Black-Hat Bash scripting part 14
Hello, is that the right thing to say to a cluster of people that may or may not read this... anyway, moving on.
Exercise 15: Adding Custom Functionality To LinEnum
Chapter 9 Privilege Escalation
Privilege escalation is when a user is able to perform actions that they are not supposed to be able to perform with their current identity's permissions, by abusing misconfigurations, taking over other accounts, or exploiting other vulnerabilities and chaining them together.
Viewing permissions
ls -l /etc/passwd
-rw-r--r--
Local accounts are able to read the file, but only the root user can modify it.
Setting permissions
Set read, write and execute permissions for the user with u+rwx, read permission for the group with g+r, and read permission for everyone else with o+r. Alternatively, use the octal representation with digits 0 through 7: one digit for the user, one for the group and one for others, such as 777, 700 or 400. Each digit is the sum of the bits that are set:
- r (read) permission is 4
- w (write) permission is 2
- x (execute) permission is 1
- no permission is 0
Creating file access control lists
File access control lists give you the ability to set additional permissions on files and directories. ACLs grant or deny access to specific users on top of the existing owner/group/others permission scheme.
Viewing SetUID and SetGID
setuid is a special permission that lets an executable run with the permissions of the user who owns it. setgid lets an executable run with the permissions of the group that owns it. Files with setuid or setgid set show an s instead of an x in the file permissions.
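As an added example (not from the book or this post), the following POSIX shell functions tie the octal representation above to the setuid/setgid bits: mode_to_octal converts an ls -l style permission string such as -rwsr-xr-x into its four-digit octal form (the leading digit carries setuid = 4, setgid = 2, sticky = 1), and list_special_bits uses find -perm to enumerate setuid/setgid files under a directory. The function and file names are my own; the demo builds its own scratch directory so it needs no root.

```shell
#!/bin/sh
# Added example, not the book's or the post's code.

# mode_to_octal MODE: "-rwsr-xr-x" -> "4755", "rw-r--r--" -> "0644"
mode_to_octal() {
    m=$1
    # drop the leading file-type character (-, d, l, ...) if present
    if [ ${#m} -eq 10 ]; then m=${m#?}; fi
    special=0
    digits=""
    i=0
    while [ "$i" -lt 3 ]; do
        t=$(printf '%s' "$m" | cut -c "$((i*3+1))-$((i*3+3))")
        v=0
        case $t in r??) v=$((v+4)) ;; esac        # read  = 4
        case $t in ?w?) v=$((v+2)) ;; esac        # write = 2
        case $t in ??[xst]) v=$((v+1)) ;; esac    # exec  = 1 (lowercase s/t also mean exec is set)
        # s/S in the user triplet = setuid (4), in the group triplet = setgid (2),
        # t/T in the others triplet = sticky bit (1); uppercase means the exec bit is NOT set
        case $i$t in
            0??[sS]) special=$((special+4)) ;;
            1??[sS]) special=$((special+2)) ;;
            2??[tT]) special=$((special+1)) ;;
        esac
        digits="$digits$v"
        i=$((i+1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# list_special_bits DIR: print regular files under DIR that carry the setuid
# (-perm -4000) or setgid (-perm -2000) bit, sorted, one per line.
list_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed demo: a scratch directory with one plain, one setuid and one
# setgid file (all owned by the current user), scanned with list_special_bits.
demo_special_bits() {
    d=$(mktemp -d)
    : > "$d/plain"; chmod 644 "$d/plain"
    : > "$d/suid";  chmod 4755 "$d/suid"
    : > "$d/sgid";  chmod 2755 "$d/sgid"
    list_special_bits "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
```

On a real host you would point list_special_bits at / and compare the output against a known-good baseline; an unexpected entry is what to investigate.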
Scavenging for credentials
Privilege escalation does not always require a highly sophisticated exploit.
Passwords and Secrets
Passwords and secrets like API keys can live in many places on a system. Admins may run commands that contain usernames and passwords, applications may log credentials to their log files, and configuration files may contain credentials as part of a connection string. You can search for credentials in the following areas:
- configuration files under the /etc directory
- env variables
- logfiles
- history files of users
- scheduled tasks, like cron jobs
- script files (Bash or Python)
- memory
- boot configuration files
- keyrings
- system files such as /etc/shadow
Searching for files:
find . -type f -exec grep -i password {} \;
find . -type f -exec grep -i "api_key\|token\|apitoken\|key" {} \;
find . -type f \( -name "*.hashes" -o -name "*.env" -o -name "*.credentials" \)
Private keys
Private keys can be a huge resource: they let you connect to servers, decrypt files, or perform man-in-the-middle (MITM) attacks. Depending on their type and owner, they are found in restricted folders such as /root or a user's home directory.
SSH keys
If not renamed, SSH private keys are called id_rsa (RSA cryptosystem) or id_dsa (Digital Signature Algorithm), while the matching public keys are usually id_rsa.pub or id_dsa.pub.
Exercise 16: Brute-forcing GnuPG Key Passphrases
Exercise 17: Maliciously Modifying a Cron Job
Privilege escalation with GTFOBins
Exercise 18: Mapping GTFOBins Exploits to Local Binaries
Ways to automate privilege escalation:
- LinEnum
- unix-privesc-check
- mimipenguin
- linuxprivchecker
- bashark
And with that, ch9 comes to a close. It was not an easy chapter, so much technical know-how and having to pay attention and not lose focus, otherwise I would've been lost working on the exercises. I have to remind myself going forward there is nothing wrong with looking at the exercise solutions when stuck cause that's what they are here for, but think of different ways to skin the cat to make the script functional, readable but not elegant, cause in a real environment speed will take precedence to solve a particular problem. Till next time, be blessed.