Saturday, October 29, 2016

Getting to the root@hostname:~# of the problem

What is privilege escalation?

Let's look at the subject in a less technical fashion first. What does it mean to elevate one's privileges? It's being able to do something that you do not have privileges for, for example: The wife of a powerful CEO can elevate her privileges by convincing her husband to do something for her that she normally couldn't do. This could be money, power, valuable items, etc.

In terms of hacking or computer security (two sides of the same coin) we either need a program to execute our own code with higher privileges or we need to prevent any program from executing user-supplied code at higher privileges than the user is allowed; or more specifically, the hacker is allowed.

Whenever someone asks about or googles for 'linux privilege escalation' there is one blog that everyone cites: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/. This blog post is very thorough and hits on an important point; Enumeration is key. You only need one avenue by which to raise your privileges and there are many, many different ways to do so.

I recommend going through g0tmi1k's blog and understanding what each command does and how it can be used for privilege escalation. Once you understand the methodology, there are a few things I personally recommend when attempting to escalate your privileges.

  1. 'sudo su root' - This is by far the easiest privilege escalation I've ever seen but, when you have sudo privileges you are simply using them to change your user to the root user and boom! You're root.
  2. Cracking root user privileges. If you don't believe that random passwords are used for root accounts, then that means a user set the root password and can potentially be brute forced. However, this is obnoxiously noisy, just for your reference. 
  3. Use the Linux Exploit Suggester built into Kali Linux to find exploits based on the kernel version. https://github.com/PenturaLabs/Linux_Exploit_Suggester
  4. Use the Linux Privilege Checker which automates G0tmi1k's blog enumeration process and suggest potential exploits. https://www.securitysift.com/download/linuxprivchecker.py
Lastly, the difference between a script kiddie and a professional hacker will be the depth of understanding of these scripts, methodologies, and privilege escalation exploits. If one doesn't work on a kernel it says it should work with, learn why.

Hack Responsibly. Hack Professionally.

No comments:

Post a Comment