File permissions


SUID/SGID bit

linprivesc linuxprivesc commonlinuxprivesc vulnversity kenobi rrootme linprivesc cowboyhacker

This is a permission bit on Linux that lets users execute a file with the privileges of its owner (SUID) or of its group owner (SGID) instead of their own.

# Numeric equivalents: -perm -4000 (or -04000) for SUID, -perm -2000 for SGID;
# -perm -4001 additionally requires the execute bit for "others"
$ find / -perm -u=s -type f -ls 2>/dev/null
$ find / -perm -g=s -type f -ls 2>/dev/null

Once you have found a file with the SUID bit set, either there is a known way to exploit it listed on GTFOBins, or you have to investigate it manually.


pkexec - CVE-2021-4034

linuxprivilegeescalation

/usr/bin/pkexec, a SUID binary installed by default on every major Linux distribution, could be exploited to get root. See arthepsy PoC (0.9k ⭐), or berdav PoC (1.7k ⭐).

Pkexec is one of the programs that are part of PolicyKit (polkit).

➡️ See also: cve_2021_4034_pwnkit_lpe_pkexec on Metasploit.

Manual investigation

mustacchio

If the binary is hand-made, or not on GTFOBins, fall back to (basic) reverse engineering, e.g. the commands below, to find out which files and environment variables it uses:

  • strace: see every system call
  • strings: extract every readable string

You may be able to make the script do what you want by editing environment variables or files that it uses.


Executable

When exploiting a binary, you will usually want to make it run another executable. The two commands you will most likely run are:

  • /bin/bash -i: start an interactive bash
  • /bin/bash -p: do not drop privileges (with a SUID bash, this keeps the effective UID, i.e. the shell runs as root)

Capabilities

linprivesc linuxprivilegeescalation linux_capabilities cap

Capabilities are a finer-grained level below SUID/SGID permissions.

They let an administrator allow an executable to use some "features" that would usually require root privileges (e.g. creating sockets, creating raw TCP packets...) without giving it full root.

Find executables with capabilities

$ getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep
# setuid(0) is what uses the capability; without it the new shell keeps your uid
$ /usr/bin/python3 -c 'import os; os.setuid(0); os.execl("/bin/sh", "sh")'

⚠️ Capabilities are often followed by + and one or more set letters:

  • Effective (e): the capabilities the kernel actually checks when the process acts
  • Permitted (p): the capabilities the process is allowed to raise into its effective set (or drop)
  • Inheritable (i): the capabilities that can be preserved across execve by child processes

To retain permitted capabilities when creating a new process, refer to this thread. In Python, you could use python-prctl.

# Example: the binary has cap_setuid with '+p' only (permitted, not effective)
# sudo apt install libcap-dev
# pip install python-prctl
import prctl
# raise setuid from the permitted set into the effective set, so setuid() calls succeed
prctl.cap_effective.setuid = True

➡️ Look for the executable on GTFOBins or HackTricks.

➡️ Use Linux Tracers and alternatives for files not on GTFOBins

There are roughly 40 capabilities:

  • cap_chown: could take over /etc/shadow to edit a password
  • cap_setuid: set current user to be root (0)
  • cap_setgid: set the current group to be root, shadow, docker, etc.
  • cap_dac_read_search: arbitrary file reading, directory listing
  • cap_dac_override: can write to any file
  • cap_sys_admin: can mount filesystems
  • cap_sys_time: arbitrarily change the date and time, which affects cron tasks
  • cap_kill: kill a process, which may help if we need to restart it
  • cap_fowner: we can change the permissions (chmod) of /etc/shadow
  • cap_setfcap: we can set capabilities on any file
  • cap_linux_immutable: can write to immutable files
  • cap_net_raw: can create raw packets and sniff raw packets
  • cap_net_bind_service: can use ports below 1024
  • cap_net_admin: edit firewall configuration
  • cap_sys_ptrace: can inject shellcode into another process's memory
  • cap_sys_module: add and remove kernel modules
  • ...

To add or remove capabilities, you can use:

$ sudo setcap cap_setuid=eip your_binary
$ sudo setcap -r your_binary
$ sudo setcap --drop=cap_setuid your_binary

Special Groups

linuxprivilegeescalation

Users in the adm group are able to read all logs. Log management utilities such as logrotate may be vulnerable. See also: logrotten.


Misconfigured system files

linuxprivesc commonlinuxprivesc

If /etc/passwd was intentionally misconfigured, or on a misconfigured embedded device:

$ cat /etc/passwd
# if you can write it: make your user part of the root group
# if you can write it: add a new user that is part of the root group
# if you can write it: remove the 'x' in the password field to su without a password

If /etc/shadow was intentionally misconfigured:

$ cat /etc/shadow
# if you can read it: try to brute-force the password hashes
# if you can write it: change the root password
# (reuse a known hash, or generate one: mkpasswd -m sha-512 toto)

If /etc/sudoers was intentionally misconfigured:

$ cat /etc/sudoers
# if you can read it: find the users that will be useful to compromise
# if you can write it: add yourself, e.g.
# your_user    ALL=(ALL:ALL) ALL

Until 1979/Unix V7, (hashed) passwords were stored in /etc/passwd, so any regular user could read them and try to brute-force them.

$ cat /etc/passwd
- root:x:...
+ root:hashed_password:...
# a hash placed in the second field of /etc/passwd is used instead of the /etc/shadow entry
# generate it with: openssl passwd toto
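The checks above (the SUID/SGID enumeration at the top and the /etc/passwd, /etc/shadow and /etc/sudoers misconfigurations) from the defender's side, as an added audit script that is not part of the original page. Every function takes paths as arguments so it can be pointed at a live host, a mounted image or a constructed sample; the labels it prints (INLINE_PW, EXTRA_UID0, WORLD_WRITABLE, WORLD_READABLE) are this script's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for the
# misconfigurations discussed above. Output labels are this script's own.

# Flag passwd entries whose password field is not the shadow marker 'x' or a
# lock marker ('*', '!'): a hash or an empty field there is honoured before
# /etc/shadow. Also flag any uid 0 account that is not root.
audit_passwd() {
    awk -F: '
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_PW " $1 }
        $3 == 0 && $1 != "root"               { print "EXTRA_UID0 " $1 }
    ' "$1"
}

# Report world-writable account files, and world-readable shadow/sudoers
# (octal -002 / -004 are the "others" write and read bits).
audit_file_modes() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        [ -z "$(find "$f" -maxdepth 0 -perm -002)" ] || echo "WORLD_WRITABLE $f"
        case "$f" in
            */shadow|*/sudoers)
                [ -z "$(find "$f" -maxdepth 0 -perm -004)" ] || echo "WORLD_READABLE $f" ;;
        esac
    done
}

# List SUID/SGID regular files under a directory; -4000 / -2000 are the
# numeric forms of -u=s / -g=s, and -xdev keeps the scan on one filesystem.
find_setid_bins() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Count them, for a quick baseline comparison between two scans of a host.
count_setid_bins() {
    find_setid_bins "$1" | wc -l | tr -d ' '
}

# File capabilities, when getcap is installed (same idea as `getcap -r /`).
list_file_caps() {
    command -v getcap >/dev/null 2>&1 && getcap -r "$1" 2>/dev/null
}
```

Run it as `audit_passwd /etc/passwd; audit_file_modes /etc/passwd /etc/shadow /etc/sudoers; find_setid_bins /` and diff the output against a known-good baseline of the same host.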