Getting a low level shell in a server is actually not a very big deal I’d say. Trust me when I say it , but people undervalue post exploitation quite a lot. Some pentesters are happy with a low level shell but that shouldn’t be the case. Your goal should always be to become root . Here are a few reasons why your aim should be to become root in any linux server:
- Complete control over the server
- Only root can control ports 0–1024 which include the port 80 (web server), 22(ssh) which are the most important ports in a server
- Ability to attack all websites in the same server.
- Come on , linux is awesome and it’s fun!
These are the some of the few reasons why your brand value as a pentester would increase if you are very good at privilege escalation. I’d say it really tests your working of a particular operating system and that’s really the difference between you and a script kiddie.
Now coming to the point. The good news is that there are so many good sources online which will guide you really well about how to become good in privilege escalation. Note I am only here to explain some of the ways to get started or signs where you can easily become root. I expect you to do some online research and practice ctfs to get better with it because really everything is available online if you understand the vulnerable vector.So without further ado , here are a few things to look out for if you are in a linux machine:-
- One of the first things I do is to check executable files with suid permissions. A file with suid permission means it will run with higher privilege (root). So that means when we execute that file , we execute as root. So if we manage to get a shell , the shell is automatically root. One of the most notable examples is nmap version 3.81 . Nmap users will know that to make the best out of nmap, you need to be root , so system admins used to keep it with suid so that a normal user runs it with root privileges. Now 3.81 had an interactive mode , through which you can gain a root shell. So it was removed in the subsequent versions. But it is actually still possible to exploit it using nmap scripting engine. This is also possible with commands like cat, find,grep, etcetra. This according to me in my experience is the most common way to escalate privilege.
- If that fails, I’d suggest to check your sudo permissions. For those who are unaware of what sudo permissions are, they are simply programs which will run as root when you type sudo before executing it. For example typing only “vi hii” will open a file hii in vi editor whereas “sudo vii hii” will open the file with root user rights if the admin has given vi sudo rights. This is super useful in escalating privileges. Not only vi, there are a handful commands like find,nano,grep,cat,vim etcetra .It gets better if you don’t even need a password to run these!
- Now if we were looking at a realistic scenario, probably the most common would be a kernel privilege escalation vector. Few kernels of linux vulnerable to privilege escalation are, versions 4.4.0 ,4.13.9 , etcetra. Googling kernel name should let you know if it’s vulnerable or not. Also there is a very popular and critical vulnerability by the name dirty cow which used the same way. If you wanna know more about it , go ahead and google it!
- Privilege escalation can also happen if the path variable is not configured properly. What did I just say right there? Linux users will know that whenever they want to use a script, they would have to type ./scriptname and also have to ensure that we are in the same directory as the script. Seems restrictive right? If you configure the path variable for the script, then it can be invoked from anywhere just by typing scriptname .One keypoint to remember is that this exploitation is in sync with suid permissions. In my opinion, this is more common in ctf than in real life.
- Sometimes running processes with root permissions can also be a way of escalating privileges. Example is mysql which generally runs as root can be an avenue of privilege escalation
- A very small mistake which system admins make is by making the crontab file writable by any user. The crontab file is responsible for cronjobs. A cronjob is a linux command which is periodically executed accordingly as given in the file and time. Making this writable by any user can result in a low level user become root as crontab is owned by root.
I know. I didn’t give any live examples on how to exploit these. I would like my readers to search each and everything I mentioned above. You will notice how much you will learn about linux in the process. I’ll be honest with you,privilege escalation was a very weak skill of mine, infact it still is . But the amount I have learnt while trying them out is incredible. In order to get a good grasp , I suggest to solve vulnhub and hack the box ctfs as they are excellent for learning.
This is probably my smallest article, but the point of this article is to get the people who are not good at privilege escalation atleast some idea. You’ll notice once you start solving a few ctfs , it will automatically click, atleast I hope so!