
I Broke In, Now What? Linux Manual Privilege Escalation 101

BSides Dallas/Fort Worth · 2020 · 52:03 · 62 views · Published 2020-11
About this talk
A practical walkthrough of Linux privilege escalation techniques from a defensive perspective. The speaker argues that blue teamers benefit from understanding how attackers escalate privileges—covering enumeration, weak permissions, SUID exploitation, and common misconfigurations. Emphasizes manual techniques and the importance of reading exploits rather than blindly running tools.
Original YouTube description
Discord - https://bit.ly/BSidesDFWDiscord. Although privilege escalation guides appear to be a dime a dozen, and it is obvious why this information is valuable for potential/future red teamers, the industry does not emphasize the benefits of blue teamers being familiar with this methodology and the value it could bring to their environment. Melina is a Senior Security Practitioner with 7+ years of experience in IT focusing on Security Operations, Incident Detection and Response. Offensive security/red team enthusiast.
Transcript (English)

Thank you. There are several other presentations in there, but I just wanted to say thank you guys for taking the time to join me. This is "I Broke In, Now What? Linux Manual Privilege Escalation 101."

Here I am: a bachelor's degree in computer systems engineering. I'm a senior security engineer with a little bit over seven years of IT experience. I'm a red team enthusiast; I'm by no means a hacker. I have a CCNA, SSCP, eJPT, CISSP, just kind of a little alphabet soup in here. My more in-depth experience is in incident detection and response. Honestly, I've always found incident detection really fascinating, because with the information that you have, you're given little pieces of information and you put a picture together, which is definitely really fascinating, and you kind of get to do a little bit of detective work, which is awesome.

My favorite color is pink, and when I was a kid I was terrified of Mr. Clean: creepy and grumpy. But yeah, I guess you grow up and you learn. "If you're a blue teamer, why are you teaching me pentesting stuff?" A very common question that I've always gotten. I've had co-workers reaching out to me like, "Why are you putting so much effort into this?" Even one of my old bosses: "You do realize we don't pentest in here, right? You're never gonna be pentesting, at least not in here." I mean, it makes a lot of sense, but I always thought that if you really want to protect an

environment you have to think as an attacker, right? You want to know how an attacker would act in order for you to take the right measures and the right actions to protect your environment. Another thing that is very common: the industry tries to glamorize pentesting, and it's true, red teamers are fascinating. "I get to be a hacker, and I use the hashtag #hacking and take selfies and post them on Twitter with my hoodie," and that's fun, but they really don't talk about the challenges that a blue teamer would face. A red teamer

starts there, they go through all the steps, "Well, first I'm in, it's over, I'll go home and watch the Kardashians or do whatever I do," while a blue teamer, if you see it like this, is basically working 24/7. An attacker, or a really, really bad person, wouldn't really be bad just from nine to five, so I guess it's just something to keep in consideration. They're playing pretend; it's the blue teamers that are the unsung heroes of the whole entire industry. That's just the way I see it. What exactly is privilege escalation? Well, privilege escalation vulnerabilities are security issues that

allow users to gain more permissions and a higher level of access to systems or applications than their administrators intended. These types of flaws are valuable for attackers because they are needed for full exploit chains, but can be overlooked by defenders or developers because of their lower severity scores. So what does this even mean? It's just a whole bunch of text, but if you think about it for a second: whenever you compromise an application, whether it's via port 80 or another port, through SMB or through FTP, you manage to gain a shell. Now that I think about it, I've never really seen FTP

in production. I'm pretty sure some people still use it, but it's a very old protocol. And you don't really gain access to the administrator user, to the root user. In an ideal world a system administrator works under least privilege. What does this mean? You give permissions for them to perform their daily tasks, and when I say "them" I'm talking, for example, about Bethany from accounting, or Pedro from the front desk, or Alice from accounts payable, or Bob from project management, or others. But this should also apply to service accounts like apache or www. Those types of accounts should really be given the very bare minimum access for them to perform what they're

supposed to do. The Bling Ring, 2009: a group of Hollywood-area teenagers broke into celebrities' homes to steal luxury items. They took as much as they could and they went unnoticed for several months. What does this have to do with privilege escalation? Although this happened in 2009, the time I heard about it, I think it was back in 2014, and if I'm not mistaken they even made a movie about it. But when they interviewed these people, I was so surprised about the answers that they gave. They were like, "Yeah, so we looked at the most obvious solutions," the most obvious things to do for them to get

access. "We created persistence in a way where we could have taken a copy of the key if we wanted to, and we got so used to it and so comfortable with it that we started taking whatever we wanted." So three things came to mind: they were persistent, they looked for the most obvious or easy solution, and they managed to remain sneaky. So those would be really good things for privilege escalation, or even for compromising a machine for the first time, because it's like pentesting but backwards. Awesome. The ugly truth, and when I say the ugly truth, the one that we face: again, this industry is really going to try to

glamorize pentesting, which is pretty cool, but one thing to take into consideration is, for example, it is unlikely that you'll find a one-size-fits-all type of exploit. Whenever you're trying to work with an exploit that's going to give you a shell, you have to make some changes. If you're lucky, you might only have to change the port number and the IP, but there's a lot more to that. There might be a directory that you need to change, or an attempt to root ports with just a different username, or maybe you're missing a library, which is a nightmare if you're really

not familiar with any type of programming. [unclear] So this kind of reminds me of "the people in your neighborhood":

just because you're not able to gather something useful from your current [machine]... so you really want to take a good look at what's in your network and what the purpose of those computers in there is. Is it some kind of web server? Is there a print server? Is this just Linda from IT? Just anything.

So this is kind of like a rinse-and-repeat process. You're not able to find anything the first time? Okay, enumerate again, enumerate better, look at those other machines in the network. If you found credentials, that's awesome; try to test those credentials. It's tedious and you just wanna...

operate with the destination. The actual pentest: this one is really not a sandbox for the actual pentest, for you to feel comfortable and practice. There's really not going to be something defined for privilege escalation itself. Creating sandboxes for customization, research and testing: well, you know what they expect and you don't want to get in trouble. So if there is an exploit, or if you have a defined privilege escalation methodology, you're not just going to run to the client machines and try everything like crazy if it's something you're not familiar with. It really doesn't matter if you're practicing in Hack The Box or

what's the other one, the "try harder" one? Oh, OSCP, that one. Anyway, it really doesn't matter, because you can just reset the machine and then you're good to go, but in the real world you can really mess up a client's environment and then get in trouble.

Awesome. Now, my slide is really not exactly working. Okay, there it is, yay. Okay, "explain like I'm five." We're really not going to reinvent the wheel in here; we're just going to talk about a little bit of the basics when it comes to the attack kill chain. For example, reconnaissance: identify it, try to gather operating systems, architectures, versions, anything that we could potentially find very useful. A lot of people say, "Don't underestimate the power of reconnaissance." "Hey, I hacked into this box and I didn't enumerate." I mean, this is just common knowledge; everybody knows that if you want to start getting an initial shell it's very important to

enumerate well. Weaponization: this means basically pairing an exploit with a particular vulnerability. Having an open port doesn't necessarily mean that we're going to be able to exploit it; perhaps it's patched, or we're not able to find anything functional, so that's something to keep in mind. Another thing that is important when we're enumerating: well, bigger target, bigger chances for you to be able to compromise something. So we have our exploit. How are we going to place it where it's supposed to go, right? So whether it's something that we need to inject or we need to

place a reverse shell, are there any additional ports open that we have access to? That's something we really want to keep in mind.

Exploitation. I used to say, "Okay, here's an exploit, but why doesn't this give me a shell? Where is my reverse shell? Why am I not able to connect to the end host?" Not all exploits work the same. Some of them do different things that you could use to your advantage. For example, in this particular case, it

gave me a hash that I could use for a web application. So I had to crack the hash, use the standard default admin name, and boom, I was in. It's self-explanatory. How do we activate the payload or the exploit that we just delivered? How do we trigger it? What do we have to do? Whether we have to make a user click on something or make a user open an attachment, there's something from our end, or an action, for it to work. Do we want to add or install additional tools? Hands on keyboard, right? We're basically able to do anything we want, and at this

point we kind of have full control. Actions and objectives: so what were we trying to gather out of all this? Were we just having fun because we were bored? Are we really bad people? Is this just an engagement from a client? Whatever your final objective was, basically we just got to it. It's backwards: it's about a group of security operations analysts that work for a TV station and use logs to save an innocent man from going to jail. I saw this years ago,

but this slide [unclear].

The word "toxicity" in the industry when it comes to the use of Metasploit: you just go in, and it's like food from Whataburger or McDonald's or whatever. What I most commonly hear: "You're not a real pentester." "That's paint by numbers." "Everything is pre-made, there's really no point to it." "Try harder." So yeah, it's something very common, and honestly I don't see why. I'm not really here to bash on Rapid7; I think it's a great tool and I find it extremely useful. But it's unlikely that in the real world you'll find a client telling you, "Hey, you better not be using Metasploit," or

"don't use this." Unless they say "don't use Metasploit" or "don't use so-and-so tool," then you should be good to go with them. It's basically the challenges that you could potentially deal with. You get what you paid for; I assume the paid version has more visibility. Another thing is visibility, so I want you all to think of something: if y'all ever used Metasploit, have you actually looked at your exploit's open code? Because I for sure didn't when I got started. I don't remember it very clearly, but when I was just getting started, the first time I used it, I think it was for a NetAPI vulnerability. It was for a very

old Windows XP machine, and it didn't really even give me a shell itself; it gave me a VNC session and it was slow as crazy. I could very barely move the mouse, but I felt like I was a hacker anyway. Customization requires expertise. There's two things to this: you really have to know what you're doing in order to get the results that you expect, and this applies pretty much to everything, not just pentesting. So if you really want to be able to write your own code, you have to have a good understanding of the vulnerability. Just get familiar with the vulnerability itself, learn how it works,

what the limitations are, which operating systems or which types of services it would apply to. So here is pretty much a little rundown of our Metasploit modules: we have auxiliary, payloads, exploits, encoders and nops. Auxiliary: I'm going to have to say this is definitely one of my favorite modules, because even though it doesn't really give you a shell or an exploit, there's information that you could gather and potentially use during other steps, even scans or fuzzing. I've honestly never tried this for Linux, but I know that for Windows there is an auxiliary module where you have the option to impersonate a

token, so if you find credentials you can actually impersonate that user. I know that manually you can do it with Hot Potato, but for Metasploit the impersonate token option is right there, and it's a lot easier and it really saves you a lot of time. So basically that one is self-explanatory. So what happens with those? You get to select which payload you want. Okay, what is a payload?

What do you want to do with your victim computer? Do you want to get a reverse shell from it? Do you want to connect to it directly via TCP bind? Or do you just want to be funny and pop the calculator? Well, that is a potential payload. Pretty much all the potential code that we would want to use. Then the format of the payload that we want to give, to evade security. I honestly believe that there isn't such a thing as "this is unhackable" or "this is 100% secure." It doesn't exist; you might as well be looking for a unicorn. I'm just gonna add that extra layer of security, and you might make it trickier for them

to find you. Then there's nops, for no-operation, and what is a no-op? It doesn't do anything. And why would we want an operation that doesn't do anything? Well, for example, for memory alignment. If we're trying to use buffer overflows, if we want a pointer to point, or to be assigned, to a certain part of the registry, there are certain programming languages that do not allow nulls, so instead, to invalidate or avoid an instruction, that's when we use a nop. msfvenom: msfvenom is a tool that allows users to generate payloads and encode them. Some msfvenom features: one single tool, standardized, and increased speed. So what I mean with one single tool

is the fact that before 2015 there was a combination of msfpayload and msfencode, and now it's all bundled up together, so that's awesome. And this is what an msfvenom tree looks like. So, as I was mentioning earlier: reverse TCP, the Apple ones, and the ones with Meterpreter; it's definitely something that I want to do at some point. These two are the ones that I most commonly use, linux generic and python. You can create an exe, so you don't always have to go to Metasploit and look for them. How do I escalate privileges? That's a really good question. Knowing your distribution type and

that's rather general info. I used to think that Linux distributions were pretty much like [unclear], use one, use them all, but that's really not true. [An exploit for one] is probably not available for other distributions. And what is currently running: you want to be able to visualize what you're fighting against, right? So you want to see which applications and services are running so you might be able to exploit them. Weak file permissions:

so we might be able to exploit that. For example, the typical case of Linda from accounts payable having permissions because she's always been harassing the IT department and everybody's afraid of her. Like I was mentioning before, it's not really that you have to be extremely technical; you just have to keep your eyes open. A lot of the time, the fact is that sysadmins don't really do their due diligence and incorrect permissions are assigned. Cron jobs, which are basically Linux scheduled tasks, and configuration files. With configuration files the fun part is we might not be able to get a shell out of them, but we might be able to see

a version, a default user, and a lot of the time lazy admins just reuse their passwords. It's possible to replace legitimate binaries with your own code as a means of executing them at a higher permission level. If a user has permission to write into the folder where the binary is located, then the file can be replaced with custom code. Long story short: if I can write to it, I can write whatever I want, including a reverse shell, or a way for it to connect back to me as the root user. So a lot of you guys are really familiar with all of these commands; we're really not gonna go super crazy on them because I don't want to put you all to sleep.

So we're looking at our versions of the kernel, the computer that we connected to. ifconfig: we want to see our current IP. arp: to be able to look at our local addresses. Which ports are open, which services are in there, which port numbers we can see. id: which current user are we? /etc/passwd, for example, that would be all the current accounts, or all the current usernames, on that computer. Honestly, this is really important when it comes to privilege escalation. So sudo stands for "superuser do." I'm so sorry guys, okay, so here's what happens with me:

I speak very broken English, but in my defense I've only been in the U.S. for like five years. So anyway, this is recorded, but if y'all ever have any kind of issue understanding what I'm trying to say, just ping me and I can totally repeat that. So, back to sudo: yeah, superuser do. So there are times when you do not have root, but this doesn't necessarily mean that there are not certain commands you can run under root permissions. I like how I'm having a window open and it doesn't work. So, the green button here: sudo -l. What does this mean? All the applications and all the potential commands that I could run under root permissions. I'm gonna try to do sudo

vim. I like how I cannot type for my life, and then

boom, I'm root. So basically what I did in here was I used the vim option that I have. I can see that for nano, I can see that for ftp, I can see that for... I'm gonna go back to my old account, a different command, so let's just go ahead and try, for example,

oh, okay, yeah, there is still a way that I can abuse this. If I do an exclamation point, boom, I'm root. So another thing that you want to keep in mind is under the sudo options:

Google that. So it's like, okay, how do I exploit... I've used nano, I've used the man option. So it's really helpful. Files: world-writable directories, writable files, and checking for mounted file systems. Why on earth would I want to know this, or how is this anything useful? Okay, because if you want to be able to copy your post-exploitation tools, or any tools that would potentially help you, you want to find a location where they work.
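Added example, not part of the talk: the `sudo -l` check above is something a defender can turn into an audit. The script parses the text `sudo -l` prints and flags rules that grant `ALL`, or that grant an editor, pager or interpreter (vim, nano, ftp and man are the ones mentioned in the talk) which can drop back into a shell as the target user. The sample output, hostname and user `alice` are constructed; the `SHELL_CAPABLE` list is an assumption and should be extended for the environment.

```python
import os
import re

# Constructed sample of what `sudo -l` prints for a user; hostname and
# user are placeholders, not output from the talk's lab.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on webbox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on webbox:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/nano /etc/hosts
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/local/bin/backup.sh
"""

# Programs the talk mentions (vim, nano, ftp, man) plus other editors, pagers
# and interpreters that can hand back a shell when run through sudo. This set
# is an assumption for the example; extend it for your own baseline.
SHELL_CAPABLE = {
    "vim", "vi", "nano", "ftp", "man", "less", "more",
    "sh", "bash", "env", "python", "python3", "perl", "find", "awk",
}

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_rules(text):
    """Return the command rules listed after the 'may run' header."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd").strip(),
        })
    return rules


def audit_sudo(text):
    """Flag rules that amount to a shell as the run-as user.

    Returns [(cmd, reason), ...] in the order the rules appear."""
    findings = []
    for rule in parse_sudo_rules(text):
        cmd = rule["cmd"]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted: any command as " + rule["runas"]))
            continue
        program = os.path.basename(cmd.split()[0])
        if program in SHELL_CAPABLE:
            how = "without a password" if rule["nopasswd"] else "with the user's password"
            findings.append((cmd, f"{program} can spawn a shell as {rule['runas']} {how}"))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit_sudo(SAMPLE_SUDO_L):
        print(f"{cmd:45} {reason}")
```

Fixed arguments (the `nano /etc/hosts` rule) do not make an editor safe, since the shell escape happens inside the program, so the audit flags on the program name rather than on the argument list.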

If I can write to it, I can write whatever I want. Just basically see which applications are installed as root. What files am I able to see under the html folder? This would be especially useful if we're talking about a web server. And in here, which applications are running under SUID.

The lazy way: obviously there's always going to be an easier way to do it. So the screen there will show you relevant information about the security of the local Linux system. Verbosity, so you can control how much information you see.

To transfer this file, you can do it with an HTTP server from the victim box. Again, the way of how to transfer it is really subjective, because you can do it that way, or if you have, for example, FTP open, or you notice that you have access to their web application or their web portal and you already have a standard user credential, okay, I'm going to pull the file and then I'm just going to build it from there. So you have to work basically with the options that you're given, and then you pull your file from your attacker box into your victim box, and this is the way for you to notice that

everything was transferred correctly: if you get a 200 here, you may say it's okay. Users and groups: other users of this shell, other members. This is one of my favorite types of ways of privilege escalation. As for groups, this is really fun, because I remember back when I was trying to

... and noticed that I didn't really have enough permissions myself, so I could grant permissions, and we were goofing off and he was like, "Grant them yourself," and I was like, "Okay, maybe I will." Yes, I could actually give myself permissions, and in a normal environment you should not be able to do that. SSH files, files owned by user: so this is basically going to give you the standard set of questions, or the standard set of points, that you want to be looking at if you want to escalate. This is an account that I created for testing, so that's me. Never, never rely just on those typical tools; you want to be able to do it

the old-fashioned, boring, difficult way: to copy anything, or you're not gonna be able to find a directory that you can write to. And you want to be able to read the output of this type of tool. It really doesn't make any sense if it's just spitting information randomly and you don't really know what it means.

Find: make sure that you have a good understanding of how the vulnerability is exploited, which is what I was mentioning before. Validate that the exploit works and that it works as intended. So never, never ever test in production. It's recommended to have a practice computer or a virtual machine that you can test it on. Your target: if your look is just going to be SUID, directories and ports and the very basics... I can tell you right now there's a lot more to that. Now, what's our indication of sections that need to be modified? So I think when I asked [name unclear], a while back, he was like, "Well, there are

ways for you to find exploits and run them correctly," and I remember asking him, all frustrated, "Okay, so how do I run them?" "Well, there is documentation, and most of the time the exploit in there tells you how to run it." So, well, read your exploit; don't just try to blindly run it, just read what it says. Exploit Database is the ultimate archive of exploits and vulnerable software, a great resource for penetration testers and vulnerability researchers. So you define them,

let us point out. So, okay, I mean, just personal choice, I guess. If it's for privilege escalation, the platform filter options in here.

The particular option of searchsploit in Kali, so you can just type searchsploit and the name of the application that you want to find an exploit for.

There is, in the industry, like, "Oh, I use Kali, I'm such a hacker," and there's a lot of backlash. So I ask people, okay, what is the right type of distribution for you to use? What is the right type of distribution? "Because that's the one that I like." So if you ask me what the right type of distribution is for pentesting: whatever you feel comfortable working with, right? Unless a client specifically tells you "don't use that," whatever it is that you feel comfortable working with and works for you or gives you the results that you want, because it just works well

for me. But, for example, my brother is just getting started in infosec and he told me something that made me think: rather than going for Kali, I'm just going to get the pentesting framework that I could use on Debian, because rather than downloading something extra, I'm the kind of person that tries to add that capability to what I already have. Let me think... I guess exploit suggester. So exploit suggester is designed with the purpose of detecting security deficiencies for a given Linux kernel. It provides the following functionality: assessing kernel exposure on publicly known exploits, [for] every publicly known and experimental exploit,

and verifying the state of kernel hardening security measures, so it can check for most security settings available in your Linux kernel, and it verifies not only the kernel compile-time configurations but also runtime settings, giving a more complete picture of the security posture. Here's the interesting part: known Linux kernel exploits. So it has to be something that has already been documented. So if your exploit suggester is really not up to date, or it's not something that holds all the exploits documented, then it might not be any good. Like I said before, do not, again, do not rely just on third-party tools. You really have to have a good idea of what

you're doing. So we're going to take a quick look at how the output will look. So this is my terminal right

now, so this is the result that it's giving, pretty much

what potential exploits you can use.

But yeah, most of them [unclear], they take a lot, they might be really resource-consuming. A good countermeasure against them: also know that if you're in security operations there's just so much that you can do, but just keep your eyes open for compilation tools. You do not want to keep compilation tools on an end user's computer. I'm gonna get hacked, but I mean, if you're gonna get hacked, make it harder on them; just don't offer everything on a silver platter. And then, so I have three rules: never make a change without testing it,

never test in production, and always follow [unclear]. So that's something my boss always said when I was just getting started, and basically it boils down to "don't do anything stupid." SUID files: SUID is a Linux feature that gives low-privileged users the ability to execute a file as the file owner. SUID stands for "set user ID." If a file is owned by the root user and the setuid bit is set, no matter who executes the file, it's always going to run with root user privileges.

So how would we find setuid files?

And this is the one that I found. I'm gonna run it through the manual way, with the exploit... With the smart enumerator, linux-smart-enumeration is also going to list it, right? So this is something to keep in mind.
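Added example, not part of the talk, covering both the "files: world-writable directories and writable files" enumeration above and the setuid search here. The script walks a tree without following symlinks, reports setuid/setgid regular files and world-writable entries (a sticky world-writable directory such as /tmp is expected and skipped), and compares the result against an allowlist baseline so that only new setuid binaries or newly writable paths stand out. `demo()` builds a constructed tree in a temporary directory; the file names in it are made up.

```python
import os
import stat
import tempfile


def classify(st):
    """Name the risky bits on one inode: setuid/setgid on a regular file,
    or world-writable on anything except a sticky directory like /tmp."""
    mode = st.st_mode
    kinds = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        kinds.append("suid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        kinds.append("sgid")
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        kinds.append("world-writable")
    return kinds


def scan_tree(root):
    """Walk `root` without following symlinks; return sorted (relpath, kind)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry, like find's warning
            if stat.S_ISLNK(st.st_mode):
                continue
            for kind in classify(st):
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)


def diff_against_baseline(findings, baseline):
    """Findings not in an approved baseline, e.g. the distro's own setuid
    binaries recorded from a known-good host."""
    return [f for f in findings if f not in baseline]


def demo():
    """Build a constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)
        helper = os.path.join(bindir, "helper")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(helper, 0o4755)              # setuid file, like the one in the talk
        shared = os.path.join(root, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)               # world-writable, no sticky bit
        scratch = os.path.join(root, "tmp")
        os.mkdir(scratch)
        os.chmod(scratch, 0o1777)             # sticky: expected for /tmp-style dirs
        conf = os.path.join(root, "app.conf")
        open(conf, "w").close()
        os.chmod(conf, 0o666)                 # world-writable config file
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:15} {rel}")
```

The same walk run against `/` on a real host produces the list the talk gets from `find` and from linux-smart-enumeration; keeping the baseline in version control turns a noisy listing into a diff.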

How to find a setuid binary: normally Linux permissions are broken into three different groups like this. The SUID is represented by an "s" in the execute position of the user group: user, group and other. The user is pretty much the owner. I love this meme, so 444. I know that they say that if you have to explain a meme it's no longer funny, but going back to the permissions: we have a 4 for the user, we have a 4 for the group, and we have a 4 for the other. 4 always equals only read permissions, and this is a read-only area. Oh wow, nerdy humor. I'm not alone, though. We look for an existing exploit and

overwrite an existing binary with a reverse shell. In this case there is an exploit for it, so this is the one that I ran. It's called [unclear]. Appropriate permissions, I run it, and here it is: I am root. /etc/passwd is a plain-text-based database that contains information for all user accounts on the system. It is owned by root and has 644 permissions by default; it is readable by all system users, but only root can modify it. So what I did here, if I wanted to exploit it, is I created a hash in my local box, right, because the format requires me to

do so.

Then I appended a new line into the /etc/passwd file to create a new user. So this is what it looks like.

I switched to my newly created user and boom, I was root once again.
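Added example, not part of the talk: the /etc/passwd technique above leaves two artifacts a defender can detect, a second uid-0 account and a password hash sitting in the second field instead of the `x` that points to /etc/shadow. The script parses passwd text and reports both, plus empty password fields and malformed lines; `passwd_file_writable()` checks the precondition the talk relies on. The sample file and the `dbadmin` line are constructed, and the hash in it is a placeholder string, not a real crypt(3) value.

```python
import os

# Constructed sample /etc/passwd with one planted entry. The hash is a
# placeholder, not real key material.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dbadmin:$6$PLACEHOLDERSALT$PLACEHOLDERHASHNOTREAL:0:0::/root:/bin/bash
"""

# Second-field values that mean "no hash stored here" (shadowed or locked).
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Yield (line_no, fields) for each non-empty line; field count is
    checked by audit_passwd so malformed lines are reported, not dropped."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            yield no, line.split(":")


def audit_passwd(text):
    """Return [(user, reason), ...] for entries a defender should look at."""
    findings = []
    for no, fields in parse_passwd(text):
        if len(fields) != 7:
            findings.append((f"line {no}", "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 account other than root"))
        if pw == "":
            findings.append((user, "empty password field (no password required)"))
        elif pw not in SHADOWED:
            findings.append((user, "password hash stored in passwd instead of shadow"))
    return findings


def passwd_file_writable(path="/etc/passwd"):
    """The precondition abused in the talk: can this process write the file?"""
    return os.access(path, os.W_OK)


if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:12} {reason}")
    print("/etc/passwd writable by me:", passwd_file_writable())
```

On a live host, feed it `open("/etc/passwd").read()`; a file-integrity alert on /etc/passwd plus this check catches the appended line within one monitoring interval.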

Here with Linux, what you can do is, with this double sign (>>), it appends to the existing file. Appending just means you add to it, and this is just going to basically write to it. As I was mentioning earlier, if a target is running a CMS system, it is recommended to look at the configuration files, as they can often contain sensitive information such as credentials. Not necessarily just credentials; like I said, they can also be, for example, operating system versions or application versions, caches, usernames for other machines, something very helpful. Cron jobs: a cron job is a Linux utility used for scheduling tasks that can be executed at a specific time. This type of task runs with the security

level of the user who owns them. The configuration for cron jobs is stored in the crontab, which is known as the cron table. So if we browse directly to the crontab directory, this is where we're looking, this is what we want. This is always going to be in Linux. These last couple of lines are what caught my eye. Okay, where's this file? If I'm supposed to write to it, I gotta know where it is, and I found it. So what I did in here is completely wipe this file blank, okay, I don't want anything on it. So I rewrote the shebang, and in this line I am writing my shell. This is my

local host; this is the computer where I wanted it to connect back to, and the port I wanted to use. And the reason why I'm doing cat override.sh is because I want to make sure that everything that I wrote is in there, so I can see it in here. And then this is my listener, and I can see that, since this is a cron job, after a certain amount of time it started running and I got my root reverse shell. That's the reverse shell that you most commonly are going to use for them. Backups: backups with permission misconfigurations can contain sensitive information such as private keys. A private key is used to identify you to any server

you're connecting to, so it must match the public key stored in the server's authorized keys for the account that you're trying to connect to. So you have to have a match to your destination. Some common directories where backups can be found: /tmp, /var and /root. This is what a private key would look like in a case like this. So we copy it and it's going to give us access. And here I'm just setting permissions and I'm trying to SSH to it. I'm giving the appropriate permissions in here. On my victim host I'm already root, so I'm just going to try to show you guys this file. Looking into it, this is my private key.

I wanted to give it any kind of random name, but I couldn't think of anything, so I was just like, yeah. I SSH, and I'm root. So you want to always, always look into your .ssh folder, because if you have access to it, then all you have to do is get the root key.
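Added example, not part of the talk, for the cron job passage above: the misconfiguration there is a root-owned job whose script any user can rewrite. The script parses /etc/crontab-style text, takes every absolute path in each job's command, and reports targets that are world-writable, sit in a world-writable non-sticky directory, or are missing from such a directory (where anyone could create them). `demo()` constructs a crontab and scripts inside a temporary directory; the job names and paths are made up.

```python
import os
import re
import shlex
import stat
import tempfile

# System crontab entry: five time fields (or an @shortcut), a user, a command.
ENTRY_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Return [(user, command)] from /etc/crontab-style text."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comments and SHELL=/PATH= variable settings
        m = ENTRY_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def _others_can_write(st):
    """World-writable, except for sticky directories such as /tmp."""
    return bool(st.st_mode & stat.S_IWOTH) and not (
        stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX)


def check_path(path):
    """Reason an unprivileged user could swap the job's target, or None."""
    parent = os.path.dirname(path) or "/"
    try:
        parent_st = os.stat(parent)
    except OSError:
        return None
    if not os.path.exists(path):
        if _others_can_write(parent_st):
            return "missing target, parent directory world-writable"
        return None
    if _others_can_write(os.stat(path)):
        return "target world-writable"
    if _others_can_write(parent_st):
        return "parent directory world-writable (target can be replaced)"
    return None


def audit_crontab(text):
    """[(user, path, reason)] for every absolute path in a job command that
    an unprivileged user could tamper with, in crontab order."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        try:
            tokens = shlex.split(cmd)
        except ValueError:
            tokens = cmd.split()
        for tok in tokens:
            if tok.startswith("/"):
                reason = check_path(tok)
                if reason:
                    findings.append((user, tok, reason))
    return findings


def demo():
    """Constructed crontab and scripts in a temp dir; returns relative paths."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts)
        os.chmod(scripts, 0o755)
        backup = os.path.join(scripts, "backup.sh")
        rotate = os.path.join(scripts, "rotate.sh")
        for p in (backup, rotate):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(backup, 0o777)  # the misconfiguration from the talk
        os.chmod(rotate, 0o755)
        drop = os.path.join(root, "drop")
        os.mkdir(drop)
        os.chmod(drop, 0o777)    # world-writable, no sticky bit
        crontab = (
            "SHELL=/bin/sh\n"
            "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin\n"
            "# m h dom mon dow user command\n"
            f"*/5 * * * * root /bin/sh {backup}\n"
            f"0 3 * * * root {rotate}\n"
            f"@hourly root {drop}/cleanup.sh\n"
        )
        return [(u, os.path.relpath(p, root), r) for u, p, r in audit_crontab(crontab)]


if __name__ == "__main__":
    for user, path, reason in demo():
        print(f"{user:8} {path:25} {reason}")
```

Per-user crontabs under /var/spool/cron have no user column; drop the `user` group from the pattern and take the owner from the file name to cover them with the same `check_path`.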

Sources: privilege escalation cheat sheets. I know that this is just kind of tricky because it's recorded, but if y'all have any questions, or anything that wasn't clear enough, or anything that I could help you guys with, definitely reach out to me. I love memes, they're really funny. So yeah, again, thanks for joining me. And another thing I wanted to say is, just thank you to the BSides group for picking my presentation. I wanted to do this and I'm really excited, so yay, awesome, thanks.
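Added example, not part of the talk, for the backups passage (private keys left in /tmp, /var or /root with loose permissions): a scan that identifies private-key files by their PEM/OpenSSH header rather than by name, then reports any that are readable by group or other, or that live outside a `.ssh` directory. `demo()` lays out a constructed tree in a temporary directory; the key body in `FAKE_KEY` is a placeholder string and not usable key material.

```python
import os
import stat
import tempfile

KEY_HEADER = b"-----BEGIN "
KEY_TRAILER = b"PRIVATE KEY-----"


def looks_like_private_key(path):
    """True if the file starts with a PEM/OpenSSH private-key header line."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(200).strip()
    except OSError:
        return False
    return first.startswith(KEY_HEADER) and first.endswith(KEY_TRAILER)


def find_exposed_keys(root):
    """Sorted [(relpath, reason)] for private keys a non-owner could read or
    that sit outside a .ssh directory (backups, /tmp, web roots)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not looks_like_private_key(path):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "readable by group/other"))
            if os.path.basename(dirpath) != ".ssh":
                findings.append((rel, "outside a .ssh directory"))
    return sorted(findings)


# Constructed stand-in for key material; not a usable key.
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")


def demo():
    """Constructed tree: one key where it belongs, one in a readable backup."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "home", "alice", ".ssh")
        os.makedirs(ssh_dir)
        good = os.path.join(ssh_dir, "id_ed25519")
        with open(good, "wb") as fh:
            fh.write(FAKE_KEY)
        os.chmod(good, 0o600)                  # what ssh expects
        backups = os.path.join(root, "var", "backups")
        os.makedirs(backups)
        leaked = os.path.join(backups, "root_ssh.bak")
        with open(leaked, "wb") as fh:
            fh.write(FAKE_KEY)
        os.chmod(leaked, 0o644)                # the misconfiguration from the talk
        notes = os.path.join(root, "notes.txt")
        with open(notes, "w") as fh:
            fh.write("not a key\n")            # ordinary file, must not be reported
        return find_exposed_keys(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:25} {rel}")
```

Matching on the header means a key copied to `backup.tar.extracted/id_rsa.old` or `web.bak` is still found; a name-based search for `id_rsa` would miss it.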