Linux for Pentester: sed Privilege Escalation

This article covers the Stream Editor (sed), one of the most widely used text-processing tools on GNU/Linux. It is a brief introductory guide: first how sed works and what its common operations look like, then how a sudo rule that runs sed as root can be turned into privilege escalation.

NOTE: “The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and hurdles a pentester may face while solving CTF challenges or OSCP labs based on Linux privilege escalation. We do not criticize any misconfiguration a network or system administrator may make when granting higher permissions on programs, binaries, files, etc.”

Table of Contents

Overview of sed

  • Introduction to sed
  • Key actions performed with sed
    • Substitution with the sed command
    • Printing and viewing with the sed command
    • Deleting lines with sed

Abusing sed

  • Sudo rights lab setup for privilege escalation
  • Exploiting sudo rights

Introduction to sed

sed stands for “stream editor”. It reads its input line by line, applies the editing commands it is given (searching, find and replace, insertion, deletion) to each line, and writes the result to standard output, so a file can be edited without opening it in an editor, which makes it a fast way to find and replace text. Its most common use by far is substitution. sed also supports regular expressions, so it can match complex patterns as well as fixed strings. To learn more about the command we start with its help output (the --help option).

Note: this article deliberately omits many sed commands, since our main concern is how sed bears on privilege escalation.

Key actions performed with sed

  • Substitution with the sed command: sed can insert, delete and modify text in a file as requested, and we will walk through these operations one by one, starting with substitution.

1.1 Substituting or switching a string: sed's substitute command replaces one string with another. The expression has the form s/pattern/replacement/, so replacing the word Ignite with Egnyte throughout a file uses s/Ignite/Egnyte/ applied to that file, as in the command below.

In this expression “s” denotes the substitution action, “Ignite” is the search pattern and “Egnyte” is the replacement string. By default sed replaces only the first occurrence of the pattern on each line; the second, third and later occurrences on the same line are left alone.

1.2 Substituting the nth occurrence on a line: To replace a specific occurrence (the first, second and so on) of a pattern on each line, append that number as a flag after the final slash, i.e. /1, /2, etc.

Here I am replacing the 2nd occurrence on each line.

1.3 Substituting all occurrences at once: Since sed by default replaces only the first occurrence on each line, the “/g” (global) flag is used when every occurrence in the file should be replaced at the same time.

1.4 Substituting from the nth occurrence onward: “/g” alone changes every occurrence on every line. To start replacing only from a particular occurrence, put that number in front of g (for example 3g); sed then replaces the nth occurrence and every one after it on each line.

Run in this form, the command replaces every occurrence from the nth one onward.

Note: in the image below no change is visible for the “3g” flag, because no line of my file contains a 3rd occurrence of the word. On a line where the substituted word appears three or more times you can clearly see how the replacement starts at the nth occurrence and continues to the end of the line.

1.5 Substituting within a particular range of lines: A line range placed in front of the s command limits the substitution to those lines, as shown below.

With this form sed replaces “Ignite” only on lines one to three.

Note: “$” can be used in place of the end index to substitute from the nth line to the last line of the file.
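The substitution forms from 1.1 to 1.5 side by side, as an added example that is not part of the original article. The sample file is constructed here (line 1 contains “Ignite” three times so the nth-occurrence flags visibly differ), and the function names are made up for the example:

```shell
#!/bin/sh
# Added example, not from the original article: the substitution forms above
# (first occurrence, nth occurrence, all, nth-onward, line range) run against a
# constructed sample file so each flag's effect is visible side by side.

SAMPLE=$(mktemp)
# Constructed input: line 1 holds "Ignite" three times, lines 2-3 once, line 4 never.
printf '%s\n' \
  'Ignite Technologies, Ignite training, Ignite labs' \
  'Welcome to Ignite' \
  'Ignite courses' \
  'no match on this line' > "$SAMPLE"

# s/old/new/      first occurrence on every line
sub_first()    { sed 's/Ignite/Egnyte/' "$1"; }
# s/old/new/N     only the Nth occurrence on every line
sub_nth()      { sed "s/Ignite/Egnyte/$2" "$1"; }
# s/old/new/g     every occurrence on every line
sub_all()      { sed 's/Ignite/Egnyte/g' "$1"; }
# s/old/new/Ng    the Nth occurrence and everything after it on each line
sub_from_nth() { sed "s/Ignite/Egnyte/${2}g" "$1"; }
# A,Bs/old/new/   first occurrence, but only on lines A..B ($ = last line)
sub_range()    { sed "${2},${3}s/Ignite/Egnyte/" "$1"; }

echo '== first occurrence';  sub_first    "$SAMPLE"
echo '== 2nd occurrence';    sub_nth      "$SAMPLE" 2
echo '== all occurrences';   sub_all      "$SAMPLE"
echo '== 2nd onward';        sub_from_nth "$SAMPLE" 2
echo '== lines 2 to $ only'; sub_range    "$SAMPLE" 2 '$'
```

None of these modify the sample file; sed prints the edited stream to standard output, and only the -i option rewrites the file in place.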

  • Printing and viewing with the sed command: Apart from substituting strings, sed can print and view selected parts of a file as instructed.

2.1 Duplicating the replaced line with the /p flag: The “/p” flag prints the line whenever a substitution was made on it. Without -n, sed also prints every line as usual, so a replaced line appears twice on the terminal, while a line that does not contain the search pattern (and is therefore not replaced) is printed only once.

2.2 Printing only the replaced lines: To see only the lines that were actually substituted, combine the “-n” option (which suppresses the automatic printing of every line) with the print flag, as shown below.

The image below shows that with “-n” only the replaced lines are printed as output.

2.3 Printing lines with numbers: Just as “cat -n” numbers the lines of a file, sed can number them too, using its “=” command, which prints the current line number ahead of each line.

With this command sed prints the output with each line numbered, as requested.

2.4 Displaying a file from line x to line y: To view only a range of lines, give the start and end index followed by the print command, as in the command below.

If “d” is used instead of “p”, sed prints the entire file except the given range.

2.5 Printing the nth line of the file: Leaving out the end index and giving a single line number prints only that line.

In the screenshot below sed prints only the 4th line when this command is used.

2.6 Printing from the nth line to the end of the file: To print a file from its nth line to the last line, use “$” as the end of the range, as below.

Here “$” stands for the last line of the file.

2.7 Printing only the lines that match a pattern: To print only the lines that match a given pattern, use the pattern (between slashes) as the address of the print command.

The image below shows how this works; here I have printed only the lines containing the word “training”.

2.8 Printing from a matching line up to the nth line: The two address forms can be combined. A pattern as the start address and a line number as the end address prints from the first line that matches the pattern through the nth line.

3 Deleting lines with sed: Now we look at how sed deletes lines from a file. Note that, as with the commands above, sed only removes the lines from the output stream; the file on disk is unchanged unless the -i option is used.

3.1 Removing a specific line: To delete a particular line, give its number followed by the “d” command. Here I am deleting the 3rd line of “Ignite.txt”.

3.2 Removing a range of lines: To delete a block of lines, give the “start index” and “end index” of the range. In the image below I have deleted lines 3 to 5 of “Ignite.txt”, and the remaining content is printed.

3.3 Removing from the nth line to the last line: Instead of a fixed end index, “$” deletes from the start index to the end of the file.

Here “2” is the index from which deletion starts and “$” tells sed to keep deleting until the end of the file.

3.4 Removing the last line: Given without a start index, “$d” deletes only the last line of the file.

3.5 Removing the lines that match a pattern: Sometimes we want to delete, rather than print, the lines that match a pattern; a pattern address followed by “d” does this, as in the command below.

In the image below sed has deleted every line containing the word “training”.
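The printing forms of section 2 and the deleting forms of section 3 share the same address syntax (line numbers, ranges, “$”, patterns) and differ only in the command letter, so one added example, not from the original article, covers both. The five-line sample file and the function names are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the original article: the address forms used with
# "p" (print) and "d" (delete) in sections 2 and 3, run on a constructed file.
# None of these touch the file itself; sed writes the edited stream to
# standard output, and only -i would rewrite the file in place.

SAMPLE=$(mktemp)
printf '%s\n' \
  'line one: Ignite training' \
  'line two: Ignite labs' \
  'line three: something else' \
  'line four: more training' \
  'line five: last' > "$SAMPLE"

# 2.1 /p without -n: replaced lines come out twice, untouched lines once
sub_show_twice()   { sed 's/Ignite/Egnyte/p' "$1"; }
# 2.2 -n plus /p: only the lines that were actually replaced
sub_only_changed() { sed -n 's/Ignite/Egnyte/p' "$1"; }
# 2.3 "=" prints the line number before each line; join the pairs like cat -n
number_lines()     { sed = "$1" | sed 'N;s/\n/ /'; }
# 2.4 / 2.5 / 2.6:  A,Bp   Np   N,$p   (A,Bd prints everything except A..B)
print_range()      { sed -n "${2},${3}p" "$1"; }
print_except()     { sed "${2},${3}d" "$1"; }
print_line()       { sed -n "${2}p" "$1"; }
# 2.7 / 2.8: a pattern address on its own, or as the start of a range ending at line N
print_matching()   { sed -n "/$2/p" "$1"; }
print_match_to()   { sed -n "/$2/,${3}p" "$1"; }
# 3.x delete: single line, range (or N,$), last line, pattern
delete_line()      { sed "${2}d" "$1"; }
delete_range()     { sed "${2},${3}d" "$1"; }
delete_last()      { sed '$d' "$1"; }
delete_matching()  { sed "/$2/d" "$1"; }

count() { wc -l | tr -d ' '; }   # line count of whatever is piped in

echo '== lines 2-4';          print_range    "$SAMPLE" 2 4
echo '== all but lines 2-4';  print_except   "$SAMPLE" 2 4
echo '== numbered';           number_lines   "$SAMPLE"
echo '== matching training';  print_matching "$SAMPLE" training
echo '== delete 2 to end';    delete_range   "$SAMPLE" 2 '$'
echo '== only replaced';      sub_only_changed "$SAMPLE"
```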

Abusing sed

Sudo rights lab setup for privilege escalation

Now we start on privilege escalation. First we set up a lab in which sed can be run with administrative rights through sudo; then we check what a sudo rule for sed lets a user do and how that can be turned into privilege escalation.

The image below shows the setup: I have created a local user (test) who is allowed to run sed as root through sudo and can therefore perform the tasks shown as an administrator.

To grant this right, edit /etc/sudoers (with visudo) and add the following line in the user privilege specification section.

Exploiting Sudo rights

Now we exploit sed through the sudo permission. This requires a session on the victim's machine first: suppose we have obtained one that gives us local-user access to the target, from which we will escalate to root.

So we connect to the target machine over ssh, logging in as the local user with the following command.

Then we check the sudo rights of the “test” user (if any) and find that “test” can execute the sed command as “root” without a password.

Since sudo runs sed as root, every sed operation shown above (printing, substituting, deleting, and rewriting a file with -i) can now be applied to files that only root may read or write. Here we use it on /etc/passwd to escalate, or to maintain access with elevated privileges.

Conclusion: We have exploited “sed” by using its ordinary functionality once it was granted higher privileges. A sudo rule that allows sed as root is therefore equivalent to granting root access and should be treated as such.

Reference link: https://gtfobins.github.io

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: pip Privilege Escalation

This article introduces another useful command from the list of Linux for pentesters. Besides copying, downloading and searching, users need to install packages, and “pip” is the command that does this for Python: its main functions are installing, uninstalling and searching Python packages. After covering that functionality we look at how pip can be used in our privilege-escalation work.


Table of Contents

Introduction to pip

  • Major operations performed using pip

Exploiting pip

  • Sudo rights lab setup for privilege escalation
  • Exploiting sudo rights

Introduction to pip

Before we start, a quick check of terms: a Python package is a Python module that can contain other modules or, recursively, other packages; it is what you import in Python code. Several tools install such packages, and “pip” is the most widely used of them today.

pip is usually expanded as “pip installs packages”; it is the tool for installing and managing Python packages. It is useful for web development and for sysadmins who manage cloud-based resources. We start with its help output to see the range of pip operations.

Major operations performed by “pip”

List all installed packages: To list all Python packages installed on the machine, use the “list” subcommand of pip. list is one of the more important subcommands, since its options cover several things a user needs. Some of them are described below:

  • List installed packages: lists all installed packages.

Other options for listing packages:

Syntax: pip list <options>

List outdated packages: To list the installed packages that are outdated, add the “--outdated” option to pip list; the output shows each such package with its current and latest version.

List installed packages with column formatting: To display the output in a specific format, use the “--format” option. For a column layout I frame the command as below.

List outdated packages with column formatting: This is the same format option combined with --outdated, so more fields are displayed: the current version, the latest version and the type of the installed package.

List packages that are not dependencies of other packages: To list only the installed packages that nothing else depends on, frame the command as below (pip calls this option --not-required).

Install a new package: As described above, the main job of pip is installing packages; here I install “flask”.

Syntax: pip install <package name>

Show information about a package: The “show” subcommand prints detailed information about an installed package.

Syntax: pip show <package name>

The image below shows the relevant information about flask produced by the show subcommand.

Uninstall a package: Besides installing packages, pip handles the other side, uninstallation, so a package can be removed without any hassle.

Syntax: pip uninstall <package name>

In the image below I uninstall “jinja2”, a modern templating language for Python developers.

Freeze installed packages: Freezing is the procedure in which pip reads the versions of all packages installed in the (local or virtual) environment and produces a text file listing each package with its exact version; that file can later be fed back to pip install -r to reproduce the environment. Use the “freeze” subcommand for this, as shown below.

Syntax: pip freeze > <filename>

Search for a package: The search subcommand looks up available Python packages on the index; a search term usually matches a fairly wide set of packages.

Syntax: pip search <package name>

Most of the time we search for packages directly on the PyPI website, which offers search and result filtering for its index. Here I frame the command as shown below to search for “keyring”. Note that PyPI has since disabled the XML-RPC search API that pip search relies on, so on current systems the command returns an error and the web search has to be used instead.

Create a hash for a file: A hash value is a fixed-length string produced by a hashing algorithm; one of its chief uses is to verify the integrity of data (a file, an attachment, a download, etc.).

Syntax: pip hash <file>

pip provides this for its own integrity checks: the output of pip hash is a --hash=sha256:... fragment that can be placed next to a requirement in a requirements file, and pip install --require-hashes then refuses any downloaded file whose hash does not match. In the image below I use it to create the hash value of a file, “rockyou.txt”.
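What the hash is for, as an added example that is not part of the original article: the same SHA-256 that pip hash prints, turned into a pinned requirements line, and the comparison that --require-hashes performs on a download. It uses sha256sum so it runs without pip or network access; the archive name and its content are constructed stand-ins for a downloaded wheel or sdist, and the function names are made up. If pip is installed, the last line prints pip's own output for comparison.

```shell
#!/bin/sh
# Added example, not from the original article: the hash pinning that "pip hash"
# feeds, done with sha256sum so it runs without pip or network access.  The
# archive name and its content are constructed stand-ins for a downloaded wheel
# or sdist; with pip installed, the last line shows pip's own output as well.

WORK=$(mktemp -d)
printf 'abc' > "$WORK/example-1.0.tar.gz"      # pretend download (bytes "abc")

# Hex SHA-256 of a file, the value pip prints after "--hash=sha256:"
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

# Same shape as a line of `pip hash <file>` output
hash_line() { printf '%s%s\n' '--hash=sha256:' "$(file_sha256 "$1")"; }

# A requirements.txt entry pinning name, version and hash.  Installed with
# `pip install --require-hashes -r requirements.txt`, pip rejects any file
# whose hash differs, which is the supply-chain check this feature exists for.
requirement_line() { printf '%s==%s %s\n' "$1" "$2" "$(hash_line "$3")"; }

# The comparison --require-hashes performs: recorded hash vs. current file
verify_hash() {
  if [ "$1" = "$(file_sha256 "$2")" ]; then echo ok; else echo MISMATCH; fi
}

PINNED=$(file_sha256 "$WORK/example-1.0.tar.gz")
requirement_line example 1.0 "$WORK/example-1.0.tar.gz"
verify_hash "$PINNED" "$WORK/example-1.0.tar.gz"
if command -v pip >/dev/null 2>&1; then pip hash "$WORK/example-1.0.tar.gz"; fi
```

Changing a single byte of the archive after the hash was pinned makes verify_hash report MISMATCH, which is exactly the case (a tampered or substituted download) that hash pinning is meant to catch.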

Download a package without installing it: pip also supports fetching distribution files without installing them, through the download subcommand. pip download saves the package archive (and, by default, its dependencies) into the current directory or into a path given with -d.

In the image below I used it to download a compressed archive from a remote location.

Syntax: pip download <requirement or URL>

Exploiting pip

Sudo rights lab setup for privilege escalation

Now we start privilege escalation. First we set up a lab in which pip runs with administrative rights through sudo; then we check what that rule allows the user to do and how it can be used for privilege escalation.

The image below shows the setup: I have created a local user (test) who is allowed to run pip as root through sudo and can therefore perform the tasks shown as an administrator.

To grant this right, edit /etc/sudoers (with visudo) and add the following line in the user privilege specification section.

Exploiting Sudo rights

Now we exploit pip through the sudo permission. Suppose we have a session on the victim's machine that gives us local-user access to the target, from which we escalate to root.

First we connect to the target machine over ssh, logging in as the local user with the following command.

Then we check the sudo rights of the “test” user (if any) and find that “test” can execute the pip command as “root” without a password.

Knowing that pip runs as root for this user, pip's normal operations now execute in a privileged context: it reads and writes the file system as root, and installing a package runs that package's setup code as root. That is enough to escalate, or to maintain access with higher privileges, whenever pip is permitted through sudo.

Conclusion: We have exploited pip by using its ordinary functionality once it was granted higher privileges.

Reference link: https://gtfobins.github.io


Linux for Pentester: git Privilege Escalation

In this article we look at “git”, the dominant version-control command in software development, used to manage source code. We go through the basic git commands first, then examine how its behaviour under sudo can be used for privilege escalation.


Table of Contents

Introduction to git

  • Major operations performed using git

Exploiting git

  • Sudo rights lab setup for privilege escalation
  • Exploiting sudo rights

Introduction to git

Git is a source-code change-management system for collaborative development. It keeps a history of every version of each file. Unlike typical client-server systems, which “check out” only the latest version of the files, Git is a distributed system: every user has a local copy of the whole repository, including the full history of all files. Git is faster than SVN, more reliable with data and supports non-linear workflows. A user works on files in a local working area tied to the local clone, adds, edits and deletes files, and finally commits the changes. These commits can then be exchanged with other Git repositories with “push” (send) or “pull” (fetch and merge).

To learn more about git, use its help page, as below:

Set the user's identity: The first step is to set up an identity, a name and an email address, in git's configuration. This matters because every commit you make records this information. Use the command shown in the image below:

Cloning a git repository: After setting the identity we clone the repository of the project we want to work on; only then can we commit changes. git clone points at an existing repository and makes a copy of it in a new directory at another location. The original can be on the local filesystem or on a remote server. The clone automatically gets a remote (named origin) pointing back to the original repository, which makes interaction with a central repository easy.

Initialize a new git repository: To start your own repository for a codebase, use the “init” subcommand, which creates a new git repository; that machine can then serve as the git repository for that codebase.

Checking git status: To compare the files recorded in the index with the working directory of your repository, use the “status” subcommand as in the image below.

Initially I have not created any file or made any commits in my repository, so status reports nothing to commit.

Adding a new file to the repository: Now I add a file to the new repository. First I create a file to act as source code: in the image below I have created “Ignite.txt” with some content. To add it to the repository I use the “add” subcommand, which stages the file for the next commit.

Git commit: Each time files are added to the repository, the change has to be confirmed by committing it. As I have created a fresh file, I label this my “first commit”.

This command records the file “Ignite.txt” and its content with the message “first commit”, so the change can be found later.

In the next screenshot I add some more lines to “Ignite.txt”, stage it the same way as above and make another commit, labelled “second commit”, to record these changes in the repository.

Git log: Once all commits are made I will probably want to look back at what has happened, and the most basic and powerful tool for that is “git log”. It works just as well on a cloned repository with an existing commit history.

The image below shows that “git log” lists the two commits I made above.
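The sequence above (identity, init, add, commit twice, log) run end to end in a throwaway directory, as an added example that is not part of the original article. It assumes git is on PATH; the repository path, user name and email are made up, and the identity is set per repository here, whereas the article sets it globally in ~/.gitconfig:

```shell
#!/bin/sh
# Added example, not from the original article: the identity -> init -> add ->
# commit -> log sequence above, run in a throwaway directory.  It assumes git is
# on PATH; the paths, user name and e-mail are made up for the example.

WORK=$(mktemp -d)
export HOME="$WORK/home"; mkdir -p "$HOME"     # leaves the real ~/.gitconfig alone
export GIT_CONFIG_NOSYSTEM=1 GIT_PAGER=cat     # no system config, no pager

# Identity, repository and two commits on Ignite.txt, as in the screenshots
build_repo() {
  git init -q "$WORK/repo" || return 1
  git -C "$WORK/repo" config user.name  'test user'          # per-repo identity
  git -C "$WORK/repo" config user.email 'test@example.com'
  printf 'Ignite Technologies\n' > "$WORK/repo/Ignite.txt"
  git -C "$WORK/repo" add Ignite.txt
  git -C "$WORK/repo" commit -q -m 'first commit'
  printf 'Ignite training\n' >> "$WORK/repo/Ignite.txt"
  git -C "$WORK/repo" add Ignite.txt
  git -C "$WORK/repo" commit -q -m 'second commit'
}

# Helpers that return what "git log" and "git status" report, for checking
commit_count()   { git -C "$WORK/repo" rev-list --count HEAD; }
latest_message() { git -C "$WORK/repo" log -1 --format=%s; }
first_message()  { git -C "$WORK/repo" log --reverse --format=%s | sed -n 1p; }
working_tree()   { [ -z "$(git -C "$WORK/repo" status --porcelain)" ] && echo clean || echo dirty; }

build_repo
git -C "$WORK/repo" log --oneline        # the two commits, newest first
echo "working tree: $(working_tree)"
```

GIT_PAGER=cat is set so that log output goes straight to the terminal instead of through less. That pager is relevant later in this article: when git is run through sudo, the pager it spawns runs as root too, which is the behaviour the exploitation section relies on.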

Like many tools that hand control to a pager or an external command, git can also be used to break out of a restricted environment by spawning an interactive shell or executing an arbitrary system command; this is the behaviour we exploit next.

Exploiting git

Sudo rights lab setup for privilege escalation

Now we set up a lab in which git runs with higher privileges. As explained in my previous articles, the behaviour of many commands changes once they run with elevated rights, so we check what git can do after receiving sudo rights and how that can be used for privilege escalation.

The image below shows the setup: I have created a local user (test) who is allowed to run git as root through sudo and can therefore perform the tasks shown as an administrator.

To grant this right, edit /etc/sudoers (with visudo) and add the following line in the user privilege specification section.

Exploiting Sudo rights

Now we exploit git through the sudo permission. Suppose we have a session on the victim's machine that gives us local-user access to the target, from which we escalate to root.

First we connect to the target machine over ssh, logging in as the local user with the following command.

Then we check the sudo rights of the “test” user (if any) and find that “test” can execute the git command as “root” without a password.

Therefore, type the command shown below to spawn a root shell:

This opens git's documentation for config through the default pager (less), exactly as man does. Because sudo started git as root, the pager runs as root as well, and less lets you run a shell command with “!”: typing “!/bin/sh” and pressing enter gives us a shell.

The “#” prompt means the shell is running as root, as shown in the following picture.

Conclusion: As the image shows, we escalated to root by abusing the sudo permission on git. The same pager behaviour means a SUID bit on the git program could be abused in a similar way.

References:

https://gtfobins.github.io/


Linux for Pentester: cp Privilege Escalation

In this article we look at another worthwhile command, “cp” (copy), and cover its basic functions. cp copies files and directories from a source to a destination; here we study how that can be used in privilege escalation.


Table of Contents

Introduction to cp

  • Major operations performed using cp

Exploiting cp

  • SUID lab setup for privilege escalation
  • Exploiting SUID

Introduction to cp

cp stands for copy. It copies a file, a group of files or a directory from a source location to a destination, producing an identical copy on disk under a different name or path. cp needs at least two arguments: the source(s) and the destination.

First we run its help output so readers see the options cp offers.

Copy a single file to a destination: cp copies the content of the source file to the destination; here I copy a single file (raj.txt) to a new file (chiya.txt). If the destination file already exists, cp overwrites it without any warning; if it does not exist, cp creates it and then copies the content of the source into it.

With this command cp copies the content of raj.txt to chiya.txt, as shown in the image below.

Copy multiple files to a directory: cp can copy several files at once into a directory. Suppose we have the files shown in the image below and want to copy them all into one directory; the command is framed as shown below:

With this command cp copies the files “1, 2, 3, chiya.txt” into the named destination directory. When more than one source is given, the destination must be an existing directory; cp does not create it, and refuses with “target is not a directory” otherwise. Files already in the directory are left alone unless a copied file has the same name, in which case it is overwritten without warning, so take care when copying into a populated directory.

Copy a source directory to a destination: Here cp works recursively, reproducing the whole directory structure. To copy all the files and subdirectories a directory contains, we copy the directory itself instead of copying its files one by one to the desired destination.

In the image below I have copied the whole source directory “ignite” to the destination “demo2”, which did not exist yet and so becomes a copy of ignite (had it existed, ignite would have been copied inside it). Either -r or -R selects recursive copying.

Interactive prompt: Normally cp simply overwrites an existing destination file; the “-i” option makes it ask for confirmation first, which protects the destination's content from being erased by accident.

Here I want to copy the content of “chiya.txt” over “author”, which has content of its own, so with “-i” cp prompts me to confirm the overwrite.

Backup a file: To keep a backup of the destination file before it is overwritten, use the “-b” option. cp then saves the old destination in the same folder under a different name (by default the original name with “~” appended).

With this command cp creates a backup of the file “author” in the same folder under a different name.

Copying with the * wildcard: Suppose a directory holds many text documents that we want to copy into another directory. Naming every file as an argument is slow; with the * wildcard the shell expands the matching names for us.

With this command cp copies every “txt” file to the destination.

Force copy: Sometimes the destination file cannot be opened for writing because of the permissions set on it. The “-f” option makes cp remove the destination file first and then copy the source to it (this still requires write permission on the containing directory).

In the screenshot below Example.txt has no write permission, so with the “-f” argument cp can still copy the content of the source file over it.
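The cp forms above run in a scratch directory, as an added example that is not part of the original article, so that the overwrite, prompt, backup and -f behaviour can be checked rather than inferred. File and directory names are made up for the example:

```shell
#!/bin/sh
# Added example, not from the original article: the cp forms described above,
# run in a scratch directory so the overwrite, prompt, backup and -f behaviour
# can be checked rather than inferred.  File and directory names are made up.

reset_lab() {                    # fresh copy of the sample files
  LAB=$(mktemp -d); cd "$LAB" || return 1
  printf 'from raj\n'    > raj.txt
  printf 'from chiya\n'  > chiya.txt
  printf 'author text\n' > author
  for n in 1 2 3; do printf 'file %s\n' "$n" > "$n"; done
  mkdir -p ignite/sub; printf 'nested\n' > ignite/sub/deep.txt
}

# cp SRC DST: an existing DST is overwritten without any warning
copy_file()        { cp raj.txt chiya.txt; cat chiya.txt; }
# cp F1 F2 ... DIR: DIR must already exist; same-named files in it are overwritten
copy_many()        { mkdir -p demo; cp 1 2 3 chiya.txt demo/; ls demo | wc -l | tr -d ' '; }
# cp -r SRC DST: whole tree; a missing DST becomes a copy of SRC
copy_tree()        { cp -r ignite demo2; cat demo2/sub/deep.txt; }
# cp -i: prompts before overwriting; answering n leaves DST untouched
#        (declining is not an error for our purposes, hence "|| :")
copy_interactive() { printf 'n\n' | cp -i chiya.txt author || :; cat author; }
# cp -b: the old DST is kept as DST~ before it is overwritten
copy_backup()      { cp -b chiya.txt author; cat author~; }
# cp *.txt DIR: the shell expands the wildcard into every .txt name
copy_glob()        { mkdir -p txts; cp *.txt txts/; ls txts | wc -l | tr -d ' '; }
# cp -f: a DST that cannot be opened for writing is removed, then recreated
copy_force()       { printf 'old\n' > Example.txt; chmod 444 Example.txt
                     cp -f raj.txt Example.txt; cat Example.txt; }

reset_lab
for step in copy_file copy_many copy_tree copy_interactive copy_backup copy_glob copy_force; do
  echo "== $step"; "$step"
done
```

Run as root, the plain copy in copy_force would already succeed, since root is not subject to the 444 mode; the -f behaviour matters for an unprivileged user, which is also the situation the SUID section below starts from.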

SUID Lab setups for Privilege Escalation

SUID (Set User ID) is a permission bit that makes an executable run with the privileges of the file's owner rather than those of the user who runs it. So if, as a non-root user on the victim's machine, we find SUID-enabled binaries owned by root, those programs run with root privileges.

Read more from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

Now we set the SUID bit on cp so that a local user can run cp with the privileges of its owner, root.

Hence type following for enabling SUID bit:

Exploiting SUID

For this we connect to the target machine over ssh, logging in as the local user with the following command.

Then we use the find command to identify binaries with SUID permission.

This shows that the SUID bit is enabled on many binaries; the one we need is /bin/cp.

Since cp has SUID permission, we use it to escalate to root by injecting a new user into the /etc/passwd file.

First we look at /etc/passwd with tail, which reads the file from its end and shows that the last entry is the user “test”.

Now we generate a salted password hash for our new user with “openssl”, using the command in the screenshot below.

This gives us the hash value; copy it for later use.

Next I copy the whole content of /etc/passwd to my local machine and add a new record for the user “chiya”, pasting the hash generated above into its password field, as shown below; the record gives chiya the user and group ID of root (0), which is what makes the account root-equivalent.

Name this file passwd and start a Python HTTP server to transfer it to the victim's machine.

Now we want to put our modified passwd file in place of the original in /etc. On the victim we use wget to download the passwd file from our machine (Kali Linux) into /tmp.

Then, with the SUID cp, we copy the downloaded file over /etc/passwd; this works because cp runs as root, as shown in the image below.

Now we switch to user chiya, who has root's privileges, and get a root shell.
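The mechanical parts of the procedure above, run against constructed files rather than the real /etc/passwd, as an added example that is not part of the original article: finding SUID files with find, generating the password hash with openssl, building the new passwd record, and the audit a defender would run to spot it afterwards. The paths, the user “chiya” and its password are made up, and the hash is generated here (if openssl is absent the password field is left locked with “!”):

```shell
#!/bin/sh
# Added example, not from the original article: the mechanical parts of the
# procedure above, run against constructed files rather than the real
# /etc/passwd: finding SUID files with find, generating the password hash with
# openssl, building the new passwd record, and the audit a defender would run
# to spot it.  Paths, the user "chiya" and its password are made up.

LAB=$(mktemp -d)

# 1. SUID discovery.  A scratch file marked 4755 stands in for /bin/cp;
#    -perm -4000 matches any file with the setuid bit, whatever else is set.
mkdir -p "$LAB/bin"; : > "$LAB/bin/cp"; chmod 4755 "$LAB/bin/cp"
find_suid() { find "$1" -type f -perm -4000 2>/dev/null; }

# 2. Password hash.  openssl passwd -1 produces the MD5-crypt form
#    $1$<salt>$<hash>; -6 gives SHA-512 crypt on OpenSSL 1.1.1 and later.
make_hash() { openssl passwd -1 -salt "$1" "$2"; }

# 3. The record: uid 0 and gid 0 are what make "chiya" a root account, and
#    the hash sits in passwd itself, so no /etc/shadow entry is needed.
make_record() { printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"; }

# 4. Audit: flag any uid-0 account other than root, and any record whose
#    password field holds a hash instead of the "x" that points to shadow.
audit_passwd() {
  awk -F: '$3 == 0 && $1 != "root"               { print "uid0:" $1 }
           $2 != "x" && $2 != "*" && $2 != "!"   { print "hash-in-passwd:" $1 }' "$1"
}

# Constructed stand-in for the victim's /etc/passwd, ending with user "test"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'test:x:1000:1000:test:/home/test:/bin/bash' > "$LAB/passwd"

HASH=$(make_hash saltsalt 'Password@1' 2>/dev/null || echo '!')   # '!' if no openssl
make_record chiya "$HASH" >> "$LAB/passwd"      # what the SUID cp wrote over /etc/passwd

echo "SUID files under $LAB:"; find_suid "$LAB"
echo "audit findings:";        audit_passwd "$LAB/passwd"
```

The audit is the check a practitioner wants after this article: a second uid-0 account, or a password hash stored in /etc/passwd instead of /etc/shadow, is exactly the trace this technique leaves, and a SUID cp (or any SUID file-writing tool) should itself be treated as a root-equivalent finding.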

Conclusion: As the image shows, we escalated to root by abusing the SUID permission on cp. A sudo permission on the cp program can be exploited in the same way.
