Privelege Escalation - Elaboration, Exploitation, Extenuation on Windows, Linux and OSX

Abstract
Local Privilege Escalation is a method to exploit the available vulnerabilities in the codes or services handling methods which leads to convert our privileges from Standard or Guest user TO Root or Administrator user to perform various tasks for the system. This leads to the violation of the permissions or privileges as the normal user can do anything as they got shell or permissions of the root. Anyone can retrieve the vulnerability and exploit it to gain the high level access.

Understanding Permissions
In computer, the Privileges is the permissions, right or features given to the user or group of the system for running and performing particular tasks need to be run as a particular user or group. Like, a Admin user has the permissions to the particular service running and writing both but a standard only runs the service and not have the permissions to write to the configuration or files of the particular services.

Users and Groups :

Root account : This is also called superuser and would have complete and unfettered control of the system. A superuser can run any commands without any restriction. This user should be assumed as a system administrator.

System accounts : System accounts are those needed for the operation of system-specific components. These accounts are usually needed for some specific function on your system, and any modifications to them could adversely affect the system.

User accounts : User accounts provide interactive access to the system for users and groups of users. General users are typically assigned to these accounts and usually have limited access to critical system files and directories.

Understanding Privileges and Permissions :

Read - a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.

Write - a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory.

Execute - for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory.

    -rw-r–r--  1 root root     25 June  5 04:23  confidential.txt

In this example, the file owner has read and write permissions only.
-    The first three characters (rw-) define the owner’s permission to the file.
-    The next three characters (r–) are the permissions for the members of the same group as The file owner (which in this example is read only).
-    The last three characters (r–) show the permissions for all other users and in this example it is read only.

Introduction to Privelege Escalation
Anyone who knows about the vulnerability in code flow of the running service or program, then, they can escalate their privileges to the root or Admin.
Various methods are used to escalate their privileges like Powershell, Executable binaries, Metasploit modules etc. Anyone makes their ways to configure victim’s machine or server settings to work or interact with the services. They need to check their permissions of the current user like File Writable, File Readable, Token generation, Token Stealing etc. Hackers can maintain access and control all the services and make them more vulnerable to be exploitable anytime. Windows and Unix systems leads to be vulnerable if the services and permissions will not be maintained properly and have permissions which is world-writable and anybody can write their scripts for execution purposes. This could lead to a very large damage or vulnerability in terms of network services and they can even trap your confidential data or change the flow of the data which may be big lose.

Example: If we land in the shell of the Guest user and need to get the privileges of the Standard user, then, we recon the services or programs running by the standard user and writable or manageable by the Guest user. We got a service running as Standard user and loads its script from a world-writable dir, then, we can change the script with our payloads and got the shell or privileges of the standard whenever the service loads our script.

Benefits for a Hacker
If a hacker lands in a system with the privileges of the guest or standard user, they can retrieve the information of the running services or the programs which is vulnerable to the privilege escalation vulnerability and running by the Admin user or have the permission of the Administrator group, hacker can take advantage of the vulnerable application to execute their codes or services to take control over the target system.

Example: If a service running as Administrator and vulnerable with buffer overflow, then, attacker can overflow it to get the Administrator shell of the target machine and may be able to install the services to maintain their access to the system. 

Proof of Concepts 

Scenario 1 :  Target OS - Windows 8.1 x64 bit   Exploit - MS16-135.ps1

Working - Attacker first need to enumerate the vulnerabilities available in the target machine which they can use to enumerate running purposes and lead to the advantage for us to escalate our privileges. There are multiple scripts or tools available online for the kernel vulnerability enumeration like Watson.exe, Sherlock.ps1 etc., but we use Sherlock.ps1 for the working.

We need to download the recon script from the github of the Rasta-Mouse and save it to our target system. We open and check the script, it is a powershell script and their is a function called Find-AllVulns, which scan all the vulnerabilities available and exploitable on the target machine.

We open Command Prompt and load Powershell with execution policy enabled for the scripts using powershell.exe -exec bypass. Now, import our script using Import-Module ./Sherlock.ps1.

Running the exploit.

We open another Command Prompt and load powershell with execution policy enabled. We directly run the script using .\MS16-135.ps1.




 As soon as the script completes its working and execute code in the vulnerable service, we get a Command Prompt of the NT Authority/SYSTEM which is the root user of the Windows.
  
Mitigation from this type of attack
This type of attack can be performed remotely or directly accessible system by the attacker. For the mitigation from this type attacks, network administrator or system user need to now:
  • Check the privileges of the services or programs running in the network whether it is runnable or writable by other users.
  • If a program needs to be run as Administrator user and also runnable by standard user or Guest user for some purposes, then, they should check the writable permissions of the directories or configuration file of the services or programs.
  • Disable powershell for the Standard and Guest user, if needed, then it should be run in Constraint Mode for the Standard and Guest User to mitigate or decrease the damage.
  • Powershell v2 should be disabled to protect the Powershell Constraint Mode.
  • Update your system and kernel version from time to time to remove the available vulnerabilities in the Windows features.
  • Always choose the best system configuration and disable services or programs which are not needed.
Scenario 2 :   Target OS -  Kali 19.2 Exploit - Exploiting suid with ENV variables

Working of shell with ENV variables
Shell of the systems work on the ENV variables and checks for the available commands on the basis of the directories listed in the value separated by ‘ : ’ colon.
Example : PATH=/usr/local/bin:/usr/sbin:/usr/

As we exploit the PATH variable and make the target program to run our script to give a reverse shell as root.

We first need to enumerate the vulnerability on the target machine which could be used to escalate our privileges and exploitable.

 


We checks for the ssh script ‘/etc/ssh/sshrc’ which is responsible for the script execution on the new login. We got a file in the home directory of the user which is executed.


On listing, it shows that the file has suid permissions. On reading the strings of the executable file, we see that it executes a terminal command ‘service test restart’ based on the PATH variable of the current shell.

We read the value stored in the PATH variable and checks for the location of the service command. It is stored in the dir /usr/sbin. We checks for the writable dir for us as the directories listed in the variable.

As the system directories is misconfigured and their is a directory ‘/usr/local/bin/’ which is configured to be writable by all and the directory is listed before the command directory of service command.

We create a reverse shell in the /usr/local/bin with the name service as the program runs the following command. We make executable.

We start up a listener on the port specified and login to the ssh in another shell. When we successfully logged in to the target machine, our script runs and we will get a reverse shell as root user.

Mitigation from this type of attack
Their is multiple checksums and processes available to check the vulnerabilities and stop them before the damage of the network. This could to the complete data lose or infrastructure lose.
  • Network Administrator should check the program or service permissions correctly if they are misconfigured or not. If they misconfigured due to some issues, then it needs to be resolved as soon as possible as this could lead a large damage.
  • Proper script functionality and user permissions verification required for the proper and safe working of the services.
  • You can also use docker containers or virtual machines for the remote services like login to the client user, as to mitigate or decrease the misconfiguration detection by the attacker and exploiting of the services.
  • Proper verification or check of the user who is responsible for the network devices or systems.
  • Time to time assessment of the machines needed for the changing of the permissions or any small harm which could lead to be more harmful in the future.
  • Check for running services which is needed only and remove the programs or services which are not needed or complex the working of the network.
  • Decrease the use of multiple scripts for different purposes as this is difficult for us to check the proper permissions of the script running.

Scenario 3 :   Target OS -  Mac OSX 10.14 Exploit - CVE-2019-8513

Started our MacOSX as normal user.

Taking the remote connection.

For getting the root privileges we use the exploit.

Load our lpe module ( libxpc mitm ) in the metasploit and set the options available.

As the script execution completes, we got our reverse shell with higher privileges enables.

Mitigations from this type of attack
We should take proper mitigation techniques to protect our Mac devices from the attacker.
  • Check before executing scripts whether it is verified or not.
  • Always check the firewall configurations to block all unvalid or malicious outgoing request.
  • Always check the script execution from another processes whether it doing something different from the default services.
 References
  1. https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1
  2. https://github.com/FuzzySecurity/PSKernel-Primitives/blob/master/Sample-Exploits/MS16-135/MS16-135.ps1
  3. https://i.ytimg.com/vi/7PpYavvu-6k/maxresdefault.jpg

Article Link: https://blog.lucideus.com/2019/07/privelege-escalation-elaboration.html