Interesting Groups - Linux Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Sometimes, by default (or because some software needs it) inside the /etc/sudoers file you can find some of these lines:
This means that any user that belongs to the group sudo or admin can execute anything as sudo.
If this is the case, to become root you can just execute:
Find all suid binaries and check if there is the binary Pkexec:
If you find that the binary pkexec is a SUID binary and you belong to sudo or admin, you could probably execute binaries as sudo using pkexec
.
This is because typically those are the groups inside the polkit policy. This policy basically identifies which groups can use pkexec
. Check it with:
There you will find which groups are allowed to execute pkexec and by default in some linux disctros the groups sudo and admin appear.
To become root you can execute:
If you try to execute pkexec and you get this error:
It's not because you don't have permissions but because you aren't connected without a GUI. And there is a work around for this issue here: https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903. You need 2 different ssh sessions:
Sometimes, by default inside the /etc/sudoers file you can find this line:
This means that any user that belongs to the group wheel can execute anything as sudo.
If this is the case, to become root you can just execute:
Users from the group shadow can read the /etc/shadow file:
So, read the file and try to crack some hashes.
staff: Allows users to add local modifications to the system (/usr/local
) without needing root privileges (note that executables in /usr/local/bin
are in the PATH variable of any user, and they may "override" the executables in /bin
and /usr/bin
with the same name). Compare with group "adm", which is more related to monitoring/security. [source]
In debian distributions, $PATH
variable show that /usr/local/
will be run as the highest priority, whether you are a privileged user or not.
If we can hijack some programs in /usr/local
, we can easy to get root.
Hijack run-parts
program is a way to easy to get root, because most of program will run a run-parts
like (crontab, when ssh login).
or When a new ssh session login.
Exploit
This privilege is almost equivalent to root access as you can access all the data inside of the machine.
Files:/dev/sd[a-z][1-9]
Note that using debugfs you can also write files. For example to copy /tmp/asd1.txt
to /tmp/asd2.txt
you can do:
However, if you try to write files owned by root (like /etc/shadow
or /etc/passwd
) you will have a "Permission denied" error.
Using the command w
you can find who is logged on the system and it will show an output like the following one:
The tty1 means that the user yossi is logged physically to a terminal on the machine.
The video group has access to view the screen output. Basically you can observe the the screens. In order to do that you need to grab the current image on the screen in raw data and get the resolution that the screen is using. The screen data can be saved in /dev/fb0
and you could find the resolution of this screen on /sys/class/graphics/fb0/virtual_size
To open the raw image you can use GIMP, select the **screen.raw
** file and select as file type Raw image data:
Then modify the Width and Height to the ones used on the screen and check different Image Types (and select the one that shows better the screen):
It looks like by default members of root group could have access to modify some service configuration files or some libraries files or other interesting things that could be used to escalate privileges...
Check which files root members can modify:
You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a chroot
into that volume. This effectively gives you root on the machine.
Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to run a privileged container and escape from it as explained here:
If you have write permissions over the docker socket read this post about how to escalate privileges abusing the docker socket.
Usually members of the group adm
have permissions to read log files located inside /var/log/.
Therefore, if you have compromised a user inside this group you should definitely take a look to the logs.
Inside OpenBSD the auth group usually can write in the folders /etc/skey and /var/db/yubikey if they are used. These permissions may be abused with the following exploit to escalate privileges to root: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)