Module 10: Linux Privilege Escalation

Attacking the Users

Becoming a User

In Linux, users are identifed by UID and GID.

Inspecting the /etc/passwd file

offsec@linux01:~$ cat /etc/passwd | grep offsec
...
offsec:x:1000:1000:offsec,,,:/home/offsec:/bin/bash

Passwd file fields explained

Login Name: "offsec" - Indicates the username used for login.
Encrypted Password: "x" - This field typically contains the hashed version of the user's password. In this case, the value x means that the entire password hash is contained in the /etc/shadow file (more on that shortly).
UID: "1000" - Aside from the root user that has always a UID of 0, Linux starts counting regular user IDs from 1000. This value is also called real user ID.
GID: "1000" - Represents the user's specific Group ID.
Comment: "offsec,,," - This field generally contains a description about the user, often simply repeating username information.
Home Folder: "/home/offsec" - Describes the user's home directory prompted upon login.
Login Shell: "/bin/bash" - Indicates the initial directory from which the user is prompted to login.

Checking our user's sudo permissions

offsec@linux01:~$ sudo -l
Matching Defaults entries for offsec on linux01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User offsec may run the following commands on linux01:
    (ALL : ALL) ALL

All privileged operations using sudo and sui are logged by default to /var/log/auth.log

Inspecting sudo related events

offsec@linux01:~$ sudo cat /var/log/auth.log | grep "sudo:"
...
Aug 16 15:28:19 linux01 sudo:   offsec : TTY=pts/0 ; PWD=/home/offsec ; USER=root ; COMMAND=list
Aug 16 15:28:35 linux01 sudo:      bob : TTY=pts/0 ; PWD=/home/offsec ; USER=root ; COMMAND=list

Unlike Ubuntu/Debian, Linux distributions such as CentOS and Fedora store authentication logs in /var/log/secure.

Blocked attempt to read /etc/shadow

bob@linux01:/home/offsec$ sudo cat /etc/shadow
[sudo] password for bob:
Sorry, user bob is not allowed to execute '/usr/bin/cat /etc/shadow' as root on linux01.

Reviewing the log entry for the blocked attempt

offsec@linux01:~$ sudo cat /var/log/auth.log | grep shadow
Aug 16 15:39:08 linux01 sudo:      bob : command not allowed ; TTY=pts/0 ; PWD=/home/offsec ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow

aureport can be used to efficiently inspect very detailed logs generated by the audit daemon.

Enabling aureport detailed keylogging

session required pam_tty_audit.so enable=*

Running aureport to fetch user's keylogs

offsec@linux01:~$ sudo  aureport --tty
[sudo] password for offsec:

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
...
4. 08/17/21 05:30:02 2183 1002 pts0 153 bash <up>,<up>,<^U>,"ssh bob@localhost -i /home/alice/stolen_id_rsa",<ret>,"exit",<ret>

Searching for the UID identified

offsec@linux01:~$ grep 1002 /etc/passwd
alice:x:1002:1002::/home/alice:/bin/bash

A more accurate and controlled approach would be to inspect the auditd logs.

Inspecting audit TTY events

offsec@linux01:~$ sudo cat /var/log/audit/audit.log | grep "type=TTY" | grep " uid=1002"
type=TTY msg=audit(1629358931.307:4407): tty pid=34388 uid=1002 auid=1002 ses=375 major=136 minor=0 comm="ssh" data=657869740D
type=TTY msg=audit(1629358932.867:4413): tty pid=34376 uid=1002 auid=1002 ses=375 major=136 minor=0 comm="bash" data=73736820626F62406C6F63616C686F7374202D69202F686F6D652F616C6963652F73746F6C656E5F69645F7273610D657869740D

The data can be decoded via xxd.

Decoding the hex-encoded commands

offsec@linux01:~$ echo "73736820626F62406C6F63616C686F7374202D69202F686F6D652F616C6963652F73746F6C656E5F69645F7273610D657869740D" | sed 's/0D/20/g'  | xxd -r -p
ssh bob@localhost -i /home/alice/stolen_id_rsa exit offsec@linux01:~$

Backdooring a User

User config files tend to reside in the home directory and shouldn't be editable by other users. Two specific configuration files are responsible for executing aliases and bash functions (.bashrc) and setting environmental variables (.profile).

Weak .bashrc permissions discovered

alice@linux01:~$ ls -asl /home/bob/.bashrc
4 -rw-r--rw- 1 bob bob 3771 Aug 27 03:24 /home/bob/.bashrc

"Backdooring" (PoC) bob's .bashrc

alice@linux01:~$ echo 'echo "hello from bob .bashrc"' >> /home/bob/.bashrc

Triggering the "backdoor" with a new login

kali@kali:~$ ssh bob@192.168.51.12
...
hello from bob .bashrc
bob@linux01:~$

Now from a defender's perspective, we can enable auditing rule to detect these. We can use auditctl to watch configuration files for any write and attribute change operations.

Configuring audit rules for privilege escalation detection

offsec@linux01:~ sudo auditctl -w /home/bob/.bashrc  -p wa -k privesc

offsec@linux01:~ sudo auditctl -w /home/bob/.profile -p wa -k privesc

Verifying the audit rule

offsec@linux01:~$ sudo auditctl -l
-w /home/bob/.bashrc -p wa -k privesc
-w /home/bob/.profile -p wa -k privesc

Audit rules configured through auditctl will not be persistent across reboots. To make them permanent, rules have to be added to the /etc/audit/rules.d/audit.rules file.

Inspecting the auditd rule report

offsec@linux01:~$ sudo aureport -k

Key Report
===============================================
# date time key success exe auid event
===============================================
1. 08/30/21 07:29:46 privesc yes /usr/sbin/auditctl 1000 232
2. 08/30/21 07:29:51 privesc yes /usr/sbin/auditctl 1000 239
3. 08/30/21 07:44:20 privesc yes /home/offsec/SOC-200/Linux_Server_Side_Attacks/Shellshock/bash-4.3/bash 1002 287

To enhance analysis, the aureport tool supports the -i option that interprets user IDs and translates them into usernames.

The auid value is assigned every time a user logs in and is unchanged for the duration of that session.

Attacking the System

Abusing System Programs

Effective UID/GID was introduced which represents the actual value being checked when performing sensitive operations. Set-UID (SUID) allows programs to execute as a separate effective user.

Revealing the SUID flag on the passwd binary

offsec@linux01:~$ ls -asl /usr/bin/passwd
68 -rwsr-xr-x 1 root root 68208 Apr 16  2020 /usr/bin/passwd

In this case, with the Set-UID flag on the user owner permission set, it's stating that this binary should be run as the user owner. In this case, root.

Configuring root-monitoring audit rules

offsec@linux01:~$ sudo auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root_cmds 

offsec@linux01:~$ sudo auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root_cmds

The two rules above log any activity of processes, either on x86 or x64 architectures, with effective UIDs equal to zero (root) that are also invoking the execve system call, which is ultimately responsible for executing programs throughout a shell.

Inspecting root shell activity

offsec@linux01:~/SOC-200/Linux_Privilege_Escalation$ sudo ausearch -k root_cmds -i -x bash
----
type=PROCTITLE msg=audit(09/01/21 14:15:25.022:535) : proctitle=/usr/bin/bash
type=PATH msg=audit(09/01/21 14:15:25.022:535) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=133267 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/01/21 14:15:25.022:535) : item=0 name=/usr/bin/bash inode=24444 dev=08:05 mode=file,775 ouid=offsec ogid=offsec rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/01/21 14:15:25.022:535) : cwd=/home/offsec/SOC-200/Linux_Privilege_Escalation
type=EXECVE msg=audit(09/01/21 14:15:25.022:535) : argc=1 a0=/usr/bin/bash
type=SYSCALL msg=audit(09/01/21 14:15:25.022:535) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56243a5e2b28 a1=0x56243a5e2b50 a2=0x56243a5e2b60 a3=0x7fbb814b2850 items=2 ppid=2176 pid=2177 auid=offsec uid=root gid=offsec euid=root suid=root fsuid=root egid=offsec sgid=offsec fsgid=offsec tty=pts0 ses=2 comm=bash exe=/home/offsec/SOC-200/Linux_Server_Side_Attacks/Shellshock/bash-4.3/bash subj=unconfined key=root_cmds

Extra Mile I

Extend the audit_key_search.py script to extract and print out the euid field. Once done, print an extra warning if the euid is zero and the auid is a standard user.

Weak Permissions

Linux File Permission Table for /etc/passwd

FORMAT

OWNER

GROUP

OTHER

symbolic

rw-

r--

binary

110

100

octal

If you find scripts, cronjobs, etc. with write permissions to everyone then that's a no-no.

Audit rule to monitor all files in a folder

offsec@linux01:~$ sudo auditctl -w /home/offsec/SOC-200/Linux_Privilege_Escalation/cron_scripts/ -p wa -k cron_scripts

Analyzing the cronjob script modification from audit logs

offsec@linux01:~$ sudo ausearch -k cron_scripts -i
...
type=PROCTITLE msg=audit(09/06/21 04:17:06.509:53254) : proctitle=nano /home/offsec/SOC-200/Linux_Privilege_Escalation/cron_scripts/clear_history.py
type=PATH msg=audit(09/06/21 04:17:06.509:53254) : item=1 name=/home/offsec/SOC-200/Linux_Privilege_Escalation/cron_scripts/clear_history.py inode=535 dev=08:05 mode=file,777 ouid=offsec ogid=offsec rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/06/21 04:17:06.509:53254) : item=0 name=/home/offsec/SOC-200/Linux_Privilege_Escalation/cron_scripts/ inode=33119 dev=08:05 mode=dir,775 ouid=offsec ogid=offsec rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/21 04:17:06.509:53254) : cwd=/home/alice
type=SYSCALL msg=audit(09/06/21 04:17:06.509:53254) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x5653835f5540 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=34529 pid=34571 auid=alice uid=alice gid=alice euid=alice suid=alice fsuid=alice egid=alice sgid=alice fsgid=alice tty=pts1 ses=4883 comm=nano exe=/usr/bin/nano subj=unconfined key=cron_scripts

The audit rules provided in this module should be taken as a baseline. Further rules should be customized and tailored depending on the environment being defended.

Monitoring /etc/shadow with audit watch rule

offsec@linux01:~$ sudo auditctl -w /etc/shadow -p war -k etc_shadow

Analyzing the /etc/shadow audit logs

offsec@linux01:~$ sudo ausearch -k etc_shadow -c cat -i
----
type=PROCTITLE msg=audit(09/06/21 09:03:03.839:56382) : proctitle=cat /etc/shadow
type=PATH msg=audit(09/06/21 09:03:03.839:56382) : item=0 name=/etc/shadow inode=265001 dev=08:05 mode=file,640 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/21 09:03:03.839:56382) : cwd=/home/alice
type=SYSCALL msg=audit(09/06/21 09:03:03.839:56382) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffc438c873f a2=O_RDONLY a3=0x0 items=1 ppid=36778 pid=36786 auid=alice uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5195 comm=cat exe=/usr/bin/cat subj=unconfined key=etc_shadow

Extra Mile II

Run the audit_key_search.py file to search for password file dumping events. After inspecting the audit logs we might notice an auid value of 4294967295. This string corresponds to a specific numeric value in POSIX. What value does it represent?

PreviousModule 9: Linux Server Side Attacks NextModule 11: Network Detections

Last updated 11 months ago