Privilege escalation on a server

linux
hacking

#1

The server doesn’t have gcc installed. I’m trying a privilege escalation but it seems not possible because of that… These are the exploitable entry points:

The following exploits are applicable to this kernel version and should be investigated as well
    - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c**
    - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
    - 2.x sock_sendpage() Local Root Exploit 2 || http://www.exploit-db.com/exploits/9436 || Language=c**
    - 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver) || http://www.exploit-db.com/exploits/9479 || Language=c**
    - 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c**
    - 2.x sock_sendpage() Local Ring0 Root Exploit || http://www.exploit-db.com/exploits/9435 || Language=c**
    - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c**
    - Linux RDS Protocol Local Privilege Escalation || http://www.exploit-db.com/exploits/15285 || Language=c**
    - 2.6.x ptrace_attach Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8673 || Language=c**
    - 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update) || http://www.exploit-db.com/exploits/926 || Language=c**
    - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c**
    - 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c**
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c**
    - < 2.6.36.2 Econet Privilege Escalation Exploit || http://www.exploit-db.com/exploits/17787 || Language=c**
    - 'pipe.c' Local Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/10018 || Language=sh
    - <= 2.6.37 Local Privilege Escalation || http://www.exploit-db.com/exploits/15704 || Language=c**
    - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c**
    - 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation || http://www.exploit-db.com/exploits/9844 || Language=python
    - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c**
    - 2.4/2.6 sock_sendpage() Local Root Exploit [2] || http://www.exploit-db.com/exploits/9598 || Language=c**
    - < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit || http://www.exploit-db.com/exploits/14814 || Language=c**
    - 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) || http://www.exploit-db.com/exploits/9545 || Language=c**
    - < 2.6.37-rc2 ACPI custom_method Privilege Escalation || http://www.exploit-db.com/exploits/15774 || Language=c**
    - 2.4/2.6 sock_sendpage() Local Root Exploit [3] || http://www.exploit-db.com/exploits/9641 || Language=c**
    - 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/895 || Language=c**

And the exploits with the highest probability of success are:

The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
    - 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c**
    - 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c**
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c**

Installed tools on this machine are:

[+] Installed Tools
/usr/bin/awk
/usr/bin/perl
/usr/bin/python
/bin/vi
/usr/bin/vim
/usr/bin/find
/usr/bin/wget
/usr/bin/ftp

The only shell script available (https://www.exploit-db.com/exploits/10018) doesn’t seem to work on this machine, showing the following output:

https://pastebin.com/S7Q2ncxi

Any suggestion about how to successfully do a privilege escalation here?


(exploit) #2

If GCC isn’t there, compile it on your own machine, then run it there, maybe?
(Take your time to choose the best exploit in that list, because the worst thing that can end up happening is a panic on the remote server. If none of them seems safe from corrupting sensitive data, or simply doesn’t recover, then I’d suggest writing your own exploit.)


#3

To write a script by yourself to perform a privilege escalation you should find a vulnerability just like the ones already found by researchers. I don’t see any difference between my own exploit and those already developed. Anyway, coding a privilege escalation script is not simple at all. Also, I don’t think compiling on my PC and then executing them on the server is a good idea, due to the architecture difference of built apps using a native language like C. P.S. I’m able to enumerate users on the machine but not able to get hashed passwords, of course.


(exploit) #4

I still do think that compiling on your own machine would do the trick, because I indeed tried it multiple times. (Just find a way to make it work.)
About finding the vulnerabilities, not really, you should only check CVE records and do some research.
The difference you were unable to see in the exploits already built is that it heavily depends on the kernel it was built for: imagine if it had no protections activated, and the server does have these. Bingo, a panic (if it works in the first place).
Writing an exploit is not simple? Sure, but I only said it as a last resort (you can maybe only modify an available one too).


(EternalEclipse) #5

due to architecture difference of built apps using native language like c

Run uname -a and compile it on a machine with the same architecture, add -static to not depend on libc and external libraries and you should be good to go.


#6

Thank you, I’ll try… I got your suggestion… Is there also any other way, for example through enumeration, to get root, in your opinion?


(Leader & Offsec Engineer) #7

Setuid bits?

They usually show up something.


(EternalEclipse) #8

#9

Never did that… what should show up?


(EternalEclipse) #10

SetUID or SUID is basically a way for someone to tell Linux “If someone executes this file, have the program run under the owner’s account”. This is usually enabled for programs like ping, because it uses raw sockets for sending and receiving ICMP packets, and that requires root privileges. So by flagging /bin/ping as SUID, any user can run it and it will always execute with root privileges.

This can sometimes be dangerous because if the SUID program does something stupid with user input, an attacker can manipulate it to gain root privileges.

I think @pry0cc is suggesting scanning the system for files that have the SUID bit on.
You can do this by using the following command:

find / -perm -u=s -type f 2>/dev/null

#11

I got the technique… and, for example, assuming that ping is vulnerable to this technique… how is it possible to read and write files by manipulating it?


(EternalEclipse) #12

Well, it depends what the program does and where it receives your input / what ways you have of affecting its execution.

A simple example would be: the program copies a string from argv[1] to a 512 byte long buffer on the stack or heap. Or maybe if it runs an external executable without complete path, you can make it run your executable instead somehow by changing the PATH environment variable.

Usually it’s a bit more complex than that, but that’s the gist of it. If you want to practice and play with local SUID exploitation, I suggest looking into older CVEs. I also recommend solving Exploit-Exercises’ Nebula VM.
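The two patterns named in the reply above (an unchecked copy of argv[1] into a fixed 512-byte buffer, and an external program run without its full path so it resolves through the caller's PATH), as an added example that is not code from the thread. Each vulnerable routine sits beside a hardened one, and a small helper plants a fake `ls` first in PATH to show the hijack. It assumes /bin/sh, /bin/ls, /tmp and a glibc-style setresuid()/setresgid(); the process is not actually SUID when you run it, so the hijacked command runs as you, which is enough to see which binary gets picked.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Pattern 1: copying argv[1] into a fixed-size buffer. */

/* Vulnerable: strcpy() has no bound, so an argument of 512 bytes or more
 * writes past buf. Kept to show the bug; never call it with untrusted input. */
void vuln_copy_arg(const char *arg) {
    char buf[512];
    strcpy(buf, arg);
    printf("%s\n", buf);
}

/* Hardened: refuse anything that does not fit (NUL included) and say so. */
int safe_copy_arg(const char *arg, char *out, size_t outlen) {
    size_t n = strlen(arg);
    if (n >= outlen) return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Pattern 2: running an external program without a full path. */

/* Vulnerable: system() runs `/bin/sh -c "ls ..."` and sh resolves "ls"
 * through the caller's PATH. In a SUID-root binary, whatever PATH finds
 * first runs as root. Returns the child's exit status, -1 on error. */
int vuln_run_ls(void) {
    int st = system("ls >/dev/null");
    if (st == -1 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Hardened: absolute path, a fixed environment, and privileges dropped to
 * the real uid/gid (saved set-uid included) before exec.
 * Returns the exit status; 127 if /bin/ls cannot be executed. */
int safe_run_ls(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char name[] = "ls";
        char path_env[] = "PATH=/usr/bin:/bin";
        char *const argv[] = { name, NULL };
        char *const envp[] = { path_env, NULL };
        if (setresgid(getgid(), getgid(), getgid()) != 0 ||
            setresuid(getuid(), getuid(), getuid()) != 0)
            _exit(126);
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, STDOUT_FILENO); close(devnull); }
        execve("/bin/ls", argv, envp);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Demo helper (constructed for this example): write a fake "ls" that exits
 * with `code` into a fresh directory and put that directory first in PATH.
 * Returns 0 on success. */
int plant_fake_ls(int code) {
    char dir[] = "/tmp/pathhijackXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char path[300];
    snprintf(path, sizeof path, "%s/ls", dir);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "#!/bin/sh\nexit %d\n", code);
    fclose(f);
    if (chmod(path, 0755) != 0) return -1;
    const char *old = getenv("PATH");
    char newpath[4096];
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    return setenv("PATH", newpath, 1);
}

int main(void) {
    if (plant_fake_ls(42) != 0) return 1;
    printf("system(\"ls\") picked the planted binary, exit %d\n", vuln_run_ls());
    printf("hardened runner ignored PATH, exit %d\n", safe_run_ls());
    return 0;
}
```

The same PATH trick applies to anything a privileged program spawns by bare name, including through popen() and shell wrappers; the hardening that matters is the combination (absolute path, fixed environment, privileges dropped), not any one of the three.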


#13

I tried this another way: there are some dirs that I have access to that have drwxrwxrwx permissions… so I tried a symlink attack with ln -s / ./my_directory/system, then when I try to ls ./my_directory/system/root it should work, but I still get permission denied… Why doesn’t it work, in your opinion?


(system) #14

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.