File permissions
SUID/GUID bit
This is a permission on Linux allowing users to execute a file with the permission of the owner (SUID) or the group owner (GUID).
# Variants: "-04000" "-4000" | "-4001"
$ find / -perm -u=s -type f -ls 2>/dev/null
$ find / -perm -g=s -type f -ls 2>/dev/null
Once you found a file with the SUID bit, either there is a known way to exploit it using GTFOBins, or you have to investigate manually.
pkexec - CVE-2021-4034
/usr/bin/pkexec
a file installed by default on every major Linux distribution with a SUID bit could be exploited to get root. See arthepsy PoC (0.9k β), or berdav PoC (1.7k β).
Pkexec is one of the programs that are part of PolicyKit (polkit).
β‘οΈ See also: cve_2021_4034_pwnkit_lpe_pkexec
on Metasploit.
Manual investigation
If the script hand-made, or not on GTFOBins, then you can use refer to (basic) Reverse Engineering, e.g., the commands below to hopefully find which files and environment variables the script is using
-
strace
: see every system call -
strings
: extract every readable string
You may be able to make the script do what you want by editing environment variables or files that it uses.
Executable
When exploiting a command, you will usually want to run another executable. Two commands you will most likely run are:
-
/bin/bash -i
: start an interactive bash -
/bin/bash -p
: do not drop privilege (SUID, start the bash as root)
Capabilities
Capabilities are a level below SUID/GUID permissions.
It's possible for an administrator to allow an executable to use some "features" that usually would require root privileges (ex: creating sockets, creating raw TCP packets...).
Find executables with capabilities
$ getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep
$ /usr/bin/python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
β οΈ Capabilities are often followed by +
and a modifier.
- Effective (
e
): the permissions the process can use - Permitted (
p
): the process can use or drop permissions - Inheritable (
i
): permissions are inherited by child processes
To retain permitted capabilities when creating a new process, refer to this thread. In Python, you could use python-prctl.
# Example: binary has 'setuid' with '+p'
# sudo apt install libcap-dev
# pip install python-prctl
import prctl
prctl.cap_effective.setuid=True
β‘οΈ Look for the executable on GTFOBins or HackTricks.
β‘οΈ Use Linux Tracers and alternatives for files not on GTFOBins
There are roughly 40 capabilities:
-
cap_chown
: could take over/etc/shadow
to edit a password -
cap_setuid
: set current user to be root (0
) -
cap_setgid
: set the current group to be root, shadow, docker, etc. -
cap_dac_read_search
: arbitrary file reading, directory listing -
cap_dac_override
: can write to any file -
cap_sys_admin
: can mount filesystems -
cap_sys_time
: arbitrary change the date and time, affect cron tasks -
cap_kill
: kill a process, which may help if we need to restart it -
cap_fowner
: we can change the permissions (chmod
) to /etc/shadow -
cap_setfcap
: we can set capabilities on any file -
cap_linux_immutable
: can write to immutable files -
cap_net_raw
: can create raw packets and sniff raw packets -
cap_net_bind_service
: can use ports below 1024 -
cap_net_admin
: edit firewall configuration -
cap_sys_ptrace
: can inject a shellcode into a process memory -
cap_sys_module
: add and remove kernel modules - ...
To add or remove capabilities, you can use:
$ sudo setcap cap_setuid=eip your_binary
$ sudo setcap -r your_binary
$ sudo setcap --drop=cap_setuid your_binary
Special Groups
Users in the adm
group are able to read all logs. Log management utilities such as logrotate may be vulnerable. See also: logrotten.
Misconfigured system files
If /etc/passwd
was intentionally misconfigured or if it is a misconfigured embedded device.
$ cat /etc/passwd
# if you can write it: make your user part of root group
# if you can write it: add a new user that is part of root group
# if you can write it: remove the 'x' to su without password
If /etc/shadow
was intentionally misconfigured
$ cat /etc/shadow
# if you can read it: try to brute force the password
# if you can write it: change the root password
# (copy a password or generate one mkpasswd -m sha-512 toto)
If /etc/sudoers
was intentionally misconfigured
$ cat /etc/sudoers
# if you can read it: find users that will be useful to compromise
# if you can write it: add yourself in
# your_user ALL=(ALL:ALL) ALL
Until 1979/Unix V7, passwords were stored in /etc/passwd
, so a regular user could read them, and try brute-forcing the password.
$ cat /etc/shadow
- root:x:...
+ root:hashed_password:...
# openssl passwd toto