Linux Privilege Escalations By Sawan Bhan

~Reviewed by Bishakha Jain

WHAT IS PRIVILEGE ESCALATION?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an OS or application to achieve an higher access to resources that are normally protected from an application or user. The result could lead to unauthorized actions.

OBJECTIVE

In this blog, we will talk in detail as what security issues could lead to a successful privilege escalation attack on any Linux based systems.

Linux Permission Model

Linux has inbred from UNIX the concept of ownership and permissions of files. File permissions are used to protect systems against malicious tampering.

  1. In the above two screenshots, we can see that the file ‘p.txt’ only has read & write access by the owner ‘root’.
  2. We can see the permission denied error when I tried reading the file when I tried to access as “sawan”.

Security Professionals usually perform Privilege Escalations to either Read/Write any sensitive file or to insert a permanent backdoor.

                         “Privilege Escalations are POST EXPLOITS”

TECHNIQUES USED FOR PRIVILEGE ESCALATION

  • KERNEL EXPLOITS
  • EXPLOITING SERVICES WHICH ARE RUNNING AS ROOT
  • EXPLOITING SUID EXECUTABLES
  • EXPLOITING SUDO RIGHTS/USER
  • EXPLOITING BADLY CONFIGURED CRON JOBS
  • EXPLOITING USERS WITH ‘.’ IN THEIR PATH

In this blog, we are just going to cover the Kernel Exploits. We can un-shield other techniques on my upcoming blogs.

KERNEL EXPLOITS

Assumption: We have a shell on the remote system but we don’t have ‘root’ privileges.

Let’s go get ‘root’ access on the system.

Exploiting a vulnerable machine using DIRTYCOW

VULN Operating system used for this demo: https://old-linux.com/

  • Whoami current user

  • Uname –a Kernel Version

Or https://pastebin.com/JCUCdkJN (I have customised this  c programme for this demo)

 

 

Quick read before we start the demo:

  1. After running the exploit you should be able to login with the newly created user.
  2. To use this exploit modify the user values according to your needs.
  3. The default is “rootsawan”.
  4. Compile with: gcc -pthread dirty.c -o dirty –lcrypt
  5. Then run the newly create binary by either doing:
  6. ./dirty or ./dirty my-new-password
  7. Afterwards, you can either “su rootsawan” or “ssh rootsawan@…”

DEMO

  • Compile and Execute the EXPLOIT

Step-1 Compilation using gcc

 

Step-2 Setting a password of your choice for a root user that dirty cow just created

  • #ROOT PERMISSION GRANTED

The user “rootsawan” created by by the dirty-cow script has got the root privilges on this linux machine.

Countermeasures

  • The kernel should be patched and updated.

 

Spread the love