Check Your Privilege (Escalation)
3 likes304 views
The document discusses privilege escalation in Linux systems, outlining methods to gain higher access levels through various techniques such as 'easy mode', 'sneaky mode', and 'boss mode'. It includes explanations on checks for user permissions, such as sudo access and exploiting misconfigurations, as well as the use of cron jobs and kernel exploits. The presentation aims to educate on identifying vulnerabilities and effectively escalating privileges within a secure environment.
![8
sudo = super user do [something]
sudo –l
• What commands can you execute?
• Do you need a password?
https://xkcd.com/838/ - Incident
MAKE ME A SANDWICH
sudo](https://image.slidesharecdn.com/bsidescmh2019-kb-privescworkshop-190301175750/85/Check-Your-Privilege-Escalation-8-320.jpg)
![9
sudo = super user do [something]
sudo –l
• What commands can you execute?
• Do you need a password?
MAKE ME A SANDWICH
sudo
cat /etc/sudoers
• if readable, tells you which
users/groups to target
cat /etc/group
• lists users, IDs, group affiliations](https://image.slidesharecdn.com/bsidescmh2019-kb-privescworkshop-190301175750/85/Check-Your-Privilege-Escalation-9-320.jpg)
![16
• What is the SUID/SGID bit?
• How to find a SUID/SGID binary?
• What runs as the root user?
find / -perm -u=s [-type f] 2>/dev/null
find / -perm -4000 [-type f] 2>/dev/null
• What runs in the root group?
find / -perm -g=s [-type f] 2>/dev/null
find / -perm -2000 [-type f] 2>/dev/null
CHECK THEIR PRIVILEGE
SUID/SGID bits](https://image.slidesharecdn.com/bsidescmh2019-kb-privescworkshop-190301175750/85/Check-Your-Privilege-Escalation-16-320.jpg)
Check Your Privilege (Escalation)
- 1. Check Your Privilege (Escalation) KATE BROUSSARD, SENIOR SECURITY ANALYST AT BISHOP FOX March 1, 2019 BSidesCMH 2019
- 2. 22 Kate Broussard Senior Security Analyst kbroussard@bishopfox.com @grazhacks on Twitter ROADMAP FOR THE NEXT HOUR Introduction Outline • Priv esc definition + framing • Easy mode • Sneaky mode • Boss mode • Summary • Resources
- 3. PRIVILEGE ESCALATION AND SO WE BEGIN
- 4. 4 Definition • Using privileges of various agents to gain access to resources When does it come into play? Framing • Who’s doing the execution? • What are their privileges? Two ways to escalate: 1. You’re the agent – your current user permissions are sufficient to execute the command & do the thing 2. Something else is the agent – you get something else to execute the command under THEIR permissions, which are sufficient to do the thing DEFINITION AND FRAMING Privilege Escalation
- 5. EASY MODE SO YOU’RE IN THE SERVER – NOW WHAT?
- 6. 6 • Who are you? whoami id • Where are you? pwd • Are you really really lucky? cat /etc/shadow vs. cat /etc/passwd cd /root CHECK YOUR PRIVILEGE Before anything else
- 7. 7 • Where do you have read access? /home/ /usr/share/ ENV • Where do you have write access? /home/USER/.ssh /root/ /etc/crontab CHECK YOUR PRIVILEGE Permissions
- 8. 8 sudo = super user do [something] sudo –l • What commands can you execute? • Do you need a password? https://xkcd.com/838/ - Incident MAKE ME A SANDWICH sudo
- 9. 9 sudo = super user do [something] sudo –l • What commands can you execute? • Do you need a password? MAKE ME A SANDWICH sudo cat /etc/sudoers • if readable, tells you which users/groups to target cat /etc/group • lists users, IDs, group affiliations
- 10. 10 sudo –l • User has sudo permissions for python • Without needing the password – excellent! • Therefore can run python under root permissions sudo python –c ‘import pty;pty.spawn(“/bin/bash”);’ • New shell spawned by python also runs under root permissions SUDO MAKE ME A SANDWICH sudo Exploit - Python
- 11. 11 Password reuse is RAMPANT • web application passwords • common/default passwords nmap port scan or ps auf to see what’s up • known compromised passwords for specific users https://xkcd.com/792/ - Password Reuse WE ARE CREATURES OF HABIT Credential Reuse
- 12. 12 • Any passwords entered into history? • Any interesting files or directories? cat .bash_history vs history • .bash_history won’t dump current session data until session ends • history is a live dump of session LEAKED INFORMATION .bash_history
- 13. 13 • Are any credentials stored in logs? • Any other useful information? Log files/dirs that are writeable can be replaced by symlink. When owning process tries to write to log, will write to symlink instead. Can be a way to output data somewhere that you can read it. LEAKED INFORMATION /var/log
- 14. 14 1. Who/where are you 2. What can you see/modify with current permissions? 3. Look for: 1. sudo permissions 2. Credential Reuse 3. Leaked info from: 1. cat .bash_history 2. /var/log files Two ways to escalate: 1. You’re the agent – your current user permissions are sufficient to execute the command & do the thing 2. Something else is the agent – you get something else to execute the command under THEIR permissions, which are sufficient to do the thing RECAP Easy Mode
- 15. SNEAKY MODE FIND AND EXPLOIT SOME MISCONFIGURATIONS
- 16. 16 • What is the SUID/SGID bit? • How to find a SUID/SGID binary? • What runs as the root user? find / -perm -u=s [-type f] 2>/dev/null find / -perm -4000 [-type f] 2>/dev/null • What runs in the root group? find / -perm -g=s [-type f] 2>/dev/null find / -perm -2000 [-type f] 2>/dev/null CHECK THEIR PRIVILEGE SUID/SGID bits
- 17. 17 • What are “normal” SUID programs vs ones that are exploitable? Standard Linux utility? Try shell escape or command option argument Custom script to make an admin’s life easy? Try PATH = . especially if the script makes a call to an alias Also watch for wildcards CHECK THEIR PRIVILEGE SUID/SGID bits
- 18. 18 Binary Shell escape less !cmd more !cmd :!cmd vi :! cmd mysql system cmd ! cmd AND MANY MORE INTENTIONAL OPTION TO EXECUTE COMMANDS Shell escapes https://www.mariowiki.com/File:Koopa_Troopa_Artwork_- _Super_Mario_3D_World.png
- 19. 19 Binary Option find -exec CMD ; awk ‘{system(“CMD”)}’ AND MANY MORE INTENTIONAL OPTION TO EXECUTE COMMANDS Cmd option arguments
- 20. 20 TRICKING AN EXECUTABLE INTO SPAWNING A SHELL SUID Exploit Nano is another common executable If nano has a SUID bit set to root, can force an escape to root shell Exploit: 1. create a temporary file with shell cmd 2. open nano with temp file set as spell-check reference 3. run spell-check to execute cmd under root permissions
- 21. 21 Path is an environment variable telling the OS where to look for an aliased binary Instead of typing /bin/ls every time, you can just type ls Use case: Prank the Admin • Bill knows that his supervisor Sue has her PATH = . • Writes a script to prank her, names it ls, sticks it in his /home/BILL/ directory • Asks Sue why ls isn’t working in his ~ • Sue runs ls in /home/BILL/ and executes the prank script instead of /bin/ls binary START LOOKING HERE Path = .
- 22. 22 Not easy during assessment to know which users have PATH = . HOWEVER! Custom script on the web server might execute call to aliased program calling cat $FILE instead of /bin/cat $FILE If it runs under root privs, you can exploit it Use case: helperSH Exploit • helperSH is a custom script on the web server that makes life easy for an admin; SUID as root • Command within the script executes something recognizable (like ps) • In writeable dir, make new file echo “/bin/sh” > ps • Set own PATH = . • Execute script from writeable dir START LOOKING HERE Path = .
- 23. 23 Use case: helperSH Exploit • helperSH is a custom script on the web server that makes life easy for an admin; SUID as root • Command within the script executes something recognizable (like ps) • In writeable dir, make new file echo “/bin/sh” > ps • Set own PATH = . • Execute script from writeable dir START LOOKING HERE Path = .
- 24. 24 When using * wildcard, Unix shell interprets –FILENAME as command option argument Meaning you can submit command options through file name when running a wildcard process Keep an eye out for wildcards in custom scripts, cron jobs, executables chown example files in a given dir include: .FileRef.php --reference=.FileRef.php when root executes the following: chown –R nobody:nobody *.php becomes: chown –R nobody:nobody --reference=.FileRef.php User:group permissions of .FileRef.php are mapped onto every file in the directory COMMAND OPTION ARGUMENTS AS FILENAMES Wildcards
- 25. 25 When using * wildcard, Unix shell interprets –FILENAME as command option argument Meaning you can submit command options through file name when running a wildcard process Keep an eye out for wildcards in custom scripts, cron jobs, executables NOTE – EXPLOIT BELOW DELETES THE FILESYSTEM cd /tmp echo “blah” > “-rf /*” rm * When rm * gets to –rf /* file, command becomes rm –rf /* Which recursively deletes everything on the filesystem, starting at / COMMAND OPTION ARGUMENTS AS FILENAMES Wildcards
- 26. 26 SUID/SGID bits 1. Shell escapes 2. Cmd option arguments 3. PATH = . Wildcards Two ways to escalate: 1. You’re the agent – your current user permissions are sufficient to execute the command & do the thing 2. Something else is the agent – you get something else to execute the command under THEIR permissions, which are sufficient to do the thing RECAP Sneaky Mode
- 27. BOSS MODE THESE WILL TAKE SOME TIME TO GET RIGHT
- 28. 28 Cron jobs are cmds executed on a schedule Almost always run under root permissions • /etc/cron.allow & /etc/cron.deny specify user privs Cron takes a file; file tells it what to execute and when • /etc/crontab Related: at, batch (one-time execution) PRIVILEGE IS A CRONIC PROBLEM cron • How to exploit? 1. Overwrite /etc/crontab 2. Write to a cron dir (priv misconfig) 3. If the what is vulnerable, might be able to modify or hit something downstream 4. Cron jobs may also have exploitable wildcards
- 29. 29 PRIVILEGE IS A CRONIC PROBLEM cron • How to exploit? 1. Overwrite /etc/crontab (SUID on nano!) 2. Write to a cron dir (priv misconfig) 3. If the what is vulnerable, might be able to modify or hit something downstream 4. Cron jobs may also have exploitable wildcards
- 30. 30 PRIVILEGE IS A CRONIC PROBLEM cron • How to exploit? 1. Overwrite /etc/crontab 2. Write to a cron dir (priv misconfig) 3. If the what is vulnerable, might be able to modify or hit something downstream 4. Cron jobs may also have exploitable wildcards
- 31. 31 PRIVILEGE IS A CRONIC PROBLEM cron • How to exploit? 1. Overwrite /etc/crontab 2. Write to a cron dir (priv misconfig) 3. If the what is vulnerable, might be able to modify or hit something downstream 4. Cron jobs may also have exploitable wildcards
- 32. 32 Magic bullet: what if we just compromise the server OS itself??! Downside: there might be exploits that you need to grab & compile & debug NOTE: not-small risk of bricking the server HOPE YOU LIKE DEBUGGING IN C Kernel Exploits LSB_RELEASE -A UNAME -A
- 33. 33 Cron jobs 1. /etc/crontab 2. writeable cron dir 3. affect process downstream Kernel exploits Two ways to escalate: 1. You’re the agent – your current user permissions are sufficient to execute the command & do the thing 2. Something else is the agent – you get something else to execute the command under THEIR permissions, which are sufficient to do the thing RECAP Boss Mode
- 34. THAT’S ONE IN THE BANK LET ME SUM UP
- 35. 35 Typical goal in server: persistence + privilege escalation Linux tends to be consistent in its core utilities; get familiar with what’s there and where it lives, and spotting vulnerable paths gets a lot easier • Are you the agent? Drop into a root shell & give yourself persistence • Is something else the agent? Need an intermediate step – get something to help you out ONE HOUR IN ONE SLIDE Summary • Easy mode • Who are you? • Where are you? • What can you do? • Sneaky mode • SUID/SGID bits: shell escapes, cmd option args, PATH = . • Wildcards • Boss mode • Cron jobs • Kernel exploits
- 36. 36 • https://payatu.com/guide-linux-privilege-escalation/ • http://www.securitysift.com/download/ linuxprivchecker.py • https://exploit-db.com • https://www.linode.com/docs/tools-reference/linux-users- and-groups/ • https://resources.infosecinstitute.com/ privilege-escalation-linux-live-examples/ • https://www.hackingarticles.in/exploiting-wildcard-for- privilege-escalation/ • https://percussiveelbow.github.io/linux-privesc/ I’M REAL FRIENDLY Resources & Contact kbroussard@bishopfox.com @grazhacks on Twitter SLIDE DECK http://github.com/ grazhacks/BSidesCMH2019 PRACTICE VM http://bit.ly/ BSidesCMH2019
- 37. Thank You! Questions? kbroussard@bishopfox.com @grazhacks on Twitter SLIDE DECK http://github.com/ grazhacks/BSidesCMH2019 PRACTICE VM http://bit.ly/ BSidesCMH2019