NOTE: this requires the ability to edit the LD_PRELOAD environmental variable. LD_PRELOAD, also know as preloading, is a powerful and advanced feature in the Linux dynamic linker that allows users to inject (preload) shared object files into the address space of a process (before it starts executing).Īs an attacker, we can exploit this functionality by injecting our own malicious preload library into ANY binary that we can run with sudo privileges. Now we can take this password back to the victim and su root to elevate our privileges! su root Exploiting Sudo Commands – LD_PRELOAD Injection In a quick 8 seconds hashcat was able to crack the root hash and recover the password. root_hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt -o root_cracked You can get a few shortened versions of rockyou, as well as many more good wordlists from SecLists. If we do not succeed, we can build up to a bigger wordlist. For this reason, we can use a shorter version of rockyou to speed things up. Since Unix SHA-512 hashes are decent, this will take a couple hours to try and run through all of the rockyou.txt file. This tells us that we have a SHA-512 Unix OS hash. Next, we need to search for the cracking mode for this type of hash, and then we can proceed to crack it. After we copying this over to our attacker machine, it should look like this: Since we only want the hash itself, we need to copy only from the $6$ to the ends of the SHA-512 string. Now that we have extracted the root hash from the shadow file, we need to crack it. To do this, we would need to check the help page using the -h or –help switch. Had we NOT been so lucky with our Google search, the next step would be to search for intended functionality that can be abused. It works! We can see here that it extracted the root hash from the /etc/shadow file. Testing the exploit… sudo /usr/sbin/apache2 -f /etc/shadow Fortunately for us, the first line of the shadow file contains root’s hash! It looks like this exploit outputs the first line of any file. The first two links look pretty promising, and by checking the first one we can see it shows that apache2 has a file read vulnerability! To start, we can check Google by searching “ apache2 sudo privilege escalation“ Or, we could keep digging to see if we can exploit this somehow. Since the binary is not on GTFOBins, we could assume it is not vulnerable. However, in this case, when we filter on “apache” we get no results (no exploits available!) Just as we saw in Part-1, the first thing we should check when we find that we have sudo privileges on a standard binary, is if the binary has an exploit available on GTFOBins. In our first example, we will be targeting the apache2 binary found in the sudo -l output above: (ALL : ALL) NOPASSWD: /usr/sbin/apache2 Let’s jump in! Exploiting Sudo Commands – Abusing Intended Functionality Instead, we will need to understand how the programs work in order to exploit them. In each of the examples in this post, we will NOT find our exploit on GTFOBins. In addition to the four binaries that we exploited on the victim already, there were three other entries in the users sudo -l output.įor the second part of this post, we will be focusing on these three commands for our privilege escalation examples. Prior to enumerating and exploiting sudo privileges in the first post, we had (as an example) gotten an initial foothold on the victim after finding credentials and SSH’ing as standard user cain. How to exploit four different standard binaries utilizing GTFOBins: nmap, rsync, bzip2, and dd.Enumerating sudo privileges using tools (LinPEAS).How to manually hunt for sudo privileges.In Part-2, we will shift our focus over to more advanced exploitation topics, such as: Abusing intended functionality (binaries not found on GTFOBins), LD_PRELOAD, token reuse, and two CVE’s that target specific versions of sudo.īefore we jump into the exploit examples, let’s quickly recap what was covered in Part-1. If you have not checked out Part-1 yet, I strongly suggest starting there before reading this post. In this post, we will be continuing with Part-2 on how to escalate privileges by abusing the sudo binary / privilege. Want to stay up to date with the latest hacks?.Reviewing the CVE-2023-22809 Exploit Script.Searching for Public Exploits on Google. Hunting for Sudo Token Reuse Conditions – LinPEAS.Manually Hunting for Sudo Token Reuse Conditions.Exploiting Sudo Commands – Sudo Token Reuse.Exploiting Sudo Commands – LD_PRELOAD Injection.Exploiting Sudo Commands – Abusing Intended Functionality.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |