
Without further ado, I'll hand it over to our speaker.
will Don't Clap yet you guys have no idea what you're in for so it could be horrible see so uh oh that was actually the wrong start slideshop this is not off to an awesome start hold on a second we'll start from the beginning where we should have started originally hey what's that where's your Schoo ball yeah that that's hey they stopped that because people were getting injured right the Schoo balls were a were a horrible actually they were awesome but but then people started getting injured so what's that uh no they stopped them because people were getting injured is is the reason they stopped them because people got progressively worse and worse schmoo ball or better and better depending on
which end of it you were on uh schmoo ball launchers uh some of them were gas assisted uh which technically uh the DC police weren't a fan of either uh and so uh the year that it would ran at uh I was over at the Hyatt and they had shukan plus the National Catholic girls high school basketball championship was at our hotel uh the Overflow hotel across the street they run a BDSM conference at so it was awesome I mean it was it was probably the best schoon ever but it was also the last year for Schoo balls uh so yeah no Schoo balls uh this this year I'll be doing a Linux privilege escalation uh somebody said
wow this is out of your depth uh out of your depth out of your out of your normal uh normal things you do don't you normally just do malware and uh I said wow okay I guess clearly I need to Branch out more right malware and forensics is what I was told that I that I did primarily but uh want to do a little bit about Linux pil escalation uh my company rendition infosec uh does a lot of work in the penetration testing and instant response sphere you guys can come up here and happily set up front here I do not need these monitors please don't block the uh thing come on down further because there's people trying to fill in
behind you happily just sit down here you can even turn around and watch those monitors right there's monitors right there it's awesome just fill in right uh so uh in addition I said we do a lot of that inster response and penetration testing and from a pen testing standpoint oh my goodness we see all kinds of problems on Linux servers all day long and as I started putting this together I was working with Brandon McCrillis uh he's back there somewhere W your hand around yeah Brandon and uh we were kind of gaming this out we just flew back in after midnight last night for uh from another conference that we were doing uh some uh Network forensic stuff
at we were kind of gamifying out like hey how what do we need to take out of this talk right it wasn't a question of what do we put into a talk like this it was like there's no way this is going to fit an hour particularly demos and so uh we think we've got this nailed down here pretty well also we've got some iTunes gift cards as well as the from rendition as well as some other uh other giveaways so if you tweet tweet at rendition SEC or at malor Jake uh well I guess rendition SEC is what Brandon's going to be looking for he'll grab the the best three tweets from the talk and uh iTunes
gift cards right plus we have other stuff from is it Clubhouse Clubhouse and a land turtle I don't know if you guys know about the land turtle but this is the best thing going because one they're freaking awesome and two they're sold out uh because muik has been doing some really interesting work with them and they've sold out at hack five I have no idea when they're going to be uh back from back order uh but this is like your one and only chance to get one of these so I don't know what we're going to do to to test for this one but we'll see uh so you don't care who I am uh let's see
the agenda let's talk I mean you don't or you wouldn't be here right so uh or you just care about the talk anyway prle escalation motivations right what are we doing here uh look I want to get through uh obviously tearing apart some Linux machines Unix machines you name it we're going to work on Linux today because that's what runs best in my VM but know that most of these techniques just work right and they're going to work regardless whether it's Linux or Unix or HP or or IR or whatever weird sko if you haven't have sko in your environment actually if you have sko in your environment just set a fire in the server room uh that's probably about the
best way to get rid of it but but short of that uh realistically this stuff's still going to work uh we're going to talk about uh colonal issues uh root program issues stuff that shouldn't be set uid and set GID and I actually move this to the end of the presentation we'll do some more work there talk about trivially vulnerable setu ID programs look at some cron jobs talk about scripts with weak permissions uh it's kind of our overview of where we're going by the way uh yesterday uh this is another one of my wonderful employees brainchild uh some of somebody tweeted out that this was I think it was bsides Augusta tweeted out that this was a
James Brown themed event and I said what the heck if this gets 100 retweets I'll happily do a James Brown impression a bad James Brown impression every time we pop a root shell now most of the demos are towards the end so stand tight I'm not going to rig on the promise here uh we'll still be uh still be doing some bad James Brown Impressions unfortunately most of the James Brown stuff that I found besides singing which I am not going to do was James Brown drunk on CNN talking about beating his wife uh or getting a horse or something along those lines so I thought about bringing some props like a lead pipe and
a fake gun and then I thought no that's probably not going to work well uh definitely not with ASU and not with bsides Augusta uh so let's talk about FR escalation motivations you don't have root on the box but you want it uh did some work with HB Gary back in the day how many folks knew about HB Gary how many folks knew about HB Gary before they got hacked right exactly right they lots of hands go down there and so hbgary you probably know is running a a Linux server they called it a support server folks that upload files here and do all kinds of wonderful stuff and and uh turns out lots of people would shell
on the box and some people I guess we'll call them Anonymous I don't know that we ever knew who exactly they were it's kind of the name there uh they decided they want a root on the box and they took it all right of course that's an obvious motivation you don't have root but you want it uh only root users can really effectively hide nobody else can really drop a root K can hide in plain sight sure read write any file persist between reboots you want to bind a low-numbered port right so like a TCB Port 80 for instance has a low number below 1024 Port you got to have root CES to do it some privilege escalation notes uh I
don't use binary exploits uh we do a lot of pen testing I don't want to say I don't use binary exploits but man do we ever work to not do that uh it's uh Ed scotus has a great pentesters pledge effectively goes something like never use an exploit when you can use PS exact right and I'm kind of in the same mode here with uh with Linux I I'm not going to use an exploit if something way more graceful works and the reality is In N Out of 10 of our last pen tests at rendition something else has worked really really well uh we've only had to resort to Binary exploits in in one or
two cases over the last couple of years because the reality here is every time you run a binary exploit you are risking a crash there there's no two ways about it and as a consultant I really try not to crash my clients's machines right even processes on their machines nobody likes that uh it turns out even when you say but you signed off on the scope of work nobody's cool with it still I've tried it it doesn't work don't do it right uh so we want to do that as a very very last resort uh some purple desolations a waiting me this is another good note because sometimes maybe I get to write a file to the KRON D directory
uh that's unfortunate well it's unfortunate that you let me write something to the KRON D directory uh when is that going to run well next time KRON runs right or in some cases when KRON D restarts uh to reread that directory depending on your system configuration uh as you know Linux systems and Unix systems sometimes stay up for a long long time so this may be a a long waiting game but if you're a if you're a nation state uh you know for instance I don't know China uh or I don't know maybe there's some other nation state we could think about that might be in the room here uh but if you're a nation state and you're willing
to wait that kind of time then uh and you got the long game uh hey you know we'll take advantage of this now again if there's a binary exploit to come back behind us I'm not going to wait a year uh to gain roote on a box but if that's all I can do then then okay we'll work with that right uh we have to wait for KI to restart maybe I overwrite a restart same thing going on there so what about kernel issues this is a Captain Obvious kind of moment here uh I love kernel issues as much as the next guy VM splice uh certainly VM splice exploits are cool P Trace exploits are
really cool uh we see a lot of P Trace floating around over different Linux versions I don't understand what it is about P Trace but apparently it is way hard to get right uh P Trace if you're not familiar you should definitely take this home and go look at P Trace uh P Trace is a Linux debugger and effectively P trce allows you to debug programs now we're going to talk about in a minute set u ID programs run as the user that owns the file now if you're running a debugger which means you're in god mode allowing you to run a set uid binary in the debugger where you're in god mode where the binary runs this rout
would be a tremendously stupid idea and the Linux developers despite uh having a huge affinity for penguins are not idiots right and despite having their own servers hacked still not idiots right and so they've actually looked at this and they've said okay cool anytime we run a set uid binary in Trace we're not actually going to run it as root well it turns out that the way that they end up having to do that is it runs this route for just a split second before it drops permissions I say Split Second like a split nanc and if you're a computer science student or a student of the game here uh you well know then that
that's a race condition right and there have been a lot of times where Linux has screwed that up and there are lots of peach race vulnerabilities that involve that involve different race conditions in different scenarios uh where and and turns out a lot of our Linux kernel exploits actually do rely on those race conditions as well so one of the first things I'm going to do when I'm looking at a Linux system uh Brandon's talking later today about some of the Voiceover IP systems uh that we run into lots of Internet of Things I think his talk is named the internet of terrible uh basically redefining iot I absolutely love that uh but the uh a lot of the iot
devices run Linux under the hood uh we keep seeing the uh I was at Lowe's a couple of days ago and saw a fridge a fridge running Linux tell me why your fridge needs to run Linux I have no idea as it turns out though I kid you not in my fridge at home I have something called egg minder if you haven't seen an egg minder Amazon that thing because it's freaking awesome uh it actually is a an iot device uh that holds eggs and tells you over a smartphone app by the way again running Linux uh over smartphone app over your Wi-Fi how low you are on eggs so while you're at the store you can go look and see how many
eggs you but it even tells you which egg you need to use next and when your eggs are going bad because nothing sucks like making a four egg omelette breaking the first three into the pan and then find out that fourth one is not okay right you've just wasted the other three eggs I had to Rite out a three egg omelette then a no egg omelet which is actually pretty nasty anyway so uh again looking at all the stuff running Linux we want to know what version is it running if it's an iot device odds are good God help us odds are good it's probably Linux 2.6 maybe uh yeah usually two six uh for
whatever reason I guess it's a long development times most the exploit mitigations aren't in place but we're going to look for the full Coral version with uname minus a we're also going to look at Etsy release and Etsy issue now there's an Etsy issue and Etsy is.net it depends on your actual dist of Linux which one you're going to have but this is going to tell you is it you buntu is it red hat sometimes these particular distributions make some configuration error that we can capitalize on again I don't like to work harder than I have to uh if there's a everybody that's will ever work with me knows I am extremely lazy and I am not going to work any
harder than I have to to get the job done uh if there's some misconfiguration here that we can take advantage of that's where we're going first right uh so let me Google that for you and we'll go look for known issues those kernels as well as the releases now if I find a binary exploit in the kernel are we going to go hit that no we're going to catalog that away as a last resort now so let's not do that uh so again just cuz you find a colel export doesn't mean you should use it I talked about that it might not be stable uh may may cause an actual immediate crash uh I've teach the 504 course for
Sans there's some privilege escalation stuff in there we'll say hey if you're in the back trying to find a seat you can scootle down to the front and make your way around the the other stairs there and sit on stairs everybody's happy there all tight and and awesome together anyway so might not be stable you might get an immediate crash you might get Ro CR the box and we run the 504 course that's what that's what happens all the time folks find a criple justication and they're like bam right and and they exploit the machine and Bam it falls over and and they're like but I got root we're like cool but did you do
anything they like no like did you alert the uh did you alert the instant responders they're like no and I'm like yes think again right we totally alert the instant responders because you crash the box and nothing says nothing says hey calling instant responders like not having the machine available Okay so the explo might have undesirable artifacts that get you caught VM splice is a great example of this this was an awesome viral memory splice this actually has to do with being able to overwrite Kernel memory from user space which as you might imagine is a really really bad feature as it work for for the Linux operating system to have uh you can then take uid zero privileges
which is which is rude uh now this one works pretty reliably but it also generates a bunch of garbage in syis log and it is really OB obious garbage in CIS log and it's it's one of those that after you've seen it once or twice you're like hey Ray Charles can see what's going on here some attack bounc box of VM spce right uh so look the privilege of uh privilege escalation it's it's really following modified versions of aam's Razor right we all know A's Ray where this is basically the simplest explanation is usually true we kind of roll back and say hey let's go with the simplest exploit first because or simple technique vers as it turns out because
simpler is always better uh root program issues uh so if you're running Services as root stop right uh you would think I checked my watch this morning it turns out it's 2016 I haven't fallen into worm bow or something it is it's 2016 and yet we continue to see Services running this route uh last year rendition was doing some work with a large medical company and large medical organization and found out their IV pumps were running a web server as root you shouldn't run a web server forever matter of fact I run any Services as root generally network available servers but running a web server is Ruth particularly when you have unauthenticated CGI is really
phenomenally bad idea right uh and then I thought it can't get any worse than this until wait for it we found the defibrillator with the web server running as root and riddle me this Batman why does defibrillator need a web interface and if you run over to a hospital hit over here they can actually explain it to you because somebody in in medicine explained it to me very quickly like duh it's obvious that we need remote monitoring capabilities to alleviate the number of ACLS certified nurses and I'm like I don't understand thing you said just like you don't understand what I meant when I said this thing shouldn't have a weapon or Bas comes down saving you money which is
what we're all about with Obamacare and stuff hey look bottom line they're trying to get back uh ultimately kind of scale back the number of nurses that they need available on the floor uh they've got some crazy stuff and this isn't just I mean it's your fridge it's your uh it's my egg minder right it's it's you name it it's everything out there we've got way too many services still running this route now I'm not talking about your okay wait I hope I'm not talking about your production Linux and un servers if you've got something that was built in the last decade hopefully uh you're not so running stuff as Ro and yet you still see it
particularly iot devices these other Linux colel devices that you put on your network and run I'm going to leave a couple of vendors out of this but we're working an instant response right now that involves a backup vendor and this one this one's freaking scary all of your backups uh are going on to a device that has a VNC server running this route that you the user cannot disable and it's VNC and that's my first problem because it's BNC and it's BNC right but it's running as root and so now I'm super annoyed anyway and so this is something that people are paying a lot of money like six figure backup solution uh for your
and it's supposed to be point and awesome and and all kinds of awesome stuff but again you can't as a user turn that off and again the Dam's running as word horrible horrible idea look we can do a binary exploit of a root root own program this is way better than a kernel exploit if I fail I'm not going to crash the machine in most cases the service Falls over and it restarts this is an ideal place for me to be because hopefully nobody notices that that service just fell over and if I get on the box eventually all right then uh if I get on the box eventually I can go ahead then hopefully clean up my logs
this is a great time to tell you that you should absolutely configure external logging we recommend that you have a sem in place uh all the time put a security event information management system in place if you really want to make an attacker poop his pants right make sure that you do external logging because that makes the attacker think very very very very hard about what they're going to do next right so buyer exploits again much much better here for roton program than going after the Cent what about bad path configuration don't put dot in your path that's your current working Uh current working directory we see this all the time it's it's mindblowing uh
it's like shooting yourself in the foot repeatedly there's a crazy number of ways that this can go wrong uh sometimes your system is looking for a command that may not be somewhere in path if you have to do this uh one don't do it for root right that that's that's number one and two put dot at the end of the path so that it only is access if the command isn't found anywhere else in general just don't do it and when you find it beat somebody about the head with some large blunt object right whoever set that stuff in place because 10 times out of 10 we're going to exploit that what are truly vulnerable set ID Programs El
trce is the cats meow for finding problems here right so we love El trce uh we're going to run El Trace set uid and setgid programs that we find there are a ridiculous number of these that are homegrown and use the systems this call a lot of our systems administrators have figured out that they cannot set scripts to be set u ID and they have a help desk function I actually used to be help desk health desk a little bit health desk and then shortly afterwards I was a systems administrator and I did not because I knew some of the people on the heal desk want to give them Rude access to my systems and very quickly though I
figured out that they needed some access to files that only root have and I figured pseudo would be the way to do this right so I'm like cool I'll give them pseudo access but not overall pseudo access and I found out man there's a crazy number of problems with that that we're going to cover on the back end here and so I'm like cool I'll just write a script and I'll set it to be set you ID and it turns out that Linux smartly does not allow scripts to be set you ID they kind of set back and they're like whoa that's a bad idea let's not do that and go ahead and Google that problem and the first eight
results that come up somewhere down at the bottom of the page there's one on stack Overflow and I checked this morning it's like don't eing do that right but but the top eight results are hey here's how to write a trivial C program which can be set you ID that calls your script right and so the idea here is rather than your script being set you ID the C program that set you ID and runs this grp calls your script as root right and this completely bypasses the Linux protection model and look out of way the Linux unit developers here there's no way to fix this right I mean they put enough safeguards in place this
is like you driving that rental car you take that Bowie knife out and you just punch it into the airbag before you start going take the seat Bel off and drive into a telephone po right all the protections were there to save you right so hey awesomeness right uh what about cron oh by the way here great uh great screenshot if you're looking for one here uh go find uh notice the output file Here Right Temp ging security hole right we're looking for our set u ID program so there are legitimate setu ID programs ping for instance is a set u ID program he raw sockets uh he was a regular user can fre across so that's a
good thing but ping has to be able to right uh what about password we have to be able update Etsy Shadow we don't want regular users doing that but but in general the problems that we running with a set u ID or all the other crap systems administrators put on the system some of these third party installations I'm not going to get sued so I'm not going to mention any names like orle or sbas or any of the other third party software that may or may not install vulnerable set ID configurations none of them do my lawyer told me not to say any of those okay so anyway cron jobs right so you can pron files or can you read
pron files owned by other users in some distributions the answer is yes right out of the box you can read all the pron files uh this doesn't mean that I can do anything immediately but it does mean that I can read all the problems this gives me a hint for where to go next right can I can I then go and look at any of the directories there to see can I write to any of those directories can I overwrite if for instance a chrom Job Calls a script is that user writable may not be World writable but is it group writable for a group that I am in and if the answer is yes we win right because
the next time that Cron job fires it's going to run commands of my Sho right so can I write to the cron D directory in that case I have to wait for cron to restart possibly reboot or the next time one of the system admins changes the cron jobs there's a lot of opportunities here that we have uh that we have available what about weak permissions on scripts in general I'm looking around for scripts that I think are going to be called by R one of the first places that I go here in later versions of the later versions of Linux I start dumping the system D configuration now we all know system D was created by the devil uh so
for older versions of Linux we go and look at the SC andd uh directory start looking at the scripts that are available there when we find the scripts there we start looking through and see where do the where do the folks that wrote These scripts not specify the full path for the executables that they're calling for instance as opposed to let's say for instance the command you want to run is C do they call C or do they call SLB slash a hat are we full fully qualifying the path or we just guessing here right if we're guessing that's a potential place where we can gain some uh we'll just say manipulate the environment right we can't always do
this but sometimes we can and so then in that case possibly a different C than the one that the script author intended could potentially be called we don't want to just check the scripts call by F users many of these call other scripts uh now one thing that you got to know on Linux is that in many cases in units in many cases are Sur don't end with a sh so by convention we would expect them to end with a sh there's no requirement that they do and so a lot of times we'll find an ex computable you'll see it being called from some uh from some configuration script you go take a look in there and you realize this thing is
itself actually a script right either C out more less we'll talk about those in a little bit uh or maybe just run the file commanding in it see is it actually an elf binary or binary uh depending on your platform or is it actually a script in which case see there's script in which case are there possibilities that we can write to that or what other dependencies does it have we to recursively walk through these dependencies we're looking for something that we can impact change on from our current position weak permissions on biners and this this one almost goes without saying well in most Linux environments you're not going to be able to write uh
directly write binaries uh too bad so sad again these third party installs and stuff that system admins put together oh my goodness uh it's it's like uh it's awesome uh we recently found one where found a system where user local bin had been reset to where world rable and we like that now not all the files inside user local bin were World writable but the actual directory itself was World writable this on bun systems so we know for a fact that didn't come from the factory like that this is a place where a system admin had screwed up not realized what they had done and uh failed to unscrew the permissions we capitalize on that of course because why
would you right uh so it turns out that local bin was in the path ahead of some other stuff that shouldn't have been uh I know darn right and so by just adding some files there again the next time Root ran a number of commands uh they ran our commands instead of the commands they intended to run giving us shell on the box right so we're happy about that if you a run life to find World writable binaries that we can just over right it's much more common to find directories with bad permissions than the actual the actual files and Stu we'll quickly talk about weak permissions on LD Lo if you're not familiar with LD preload this is another
Google it I don't have time to walk through all the interfaces of LD preload it's like looking at a VCR manual to figure out when you can use this and when you can't uh but it is something worth putting into your bag of trips effectively the idea with LD preload if you were here for last year's bid AUST I gave a talk on exploiting Windows systems uh using D side loing so effectively dll path hijacking is what we covered the most of uh but with this effectively what you're doing is you're trying to load a regular program loads but it loads malicious libraries instead of the ones the system intends very very common on Windows is it turns out
reasonably common on Linux as well uh with LD preload what we're looking to do here we set this environment variable and we say here where to fine copies of libraries we would like you to preload into memory in case you need a special version of a library different from the ones that are normally on the system and this can give us tremendous uh give us tremendous access here because as this as binary that's possibly running with elevated privileges runs it's actually loading our version of our library which of course is been executing code uh this means we win and we gain root permissions the bad news here well I'll take it back let's talk from the
defender standpoint most of us are Defenders not pentesters actually what's what's the let's the split here how many folks are pentest SL attack folks how many folks are Defenders how many people won't raise your hand for anything okay here we go okay so so I'm go for the defense standpoint right cuz I think that's the majority of the room here minus all the B and dager folks would raise their hand for anything but uh the LD preload look from a defense standpoint this is awesome uh Linux developers looked and they said hey it's a set uid program it's going to run with room permissions and we probably shouldn't let that happen right because as you can imagine
That would be really, really bad. So they said: hey, if it's going to run as root, run with root permissions because it's setuid, don't honor the LD_PRELOAD variable at all. And a lot of folks sit back and they say, cool, you can't gain root permissions with LD_PRELOAD. That's not what I said at all. What I said was you can't use this with setuid programs, but oftentimes you can manipulate the environment that some of these startup scripts are called in, and that's because they're poorly written. You can manipulate the environment, in which case you can preload into commands that are running as root, just not necessarily setuid binaries. And doing this sometimes is a little like a Rube Goldberg machine, right? So I don't have time to run through all the intricacies out here; we are going to go pop some shells in a minute, because that's more fun than me talking, plus I'm starting to lose my voice here, and that's no fun for anybody. But again, keep this in your bag of tricks, go research this. This is a great last resort when all those others fail. Sometimes, I've got to be honest, I've had some spots where I'm kind of like, we could probably keep chasing this down, but I am going to go run a binary exploit, right? So just to know how difficult this is, sometimes this may be a case where we pop a binary exploit before I spend too much more time.

What about setuid and setgid? An amazing number of system admins do not understand what should be setuid and setgid.

Any command in sudo: this is really cool too. A lot of folks don't have sudo permissions to go su, but they have sudo permissions to go do other things. This is where we get the majority; I might say about 80% of our privilege escalation comes from here, because we find that system admins, particularly when we're able to compromise a help desk account or an administrative account, you name it, whether it's the accounting department or whatever, there's that one guy that knows Linux, right? He's going to help out. So what ends up happening is the system admins will come in and they'll set up some limited sudo permissions for this person so they can tail a file or just do some general awesomeness, and it turns out that this can have horrible, horrible impacts. We're going to talk about a couple of these here.

Obviously any command in sudo that can edit or overwrite files is an obvious risk. If I can overwrite files as root, I can overwrite /etc/shadow, which means I can overwrite root's password, or I can be really crafty and I can just overwrite my UID and make it zero, and that means that Linux will check my password and say yep, you're good to go, and it'll assign my account UID zero, which means I'm root. So I don't have to sudo again; I've basically just rooted that. So we don't want to allow our attackers to overwrite files at any point. If we allow our attackers to overwrite files, or if we allow our users to overwrite files at any point, in that case our users effectively can gain root permissions at will. Users with restricted sudo access, of course, again with these file-writing options, can use those to gain unrestricted root permissions.

We see tons of obscure editors with the setuid bit set. I have seen nano done with setuid, which is mind-blowing, Pico... this is really, really stupid, don't do this, right? If you have an editor with the setuid permission set, that means that attackers slash users can just go run the editor and they automatically gain root. We've also seen attackers leave this as a backdoor. So we've seen attackers that have changed the permissions on Pico or some other editor that's not used very often by anybody, and basically what they'll do then is set that setuid, and then if
you boot them off the box at some point and they're back on with limited permissions, they just nano or Pico /etc/shadow and they're back to root, or any other file that they want for that matter. They're in god mode. So this is something to look for from an incident response standpoint; it's also something to look for from a general security standpoint. We want to make sure this didn't happen. In one security assessment that we did we said, hey, wow, this is really dumb, you shouldn't do this, and the admin's like, we didn't. We're like, danger, Will Robinson! So one of those... you guys remember Lost in Space, where that guy walks around, danger, danger, Will Robinson, he's got the dryer vents for arms, and what a horrible robot. Anyway, look, we sincerely hope no admins are stupid enough to have setuid permissions on editors, but we know better; we've seen it a couple of times, folks, that really works.

And traditionally what happens here is these are Windows admins who have inherited a couple of Linux machines. Normally they start out as appliances; they lose support for the appliances because whoever produced them originally got bought out by Google or some other company, like, you guys are on your own, right? And so one of the last patches that manufacturer puts out is: you now have unrestricted shell access, go for it, because you are truly on your own. So my Windows admins pick these up and they're like, hey, I've got to figure it out, here's how to get around this problem I was having. And unfortunately you can Google just about anything, and we've tried this before. We're like, where did you come up with this? They're like, we Googled it and this was the suggestion. We're like, there is no way that's the top... oh, that is a top suggestion, that's a top first-page suggestion, and it's really bad. Don't trust what you read on Google, right? I mean, in fact, I'm almost thinking about writing a bad system admin advice site and, like, DNS cache poisoning some of my targets, and so basically they go, how do I secure my Cisco router? and I'm like, winner, and provide them with really bad... I don't know. See, that would be a longer game to play, but hey, maybe one day.

So don't sudo vi, or any other editor. Look, this is so dumb it's "upid". You know what "upid" means? "Upid" is so stupid we had to drop the "st"; can't even charge the full number of letters for this. Just don't do it. Any editor for that matter, but vi in particular, and let me show you why this is really, really a bad idea.

So I've got a terminal up here, this is my user Jake. We're going to go ahead and make it bigger first; that seems like a good plan to go with. Yeah, that'll work. Okay, can everyone read that in the back? Good to go? Yeah, okay. So I've got my Jake account here; I'm going to go to sudo -l because I want to see what Jake can actually do. Let's assume for a minute that Jake had a horrible password like "password". By the way, if you were following me on Twitter earlier this week, you probably saw that we actually did set up a server with admin and password as the username and password and let people deface it. We were going for some... actually got some really interesting stuff there. Anything out on the internet... the cool part was some of the most interesting hits that we got didn't have a referer from Twitter, which seems to indicate that they were found on, you know, just a scanning-the-internet type thing. Rather than... we went to Mike Banks' talk earlier today, you know, lots of people do lots of crazy stuff in honeypot-type scenarios. We got a lot of interesting data there.

So let's assume this guy has a really bad password; fire that guy anyway. We've got /bin/cat and /bin/echo and /bin/ls. /bin/cat feels like you should be able to cat a file out as root and redirect the output of that, and it turns out Linux isn't that stupid, right? There are a couple of older legacy Unix systems that are that stupid; Linux is not. So when you do that greater-than sign to overwrite an output file, Linux, every recent version of Linux anyway, even the 2.6 variants of Linux, they will end up doing a subshell for that and that subshell was not run
with setuid permissions, or the sudo permission. So good news there: we can't use cat to effectively just destroy the box. Same thing for echo. ls, we've seen this one, there's not a whole lot to be figured out to do with ls.

We talked about vi, though, a minute ago. Now look, I know that I could just vi any file that I want. As a matter of fact, let's try this: I'll try to do a vi /etc/shadow; it says permission denied. But if I sudo vi /etc/shadow... what, take a picture? Oh, you want my hashes? That's trivial, it is "password". So go crack "password" on my local VM here; it's not going to happen, right? You're not going to. So anyway, I can pull it up in here, in this case. So you're probably familiar with vi, or you may not be familiar with vi, whatever. Look, I could change the password hash to a known password and do something awesome here. This is already known, it's "password", that's not the cool part. What's cool is when you type :shell, because you can run shell commands from vi. Don't ask me why, but somebody thought that was a great idea, and you can. And the problem here is that that's a privilege escalation: the point that we type :shell, now we're root. If you're familiar with the little symbols here: not root, and pound sign means you are root, right? And that's a bad day if you're the incident responder; we'll just call this a resume-updating event. So okay, don't do vi, right? Don't do vi. At that point we've got a full root shell. We want to go ahead and not fail miserably; that's kind of one of my goals in life. I don't always win, but most of the time we try not to fail miserably. So don't do vi. Oh, I said I was going to do James Brown: I feel good! I can't do many of those. Anyway, so...

less, right? less certainly is safe then; vi is dumb, but less is probably okay. Not so much. As it turns out, less is actually an editor. Most people don't think of less as an editor; less is actually an editor. This is something that a lot of system admins do not know. We're like, hey, why did you sudo to an editor? They're like, less is an editor? Like, whoa. less is definitely an editor. Now if you're on an Ubuntu system you're probably safe just by the fact you're on an Ubuntu system: Ubuntu uses nano as the default editor, and so if you haven't changed the default editor to vi, you're probably safe here because nano doesn't allow you to run subshell commands. But if it happens to be that your default editor is vi, or you're on pretty much any other Linux distribution where the default editor is vim, less, it turns out, is also a huge, huge vulnerability. So we'll go and sudo less; let's do a sudo less /etc/shadow. No James Brown impression this time because I'm going to burn on time here. So what are we going to do here? Well, it turns out when I press the v key it drops into an editor, which happens to be vi in this case, and then we :shell and again we're back to root, right? Okay, so this is bad; don't do this either. Another great way to pop a root shell: you allow somebody to less a file. And the reason you do this, as it turns out, in most cases is because you've got some file that's owned by root but the help desk or some other user needs to be able to see this. We see this like in the accounting department where they have to be able to run back through the logs or something. Again, this is all kinds of bad for you; let's try to avoid this. And again, the reason I'm doing this here is that most people don't really understand the trade space and the threat space here, the landscape for the vulnerabilities.

Okay, so lastly... I'm not going to jump back into the slides here too much. Make it bigger, not that big; I was trying to avoid the jumping in and out of there. Okay, so we don't do more. more is just as dumb. So I've had folks like, well, less is an editor, but more doesn't contain an editor. It's like, you're right about that; more does something even stupider. So sudo more /etc/shadow, and the fact that I'm doing /etc/shadow doesn't matter; if we're sudo we can do whatever we want
and we're still going to gain root permissions. It can be a file you create, it can be any file, it can be a binary file for all I care; it ultimately doesn't matter what the name of the file is. Okay, it has to be long enough to page. Let's do this, let's do something in /var/log. Okay, that's long enough, if you actually get a page. I said any file; that was a lie, obviously, but something that at least creates a full page of output. Or I could just scroll my screen down to where it was only four or five lines big and that will cause it to page as well. So anyway, here I'm going to go ahead and type the exclamation mark, the bang... excuse me, the question mark. When I do a question mark, if you look up there, notice the bang command, right? And so more, while not being an editor, will allow you to run an editor if you choose to. So we'll go ahead and just run !bash, and so now we're back to root. And so this again is also a bad idea, and we see this all the time.

Look, if you take nothing else away from this talk, you should go take a look at your sudoers file, because you're going to find some stuff. I'll bet somebody in this room who's doing some stuff on Linux, and probably built into some of the appliances that you paid great money for, has some of these things built into sudo commands. You don't want this. Well, I want this; you don't want this, because my kid, she walked out here, my kid needs to go to college, and ultimately in order for her to do that I have to do lots of incident response, and in order for you to do that you have to get hacked. And so I strongly encourage you to take nothing away from this talk and not go check, because again my kid needs to go to college.

Okay, so what else can we do? It's horrible. Well, Living in America, right? Another James Brown reference... no, no, okay, well, anyway, I can't beat that. Anyway, so okay. We can't think of a good reason for cp or mv to be in sudo anywhere at all here, period. There's no reason for this, but it turns out that it is, all the time. If you find this in your sudoers file, get rid of it, burn it with fire, something, because if you can cp or mv a file you can overwrite any file on the system. First off, your attackers can copy over /etc/shadow with something else that they can then read. That's obviously not an awesome move there. Also, your attackers slash admins, by the way, if they can cp or mv, there are some really interesting ways that they can destroy the disk and actually do some destructive impact as well, so that's a really interesting one there. You know, again, my kid's college fund needs a boost, but in general I don't want it to be at your expense.

find: we see this one regularly, and the stated purpose that we hear is that our system admins want our help desk to be able to go purge files. So we have a web server, and web servers are vulnerable, web servers. It turned out somebody came in and created some really large files, used up all the disk space, and so one of the things that my help desk might do is they might run find with sudo permissions to go find files larger than 1 gigabyte in the /var/www folder, or /var/tmp or /tmp, whatever, and then -exec a remove command against those. Turns out that once you give the user "slacker" sudo permissions to find, they can do whatever they want. And let's do a sudo... the way find is supposed to work, right, I could say find / ... let's do /etc, and we would find all the files there. I can even do an -exec ls -l, and this little brace here with the trailing semicolon says go ls -l... we'll just do an -ld here, just in case, and so we can go through and get long directory listings and all that. So we can -exec commands against those files, or we just get a root prompt; so either way, it's up to you, you can do whichever you prefer. Just remember find is running as root; find can exec other commands on behalf of find, and it turns out here that find is executing bash. It turns out it's actually doing it for every file that it finds, but that's not important, because bash does some special system call that ultimately means you only get one copy of bash, so we only have to exit once. That's nice. Okay, I said that we only have to exit once... okay, so I fail on this one. Oh, I remember, we did it differently last time. Okay, look, we're going to have to get
improvised. Well, the demo gods are not with me today. And that was "password" in case you cared.

Okay, so don't sudo your script interpreters. This is also stupid, and this is another mind-blowing piece; we see it all the time. I die a little bit inside every time I see a script interpreter set up with sudo permissions. Regularly, again, system admins: we have this awesome Python script that goes and cleans up files and does all this awesome stuff, and it has to be sudo so that we can still run and clean up root-owned files, or you name it. The problem is, when you sudo python, I can do whatever I want with Python as root. Same thing for Perl and Ruby and Lua and pretty much anything else we want to do. How do you exploit Perl? Two words: exec bash. Let's take a look at this. So we sudo -l, and our system administrator here unfortunately was eating lead paint chips for breakfast and he has put Perl into the sudo list. We'll go ahead and sudo perl, and ultimately it looks like nothing's happening here. What's really happening is Perl is basically waiting for some input, and so we'll say exec "/bin/bash";, and when we hit that it still looks like nothing's happening, but the reality here is now Perl is waiting for an end of file, waiting for some number of commands plus an EOF. In order to send an EOF, press Control-D, and I have root. So if you have Perl in sudo so that you're able to go run some scripts as root even though you're not root, understand you're giving away root.

And the problem here is a lot of folks, when they see this sudo stuff, again the limited sudo permissions, what they're thinking from a system admin perspective is, I'm not giving away... and when they put their threat model together they say, I'm not giving away superuser access, it's limited superuser access, limited to only these few commands. And as we're seeing here, that's not the reality. There are a tremendous number of commands that are like giant landmines on Linux, meaning the command is there, but when you step on it you lose your foot, and if you're lucky that's all you lose.

Okay, so let's take a look at Python... ah, Ruby, let's do Ruby. Ruby is almost as easy. With Ruby we're going to exec "/bin/bash"; don't put a semicolon here, Ruby doesn't like semicolons. And again we're root. So don't do that either. Gotcha? So don't do that either. Python, as it turns out, is only moderately more difficult. All right, so you're going to have to know more than that to do Python. We'll try Python here, see if I can remember this. Let's see, I think it was import os, and os.system("/bin/bash"). Yep, that was it. And so if you can't remember this, get out of infosec, right? The cognitive bar is much higher than this.

And so look, the reality here is we walked through, what now, a dozen different, ten different ways, some number of different ways... because we're living in America and I feel great... no, I feel good, I can't remember. Anyway, James Brown is clearly not going to happen here; I tried, just know that. Anyway, so through a dozen different ways here, or several different ways at least, to get root. There are a number of others; the bottom line here is these are the most common ones that we see on systems today where people have screwed up limited sudo permissions. Sometimes we'll get on and we'll see that... we've had cases where we get on and a particular user doesn't have something awesome in sudo, and you may be one social engineering phone call away from getting that. So don't take that out of your back pocket either. Just explain that you need to be able to less this particular file; it's possible that somebody's dumb enough to let you do that. I'm not saying that that's actually happened anywhere; anyway, we definitely are not going to name any names there. So here, again, you're going to have to Control-D twice to get out of there, but you should be able to handle that as well. Let's see what else I have here. I think this is going to bring me close to the end. Yeah, I think Perl and Python and
Ruby, yeah, did that. That's it. All right, that's all I've got. I've got 10 minutes for questions. Brandon, do you have winners of gift cards? I do. You do? Who are the winners? Wade Adams. Wade Adams, where's Wade? Wade, awesome, man, come up, grab a gift card. What was the tweet? What was the tweet? Who knows; I'm sure it was something. There we go, it could be a random pick, right? Do we have any questions, by the way, too, while he goes through and picks out the gift card winners? Fire away. Who's next? Winner number two is Mela Squires. Where's Mela? There we are. I would know you if I saw... could see who else... obscure Twitter. Oh, you're obscure? He was trying to... well, you were until now, right? So thanks.

Okay, so any questions before we break? Okay, well then there's no questions, no joke. Oh, sorry, sit down; if you'd been a rattlesnake I'd be dead. So go. Oh yeah, that one is totally exploitable; sorry, I had it in there and we just walked past it. It can be used to create child processes, it doesn't drop the sudo permission, it's totally exploitable. Yeah, almost every... yep.

Yes, that was a great question in the back: if this is the first thing you try on a pentest, how many levels... like, what percentage of the time do you have to elevate your TTPs, like, find something a little more... So if this is the first... the sudo is the first... so I walked you through everything that we do. Let me step back there. For the TTPs I've walked you through on the slides here, everything that we do, sudo is the first thing we go to, right? But the other stuff we do as well: we look for scripts with bad permissions, we look for cron. Unfortunately, those aren't instant gratification things; they're not cool to watch me pop a shell, because oftentimes I'll do the exploit and then I'll kind of twiddle my thumbs for a little bit, and a few hours later I get a callback. And so that's... I mean that would be cool, but you guys would be long gone by the time we got the shell, nobody would clap and I would feel bad. So we're going to go to the sudo -l, and that's going to get us, I think, Brandon, about 60 to 70% of the time? I think I agree. Okay, here we go; Brandon, my right-hand man, comes to knocking stuff over in weird ways. So look, when that doesn't work we're going to go to trivially exploitable setuid programs, and that's about another 15-some-odd percent. I think we're pushing up towards 90, 95, is my math... my math may be bad, I don't know, whatever. Look, bottom line, that's our start; we go to trivially exploitable setuid programs next, and then we're off to the races.

Yes? What's the one thing that can solve most of our problems? What's that? What's the one thing that can solve most of our problems? The one thing that can solve your problems... give... hey, seriously, James Brown said dancing. Dancing. Anyway, hey, so before everybody breaks, I forgot, I have the Clubhouse and the LAN Turtle. Are we doing a random pick for this stuff or what? Who asked me about James Brown? Who asked me about James Brown? No joke, seriously. Well, you're not local, so you're not taking the Clubhouse pass. Here you go. So, I know, I know, but that was too good, too good to pass up. So I'm looking for somebody local that can use a Clubhouse pass. A person... I saw a hand go up over there; you win.

To talk more about privilege escalation and other awesome stuff, come hit the booth, Rendition Infosec. We're hiring, we're hiring. I'd love to steal some people away from the CPVs and NSAs and other great places, so come talk to me. We pay better than they do, and we have more fun.
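As an added check (not the speaker's code and not part of the talk), here is a small Python audit that does what the speaker asks the audience to go do by hand: read a sudoers file and a list of setuid binaries and flag the command classes discussed above, namely editors, pagers, script interpreters, find, and cp/mv. The sudoers text and the setuid path list below are constructed samples; the accounts jake, slacker and helpdesk are hypothetical names that mirror the demo. On a real system you would feed it /etc/sudoers (plus /etc/sudoers.d/*) and the output of `find / -perm -4000 -type f`.

```python
"""Audit sudoers rules and setuid binaries for commands that hand over root.

Added example, not the speaker's code. Sample inputs are constructed.
Limitations: Cmnd_Alias / User_Alias entries are not expanded, so run it
on the fully written-out rules or expand aliases first.
"""
import os
import re
from typing import Dict, List, NamedTuple, Tuple

# Why each command class is a problem, in the terms the talk uses.
RISKY_COMMANDS: Dict[str, str] = {
    "vi":      "editor: ':shell' / ':!cmd' gives a root shell",
    "vim":     "editor: ':shell' / ':!cmd' gives a root shell",
    "nano":    "editor: can rewrite any root-owned file (e.g. /etc/shadow)",
    "pico":    "editor: can rewrite any root-owned file (e.g. /etc/shadow)",
    "less":    "pager: 'v' opens $EDITOR, '!' runs a command",
    "more":    "pager: '!' runs a command",
    "find":    "'-exec' runs arbitrary commands as root",
    "cp":      "can overwrite arbitrary files (e.g. /etc/shadow)",
    "mv":      "can overwrite arbitrary files (e.g. /etc/shadow)",
    "perl":    "interpreter: exec \"/bin/bash\"",
    "python":  "interpreter: os.system('/bin/bash')",
    "python3": "interpreter: os.system('/bin/bash')",
    "ruby":    "interpreter: exec '/bin/bash'",
    "lua":     "interpreter: can spawn a shell",
}

class Finding(NamedTuple):
    user: str       # user or %group the rule applies to
    command: str    # command spec exactly as written in sudoers
    reason: str
    tags: str       # sudoers tags in effect, e.g. "NOPASSWD" or "NOEXEC"

_TAG_RE = re.compile(r"^([A-Z_]+):\s*")
# user  host = (runas) cmdspec   (runas part optional)
_RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def split_command_specs(spec: str) -> List[Tuple[str, str]]:
    """Split 'NOPASSWD: /bin/cat, /usr/bin/vi' into (tags, command) pairs.
    As in sudoers, a tag stays in effect for the commands that follow it."""
    out: List[Tuple[str, str]] = []
    tags: List[str] = []
    for part in spec.split(","):
        part = part.strip()
        while True:
            m = _TAG_RE.match(part)
            if not m:
                break
            tags.append(m.group(1))
            part = part[m.end():]
        if part:
            out.append((" ".join(tags), part))
    return out

def audit_sudoers(text: str) -> List[Finding]:
    """Return one Finding per sudoers command that matches RISKY_COMMANDS or ALL."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments / #includedir
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        user, spec = m.group(1), m.group(3)
        for tags, cmd in split_command_specs(spec):
            prog = cmd.split()[0]
            base = os.path.basename(prog)
            if prog == "ALL":
                findings.append(Finding(user, cmd, "ALL: unrestricted root", tags))
            elif base in RISKY_COMMANDS:
                findings.append(Finding(user, cmd, RISKY_COMMANDS[base], tags))
    return findings

def audit_setuid(paths: List[str]) -> List[Tuple[str, str]]:
    """Flag setuid binaries (e.g. from `find / -perm -4000 -type f`) that are
    editors, pagers or interpreters; a setuid editor is a standing root backdoor."""
    return [(p, RISKY_COMMANDS[os.path.basename(p)])
            for p in paths if os.path.basename(p) in RISKY_COMMANDS]

# Constructed sample input mirroring the demo accounts (hypothetical names).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root     ALL=(ALL:ALL) ALL
jake     ALL=(ALL) NOPASSWD: /bin/cat, /bin/echo, /bin/ls, /usr/bin/vi, /usr/bin/less, /bin/more
slacker  ALL=(root) /usr/bin/find
helpdesk ALL=(root) NOEXEC: /usr/bin/perl /opt/cleanup.pl, /usr/bin/tail -f /var/log/syslog
"""
SAMPLE_SETUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pico", "/usr/bin/nano", "/bin/ping"]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers  {f.user:<9} {f.command:<40} [{f.tags}] {f.reason}")
    for path, reason in audit_setuid(SAMPLE_SETUID):
        print(f"setuid   {path:<50} {reason}")
```

Note that a NOEXEC tag on the perl rule is reported rather than ignored: NOEXEC stops the interpreter from exec-ing a shell, but it does nothing about an interpreter that simply rewrites root-owned files, so the rule still deserves a look.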