In this article, we learn how to easily do Privilege Escalation in Linux using simple binaries such as GTFObins or GTFOBinaries.
When diving deeper into privilege escalation, it's essential to understand key concepts like file permissions, users, groups, SUID (Set User ID), sudo, shell access, root privileges, and file read/write permissions. These fundamentals help identify weak points in system security.
Understanding why privilege escalation occurs often stems from common misconfigurations. Misconfigurations such as incorrect file permissions, improper SUID/SGID settings, or over-privileged sudo rights can all lead to security vulnerabilities, allowing unauthorized users to elevate their privileges. Identifying these issues is critical when working in a Unix/Linux environment. Don't worry if you don't know we will lean together.
What do we discuss in this article?
> GTFOBin
> Privilege Escalation
> Common Misconfiguration
> Mitigation
GTFOBins
GTFOBins is an extensive resource, offering a curated list of binaries and commands that can be leveraged for privilege escalation, often showcasing lesser-known or undocumented methods. Each binary is accompanied by detailed information, including its typical location, required user privileges for execution, and practical examples for escalating privileges.
As an open-source initiative, GTFOBins benefits from the contributions of security experts and enthusiasts globally, constantly evolving to include the latest binaries and techniques. This ongoing effort makes GTFOBins an indispensable tool for penetration testers, security analysts, and system administrators aiming to identify and mitigate privilege escalation risks in Unix/Linux environments.
As What GTFOBins say
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
The project collects legitimate functions of Unix binaries that can be abused to get to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
It is important to note that this is not a list of exploits, and the programs listed here are not vulnerable per se, rather, GTFOBins is a compendium about how to live off the land when you only have certain binaries available.
Privilege Escalation
Privilege escalation refers to the process by which an attacker exploits vulnerabilities in a system or application to obtain higher levels of access than originally intended by the system administrator. There are two main types of privilege escalation:
Horizontal Privilege Escalation: In this scenario, the attacker gains access to another user’s account with the same level of privileges. For example, if a user’s credentials are compromised, the attacker can use those credentials to log in as that user and perform actions within the same permission level.
Vertical Privilege Escalation: This type involves the attacker elevating their privileges to a higher level than their initial access rights. This could mean gaining administrative or root-level access, which grants the attacker significantly more control over the system or network.
Common Misconfigurations on Linux
1. SUID
SUID, or Set-User-ID, is a special permission in Linux and Unix systems that lets a file run with the privileges of the file's owner, no matter who is executing it. Typically, when you run a program, it operates under your own user privileges. But if the SUID bit is enabled, that program executes with the permissions of the file's owner—commonly, the root user. This can allow regular users to perform tasks they otherwise wouldn't have access to, which can be useful for certain system utilities, but if it is improperly misconfigured then it will open for privilege escalation.
How to Find those files?
find / -type f -perm -4000 2>/dev/null
let's decode the above code
find: Help to search from /root directory, it will search through the entire filesystem.
type -f: define that we want only files excluding directories.
-perm -4000: this is for permission type, the -4000 will search for files that have SUID bit Set, 4 represents the file that has SUID permission set that can run with root privilege.
2>/dev/null: this is used to redirect the error message to /dev/null, so that the output will be clear without any error.
we can see that no output can run with root privilege.
Exploit
There are many possible ways to exploit suid binaries
1. Shared Object Injection
This can be exploited by making a file which has missing or modifying it to run /bin/bash to spawn a shell.
2. Environment Variable
Find the SUID that relies on environment variables e.g., dynamic libraries, paths, or user-defined settings
This environment variable forces the loader to load a specific shared library before any others. If the binary is vulnerable, you can preload a malicious shared library (mylib.so) and run it with the binary's privileges.
3. Abusing Shell Feature
When a SUID binary uses a shell (such as running a script), it might not properly drop privileges when starting the shell. This gives an attacker a chance to execute arbitrary commands with elevated privileges.
Many commands can exploit SUID using GTFObins.
When Sudo is misconfigured, it can lead to privilege escalation. If a binary is allowed to run with sudo
without requiring a password, it can be exploited to gain root access or escalate privileges.
It can be run with root privileges Exploit
1. You can see /etc/passwd using less and then crack hash using john tool to get the password.
2. Search on GTFObins then use let us take an example of FTP that does not require a password, search on GTFOBins for FTP>Sudo then Get the command to copy and paste You get a shell.
sudo ftp
!/bin/bash
3. Path Injection
Path injection happens when a user can control the system’s $PATH
environment variable. If a program is running as root and executes other binaries without specifying the full path, a malicious user can insert their own binary into the $PATH
to get executed instead.
Exploit
1. Crate a malicious file example make fake ls command
echo "/bin/sh" > /tmp/ls
chmod +x /tmp/ls
2. Modifity the $PATH variable to your malicious file location
export PATH=/tmp:$PATH
4. Linux Capabilities
Linux capabilities break down the root user’s privileges into distinct units that can be granted to executables, rather than granting full root privileges. Misconfigured capabilities on binaries can be exploited for privilege escalation.
Exploit
If a binary has the capability CAP_DAC_READ_SEARCH
, it can read any file, bypassing normal permission checks
This information is helpful to you make sure to save bookmarks of our blog for more amazing content and join our Telegram channel to get the latest updates. Want to be a certified hacker and gain hands-on offensive hacking experience from zero to hero?