Friday, 15 April 2011

A quick guide to Linux privilege escalation

One thing I noticed on the Offensive Security PwB course is that most students struggle with privilege escalation, especially on Linux. Here are some of my thoughts on Linux privilege escalation.

This is a massive subject, so I will stick to giving a few key pointers, and leave further study up to the reader.

Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.

Having learned about and performed a lot of privilege escalation over recent months, there are several reasons I can think of that can make this especially difficult on Linux.

1) Linux has always been designed as a multi-user operating system, which means that many features have been included over the years, to make privilege escalation more difficult (as well as secure default-configurations).

2) There is a huge diversity of Linux distributions, and builds, so there are no "one size fits all" exes that you can just download and run.

3) Many Linux Distributions have integrated application-updates (something which does not happen on Windows). This means that (if configured correctly) the operating system AND most of the applications will get updates automatically.

4) Many Offsec students are from a Windows background, where privilege escalation is often not needed. This is either because ordinary user accounts are in the local Administrator group, or because there are many Windows remote-exploits which give direct System or Administrator access and do not require escalation.

5) Linux configuration issues can sometimes be hard to spot, especially if you are not very familiar with Linux file-rights and access-control methods.


So, if you are learning how to perform privilege escalation on Linux, you should expect it to be more difficult than on Windows.

Linux privilege escalation is difficult (it's supposed to be), but practice can make it easier.


Enumeration is key
Linux privilege escalation is all about:

1) Enumeration, more enumeration, and more enumeration
2) Sorting through data, analysis and prioritisation
3) Knowing where to find exploit code
4) Customisation and compilation skills
5) Confidence that comes from lots of trial and error


Ideas: what information do you need to find?
Here is a list of some of the information an attacker would be looking to find in order to maximise their chances of successful privilege escalation on Linux.
(It's not comprehensive, but it is a good start)

Enumeration of the operating system
  • What is the distribution type, and version?
  • What is the Kernel version?

Enumeration of services and applications
  • What services are running, and in which user-context?
  • What are the versions of the running services?
  • What applications are installed, and what versions?
  • Do any of these services have vulnerable plugins or configurations?
  • What jobs are scheduled?
  • Pay particular attention to anything running as root

Enumeration of the file-systems
  • What configuration files can be read/written in /etc/ ?
  • What information or content can be found in /var/ ?
  • Is it possible to write files to places that are in another user's path?
  • Identify SUID and SGID files
  • Identify world-readable and world-writable files
  • How are file-systems mounted?
  • Are there any unmounted file-systems?

Enumeration of confidential information
  • What sensitive files can be found?
  • Are there any passwords in scripts, databases, configuration files or log files?
  • What user information can be found?
  • Can private-key information be found?
  • Examine files in user home directories (if possible)

Enumeration of communications and networking
  • What NICs does the system have?
  • What are the network configuration settings?
  • What other hosts are communicating with the system?
  • Are there any cached IP or MAC addresses?
  • Is packet sniffing possible, and if so what can be seen?
  • Is SSH tunnelling possible?

Preparation for exploit code
  • What development tools/languages are installed/supported?
  • What areas can be written to?
  • Where can code be executed?
  • How can files be uploaded?

Finding exploit code

The only way to learn how to do privilege escalation is to practice, and keep trying.
Be good!


Mitigations

From a defensive stance, you need to ask yourself very similar questions:
  • Have you made any of the above information easy for an attacker to find?
  • Is the system fully patched? (Kernel, operating system, and all applications)
  • Are services running with the minimum level of privileges required?
  • Bastille Linux is a set of scripts that can be run to harden a Linux system
    • (checking for some of the above issues, and many more besides)
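
The file-permission questions from the file-system list above (SUID/SGID files, world-writable files, and writable directories in a user's path) can be checked on your own systems with a short audit script. This is an added example, not part of the original post; the function names are illustrative, and it assumes a POSIX shell with a standard find.

```shell
#!/bin/sh
# Added example: defensive permission audit (function names are illustrative).

# Regular files under $1 with the setuid (4000) or setgid (2000) bit set.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable regular files under $1.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# World-writable directories under $1 without the sticky bit, where any
# user can rename or delete files that belong to someone else.
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Check a PATH-style string ($1): report entries that are not absolute
# paths, and directories that are group- or world-writable.
check_path_dirs() {
    ( set -f; IFS=:          # subshell keeps IFS and globbing changes local
      for d in $1; do
          case $d in
              /*) [ -d "$d" ] || continue
                  [ -n "$(find "$d" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ] &&
                      echo "writable:$d" ;;
              *)  echo "relative:$d" ;;
          esac
      done
      true )
}

# Run the full audit only when a root directory is given, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then
    echo "== setuid/setgid files ==";            find_suid_sgid "$1"
    echo "== world-writable files ==";           find_world_writable_files "$1"
    echo "== world-writable dirs, no sticky =="; find_unsafe_dirs "$1"
    echo "== PATH entries to review ==";         check_path_dirs "$PATH"
fi
```

Compare the setuid/setgid list against what the distribution's packages are expected to install, and review anything that is not accounted for.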

16 comments:

  1. this wargame could be interesting:
    http://intruded.net/shellstorm2010.html

    if you enjoy learning by doing!

  2. Very nice explanation and great blog! Thank you.

  3. Great write up. Definitely can use this right now.
