File permissions

SUID/GUID bit

linprivesc linuxprivesc commonlinuxprivesc adventofcyber2 vulnversity kenobi rrootme linprivesc cowboyhacker archangel blog

This is a permission on Linux allowing users to execute a file with the permission of the owner (SUID) or the group owner (GUID).

# Variants: "-04000" "-4000" | "-4001"
$ find / -perm -u=s -type f -ls 2>/dev/null
$ find / -perm -g=s -type f -ls 2>/dev/null

Once you found a file with the SUID bit, either there is a known way to exploit it using GTFOBins, or you have to investigate manually.


pkexec - CVE-2021-4034

linuxprivilegeescalation pwnkit polkit djangocatz

Policy Kit (Polkit) is part of the Linux authorization system. It used and installed by default on every major Linux distribution. We can interact with it using the /usr/bin/pkexec SUID file.

Some distributions were vulnerable to CVE-2021-3560 (<v119). See arthepsy PoC (1.1k ⭐), or berdav PoC (2.0k ⭐).

πŸ“š Example Usage: /usr/bin/pkexec bash

➑️ See also: cve_2021_4034_pwnkit_lpe_pkexec on Metasploit.

Manual investigation

mustacchio

If the script hand-made, or not on GTFOBins, then you can use refer to (basic) Reverse Engineering, e.g., the commands below to hopefully find which files and environment variables the script is using

  • strace: see every system call
  • strings: extract every readable string

You may be able to make the script do what you want by editing environment variables or files that it uses.


Executable

When exploiting a command, you will usually want to run another executable. Two commands you will most likely run are:

  • /bin/bash -i: start an interactive bash
  • /bin/bash -p: do not drop privilege (SUID, start the bash as root)

Capabilities

linprivesc linuxprivilegeescalation linux_capabilities cap django_unchained

Capabilities are a level below SUID/GUID permissions. They can be applied on files and processes.

$ grep Cap /proc/self/status
CapInh:	0000000000000000 -- from parent to child; if requested
CapPrm:	0000000000000000 -- capabilities the process can use
CapEff:	0000000000000000 -- capabilities that are currently enabled
CapBnd:	00000000a80425fb -- the capabilities the processes are allowed to use
CapAmb:	0000000000000000 -- from parent to child; with conditions
$ capsh --decode="00000000a80425fb" # human readable

It's possible for an administrator to allow an executable to use some "features" that usually would require root privileges (ex: creating sockets, creating raw TCP packets...).

Find executables with capabilities

$ getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep
$ /usr/bin/python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

⚠️ Capabilities are often followed by + and a modifier.

  • Effective (e): the permissions the process can use
  • Permitted (p): the process can use or drop permissions
  • Inheritable (i): permissions are inherited by child processes

To retain permitted capabilities when creating a new process, refer to this thread. In Python, you could use python-prctl.

# Example: binary has 'setuid' with '+p'
# sudo apt install libcap-dev
# pip install python-prctl
import prctl
prctl.cap_effective.setuid=True

➑️ Look for the executable on GTFOBins or HackTricks.

➑️ Use Linux Tracers and alternatives for files not on GTFOBins

There are roughly 40 capabilities:

  • cap_chown: could take over /etc/shadow to edit a password
  • cap_setuid: set current user to be root (0)
  • cap_setgid: set the current group to be root, shadow, docker, etc.
  • cap_dac_read_search: arbitrary file reading, directory listing
  • cap_dac_override: can write to any file
  • cap_sys_admin: can mount filesystems
  • cap_sys_time: arbitrary change the date and time, affect cron tasks
  • cap_kill: kill a process, which may help if we need to restart it
  • cap_fowner: we can change the permissions (chmod) to /etc/shadow
  • cap_setfcap: we can set capabilities on any file
  • cap_linux_immutable: can write to immutable files
  • cap_net_raw: can create raw packets and sniff raw packets
  • cap_net_bind_service: can use ports below 1024
  • cap_net_admin: edit firewall configuration
  • cap_sys_ptrace: can inject a shellcode into a process memory
  • cap_sys_module: add and remove kernel modules
  • ...

To add or remove capabilities, you can use:

$ sudo setcap cap_setuid=eip your_binary
$ sudo setcap -r your_binary
$ sudo setcap --drop=cap_setuid your_binary

Special Groups

linuxprivilegeescalation linuxfilesystemanalysis busqueda gamingserver chillhack marketplace

DO NOT ASSUME ANYTHING. A user not in a group (not in the sudo group, may still be able to perform the action (e.g. run sudo).

  • Users in the shadow group can read /etc/shadow

  • Users in the disk group can read/write any file

Misconfigured system files

linuxprivesc commonlinuxprivesc

If /etc/passwd was intentionally misconfigured or if it is a misconfigured embedded device.

$ cat /etc/passwd
# if you can write it: make your user part of root group
# if you can write it: add a new user that is part of root group
# if you can write it: remove the 'x' to su without password

If /etc/shadow was intentionally misconfigured

$ cat /etc/shadow
# if you can read it: try to brute force the password
# if you can write it: change the root password
# (copy a password or generate one mkpasswd -m sha-512 toto)

If /etc/sudoers was intentionally misconfigured

$ cat /etc/sudoers
# if you can read it: find users that will be useful to compromise
# if you can write it: add yourself in
# your_user    ALL=(ALL:ALL) ALL

Until 1979/Unix V7, passwords were stored in /etc/passwd, so a regular user could read them, and try brute-forcing the password.

$ cat /etc/shadow
- root:x:...
+ root:hashed_password:...
# openssl passwd toto