Linux PE

Today's privilege escalation is brought to you by the GRand Unified Bootloader. Not only is this the doorway into your Linux kernel, it's a wide-open window to the escalation of privileges.


This is a combination of Linux PE labs from my recent Ethical Hacking class. I did all of my labs on a Kali 19 virtual machine.


To escalate locally, I booted Linux, and when the GRUB menu loaded I pressed "e" to enter the GRUB editor. I arrowed down to the line beginning with linux, found the letters ro, and changed them to rw. This changed the root filesystem mount from read-only to read-write. Then I moved the cursor to just after the word quiet, typed splash init=/bin/bash, and hit Ctrl+X to continue booting. This finished booting Linux and brought up a rescue shell with root privileges. From here I created a user named pwned with the adduser command, entered a password, and left the rest blank. adduser pwned sudo added my user to the sudo group, which the sudoers file grants full sudo rights. sync wrote the files in memory to persistent storage. And finally a reboot. Boom, I had a sudo user on the box, and man it felt good.


With root privileges, I ran unshadow /etc/passwd /etc/shadow > (filename). This gathered all the hashes and user names into one handy dandy file to run John the Ripper (JTR) on. From there I ran john (filename) --wordlist=(a wordlist like rockyou.txt, one created with CUPP, or your favorite flavor), sat back and let it run. This printed the cracked passwords to the screen and to the john.pot file. I then compared the freshly obtained creds to the sudoers file and found one with full root privileges, named tom. A quick log out and log back in with the sudo account tom. From there I ran killall pwned to kill all processes associated with the account, and then deluser --remove-home pwned to delete the user and its home directory. There was no reason for this account to exist any longer. It was nice knowing you, pwned. As a wise man once told me, "Get the creds, abuse the creds."


There's still the issue of logs out there... pesky logs recording everything. I started by checking the logs for any mention of my temporary user: cat /var/log/auth.log | grep pwned, and to no one's surprise there were a few entries covering the account creation and deletion and some sniffing around. I decided to try something: cat /var/log/auth.log | grep -v pwned, and KACHOW, there was no mention of pwned anywhere. The -v flag let me read the log while excluding every line containing the word pwned. This is what I wanted. cat /var/log/auth.log | grep -v pwned > /home/john/tempfile wrote this filtered list to a file. mv /home/john/tempfile /var/log/auth.log moved the file I had just created over auth.log, overwriting the existing log. I had to double check, so cat /var/log/auth.log, and there it was, a log with no mention of my previous misdeeds.


I am walking away from this having used the GRUB editor to create an account with sudo privileges, logged in and used John the Ripper to crack the hashes on the box, removed the previous malicious user, and then covered my tracks. I know not every Linux distro will have all of the tools used. I did learn that I can cat the shadow and passwd files into another file, throw it on a USB drive, and then run JTR on it on my own device. Then I can use the creds without needing to install anything on the local device I was breaking into.


Let's talk about mitigation for a moment. First and foremost, do not leave your devices logged in and unattended. Second, you can always password-protect GRUB. It was pretty straightforward: run grub-mkpasswd-pbkdf2, which prompts you to create a password and then spits out a hash. In a second terminal window, nano /etc/grub.d/40_custom to open the 40_custom file. At the bottom of the text create a new line, set superusers="(your superuser)", and on the line under that add password_pbkdf2 (your superuser) (hash). The hash begins with grub.pbkdf2.sha512 and continues until the end of the output. Ctrl+O and Ctrl+X to save and exit. Run grub-mkconfig -o /boot/grub/grub.cfg to regenerate grub.cfg and apply the GRUB password.

James S.

Tier 2 Technician @ IT Voice | U.S. Army Veteran

1 year

Whoah! Love it! I’m saving this for future re-reading and understanding.
