Linux for Pentester: sed Privilege Escalation

This article will take our readers through all about Stream Editor (Sed), which is one of the most prominent text-processing services on GNU/Linux. In this article, we came with the brief introductory guide to sed which supports the main concern that how sed works and how we can accomplish its supplementary practice in the operation of Privilege Escalation.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”

Table of Content

Overview of sed                                            

  • Summary to sed
  • Chief Action achieved using sed
    • Replacement with the sed command
    • Printing and viewing from sed command
    • Deleting lines with sed

Abusing sed

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

Summary to sed

SED command in LINUX/UNIX stands for “stream editor” that can implement lots of purpose on file like, searching, find and replace, insertion or deletion. However, the most common use of SED command is for exchange or for discover and swap. By using SED you can edit files even without opening it, which is a much faster technique to find and replace something in the file. It is a powerful text stream editor which can do insertion, deletion, search etc. for any file as per user requirements. This command also supports regular expression that allows it to perform complex pattern matching too. Now to know further about the “sed” command we will start from its help option.

Note:It’s worth remarking that this article omits several commands, as our main concern is to reach about the “sed” influence over Privilege Escalation.

Key actions achieved by “sed”

  • Replacement with the sed command: As we know the “sed” performs many tasks that include insertion, deletion, modification and so on for any file as per user request so now we will start our journey to explore the entire utility of sed one by one.

1.1 Substituting or switching string: “sed” is used to replace or swap the string so whenever we need to exchange any string within a file then we will frame command as:

In the above command “s” denotes the substitution action. The “Ignite” is the hunt pattern and the “Egnyte” is the replacement string. By default, the sed command replaces the first incidence of the pattern in each line and it won’t replace the second, third…occurrence in the line.

1.2 Substituting the nth existence in a line: When we want to replace nth occurrence i.e. first, second and so on the existence of a pattern in a line then we will use the /1, /2 etc flags to mention the nth term.

Here I’m swapping for 2nd occurrence in each line.

1.3 Substituting all the existence at a time: As we know by default the sed command replaces the first incidence of the pattern in each line so if we wish to replace all occurrence simultaneously within a file then we can use flag “/g” for this purpose.

1.4 Substituting from nth occurrence to all existences: When we use “/g” this will make change globally to the entire file so if we want to make this swapping from a specific place then we need to mention that value(nth) from where we want to make changes.

On framing the above command it will replace all the patterns from the nth occurrence globally.

Note: In the below image you can’t see any changes for flag “3g” as my file doesn’t contain any 3rd occurrence of the replaced word but whenever there is the existence of substituted word at multiple times within a line then you can clearly see the changes that how its change globally from nth term.

1.5 Substituting the existence for a particular range:  We can limit the sed command to replace the string for a particular range. This can be achieved by framing command as shown below.

On framing this command the “sed” will replace “Ignite” starting from the first line to the third line.

Note:  One can use “$” in place of end index if we want substitute from nth term to the last line in the file.

  • Printing and viewing from sed command: Apart from substituting the string sed can help in printing and viewing a file as per user’s instruction.

2.1 Replicating the replaced line with /p flag: If we want to make duplication for replaced line then we can use the “/p” flag which prints the replaced line twice on the terminal. If a line does not have the search pattern and is not replaced, then it will print that line only once.

2.2 Printing only the replaced lines: If a user wants to print only those lines which are substituted then he can use “-n” option following by print command as shown below.

As from below image it can be cleared that on using “-n” the print flag has printed all the replaced line as output.

2.3 Printing lines by numbering it: This command is similar to “cat” in which we use “-n” for numbering the line for any file, same we can achieve from sed command too by framing the command as below.

On drawing the above command sed will print the output by numbering each line as per user request.

2.4 Display a file from x to y range: If we want to view a file from an instance i.e. for a range of starting index to end index then we write command as:

If we use “d” instead of “p” then sed will View the entire file except for the given range.

2.5 Print nth line of the file: Inplace of fixing end index you can also leave it blank if you wish to print only a specific line.

As in below screenshot, you can see when I have used above-mentioned command then sed has reflected the output only to print for the 4th line.

2.6 Print from nth line to end of file: To print any file from its nth line to the last (end of file) line then frame command as below:

Here “$” is an indication for reflecting the last line of the file.

2.7 Print the line only for pattern matching: If we want to print only those lines which match the given pattern then, in this case, we will draw command as:

From the below image, it is clear how this command works. Here in the below image, I have print those lines which include the word “training”.

2.8 Print lines which matches the pattern nth line: We can use numeric value along “p” to print for pattern matching till nth line.

3 Deleting lines with sed: Now we check how we can delete the lines from a file by the help of sed.

 3.1 Remove a specific line: To delete any particular line within a file us “d” option followed by sed command. Here I’m deleting the 3rd line from “Ignite.txt”.

3.2 Remove line for a range: If we wish to delete content till a particular range then we will set its “initial index value” and “end value” of file. In below image, I have deleted the content of “Ignite.txt” from its 3rd line to 5th line and will attain output for remaining file content.

3.3 Remove from nth to last line: Instead of fixing end index one can also use “$” to delete lines till the end of the file.

Here “2” indicating for the initial index from where deletion must be done and “$” is indicating to delete lines till the end of the file.

3.4 Remove the last line: If we won’t set any index value then “$d” will simply delete only the last line of the file.

3.5 Remove the pattern matching line: Sometimes we not only want to print or view those lines that match the particular pattern but also desire to delete them so in such case we will frame below command to attain output as per user request.

Here in below image sed has deleted all those lines which match the word “training”.

Abusing sed

Sudo Rights Lab setups for Privilege Escalation

Now we will start our mission of privilege escalation. To grab this first, we have to set up our lab of sed command with administrative rights. After that, we will check for the sed command that what impact it has after getting sudo rights and how we can use it more for privilege escalation.

It can be clearly understood by the below image in which I have created a local user (test) who own all sudo rights as root and can achieve all task as admin.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

Exploiting Sudo rights

Now we will start exploiting sed facility by taking the privilege of sudoer’s permission. For this very first we must have sessions of a victim’s machine then only we can execute this task. Suppose we got the sessions of victim’s machine that will assist us to have local user access of the targeted system through which we can escalate the root user rights.

So now we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

Then we look for sudo right of “test” user (if given) and found that user “test” can execute the pip command as “root” without a password.

Now we will access our /etc/passwd file by the help sed command to escalate or maintain access with elevated privileges.

Conclusion: Hence we have successfully exploited “sed” by achieving its functionality after granting higher privilege. 

Reference link: https://gtfobins.github.io

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Escalate_Linux: Vulnhub Walkthrough (Part 1)

Escalate_Linux is an intentionally developed Linux vulnerable virtual machine. The main focus of this machine is to learn Linux Post Exploitation (Privilege Escalation) Techniques. The credit for making this VM machine goes to “Manish Gupta” and it is a boot2root challenge where the creator of this machine wants us to root the machine through twelve different ways. You can download the machine following this link: https://www.vulnhub.com/entry/escalate_linux-1,323/

NOTE: In this article, we have exploited the machine with six different methods.

Security Level: Beginner-Intermediate

Penetrating Methodology:

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Web Directory Search 

Exploiting

  • Metasploit shell upload
  • LinEnum.sh

Privilege Escalation

  • Method 1: Get root shell by exploiting suid rights of the shell file
  • Method 2: Get a root shell by cracking the root password
  • Method 3: Get root shell by exploiting sudo rights of user1
  • Method 4: Get root shell by exploiting crontab
  • Method 5: Exploiting Sudo rights of vi editor
  • Method 6: Exploiting writable permission of /etc/passwd file

Walkthrough:

Scanning:

Let’s start off by scanning the network using Netdiscover tool and identify the host IP address. We can identify our host IP address as 192.168.0.17.

Now let’s scan the services and ports of target machine with nmap

Enumeration:

As we can see port 80 is open, so we tried to open the IP address in our browser and got nothing but the default Apache webpage.

So we used dirb with .php filter for directory enumeration.

After brute-forcing with dirb, we found a URL named http://192.168.0.17/shell.php

Now we opened the URL in our browser and found that it accepts cmd as get parameter.

So, we passed the id command in the URL and found the results are reflected in the response.

Exploiting

Since the target machine is vulnerable to command injection, we created a web delivery shell using Metasploit.

The target host was not able to run the script directly, so we used URL encoding.

After encoding the script, we were successfully able to run it on the target machine and get the meterpreter session.

We got the bash shell of User6 after using python one-liner shell command.

To further enumerate the target host, we uploaded LinEnum tool on the target host.

From the results of LinEnum scan, we found that the target host has eight users namely user1, user2 up to user8.

We also found that in crontab, a file named autoscript.sh is being run every 5 minutes with root privileges.

From the same LinEnum scan, we came to know that /etc/passwd is writable for users also. Also, we found that we can run shell and script files with root privileges because SUID bit is enabled on it.

Privilege Escalation:

As mentioned above there are multiple ways to do the privilege escalation of this machine.

We will try to do as many methods as possible.

Method 1: Get root shell by exploiting SUID rights of the shell file

Using the find command we can confirm that the shell file located in the home directory of user3 can be executed with root privileges.

We tried to execute the same file and got the root shell.

Method 2: Get a root shell by cracking the root password

From the above screenshot, we know that the script file located in the user5 home directory can be executed with root privileges. Using the Path variable exploitation methodology we can access the /etc/shadow file.

To know more about path variable privilege escalation use this link: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

on executing ./script, we have fetched the content of shadow’s file as shown in the below image.

We copied the hashed password of root user in the hash file and used John The Ripper tool to crack the password. We got the password of the root as 12345 and then using the su command we were able to access as root.

Method 3: Get root shell by exploiting SUDO rights of user1

We already know by now that script file can be executed with root privileges.

Using the same script file we can change the password of all the users with the help of Path variable methodology.

Here we used echo and chpasswd command to replace the existing password with our new password 12345. And then switched to the user1 account using su command. After checking the sudoer’s list for user1 we came to know that this user can run all commands as sudo.

So we ran the command sudo su and got the root access.

Method 4: Get root shell by exploiting crontab

In the previous screenshot, we saw there is a task scheduled after every 5 minutes for user4 in the crontab by the name autoscript.sh. We changed the password of user4 the same way as we did for user1 and then switched to user4 with the new password 12345. There we can see a file autoscript.sh in the Desktop folder.

So what we did is we created a payload using msfvenom and then copied the code into autoscript.sh file using echo.

After copying the code into autoscript.sh file we executed the file and started the netcat listener on our kali machine and waited for the shell.

Yes we got the root shell as the autoscript.sh is executing as root in the crontab.

Method 5: Exploiting SUDO rights of vi editor

We changed the password of all the users to 12345 using the same methodology as above and switched between users to check for more exploits. We found that user8 has a sudo permission for vi editors.

Open the vi editor with sudo and insert sh command as shown in the screenshot below, exit the editor and hurray we got the root shell.

And again we will obtain the root shell as shown below in the image.

Method 6: Exploiting writable permission of /etc/passwd file

Continuing with the enumeration of users, we found that user7 is a member of the root group with gid 0.

And we already know from the LinEnum scan that /etc/passwd file is writable for the user. So from this observation, we concluded that user7 can edit the /etc/passwd file.

So we copied the contents of /etc/passwd file in our kali machine and created a new user named raj with root privileges for which we generated a password pass123 using openssl.

As you can observe we have created a new entry inside /etc/passwd for user raj with root privilege.

On the target machine, we downloaded the edited passwd file in the /etc folder using wget command.

Then we tried to switch to our newly created user raj and YES yet again we proudly got the root shell of the machine.

Conclusion: So in this part-1 of Escalate_Linux we did the privilege escalation by six different methodologies. In the part-2 we will try to exploit the machine by some different methods. So keep visiting Hacking Articles for next part.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

PumpkinRaising : Vulnhub Walkthrough

PumpkinRaising is another CTF challenge from the series of Mission-Pumpkin v1.0 created by keeping beginners in mind and all credit for this VM goes to Jayanth. This level is all about identifying 4 pumpkin seeds (4 Flags – Seed ID’s) and gain access to root and capture the final Flag.txt file.

You can download it from here: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/

Level: Beginner to Intermediate

Penetrating Methodologies

Scanning

  • Nmap

Enumeration

  • txt
  • Abusing HTTP services

Exploiting

  • Ssh Login

Privilege Escalation

  • Abusing Sudo right

Walkthrough

Scanning

Let’s start with network scanning as the IP of this VM is 192.168.0.11. So, initializing this VM by scanning open port and running services over those port with the help nmap.

From its scan result, I found port 22 for ssh and 80 for http are available, moreover it gave some hint for /robot.txt file that disallows 23 entities. 

Enumeration

So first we navigate to a web browser and explore the VM IP and welcome by following web page. Read the following message:

“To raise Pumpkins, we need to collect seeds in the first step. Remember Jack? He is the only expert we have in raising healthy Pumpkins. It’s time to get in search of pumpkin seeds”

From this message, we can assume for “Jack” which could be a username.

Further, I explored /robot.txt file suggested in nmap scan and found some list of interesting directories, files and paths. Apart from all entries, I found a few interesting entries such as: /hidden/notes.txt, /underconstruction.html and /seeds/seed.txt.gpg.  so, we have explored each entry one-by-one.

The hidden note.txt showed certain data which may be needed to login credentials subsequently.

when I checked the source code of the homepage and here, I found a link for pumpkin.html

On exploring source code of http://192.168.0.11/pumpkin.html, I found a base32 encoded string.

With the help of online base32 decoder, we have decoded the string and note the path /scripts/spy.pcap that could be a hint for seed’s id.

To identify what is inside the spy.pcap file, I simply downloaded the file in our local machine and used Wireshark to read the network packet.

Here I found the first seed: 50609 from inside the tcp steam as shown in the below image.

Again, we come back to pumkin.html page and I found the decimal string on scrolling same file.

On decoding decimal string, we found one more seed:96454

As you know we have enumerated /robots.txt and from inside that, we found another important file /underconstrution.html as shown below. So, we have explored the source code of the web page and noted hint for an image.

Now, we have explored the below URL and found a picture for pumpkin which I have downloaded in my local machine.

After downloading the pumpkin image, I check for hidden data with help of stegosuite. This image was password protected image and if you remembered we had enumerated “Mark: [email protected]” secret keys from inside /hidden/notes.txt

I used the key: [email protected] for extracting the hidden file “decorative.txt” from inside the stegno image.

So, when I opened this file, it gave me another PUMP-Ke-Mon Pumpkin seed: 86568

Further, I downloaded the .gpg file as the link /seeds/seed.txt.gpg which was mention in the robot.txt file.

So, when I tried to open the file, I noticed that it requires the passphrase to decrypt the encrypted data which I don’t know. Here I tried to use above enumerated keys but could not able to decrypt it. After so many attempts, I successfully decrypted the file by entering SEEDWATERSUNLIGH which was mentioned in the home page of website in the 2nd image.

 On decrypting I obtained following text file as shown below and it was a Morse encoded text which used in telecommunication that encodes text characters as standardized sequences of two different signal durations called dots and dashes.

To decrypt the Morse text I have used cyberchef which is an online decrypting tool. On decrypting the text, I found another BIGMAXPUMPKIN seed 69507

As it was declared by the author that in this VM we need to find 4 SEED’s ID and a root flag. Hence, we have collected all 4 seed’s id but for getting root flag, we need to compromise the VM.  

When I didn’t get any vulnerability to compromised it, I tried to access ssh by the combination of all 4 seed found in this VM and used this as a password for user jack.

  1. SEED ID: 69507  
  2. SEED ID: 50609
  3. SEED ID: 96454
  4. SEED ID: 86568

Yuppie!! We got the shell access but for obtaining root flag we need to escalate the privilege from low privilege shell to high. Therefore, I check for sudo rights for user jack and found jack can run strace with sudo rights.

 Hmmm! We can abuse the sudo permission set for strace program. Hence type following and obtain the root flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Box: Netmon Walkthrough

Netmon is a recently retired CTF VM on Hack the Box with the objective – Capture the user and root flag. Hack the Box offers a wide range of VMs for practice from beginner to advanced level and it is great for penetration testers and researchers.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of netmon is 10.10.10.152

Penetration Methodology

Scanning

  •     Network Scanning (Nmap)

Enumerating

  •     Browsing the webpage
  •     Enumerating FTP

Exploiting

  •    Anonymous Login in FTP
  •    Reading user.txt

Privilege Escalation

  •      Enumerate for the config file
  •      Logging in Administrator Panel
  •      Exploiting RCE
  •      Reading root.txt

Walkthrough

Let’s start off with scanning with the nmap to check open ports.

Here I found port 21 for FTP, 80 for HTTP, 135 for RPC, 139 for NetBIOS, 445 for SMB are opened, rest were filtered.

We immediately proceed towards port 80 when we see it open. We find the PRTG Network Monitor page. But to use this dashboard, we need the login credentials. But we don’t have the access to those credentials at this stage.

In the nmap scan earlier, we saw that the FTP port 21 is open as well allows Anonymous Login. So, we login the FTP using the Anonymous as Login as well as password. After successfully logging, we use the ls command to list all the files that are shared. We see that we Users Directory available so we traverse into it using the cd command. Here, we have 2 more directories, Administrator and Public. We don’t have permission to access the Administrator directory so we move into the Public Directory. Here we find the user.txt file. We use the get command to download this file onto our system. Hence, we got our first flag, that is; the user flag.

Now we need to get the root flag. For this, we went to our most dependable friend, Google. After working our way through some of the PRTG Network Monitor manuals and help pages, we found this post. This gives us the location of the data that PRTG Network Monitor stores, that is “%programdata%\Paessler\PRTG Network Monitor”. As we still have the FTP connection, we went to ProgramData directory and then traversed all the way to the location mentioned. Here we located an old configuration file. We downloaded this file to our system so that we can analyse it closely.

After successfully downloading and searching through many lines of code, we stumbled upon the password, that was used previously. We took a guess here, as this was the previous configuration and it contains the year 2018 and whenever there is a current date in the password then they could be updated with the change in the date to the latest date.

This means, that the previous password was [email protected] and since the current year is 2019, we replaced 2018 in the password by 2019. This was an educated guess we made. So, using the new login credentials, we successfully logged in the PRTG Network Monitor Dashboard.

After looking around the dashboard for some time, we didn’t find anything that could help us in our quest to get the root flag. So, we went to another dependable friend, Exploit DB. We searched the exploit dB for PRTG Network Monitor and found this exploit. On further researching on the internet about this exploit, we found this script on GitHub. This script creates a PowerShell file and then it uses it to run commands on the target system to create a user. But in order to work, it needs the cookie that was used in the original login in the dashboard of the PRTG Network Monitor. We capture the request using the Burp Suite. Upon close inspection of the captured packet, we find the cookie that we require.

Now, we clone the git directory that contains the script that we require to create a new user. After giving the necessary permissions to the file to run. We run the prtg-exploit.sh file, with the Target IP Address and the cookie, captured as parameters. This script can take some time to run depending on your connectivity speed. But after successfully running it creates a user with following credentials.

Now that, we have the user created on the target machine with Administrative Rights, let’s nab that root flag and complete this challenge. We will use the psexec.py script form the impacket tool kit to connect to the Target machine. You can use any of the methods that are provided in this article. Here, we chose to run it directly as a python file. We need the username, password and target IP address as parameters as shown in the image given below. As we can see that after running, psexec gives the shell with Administrator rights. Now, we used the cd command to traverse into the Desktop Directory to find the root flag.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here