LabEx
Log In Join For Free

Linux Privilege Escalation via Brute Force

Beginner

Introduction

In this lab, we will explore two methods and corresponding tools for obtaining the root user password through brute force attacks on Linux systems. The lab will help you understand the underlying principles and avoid common pitfalls during the process.

Using sucrack to Brute Force the Root Password via su Command

In this step, we will learn how to use the sucrack tool to brute force the root user's password through the su command.

The su command is used to switch to another user's identity on Linux systems. Except for the root user, other users need to provide the target user's password when using this command.

The tool we will use for brute forcing the su command is sucrack. sucrack is a multi-threaded Linux tool designed to brute force local user passwords through the su command.

Since the su command requires user input from a TTY shell, a simple shell script cannot accomplish the brute force attack. sucrack is written in C language and supports multi-threading, making the brute force process highly efficient.

You can check the official website of sucrack for more information.

In a real-world scenario, the target machine may not have internet access, so you can install sucrack using one of the following two methods:

  • Download the sucrack source code and upload it to the target machine, then compile and run it.
  • Download the sucrack source code, compile it locally, and then upload the compiled binary to the target machine.

In this lab, we have already installed sucrack for you.

  1. Before attempting the brute force attack, we will set up the lab environment:

    Open a terminal and navigate to the project directory:

    cd /home/labex/project

    Run the script env_setup_1.sh to set up the lab environment:

    ./env_setup_1.sh

    This script switches us to the unprivileged www-data user. Our goal is to obtain the root user's password through brute force.

    We have a pre-prepared wordlist at /tmp/common-wordlists.txt for demonstration purposes. You can also use your own wordlist.

  2. The syntax for brute force attacking the su command using sucrack is:

    sucrack -w <threads> [-u <username>] <wordlist>

    The parameters are:

    • -w: Specifies the number of threads
    • <wordlist>: Specifies the wordlist file
    • -u: Specifies the username to brute force. If you do not specify a username, sucrack will brute force the root user's password by default.

    Let's try to brute force by running the following command:

    sucrack -w 20 /tmp/common-wordlists.txt > ~/sucrack.log && reset

    The output of the brute force attack is redirected to the sucrack.log file.

    Note: The reset command is used to clear the terminal screen becase sometimes after using sucrack, the terminal may display not properly.

  3. This brute force attack may take some time. After some time, check the sucrack.log file to confirm the password:

    cat ~/sucrack.log

    Expected output:

    password is: really

  4. Then, we can switch to the root user using:

    su - root

    Enter the password really to switch to the root user.

    really

  5. Create a file named success_1.txt in the /root directory to confirm that you have successfully switched to the root user:

    echo "Success_1" > /root/success_1.txt

    You can check the /root/success_1.txt file to confirm that you have successfully switched to the root user.

You have learned how to use sucrack to brute force the root user's password!

Using hydra to Brute Force the Root Password via SSH

In this step, we will learn how to use the hydra tool to brute force the root user's password through the SSH protocol.

With the previous step, we should still be the root user, and for this step we need to switch to the labex user. You can switch to the labex user by running the following command:

su - labex

  1. Make sure the directory is set to /home/labex/project:

    cd /home/labex/project

    Run the script env_setup_2.sh to set up the lab environment:

    ./env_setup_2.sh

    As with the previous step, after executing this script you'll switch to the www-data user.

  2. Before attempting to brute force the SSH protocol, we need to check if the target machine allows the root user to log in via SSH. You can check this by running the following command:

    cat /etc/ssh/sshd_config | grep -i permitrootlogin

    If the output shows PermitRootLogin set to yes, then we can proceed with the brute force attack. Otherwise, there is no need to attempt it.

  3. The tool we will use for brute forcing the SSH protocol is hydra. hydra is a renowned brute force tool that supports various protocols, including RDP, SMB, HTTP, MySQL, and more. hydra is pre-installed on Kali Linux and our lab's Ubuntu environment.

    The syntax for brute forcing the SSH protocol using hydra is:

    hydra -l root -P passwords.txt -t 4 -V <IP> ssh

    The parameters are:

    • -l: Specifies the username
    • -P: Specifies the wordlist file
    • -t: Specifies the number of threads
    • -V: Displays the progress and details of the brute force attack

    Let's try to brute force the root user's password using the /tmp/common-wordlists.txt wordlist and save the output to the hydra.log file:

    hydra -l root -P /tmp/common-wordlists.txt -t 64 -V 127.0.0.1 ssh > ~/hydra.log

    After some time, the root user's password is successfully cracked.

    Check the hydra.log file to confirm the password:

    cat ~/hydra.log

    Example output:

    ...
[22][ssh] host: 127.0.0.1   login: root   password: penguin
1 of 1 target successfully completed, 1 valid password found
...

  4. Now that we have the root user's password, we can switch to the root user by running the following command:

    su - root

    Enter the password penguin to switch to the root user.

    penguin

    You should now be the root user. You can confirm this by running the following command:

    whoami

    The output should be root.

  5. Create a file named success_2.txt in the /root directory to confirm that you have successfully switched to the root user:

    echo "Success_2" > /root/success_2.txt

    You can check the /root/success_2.txt file to confirm that you have successfully switched to the root user.

Note: If you are using a version of hydra older than v9.0, it may report false positives when brute forcing the SSH protocol. You can check the hydra version by running hydra -v.

Summary

In this lab, we learned two methods for brute forcing the root user's password on Linux systems: via the su command using the sucrack tool, and via the SSH protocol using the hydra tool. We covered the installation, usage, and step-by-step procedures for each method, helping you understand the underlying principles and avoid common pitfalls. This lab provides valuable hands-on experience in privilege escalation techniques, which can be applied in various scenarios.

Other Tutorials you may like

We use cookies for a number of reasons, such as keeping the website reliable and secure, to improve your experience on our website and to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy