Posted on

Linux privilege escalation for beginners

Hello, aspiring ethical hackers. This blogpost is a detailed guide on Linux privilege escalation. Linux privilege escalation comes afterLinux hackingand is part ofPost-exploitationof Linux.

What is Linux privilege escalation?

Privilege Escalation Guide 7 1

Linux privilege escalation is the process of elevating privileges on a Linux system after successfullygaining accessto a Linux system.

Why is it important?

Linux hacking is one of the most important topics in ethical hacking. Why? According to the Statcounter global stats, as of March 2024 operating system market share, the topmost operating systems being used around the world are Linux or its variants. The same report also states that usage of Linux as desktop increased to 4.05% this year. Also note that majority of the servers around the world are Linux servers. So, learning Linux hacking can provide lot of knowledge. But what are the various methods used for hacking Linux systems.

Linux privilege escalation techniques

There are multiple ways by which hackers can elevate privileges on a Linux system. They are,

  1. Exploiting SUID binaries.
  2. Exploiting SUDO privileges.
  3. Exploiting services running as root.
  4. Exploiting misconfigured cron jobs.
  5. Exploiting kernel vulnerabilities.
Linux Privilege Escalation 1

1.Exploiting SUID binaries:

Just like Windows, Linux too has many binaries on the system. These binary files too have permissions just like any file in Windows. Apart from the regular permissions of a file, Linux has special permissions for some binaries.

These permissions are called SUID or SetUID permissions also known as Set Owner User Identification (SUID). This permission allows a user with low privileges to run a binary or script under the power of the original owner of the particular file. So, if a SUID or SetUID bit is set to a particular binary or a root user has created a binary file and has set a SUID bit to it, this file can be exploited to gain root permissions on the target Linux system.

2. Exploiting SUDO rights:

SUDO is a very important concept in Linux. Sudo stands for ‘Super User Do’ and is pronounced as “su dough”. SUDO lets users run commands with root privileges from their own account. Learn more about exploiting SUDO privileges.

3. Exploiting services running as root:

Privileges can also be elevated on Linux by exploiting services running as root. Some services running on Linux are configured to run with root privileges. By exploiting any vulnerability in these services Root privileges can be acquired.

4. Exploiting misconfigured cron jobs:

In Unix system, cron is used to schedule jobs for automation. Some jobs that are misconfigured can be exploited to gain root privileges.

5. Exploiting kernel vulnerabilities:

Vulnerabilities in the Linux kernel can be exploited to gain root privileges.

Posted on

Windows privilege escalation for beginners

Hello, aspiring ethical hackers. In this blogpost, you will learn about Windows privilege escalation. Windows privilege escalation comes after Windows hacking and is part of Post-exploitation of Windows.

What is Windows privilege escalation?

Windows privilege escalation is the process of elevating privileges on a Windows system after successfully gaining access to a Windows system.

Privilege Escalation Guide 1

Why is it important?

According to StatCounter Global Stats, over 72.52% of people worldwide use Windows as their Desktop. That is the reason why Windows privilege escalation is one of the most important topics of ethical hacking.

Windows privilege escalation techniques

There are multiple ways by which hackers can elevate privileges on a Windows systems. They are,

  1. Exposed credentials
  2. Bypassing UAC
  3. Exploiting services running with administrator privileges.
  4. Windows kernel vulnerabilities.
  5. Misconfigured services.
  6. Windows Registry.
  7. Scheduled Tasks.
Windows Privilege Escalation 1

1. Exposed credentials:

Sometimes, the credentials of user accounts with administrator privileges on a Windows system are exposed. Most people still store Windows credentials on Desktop for easy access (you may not believe this but this is true). So, attackers can login as user with high privileges using these exposed credentials.

2. Bypassing UAC:

User Account Control (UAC) is a Windows security feature that was designed to protect the operating system. Introduced with Windows Vista, it is a mandatory access control enforcement feature. It works by limiting application software to standard user privileges until a user with administrator privileges authorizes an elevation in privileges.

This allows only applications that are trusted by users to be assigned administrator privileges. However, vulnerabilities in this UAC sometimes allows hackers to bypass UAC and get administration privileges on the target system.

3. Exploiting services running with administration privileges:

Some applications installed on Windows by users need administrative privileged on the system to run. If attackers exploit any vulnerabilities in these applications, they can easily elevate their privileges on the Windows system.

4. Windows kernel vulnerabilities:

Windows kernel in Windows (or for that matter any operating system) has the highest privileges assigned to it. If attackers exploit any vulnerabilities in the Windows kernel, they can elevate their privileges on the Windows system.

5. Misconfigured services:

Misconfigurations in services on Windows can also be exploited to escalate privileges on Windows system.

6. Windows Registry:

Windows registry is a hierarchical database that stores all low level; settings of Microsoft Windows. Weak permissions in the Windows registry can also be exploited to elevate privileges.

7. Scheduled Tasks:

Windows Task Scheduler (formerly known as Scheduled Tasks) is used to automate jobs and tasks in Windows just like cron jobs in Linux. Weak file permission setting in Task scheduler can be exploited to elevate privileges on a Windows system.

Posted on

Dirty Cow vulnerability: Beginners guide

Hello, aspiring ethical hackers. This blogpost is a beginner’s guide to Dirty COW vulnerability. Assigned CVEID, CVE-2016-5195, this vulnerability affects Linux kernel version 2.6.21 since 2007. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

What is this Dirty COW vulnerability?

Dirty COW is a Linux privilege escalation vulnerability which is caused due to a race condition in the way the Linux kernel handled copy-on-write functions. The name Dirty COW came from this Copy-On-Write (COW). By exploiting this vulnerability, an unprivileged user can gain access to the read-only memory mapping subsequently elevating their privileges on the system.

Which kernels are vulnerable?

All the Linux kernels from versions 2.x to 4.x before 4.8.7 are vulnerable to this Dirty COW vulnerability. Let’s demonstrate this vulnerability on a Ubuntu 12 system. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

Dirty Cow 1

Download this exploit from Github and extract its contents. It is a C program as shown below.

Dirty Cow 2

Compile this code using inbuilt GCC compiler in Ubuntu system. This exploit creates a new user named ‘firefart’ with root privileges on the target system by writing to the /etc/passwd file. Usually, creating an user with root privileges in not possible for low privileged users on Linux systems. But this is a privilege escalation vulnerability.

Dirty Cow 3

Now, let’s execute the exploit as shown below. It will prompt you to create a new password for the new user “firefart” it is creating.

Dirty Cow 4

Login as the newly created user to see if the exploit was successful in exploiting the vulnerability and creating the news user “firefart”.

Dirty Cow 5

As you can see, a new user named “firefart” has been created on the target system with root privileges.

Posted on

Privilege Escalation guide for beginners

Hello aspiring Ethical Hackers. In this blogpost, you will learn in detail and clearly about Privilege escalation. Privilege escalation is an act of gaining elevated access to resources that are normally restricted to an application or user. To understand privilege escalation better, you need to first understand about privileges. Since hacking mostly deals with exploiting of operating systems, let me explain you about how privileges in a operating system are assigned.

Since Operating Systems (OS) are meant for user interaction and perform some specific functions you should have noticed that different users are assigned different privileges on a system.

Let’s see the example of the Windows operating system. Windows OS has generally 7 types of accounts. When I am talking about accounts, I am talking about local user accounts instead of remote or online accounts. A local user account is defined locally on a device (computer) and are assigned rights and permissions on that particular device only. The types of Windows user accounts are given below.

Privilege Escalation Guide 1

When you do a fresh installation of Windows (Windows 7 to 11), the first user account that is created during setup is the Administrator account, As the name suggests, the Administrator account is a default local user account (account created during Windows installation) used for system administration. This account has full control of the files, directories, services and other resources on the local device. As you might have experienced by now, an administrator account can create, delete and assign permissions to other users.

This default Administrator account can neither be deleted or locked but it can be disabled or renamed. Windows setup disables the built-in administrator account after installation of Windows and creates another local account that is a member of the administrators group.

Privilege Escalation Guide 1A
Privilege Escalation Guide 2
Privilege Escalation Guide 3

The newly created user belonging to the Administrator group has same powers as the default administrator account. Since this is too risky if some malicious user gains access to the system as Administrator user, Windows provides option to create an account called standard account. Most organization provide their workers a standard account. A standard account on Windows can run almost all application on a Windows system and perform all other day-to-day computing tasks.

However, to perform some tasks like installing programs or applications, making changes to the registry etc and other operations that require elevated privileges, the standard user is asked for credentials of Administrator of the system through the user Account control. Simply put, you cannot make any major changes to the operating system with standard account.

Privilege Escalation Guide 4

Apart from these two accounts, Windows has some default local user accounts that are automatically created while operating system is installed. They first one you need to learn about is the “SYSTEM” account. This account is used by the operating system and its services running under Windows. This account doesn’t show up in user manager which means you cannot login with this account.

It belongs to Windows and used by all Windows processes. You can view the processes running with this “SYSTEM” privileges from details tab of the Window Task Manager.

Privilege Escalation Guide 5

The ms08_067 vulnerability affected a process svchost.exe that runs with SYSTEM privileges. So, once you exploit it, you automatically get SYSTEM privileges. It can be exploited remotely and grant SYSTEM PRIVILEGS to attackers. No wonder it is considered very CRITICAL.

Another local default user account is the “Network service” account. This account is used by the service control manager (SCM). It is used to present the computer credentials while it is communicating with remote servers. Similarly, Windows has an account called “Local Service” which is also used by the service control manager. It has minimum privileges on the local computer.

Privilege Escalation Guide 6

Linux systems too have different types of user accounts. They are 1) Super user account 2) Regular account 3) System account 4) Service accounts.

Privilege Escalation Guide 7 1

On Linux, the Super User account is the most powerful account and is the default administrator of the Linux system. This account is popularly known as root account. The root account has unlimited control on the Linux system and you can literally do anything you want with this account.

Privilege Escalation Guide 8

The root user in Linux has (#) symbol on their terminal. All other users who are later added are together known as regular accounts. Regular accounts are similar to “standard account” on Windows and to perform administrative actions on the OS, they need to use sudo or su command. Apart from these two accounts, Linux has “system account” and “service account” that are created during the installation of the OS and are by OS processes just like “SYSTEM account on Windows. However, these accounts don’t run with superuser privileges. Service accounts are created whenever a service is installed on the system.

Privilege Escalation Guide 9
Privilege Escalation Guide 10

Since you are now accustomed with privileges and user accounts with different privileges, you can now understand privilege escalation.

What is privilege escalation?

Privilege escalation is an act or process of gaining access to privileges of the other user account using any means or techniques. Normally privileges of user account with higher privileges are targeted by hackers.

Privilege Escalation Guide 11

Privilege escalation is of two types: They are,

  1. Horizontal privilege escalation.
  2. Vertical privilege escalation.

1. Horizontal Privilege Escalation:

In horizontal privilege escalation, an attacker gaining access to the privileges of another user with same rights as him but with access to some other resources. For example, imagine on a Linux system, you gained access as a regular user (user_1). On the same system, there is another regular user (user_2) with same rights as him but with access to the MySQL databases. Elevating privileges to this user (user_2) can give you access to MySQL database.

Privilege Escalation Guide 12
Privilege Escalation Guide 13

2. Vertical Privilege escalation:

In cyber security or hacking, when anyone says “privilege escalation”, they are talking about this type of privilege escalation most of the time. In vertical privilege escalation, an attacker with low privileges tries to gain access to higher privileges.

Privilege Escalation Guide 14
Privilege Escalation Guide 15 1

Techniques used for Privilege escalation

Attackers use various techniques to elevate privileges. Some of the most general techniques are given below.

1. Social Engineering:

In Social Engineering, attackers somehow convince high privileges users to give access their credentials. These techniques include phishing, spear phishing attacks etc. For example, let’s say the attackers gained access to the email of the user with low privileges. From this email, he/she can send an email to the user with high privileges and somehow convince him/her to give any credentials.

In the first week top of September 2023, Okta, a company providing Identity services warned its users of social engineering attacks to obtain super administrator privileges on the organizations using Okta’s services. In these attacks, attackers performed social engineering attacks against IT service desk personnel by calling them and convincing them to reset multi-factor authentication (MFA’s) of high privileged users. Then attackers (allegedly APT Muddled Libra) abused these high privileged super admin accounts to impersonate users of the compromised organizations.

2. Password cracking:

Sometimes attackers crack the passwords of high privileged users to be used in privilege escalation.

3. Exploiting vulnerabilities:

This is one of the popular methods of escalating privileges. In this technique, attackers exploit vulnerability in software installed on the target system to elevate privileges. For example, PrintNightmare, Zerologon, Fodhelper etc in Windows and Dirtypipe, DirtyCow, PWNKIT, Netfilter, Heartbleed and Looney Tunables.

4. Misconfigurations:

In this type of attack, attackers use any misconfiguration on the target system for privilege escalation. These misconfigurations can include weak passwords, setting empty string as password, unsecured network service, open ports and exposed services etc. Examples are exploiting cronjobs and exploiting SetUID bits etc.

Many APT’s and Threat Actors exploit the recently (before patches are applied) released local privilege escalation vulnerabilities to elevate their privileges.

Posted on

CVE-2022-25636 : Linux Privilege Escalation

Hello aspiring Ethical Hackers. In this article you will learn about another Linux Privilege Escalation vulnerability tracked as CVE-2022-25636 and its exploitation. I am saying another because this vulnerability comes immediately after recently discovered Linux Dirty Pipe vulnerability.

CVE-2022-25636 is a vulnerability that affects the Linux Netfilter component. What is netfilter? It is an open source framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Its functions include packet filtering, network address translation and port translation. All Linux Firewall utilities i.e Iptables, nftables, ufw etc use Netfilter in their operations.

Exploitation of this vulnerability can give attackers root privileges on the target system, allow them to escape containers and in worst case induce a kernel panic. This vulnerability affects Linux kernel versions 5.4 to 5.6.10. The target OS include Ubuntu, Debian, RedHat etc.

However, there’s no clarity on which kernel versions are actually vulnerable. In my testing, this failed to work on Ubuntu 21.10 kernel version 5.13.0-10 but worked every time on Ubuntu 21.10 with kernel version 5.13.0-30 (without giving any panic). Let’s have a look at how the exploitation worked for me.

To exploit this privilege escalation vulnerability, anybody needs to have access on the target system with Low User Privileges as shown below.

Linux Netfilter 1

Once I have a shell on the target, I download the exploit from Github as shown below.

Linux Netfilter 2

Next, I navigate into the CVE-2022-25636 directory and compile the exploit as shown below.

Linux Netfilter 3
Linux Netfilter 4
Linux Netfilter 5

Then I executed the exploit as shown below.

cve-2022-25636

As readers can see, I successfully got a shell with root privileges.