding this argument our file will be copied with its original date and time instead of copying with current details.

To display detailed information of the SCP process: As in all above screenshot you can see that after you enter the password for copy the file there is no information about the SCP process but the only thing is it will prompt again once the process has been completed. So, if you want the detailed information of the SCP process, then you can use the “-v” parameter for this.

Copying the file inside directory recursively: Sometimes we need to copy directory and all files/directories inside it. It will be better if we can do it in 1 command. SCP support that scenario using the “-r” parameter.

In the below image, I have copied a file “fluxion” recursively.

Note: The speed for the process of copying any file is totally based upon its data length but we can increase this speed by using “-C” option which results faster for copy the file.

Here in the below image, we have successfully copied fluxion.

To specify a specific port: Usually, SCP uses port 22 as a default port. But for security reason, if you wish to change the port into another port then you can use the “-P” argument for this task.

For example, we are going to use port 2222. Then the command needs to be 

Lab setups for Sudo Privilege Escalation

Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Now we will start to perform privilege escalation for “scp”. For doing so we need to set up our lab of scp command with administrative rights.

After that, we will give Sudo permission on scp, so that a local user can take the privilege of scp as the root user.

Hence type following for enabling SUID:

It can be clearly understood by the below image in which I have created a local user (test) and will add sudo right for scp program in the /sudoers file and type following as user Privilege specification.

First Method

Then we will look for sudo right of “test” user (if given) and found that user “test” can execute the scp command as “root” without a password.

On framing below command, it will direct us on root shell as shown below and we will successfully accomplish our task.

Second Method

For proceeding further in our task of privilege escalation by the help of the second method very first we need to check the status for ssh service which should be active during our entire process (Kali Linux).

Now I wish to copy passwd and shadow file of the host machine (Ubuntu) as per below image by the help of scp command.

On framing above command it will prompt to enter the user password so that the transfer process will start.

Once you are done with this then you can check whether your file has successfully copied or not by framing below command.

Conclusion: Hence we have achieved our mission and successfully copied passwd and shadow file by the use of scp command.

Reference: https://gtfobins.github.io/

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here