Linux for Pentester: git Privilege Escalation

In this article we will look at a very commonly used command, “git”, which is used for version control of software source code and helps software developers manage it. I’m using the basic commands that git can perform in order to learn how they can be of use in our privilege escalation work; knowing this, we will examine how we can take advantage of git for privilege escalation.

NOTE: “The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and the kinds of hurdles that any pentester can face while solving CTF challenges or OSCP labs based on Linux privilege escalation. Here we are not criticizing any misconfiguration that a network or system administrator makes when granting higher permissions on programs, binaries, files, etc.”

Table of Contents

Introduction to git

  • Major operations performed using git

Exploiting git

  • Sudo lab setup for privilege escalation
  • Exploiting sudo rights

Introduction to git

Git is a software source-code change management (CM) system for collaborative development. It maintains a history of file versions. Unlike typical client-server CM systems, where users “check out” the latest version of the files, Git is a distributed CM system in which each user has a local copy of the entire repository, including the entire history of all files. Git is better than SVN in speed and data reliability, and it also supports non-linear workflows. A user working with files in a local project work area, which corresponds to the local clone of the source, can add, edit and delete files and finally commit their changes. The user can then share these changes from the local repository with a “push” or “pull” to other Git repositories.

To know more about the git command, use its help page with the command shown below:

Set up the user’s identity: The very first step in using git is to create an identity in the git repository. For this the user needs to register their name and email address with git. This is important because every git commit you make uses this information. Use the command shown in the image below to set it up:

Cloning a git repository: After creating the identity we need to clone the git repository for our project to start with; only then can we commit our changes. git clone points at an existing repository and makes a copy of it in a new directory at another location. The original repository can be located on the local filesystem. Cloning automatically creates a remote connection pointing back to the original repository, which makes it very easy to interact with a central repository.

Initialize a new git repository: If someone wants to run their own git repository server for a codebase, the “init” option serves this purpose: it initializes a new git repository, and the machine can then be used as a git repository server for that codebase.

Checking git status: To check the status of the files in the index versus the working directory of your git repository, use the “status” option as shown in the image below.

Initially I haven’t created any file or made any commits to my git repository, so it shows nothing.

Add a new file to the repository: Now I will add a file to my new git repo. For this I first create a file that will act as the source code for this exercise. In the image below I have created a file “ignite.txt” which holds some content. To add this file to my git repo I use the “add” option.

Git commit: Each time we add a file to the git repo we need to confirm it, and to do so we make a commit to our git repo. As I have created a fresh file, I will refer to it as my “first commit”.

On running the above command, it records the file “Ignite.txt” with its content under the comment “first commit”, so that you can find it later.

In the screenshot below I have added some more lines to my file “Ignite.txt”, staged it in the same way as above, and made another commit, labelled “second commit”, to record these changes in the git repo.

Git log: Now that I have finished making commits to the git repo, I would probably like to look back and see what has happened; this is easily achieved with the most basic and powerful tool for the job, the “git log” command. This also works if you have cloned a repository with an existing commit history.

From the image below it is easy to see that “git log” shows the two commits I made above.
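The identity, init, status, add, commit and log sequence walked through above, replayed in a throwaway repository as an added example (not code from the article). The identity is set per repository here rather than with --global, so the demo leaves ~/.gitconfig untouched; file contents and the identity values are constructed.

```shell
#!/bin/sh
# Added example: replay the article's git workflow in a temporary repository.
set -e

make_demo_repo() {   # builds the repository and prints its path
  repo=$(mktemp -d)
  (
    cd "$repo"
    git init -q                                   # this directory is now a repository
    git config user.name  "Demo User"             # identity recorded in every commit
    git config user.email "demo@example.com"      # (the article sets these with --global)
    git config commit.gpgsign false               # keep the demo independent of local signing setup
    git status --short                            # prints nothing: nothing tracked yet
    printf 'Ignite Technologies\n' > ignite.txt   # stands in for source code
    git add ignite.txt                            # stage it in the index
    git commit -q -m "first commit"
    printf 'one more line\n' >> ignite.txt        # modify, stage and commit again
    git add ignite.txt
    git commit -q -m "second commit"
  ) >/dev/null 2>&1
  echo "$repo"
}

commit_count() { git -C "$1" rev-list --count HEAD; }   # number of commits reachable from HEAD
latest_subject() { git -C "$1" log -1 --format=%s; }    # message of the newest commit

repo=$(make_demo_repo)
git -C "$repo" log --oneline      # two entries, newest first, exactly what the article's git log shows
```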

git can also be used to break out of restricted environments by spawning an interactive system shell, or to execute an arbitrary system command.

Exploiting git

Sudo Rights Lab Setup for Privilege Escalation

Now we will set up our lab for the git command with higher privileges. As explained in my previous article, the behaviour of many commands changes once they are granted higher privileges; accordingly, we will check what influence sudo rights have on the git command and how we can use it further for privilege escalation.

This can be clearly understood from the image below, in which I have created a local user (test) who has sudo rights as root and can perform tasks as admin.

To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification section.

Exploiting Sudo rights

Now we will start exploiting the git binary by taking advantage of its sudoers permission. Suppose we have obtained a session on the victim’s machine that gives us local user access to the targeted system, through which we can escalate to root user rights.

First we connect to the target machine with ssh; type the following command to log in as the local user.

Then we check the sudo rights of the “test” user (if any) and find that user “test” can execute the git command as “root” without a password.

Therefore, type the command below to spawn a bash shell:

This invokes the default pager to display the config, just as man does, and there we can enter “!/bin/sh” and press Enter to have it execute a shell for us.

We get a “#” prompt, which means we have successfully obtained a root shell, as shown in the following picture.

Conclusion: As you can see from the image below, we have escalated to root privileges by abusing the sudo permission on git. Similarly, we could exploit SUID permission assigned to the git program.
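As an added defensive check (not code from the article), the following script scans sudoers-style rules for entries that hand a user one of the binaries this series abuses: git here, and taskset, time and cp later on this page. The binary list and the sample sudoers content are constructed for the demo; the rule syntax is ordinary sudoers syntax.

```shell
#!/bin/sh
# Added example: find sudoers rules that grant risky binaries (with or without a password).

# Binaries covered by this series: git, taskset and time can spawn a shell or run a
# command under sudo; cp can overwrite files such as /etc/passwd. Hypothetical list.
RISKY_BINS='git cp taskset time'

# Constructed sample of /etc/sudoers content, including the lab rule from the walkthrough
SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL:ALL) ALL
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
test    ALL=(root) NOPASSWD: /usr/bin/git
test    ALL=(root) NOPASSWD: /usr/bin/taskset, /usr/bin/systemctl status nginx
%admin  ALL=(ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/bin/time
bob     ALL=(root) /usr/bin/cp'

# audit_sudoers FILE -> prints "user command tag" for every rule on a risky binary or on ALL
audit_sudoers() {
  awk -v bins="$RISKY_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
    /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    /=/ {
      user = $1; line = $0
      tag = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "password-required"
      sub(/^[^=]*=[[:space:]]*/, "", line)                # drop "user HOST="
      sub(/^\([^)]*\)[[:space:]]*/, "", line)             # drop "(runas)"
      gsub(/(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):[[:space:]]*/, "", line)
      m = split(line, cmds, ",")                          # one rule may list several commands
      for (i = 1; i <= m; i++) {
        sub(/^[[:space:]]+/, "", cmds[i])
        split(cmds[i], parts, " ")                        # first token is the binary path
        k = split(parts[1], seg, "/")                     # seg[k] is its base name
        if (parts[1] == "ALL" || seg[k] in risky) print user, parts[1], tag
      }
    }' "$1"
}

sample_sudoers_file() {   # writes the constructed sample to a temp file and prints its path
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_SUDOERS" > "$f"
  echo "$f"
}

audit_sudoers "$(sample_sudoers_file)"
```

On a live host the same function can be pointed at /etc/sudoers and each file under /etc/sudoers.d (readable by root only); the NOPASSWD lines it reports on git, taskset or time are exactly the lab condition the walkthrough relies on.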

References:

https://gtfobins.github.io/

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: cp Privilege Escalation

In this article we are going to look at another very useful command, “cp” (copy), and will cover all the basic functions of the “cp” command that a user can use. As we know, this command copies files and directories from a source to a destination; in this article we will study how we can use this command for privilege escalation.


Table of Contents

Introduction to cp

  • Major operations performed using cp

Exploiting cp

  • SUID lab setup for privilege escalation
  • Exploiting SUID

Introduction to cp

cp stands for copy. This command copies a file, a group of files or a directory from its source location to a destination. It creates an exact copy of a file on disk under a different file name. The cp command needs at least two file names as arguments.

First we run its help command to make our readers more aware of how the “cp” command is used.

Copy a single file to a destination: As said above, cp copies the content of a source file to its destination. Here I am replicating the content of a single file (raj.txt) to a new file (chiya.txt). If the destination file already exists, the command simply overwrites it without any warning; if the destination file doesn’t exist, cp first creates the new file and then copies the content of the source file into it.

On running the above command, cp copies all the content of raj.txt to chiya.txt, as shown in the image below.

Copy multiple files to a directory: With this command we can copy not only a single file but also multiple files to a directory whenever needed. Suppose we have several files, as shown in the image below, and we want to copy them all at once to a specific directory; then we can frame the command as shown below:

With this command cp copies the files “1, 2, 3, chiya.txt” to the named destination directory. If the directory doesn’t exist, it is first created and the content is copied into it; if the directory already exists, cp overwrites the existing content in the destination directory, so be careful while copying content from source to destination.

Copy a source directory to the destination: With this option cp works recursively, replicating the entire directory structure. Suppose we want to copy all the files and directories that a directory contains; in this case we simply copy the whole directory to the desired destination path instead of copying its files one by one.

In the image below I have copied the entire content of the source directory “ignite” to the destination directory “demo2” (which does not exist). Either -r or -R can be used for this purpose.

Interactive prompt: Normally cp simply overwrites the destination file if it exists. To make it prompt for confirmation while copying a file, we use the “-i” option. With this argument the command asks before overwriting the file, which helps the user avoid content being erased while copying from source to destination.

Here I want to copy the content of “chiya.txt” to “author”, which has some content of its own, so when I use the “-i” option it prompts me to confirm overwriting the text.

Backup a file: Whenever we need to create a backup of the destination file, we use the “-b” option. cp creates the backup of the file in the same folder with a different name and format.

On running the above command cp creates a backup of the file “author” in the same folder under a different name.

Copying using the * wildcard: Suppose we have many text documents in a directory and want to replicate them into another directory. Copying the files one by one takes a lot of time if we specify every file name as an argument, but with the * wildcard it becomes simple.

On typing the above command, cp copies all “txt” files to the destination.

Force copy: Sometimes the user is unable to open a file for writing because of the permissions set on it. In such a case we use the force option “-f” with cp, which deletes the destination file first and then copies the content from the source file to the destination file.

In the screenshot below we see that the file Example.txt has no write permission, so by using the “-f” argument with cp the user can still copy the content of the source file to the destination file.
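The cp behaviours described above (silent overwrite, -b backup naming, the * wildcard, -r on a directory, and -f against a destination without write permission), exercised in a throwaway directory as an added example; this is not the article's own command sequence, and the file names and contents are constructed to follow the article.

```shell
#!/bin/sh
# Added example: exercise the cp options from the article in a temporary directory.
set -e

cp_demo() {   # builds the scenario and prints the working directory path
  d=$(mktemp -d)
  (
    cd "$d"
    printf 'content of raj\n'   > raj.txt
    printf 'content of chiya\n' > chiya.txt
    printf 'original author\n'  > author
    cp raj.txt chiya.txt                     # destination exists: silently overwritten
    cp -b chiya.txt author                   # GNU cp keeps the previous file as author~
    mkdir ignite && : > ignite/1 && : > ignite/2
    cp -r ignite demo2                       # demo2 does not exist: created recursively
    mkdir txt_copies && cp *.txt txt_copies/ # the shell expands *.txt, cp just receives the list
    printf 'old example\n' > Example.txt
    chmod a-w Example.txt                    # destination file is not writable
    cp -f raj.txt Example.txt                # -f unlinks Example.txt and recreates it; this
  )                                          # works because the directory itself is writable
  echo "$d"
}

demo=$(cp_demo)
ls -l "$demo"          # shows author~ (backup), demo2/, txt_copies/ and the rewritten Example.txt
```

The last step is the point a defender should keep in mind: write permission on a file does not protect it from cp -f when the containing directory is writable, and with the SUID bit on cp (next section) the directory is always writable.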

SUID Lab setups for Privilege Escalation

SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Assume we are accessing the victim’s machine as a non-root user and we find binaries with the SUID bit enabled; those files/programs/commands can then run with root privileges.

Read more from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

Now we are going to give SUID permission to cp so that a local user can use cp with the privileges of the root user.

Hence type the following to enable the SUID bit:

Exploiting SUID

For this we connect to the target machine with ssh; type the following command to log in as the local user.

Then use the find command to identify binaries with SUID permission.

Here we see that the SUID bit is enabled on many binary files, but the one we need is /bin/cp.
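The same find-based enumeration turned into a baseline check, as an added example (not code from the article): every setuid file whose name is not on an allowlist is reported, which catches the cp (and, later on this page, taskset and time) lab setups. The allowlist is a hypothetical stand-in for a known-good baseline, and the demo builds its own fake bin directory instead of scanning the host.

```shell
#!/bin/sh
# Added example: report setuid files that are not on an expected-binary allowlist.

# Hypothetical baseline; a real one is taken from a clean install of the same distribution.
SUID_ALLOWLIST='passwd sudo su mount umount'

# list_suid DIR -> full paths of regular files with the setuid bit set (same test as find -perm -u=s)
list_suid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# audit_suid DIR -> prints each setuid file whose base name is not in the allowlist
audit_suid() {
  list_suid "$1" | while IFS= read -r path; do
    base=${path##*/}
    case " $SUID_ALLOWLIST " in
      *" $base "*) ;;                              # expected on a stock system
      *) echo "UNEXPECTED SUID: $path" ;;
    esac
  done
}

# make_fake_bindir -> throwaway directory imitating the lab setup (cp and taskset given the
# setuid bit, passwd and ls left as a stock system would have them); prints its path
make_fake_bindir() {
  d=$(mktemp -d)
  for name in cp taskset ls passwd; do
    : > "$d/$name"
    chmod 755 "$d/$name"
  done
  chmod u+s "$d/cp" "$d/taskset" "$d/passwd"   # the owner may set the bit on their own files
  echo "$d"
}

demo=$(make_fake_bindir)
audit_suid "$demo"      # reports the fake cp and taskset, stays silent on passwd and ls
```

Running audit_suid / on a real host and diffing its output against the previous run is the simplest way to notice a chmod u+s like the one in the lab setup.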

As we know, cp has SUID permission, so taking advantage of this right we will try to escalate to root privileges by injecting a new user into the /etc/passwd file.

First we open our /etc/passwd file with the tail command, which reads the file from its end and shows us that the file ends with the user “test”.

Now we create the salted password hash for our new user; this is done with “openssl” using the command shown in the screenshot below.

This gives us our hash value; copy it for further use.

Moving ahead, I have now copied the entire content of the /etc/passwd file to our local machine, added a new record for the user “chiya” and pasted the hash copied above into that record, as shown below.

Name this file passwd and run a Python HTTP server to transfer the file to the victim’s machine.

Now we want to place our modified passwd file inside the /etc folder to replace the original passwd file. We use wget to download the passwd file from our machine (Kali Linux) into the /tmp directory.

Now, with the help of the cp command, we can easily copy the content of the source file to the destination, as shown in the image below.

Now let’s switch to user chiya, who has the root user’s privileges and can access the root shell.

Conclusion: As you can see from the image below, we have escalated to root privileges by abusing SUID permission on cp. Similarly, we could exploit sudo permission assigned to the cp program.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

Linux for Pentester: Taskset Privilege Escalation

In this article we’ll talk about the taskset command, a Linux utility, and learn how helpful taskset is for Linux penetration testing and how we can use the taskset utility to obtain a higher-privileged shell.


Table of Content

  • Introduction to TASKSET
  • Major Functions of TASKSET command
  • Sudo rights Lab setups for Privilege Escalation
  • Exploiting Sudo Rights
  • SUID Lab setup for privilege escalation
  • Exploiting SUID Rights

Introduction to TASKSET

Taskset is used to set or retrieve the CPU affinity of a running process given its PID or to launch a new COMMAND with a given CPU affinity. The CPU affinity is a scheduler property that “bonds” a process to a given set of CPUs on the system. The Linux scheduler will honor the given CPU affinity and the process will not run on any other CPUs. Note that the Linux scheduler also supports natural CPU affinity: the scheduler attempts to keep processes on the same CPU as long as practical for performance reasons. Therefore, forcing a specific CPU affinity is useful only in certain applications.

Major Functions of the Taskset Command

First we run the taskset -h command (help), which tells us about all the options available in the taskset command, as we can see in the picture below.

Top Command:

The top command is one of the basic commands for monitoring server processes in Linux. It shows all running processes on the server, together with system information such as uptime, average load, tasks running, number of users logged in, CPU usage and RAM utilization, and it lists all the processes run by the users on your server.

Usage

I will take the process ID (PID) 1988 shown in the image above as an example to show the usage of the taskset command.

If you want taskset to display CPU affinity of all the tasks of an already running process (PID), use the command in the following way:

If you want taskset to display CPU affinity of only a current task of an already running process (PID), use the command in the following way:

If you want taskset to display CPU affinity of an already running process (PID) in a list format, use the command in the following way:

Sudo rights Lab setup for Privilege Escalation

Now our next step is to set up the lab for sudo rights, in other words to grant sudo privileges to a user for the taskset executable. Here we add a user named test to the sudoers file and give user test permission to run the taskset command as the root user.

Exploiting Sudo Rights

Now we connect through ssh from Kali and then run sudo -l (sudo list), through which we can see that user test has permission to run taskset as the root user.

Our next step is to exploit the sudo rights through the taskset command, so we run the command shown below with sudo rights and get a bash shell on the target machine with root privileges.

SUID Lab setups for Privilege Escalation

As we know, the SUID bit permission lets a user execute a file with the privileges of the file’s owner. Now we enable SUID permission on taskset so that a local user can use taskset as the root user.

Type the following commands for enabling the SUID bit:

In the image below you can see that the SUID bit is set on taskset; now it’s time for the exploitation.

Exploiting SUID

Now again we connect through ssh from Kali to our victim machine as the test user and then use the find command to identify binaries with SUID permission.

From the image below we can confirm that the SUID bit is enabled on the binary we are interested in: /usr/bin/taskset

As we now know that we can run taskset with root privileges, we are going to take advantage of that fact to add a new user with root privileges to the /etc/passwd file, so that we get access to the target machine with full root privileges.

Create a password hash for the new user mark with the password pass123 using openssl.

Now, using echo with the taskset command, we add the new user mark with root privileges to the /etc/passwd file of the target machine, then log in as mark using the su command and enjoy root privileges.
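Both the cp walkthrough (user chiya) and the taskset walkthrough (user mark) above end by appending a record to /etc/passwd that carries UID 0 and an openssl-generated hash in the password field. As an added example (not code from the articles), the check below flags exactly those two symptoms in a passwd file; the sample records are constructed and the hash strings are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: flag /etc/passwd records of the kind the cp and taskset walkthroughs create.

# Constructed sample passwd content: stock records plus the two injected ones and a
# passwordless account. The hash values are placeholders, not real crypt output.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
test:x:1000:1000:test,,,:/home/test:/bin/bash
chiya:$6$CONSTRUCTED$notarealhash:0:0::/root:/bin/bash
mark:$6$CONSTRUCTED$notarealhash:0:0::/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh'

# audit_passwd FILE -> prints "user finding" for every suspicious record
audit_passwd() {
  awk -F: '
    /^[[:space:]]*$/ { next }                          # ignore blank lines
    NF != 7 { print $1, "malformed-record"; next }     # a passwd record has exactly 7 fields
    $3 == 0 && $1 != "root" { print $1, "uid-0-but-not-root" }
    # field 2 should be "x" (hash lives in /etc/shadow) or a lock marker such as "*" or "!...";
    # a hash here is the openssl-passwd injection from the articles, an empty field means
    # login without a password
    $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1, "password-field-not-shadowed" }
  ' "$1"
}

sample_passwd_file() {   # writes the constructed sample to a temp file and prints its path
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$f"
  echo "$f"
}

audit_passwd "$(sample_passwd_file)"   # reports chiya, mark and guest; root, sync and test pass
```

On a live host run audit_passwd /etc/passwd; pwck -r gives the distribution's own read-only consistency check of the same file.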

Conclusion: In this post we have discussed the taskset command to demonstrate how an intruder can escalate privileges using the taskset utility because of the permissions allowed on it.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security.

Linux for Pentester: Time Privilege Escalation

In this article we’ll talk about the time command, a Linux utility, and learn how helpful the time command is for Linux penetration testing and how we can use time to obtain a higher-privileged shell.


Table of Contents

All About the Linux Time Command

Major Operations Performed by Time

Abusing the Time Utility

  • SUID lab setup for privilege escalation
  • Privilege escalation
  • Sudo lab setup for privilege escalation
  • Privilege escalation

All About Linux Time Command

The time command runs the specified program command with the given arguments.  When the command finishes, time writes a message to standard error giving timing statistics about this program run.

These statistics consist of:

  • the elapsed real time between invocation and termination, reported as real.
  • the user CPU time, reported as user.
  • the system CPU time, reported as sys.

time may exist as a stand-alone program (such as GNU time) or as a shell keyword (in shells such as sh, bash, tcsh or zsh).

To identify all installed types of the time program we run this:

Here “time is a shell keyword” means it is a built-in keyword of bash, whereas “time is /usr/bin/time” denotes the binary that comes from GNU.

Major Operation Perform by Time

Use the “help time” or “man time” command to read a summary of what the time command is used for.

Run Command

As said above, the time command computes timing statistics for any program run (a pipeline’s execution). For example, to compute the time taken by the date command:

As a result you will notice that it first runs the date command, printing the full date with time zone, and then reports the time taken by date as real, user CPU and system CPU time in seconds. GNU time prints the same information with some extra details such as total inputs and outputs.

Use the -p option with /usr/bin/time to obtain output in the same format as bash’s time.

Note: The real, user and system times will be zero for a program that is run repeatedly, because the next time the program is loaded from the system’s cache memory.

Save Output

By default the time command displays the timing statistics for the program in the terminal at the end of its execution, but if you want to store the timing statistics in a file you can use the -o option.

Syntax: /usr/bin/time -o [path of destination folder] command

Verbose Mode

You can use the -v option for verbose mode; here you can see the resources used internally to produce the output for the given input.

Formatting String

The format string generally consists of “resource specifiers” combined with plain text, each specifier introduced by a percent sign (‘%’), as shown below.

You can use \n for a new line in the format string, as shown in the given screenshot.

Abusing Time Utility

SUID Lab Setups for Privilege Escalation

The SUID bit permission enables a user to execute a file with the privileges of the file’s owner. Now we enable SUID permission on time so that a local user can use time as the root user.

Hence type the following to enable the SUID bit:

Privilege Escalation

Now we start exploiting the time binary by taking advantage of its SUID permission. For this I’m creating a session on the victim’s machine that gives us local user access to the targeted system.

Now we need to connect to the target machine with ssh, so type the command:

As we have access to the victim’s machine, we use the find command to identify binaries with SUID permission.

Here we see that the SUID bit is enabled on many binary files, but the one we are concerned with is /usr/bin/time.

Taking advantage of the SUID permission on time, we grab the shadow file to extract the password hashes.

Now I have used the John the Ripper tool to crack the password hashes. By doing so we obtain the credentials of the user, as shown in the image below.

Once we have the user’s credentials we can switch user. Here we first check the sudo rights of user raj and notice that user “raj” has ALL privileges.

Therefore, we switch to the root user account directly and access the root shell, as shown in the image. Hence we have successfully accomplished our task of using the time utility for privilege escalation.

Sudo rights Lab setups for Privilege Escalation

Now our next step is to set up the lab for sudo rights, in other words to grant sudo privileges to a user for the time executable. Here we add a user named test to the sudoers file and give user test permission to run /usr/bin/time as the root user.

Privilege Escalation

Now we connect through ssh from Kali and then run sudo -l (sudo list), through which we can see that user test has permission to run /usr/bin/time as the root user.

As we saw above, the time command runs a program and computes its timing statistics; therefore we now take advantage of the time command for privilege escalation.

Conclusion: In this post we have discussed the time command to demonstrate how an intruder can escalate privileges using the time utility because of the permissions allowed on it.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.