Ch 11.Linux Exploits Ready

The document outlines common vulnerabilities and exploits associated with Linux systems, including password cracking techniques and default account configurations. It highlights specific vulnerabilities such as the Dirty COW bug and the GHOST exploit, as well as methods for escalating privileges and exploiting Linux file systems. Additionally, it provides insights into sensitive files and commands for viewing default accounts and permissions in Linux.

Uploaded by

MAJID ABDULLAH

CompTIA PenTest+

11.0 Linux Exploits

• 11.1 Common Linux/Unix-Based Vulnerabilities
• 11.2 Password Cracking in Linux
• 11.3 Vulnerable Linux Components
• 11.4 Linux Accounts

11.1 Common Unix/Linux-Based Vulnerabilities
• Vulnerabilities Common to the *Nix Family
• Linux Operating System Vulnerabilities
• Frequently Exploited Linux Features


Vulnerabilities Common to the *Nix Family
• General risks:
  • Physical, administrative, coding, and social engineering
• All *nix kernels are written in a variant of C
  • Same issues with input validation and bounds-checking
  • A greater number of developers causes inconsistency in implementing secure coding practices
• Apple iOS: Very strict approval and installation process
• Linux and Android: Allow side-loading apps
• Uses standard protocols and technologies
  • Susceptible to cross-platform exploits
Linux Operating System Vulnerabilities
• Linux distributions are versions of the open source Linux operating system kernel packaged with other components such as installation programs, management tools, and other software
• Similar categories of vulnerabilities as in Windows:
  • DoS
  • Information disclosure
  • Buffer or heap overflow
  • Privilege escalation
  • Remote code execution
  • Memory corruption
  • Security feature bypass
  • Directory traversal
Frequently Exploited Linux Features

Feature: ret2libc
Description:
• Existing function in the C library
• Eliminates the need for the attacker to inject their own shell code to take control of a target
• Allows arbitrary code execution and escalation of privilege
Exploit:
• https://www.exploit-db.com/docs/english/28553-linux-classic-return-to-libc-&-return-to-libc-chaining-tutorial.pdf

Feature: Insecure sudo
Description:
• Under certain conditions, this vulnerability allows attackers to bypass protections and execute commands that would normally require a password, resulting in privilege escalation
Exploit:
• Exploit-db.com contains 24 sudo-related exploits

Feature: Sticky bits
Description:
• Permission bits set on directories
• Only the owner can delete or rename files in the directory
• Useful in the shared directories /var/tmp and /tmp
• Sticky bit exploits can be disruptive and cause DoS
Exploit:
• https://www.exploit-db.com/exploits/16216/
• https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/
• https://gist.github.com/anonymous/10165224


Frequently Exploited Linux Features (cont'd)

Feature: SUID executables
Description:
• SUID allows a user to run a command as another user
• Used by administrators to change a user's password
• Allows an application to run as the owner; a SUID permission bit is set to allow this
• Many executables use SUID but are poorly coded and can allow an attacker to escalate privilege
Exploit:
• https://www.pentestpartners.com/security-blog/exploiting-suid-executables/

Feature: Dirty COW Bug
Description:
• A race condition in mm/gup.c in the kernel memory subsystem's handling of the copy-on-write (COW) feature, reached through /proc/self/mem
• Allows writing to private, read-only memory mappings
• Affects Linux kernel 2.6.22 < 3.9 (x86/x64)
• CVE-2016-5195
Exploit:
• https://www.exploit-db.com/exploits/40839/
• https://www.exploit-db.com/exploits/40616/


Frequently Exploited Linux Features (cont'd)

Feature: Five Year Bug
Description:
• A race condition created by raw mode PTY local echo permits privilege escalation
• Affects Linux kernel 3.14-rc1 < 3.15-rc4 (x64)
• CVE-2014-0196
Exploit:
• https://www.exploit-db.com/exploits/33516/

Feature: Remote Root Flaw
Description:
• Insecure second checksum in udp.c can give a remote attacker total control of a system using UDP traffic
• Affects pre-4.5 Linux kernel
• CVE-2016-10229
Exploit:
• https://www.rapid7.com/db/vulnerabilities/panos-cve-2016-10229


Activity: Exploiting Common Linux Features

11.2 Password Cracking in Linux
• Cracking Linux Passwords
  • Originally stored in cleartext in /etc/passwd
  • Currently stored as hash values in /etc/shadow; the hashing algorithm depends on the distribution

Cracking Linux Passwords

Attack Method: Dump the hashes from a compromised machine and send them to a password cracker
Tools:
• Metasploit module post/linux/gather/hashdump
• John the Ripper, etc.
• RainbowCrack
• Hashcat

Attack Method: Dump cleartext passwords currently stored in memory
Tools:
• Mimipenguin: https://github.com/huntergregal/mimipenguin

Attack Method: Pass the hash if the passwords take too long to crack. Works particularly well against Samba with LM or NTLM authentication
Tools:
• Metasploit module auxiliary/scanner/smb/smb_login

Attack Method: Install a physical or software-based keylogger
Tools:
• Meterpreter keyscan_start and keyscan_dump commands
• USB keyloggers

Attack Method: Use social engineering to obtain user passwords
Tools:
• Kali Social Engineering Toolkit (SET)
• WiFi-Pumpkin

Attack Method: Boot the target computer into single user mode to reset the root password
Tools:
• Reboot and edit GRUB to enter single user mode, then change the root password
Activity: Cracking Linux Passwords

11.3 Vulnerable Linux Components
• Default Configurations in Linux
• Linux Service and Protocol Configurations
• Linux File System
• Linux Permissions
• Sensitive Linux Files
• Privilege Escalation in Linux
Default Configurations in Linux
• User home permissions
  • Default permission is 775
• World-readable and world-writable directories and files
  • Default permission is 644
• Insecure mount or export options
  • The default mount options ("defaults") are rw, suid, dev, exec, auto, nouser, and async
• Services and applications with weak defaults
• Communication protocols that are not secure
• Default passwords
• Many open ports
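As an added illustration of the mount-option point (this is not part of the original slides), the following Python script parses text in /proc/mounts format and reports mount points that still carry the permissive defaults where a hardening baseline expects nosuid, nodev or noexec. The baseline table and the sample mount lines are constructed assumptions for the example; on a live host you would read the real /proc/mounts and adjust the baseline to your own build standard.

```python
"""Audit mount options for filesystems that should not allow setuid binaries,
device nodes or executables.  Added example, not from the original slides:
it parses /proc/mounts-style text, so the sample below is constructed and the
baseline table is an assumption (adjust it to the host's own standard)."""

# Hypothetical hardening baseline: mount point -> options it should carry.
# These are the restrictive counterparts of the "defaults" set (rw,suid,dev,exec,...)
# named in the slides; the exact list is an assumption for this example.
BASELINE = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/var/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/home": {"nosuid", "nodev"},
}

def parse_mounts(text):
    """Parse lines in /proc/mounts format: device mountpoint fstype options dump pass."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        # /proc/mounts escapes a space inside a path as the octal sequence \040
        mountpoint = parts[1].replace("\\040", " ")
        mounts[mountpoint] = set(parts[3].split(","))
    return mounts

def find_weak_mounts(text, baseline=BASELINE):
    """Return {mountpoint: sorted missing options} for every baseline mount point
    that is present but lacks at least one required hardening option."""
    mounts = parse_mounts(text)
    findings = {}
    for mountpoint, required in baseline.items():
        if mountpoint not in mounts:
            continue  # not mounted separately; nothing to check here
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings[mountpoint] = missing
    return findings

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    for mountpoint, missing in find_weak_mounts(SAMPLE_MOUNTS).items():
        print(f"{mountpoint}: remount with {','.join(missing)}")
```

With the constructed sample, /tmp is reported as missing noexec and /home as missing nodev and nosuid, while /dev/shm passes and /var/tmp is skipped because it is not a separate mount. The check deliberately only reports mount points that exist in the baseline, so it does not flag the root filesystem, which cannot reasonably be mounted nosuid.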
Linux Service and Protocol Configurations

Exploit: GHOST (CVE-2015-0235)
Description:
• Exploits how the popular EXIM mail server uses the gethostbyname function in the GNU C library (glibc)
• Gives an attacker remote control over the entire system
• Affects nearly all distributions that have EXIM installed
• Metasploit module exploit/linux/smtp/exim_gethostbyname_bof

Exploit: Shellshock (CVE-2014-6271, CVE-2014-6278)
Description:
• Exploits a vulnerability in how the Bash shell handles external environment variables
• Exploit-db.com contains 15 exploits
• Metasploit has 10 exploit modules; search shellshock

Exploit: Heartbleed (CVE-2014-0160)
Description:
• A platform-independent information disclosure vulnerability in the OpenSSL encryption library
• Can induce the server to also echo back random data from memory, including login credentials and session cookies
• Metasploit module auxiliary/scanner/ssl/openssl_heartbleed, https://gist.github.com/eelsivart/10174134

Exploit: POODLE (CVE-2014-3566, CVE-2014-8730)
Description:
• A platform-independent MITM attack that forces web servers and browsers to negotiate down from the stronger TLS to the weaker SSL 3.0
• https://github.com/mpgn/poodle-PoC
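An added detection example for the Shellshock row (it is not from the slides): the script parses combined-format web access log lines, which here are constructed, and reports any request field carrying the "() {" function-definition prefix that CVE-2014-6271 turns into code execution when a CGI handler exports the header into bash's environment. The log-format regex, the sample addresses and the sample probe string are assumptions made for this example.

```python
"""Detect Shellshock-style probes in Apache/Nginx combined-format access logs.
Added example for the table above; it is not from the slides and the log lines
below are constructed.  Shellshock (CVE-2014-6271) is triggered by a value that
begins with a function definition "() {", which attackers place in request
headers that CGI hands to bash as environment variables."""
import re

# Combined Log Format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The function-definition prefix that vulnerable bash versions parsed from any
# environment variable; whitespace between "()" and "{" is optional in practice.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Return the named fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_probes(lines):
    """Return a list of (host, field, value) for every request field carrying the marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently treated as clean
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["host"], field, rec[field]))
    return hits

# Constructed sample log lines (documentation-range addresses, no real hosts);
# two of them carry the marker, one is unparseable.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo probe" "curl/7.64"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{host}: shellshock marker in {field}: {value!r}")
```

The marker is searched in every client-controlled field the log records, not only the User-Agent, because any header a CGI script exports becomes an environment variable. A hit on a host that serves /cgi-bin paths is worth correlating with the bash version actually installed there; a patched bash ignores the trailing commands.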
Linux File System
• Virtual tree structure
• Base level is / (root)
• Top-level directories for most distros:
  • bin—binaries
  • boot—system boot files
  • dev—a virtual directory of device files (like USB sticks, webcams)
  • etc—config files
  • home—users' personal directories
  • lib—libraries (application code snippets)
  • media—where inserted removable media is mounted
  • mnt—(legacy) where storage or partitions are manually mounted

Linux File System (cont'd)
  • opt—where software you compile often ends up
  • proc—a virtual directory that contains information about running processes
  • root—home directory of the root superuser
  • usr—shared application files
  • sbin—applications only the superuser can run
  • srv—data for servers
  • sys—virtual directory about connected devices
  • tmp—temporary files
  • var—logs
Linux File Systems (cont'd)
• Linux and Bash are case sensitive, unlike MS-DOS
• Use a forward slash (/) to separate path levels
• Everything, including running processes, is treated as a file
• Files with spaces in their names are enclosed in quotes
• Bash uses colors for different file types
Linux Permissions
• File types:
  • - = Regular File
  • d = Directory (folder)
  • l = Symbolic Link
  • b = Block Special Device
  • c = Character Device
  • s = Unix Socket
  • p = Named Pipe
• To view permissions, enter ls -l
• Entities: u, g, o
• Permissions: r, w, x, -
• Octal permissions: 4, 2, 1, 0

Linux Permissions (cont'd)
• To assign permissions, use chmod
  • chmod 777 myfile
  • chmod 644 myfile
  • chmod 740 myfile
• Special permission bits
  • setuid/SUID
  • setgid/SGID
  • Sticky bit
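To tie together the sticky-bit and SUID rows of the 11.1 feature table and the chmod octal values above, here is an added Python example (not from the slides) that renders a mode the way ls -l does, including the s/S and t/T notation for the special bits, and audits a directory tree for SUID, SGID, sticky and world-writable entries. The sample tree it builds in a temporary directory and the risk tags it assigns are constructed for the example.

```python
"""Decode Linux mode bits and audit a directory tree for the special bits the
slides discuss (SUID, SGID, sticky) plus world-writable entries.  Added example,
not from the original slides; the sample tree is built in a temporary directory."""
import os
import stat
import tempfile

def mode_to_symbolic(mode):
    """Render the permission bits of `mode` the way `ls -l` does (rwsr-xr-x etc.).
    Equivalent to stat.filemode without the leading file-type character."""
    bits = [
        (stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
        (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
        (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"),
    ]
    out = [ch if mode & bit else "-" for bit, ch in bits]
    # Special bits replace the execute slot: lowercase when execute is also set,
    # uppercase when the special bit is set without execute (usually a mistake).
    if mode & stat.S_ISUID:
        out[2] = "s" if mode & stat.S_IXUSR else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if mode & stat.S_IXGRP else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if mode & stat.S_IXOTH else "T"
    return "".join(out)

def octal_to_symbolic(octal_text):
    """'4755' -> 'rwsr-xr-x'; accepts the 3- or 4-digit form used with chmod."""
    return mode_to_symbolic(int(octal_text, 8))

def classify(mode):
    """Return the set of risk tags a reviewer would flag for this mode (constructed names)."""
    tags = set()
    if mode & stat.S_ISUID:
        tags.add("suid")
    if mode & stat.S_ISGID:
        tags.add("sgid")
    if mode & stat.S_ISVTX:
        tags.add("sticky")
    if mode & stat.S_IWOTH:
        # A world-writable directory without the sticky bit lets any user delete or
        # rename other users' files in it; a world-writable file can be edited by anyone.
        if stat.S_ISDIR(mode):
            if not mode & stat.S_ISVTX:
                tags.add("world-writable-dir-no-sticky")
        else:
            tags.add("world-writable")
    return tags

def audit_tree(root):
    """Walk `root` with lstat (symlinks are not followed) and return
    {relative_path: sorted tags} for every entry that earns at least one tag."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            tags = classify(os.lstat(path).st_mode)
            if tags:
                findings[os.path.relpath(path, root)] = sorted(tags)
    return findings

def build_sample_tree():
    """Create a constructed tree: a SUID file, a world-writable config file, a
    /tmp-style sticky directory, and a shared directory missing the sticky bit."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)
    for name, mode in (("backup", 0o4755), ("app.conf", 0o666), ("notes.txt", 0o644)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, name), mode)
    return root

if __name__ == "__main__":
    for octal in ("777", "644", "740", "4755", "2755", "1777"):
        print(f"chmod {octal:>4} -> {octal_to_symbolic(octal)}")
    for path, tags in sorted(audit_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(tags)}")
```

Running it shows the three chmod values from the slide (777 = rwxrwxrwx, 644 = rw-r--r--, 740 = rwxr-----) beside the special-bit forms, and the audit reports the SUID file, the world-writable file and the shared directory, while the sticky /tmp-style directory is tagged only as sticky because that is exactly the configuration the sticky bit exists for.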
Sensitive Linux Files

• GRUB (/boot/grub): Most commonly used bootloader package that loads the Linux kernel
• /etc/passwd: List of all local accounts
• /etc/shadow: Password hashes for all local accounts
• /etc/group: List of all local groups
• /etc/gshadow: Password hashes for local groups
• /proc/cmdline: Kernel parameters
• /etc/rc.*: Run commands
• /etc/profile: Sets system-wide environment variables on user shells
• /etc/hosts: Host-name-to-IP mappings, checked before DNS for name resolution
• /etc/resolv.conf: Lists DNS servers for the system to use
• /etc/pam.d: Password and lockout policies
• ~/.bash_profile, ~/.bash_login, ~/.profile, /home/user/.bashrc, /etc/bash.bashrc, /etc/profile.d: Possible locations to insert a script that will run when the shell starts


Activity: Exploiting the Linux File System

Privilege Escalation in Linux

Vulnerability/Technique: /etc/passwd, /etc/shadow
Description: Obtain a copy of the files to crack root or privileged user passwords

Vulnerability/Technique: Weak process permissions
Description: Find processes with weak controls and inject malicious code into those processes

Vulnerability/Technique: User application compromise
Description:
• Compromise end user applications and plug-ins such as OpenOffice, VNC, and Adobe Flash Player
• Use social engineering to get the end user to open a file or browser page

Vulnerability/Technique: SetUID binaries
Description: Locate applications that can be run as root

Vulnerability/Technique: (not named in the source)
Description: Locate services that are owned by or running as root and attempt to compromise those services

Vulnerability/Technique: Shared folders
Description: Search for sensitive information in Samba shared folders, as it is common for them to have few or no restrictions

Vulnerability/Technique: Kernel and service exploits
Description: Find exploits that target the kernel and privileged services

Vulnerability/Technique: Meterpreter upgrade
Description: Use the Bash shell from Metasploit to attempt to upgrade to the more versatile Meterpreter

Vulnerability/Technique: Netcat upgrade
Description: Use a Netcat shell and attempt to upgrade it to a fully interactive TTY or Meterpreter

Vulnerability/Technique: Exploit cron jobs
Description: Exploit badly configured cron jobs to gain root access

Vulnerability/Technique: Missing patches and misconfigurations
Description: Search for missing patches or common misconfigurations that can lead to privilege escalation
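An added Python example for the "Exploit cron jobs" and "misconfigurations" rows (it is not from the slides): it parses /etc/crontab-style lines and flags jobs that run as root from a script that other users could modify, either because the file itself is world-writable or because a parent directory is world-writable without the sticky bit. The crontab text and the file modes are constructed, and the mode lookup is passed in as a function so the check runs offline; on a live host you would pass a wrapper around os.stat.

```python
"""Flag cron jobs that run as root from a path other users can modify.
Added example for the privilege-escalation table; not from the slides.  The
crontab text and the file modes below are constructed, and the mode lookup is
injected as a function so the audit runs offline."""
import shlex
import stat

def parse_system_crontab(text):
    """Parse /etc/crontab-style lines (m h dom mon dow user command) into (user, command)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments and VAR=value assignments
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # five time fields, a user and a command are required
        jobs.append((parts[5], parts[6]))
    return jobs

def modifiable_by_others(path, mode_of):
    """True if `path` is world-writable, or any ancestor directory is world-writable
    without the sticky bit (which would let anyone replace the file wholesale)."""
    mode = mode_of(path)
    if mode is not None and mode & stat.S_IWOTH:
        return True
    parent = path
    while parent not in ("/", ""):
        parent = parent.rsplit("/", 1)[0] or "/"
        pmode = mode_of(parent)
        if pmode is not None and pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
            return True
    return False

def audit_cron(text, mode_of):
    """Return (user, path) for root jobs whose executed script is modifiable by others."""
    findings = []
    for user, command in parse_system_crontab(text):
        try:
            argv = shlex.split(command)
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess
        if not argv:
            continue
        target = argv[0]
        if target in ("sh", "bash", "/bin/sh", "/bin/bash") and len(argv) > 1:
            target = argv[1]  # "bash /path/script": the script, not the interpreter, matters
        if user == "root" and target.startswith("/") and modifiable_by_others(target, mode_of):
            findings.append((user, target))
    return findings

# Constructed file modes (st_mode values) standing in for os.stat on a real host.
SAMPLE_MODES = {
    "/": 0o40755, "/etc": 0o40755, "/etc/cron.daily": 0o40755,
    "/etc/cron.daily/logrotate": 0o100755,
    "/opt": 0o40755, "/opt/backup": 0o40777, "/opt/backup/run.sh": 0o100755,
    "/tmp": 0o41777, "/tmp/cleanup.sh": 0o100777,
    "/usr": 0o40755, "/usr/local": 0o40755, "/usr/local/bin": 0o40755,
    "/usr/local/bin/report": 0o100755,
}

# Constructed /etc/crontab content for the example.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *   * * *   root    /etc/cron.daily/logrotate
0  2   * * *   root    bash /opt/backup/run.sh
*/5 * * * *   root    /tmp/cleanup.sh >/dev/null 2>&1
30 1   * * *   jason   /usr/local/bin/report
"""

if __name__ == "__main__":
    for user, path in audit_cron(SAMPLE_CRONTAB, SAMPLE_MODES.get):
        print(f"root cron job runs {path}, which other users can modify")
```

On the sample, /opt/backup/run.sh is reported because its directory is 777 without the sticky bit even though the script itself is 755, and /tmp/cleanup.sh is reported because the file is world-writable; the sticky /tmp directory alone would not have triggered the ancestor check. The logrotate job and the non-root job are left alone.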


Activity: Escalating Privilege in Linux

11.4 Linux Accounts
• Default Accounts in Linux
Default Accounts in Linux
• root—superuser account that can do anything
• adm—used for diagnostics and monitoring
• mail—handles email; used by the sendmail and postfix daemons
• news—used for Usenet news
• www-data—default website user
• nobody—assigned by the NFS daemon to a mounted NFS share whose owner is not a local user
• sshd—used for unprivileged operations by the SSH daemon
• lp—used for the printer system
• ftp—used for anonymous FTP access
• uucp—controls ownership of serial ports
Commands to View Default Accounts

• cat /etc/passwd: See all local accounts
• sudo cat /etc/shadow: See all password hashes
• grep jason /etc/passwd: Search for a particular account
• getent passwd 0: See who has UID 0 (root)
• getent group root: See who is in the root group
• getent group wheel: See who is in the wheel group (able to run the su command to change to root)
• getent group adm: See who is in the adm group (able to monitor the system and read log files)
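An added Python example that serves both the password-cracking slide in 11.2 (the hash algorithm used in /etc/shadow is identified by its $id$ prefix and varies by distribution) and the command table above (getent passwd 0 finds every UID-0 account): it parses /etc/passwd and /etc/shadow content and reports extra UID-0 accounts, empty password fields, md5crypt or DES hashes, and system accounts that still have a login shell. It is not from the slides; the file contents are constructed, the hash strings are fake placeholders, and the shell and algorithm tables are assumptions.

```python
"""Audit /etc/passwd and /etc/shadow content for the conditions a tester or
administrator looks for.  Added example (not from the slides): the two files
below are constructed, the hash strings are placeholders, and the login-shell
and algorithm tables are assumptions to adapt to the host baseline."""

# Shells that give an interactive login; nologin/false are treated as non-login.
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh", "/bin/dash"}

# crypt(3) "$id$" prefix -> algorithm.  Modern distributions default to
# sha512crypt or yescrypt; md5crypt and DES crypt are cheap to brute-force.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
ACCEPTABLE = {"sha256crypt", "sha512crypt", "scrypt", "yescrypt", "bcrypt"}

def parse_passwd(text):
    """name:passwd:uid:gid:gecos:home:shell -> list of dicts (malformed lines skipped)."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        users.append({"name": fields[0], "uid": int(fields[2]),
                      "gid": int(fields[3]), "home": fields[5], "shell": fields[6]})
    return users

def parse_shadow(text):
    """name:hash:lastchg:min:max:warn:inactive:expire:flag -> {name: hash field}."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line and not line.startswith("#") and len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes

def hash_algorithm(field):
    """Classify a shadow password field: 'locked', 'empty', an algorithm name,
    'descrypt' for the legacy prefix-less form, or 'unknown'."""
    if field.startswith("!") or field == "*":
        return "locked"      # "!", "!!", "*" or "!<hash>" can never match a password
    if field == "":
        return "empty"       # no password is required at all
    if field.startswith("$"):
        return HASH_IDS.get(field.split("$")[1], "unknown")
    return "descrypt"        # traditional 13-character DES crypt has no $id$ prefix

def audit_accounts(passwd_text, shadow_text):
    """Return a list of (account, issue) pairs in /etc/passwd order."""
    issues = []
    shadow = parse_shadow(shadow_text)
    for u in parse_passwd(passwd_text):
        if u["uid"] == 0 and u["name"] != "root":
            issues.append((u["name"], "uid 0 but not root"))
        algo = hash_algorithm(shadow.get(u["name"], "!"))  # absent from shadow => treat as locked
        if algo == "empty":
            issues.append((u["name"], "empty password field"))
        elif algo != "locked" and algo not in ACCEPTABLE:
            issues.append((u["name"], "weak hash: " + algo))
        if u["shell"] in LOGIN_SHELLS and u["uid"] < 1000 and u["name"] != "root":
            issues.append((u["name"], "system account with login shell"))
    return issues

# Constructed sample files; hash values are fake placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
jason:x:1000:1000:Jason:/home/jason:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFORTHISEXAMPLE:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
backup:$1$saltsalt$FAKEMD5HASHEXAMPLE:19000:0:99999:7:::
toor::19000:0:99999:7:::
jason:$y$j9T$FAKEYESCRYPTHASH:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for account, issue in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {issue}")
```

On the sample, "backup" is reported twice (an md5crypt hash and an interactive shell on a service account) and "toor" three times (a second UID-0 account, an empty password field and a login shell); root, the nologin service accounts and the ordinary user pass. The same prefix table is what a cracker uses to pick the right hash mode, which is why the md5crypt finding matters: it is orders of magnitude cheaper to brute-force than sha512crypt or yescrypt.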


Activity: Exploiting Linux Accounts

Linux Exploits Review
• Learn more about Linux by looking at Windows vulnerabilities and exploits and searching for the Linux equivalents
• Consider using common Linux features in your exploits, not just Metasploit and ones found online
• When cracking passwords in Linux, consider using a combination of techniques:
  • Cracking offline copies of /etc/passwd and /etc/shadow
  • Dumping hashes
  • Brute forcing network services
  • Using SMB exploits against the Samba service
• Use nmap and online research to identify vulnerable services and protocols
• Use sticky bits, SUID, and SGID to attack Linux file systems by targeting directories, sensitive files/data, and weak permissions

Linux Exploits Review (cont'd)
• After compromising a low-level Linux account, use password cracking, kernel exploits, SUID binaries, shared directories, weak permissions, poorly configured cron jobs, and suggested Metasploit modules to escalate privilege
• Check which privileged default and service-added Linux accounts can be targeted for password cracking or hash dumping
• Look for service and protocol versions, weak directory permissions, and weak mount points that can be targeted
• When attacking mobile devices, use physical access, social engineering/app side-loading, lack of basic security practices, and software exploits to compromise the target
• Use hardware-based attacks against devices if you have physical access to the devices
