Little Help with Privilege Escalation Please

[nmslatte1985]

Hi Guys,
I am new to using backtrack and I just went to a class to learn how to pen test. I am trying to complete a lab and part of the lab entails escalating your privileges to root after you gain access to the box. The target box is a Redhat 2.4.8-20 box and I currently only have regular user privileges. I am using Backtrack 4 as my "attack" server. I need to obtain the /etc/shadow file so that I can brute force it. I have tried to use Hydra, but I have not been able to get the root password. I have also tried looking for a program running as root to attempt to read the file, but I am afraid I am a little bit lost. Any help would be GREATLY appreciated.

[lupin]

There are various ways to escalate privileges on Linux, but the simplest methods usually involve exploiting kernel functions or programs/services already running as root. Given the age of that kernel version its likely you will be able to find a privilege escalation exploit for the Linux kernel on Exploit-db that will work.

[nmslatte1985]

Thanks. I see that it is mostly shellcode. DO I need to use Metaspoloit to get it to work? The only exploits I have ever used have been the ones in Metasploit. I am not sure how I would get this to work.

[lupin]

Mostly shellcode? There should be an exploit wrapped around that shellcode if you are looking in the right area of exploit-db (e.g. the Local exploits area and not the Shellcode area).

Each of these will run in their own way depending on the format of the exploit. If its a C/C++ program compile and run it, if its written in an interpreted language like perl, python, ruby or a shell script run it with the appropriate interpreter. Some exploits will include instructions on how to run them, for the others you need to work it out yourself. No one said using exploits found in the public domain would be easy ... or safe by the way. You should examine the exploit to see how it works before running it, because it may do more than you expect...

Ive never checked myself, but there may also be privilege escalation exploits for Linux in Metasploit, so you should check that out.

[nmslatte1985]

Thanks. I have been searching through the exploits and I have tried a few but I cannot get any of them to work. I think I may be newer than a newb here :-) When I took this class they showed us how to read the /etc/shadow file with a program called efax. the VM I have for this lab does not have this installed. Are you aware of another program I could use to accomplish this?

[lupin]

It's a text file, you can read it with any text editor/viewer. cat, vi, nano, kate, kedit, etc. You might want to check out the New to Linux sticky in the Beginners forum, this type of stuff is considered Basic Linux skills.

Just simply reading the shadow file may not be very helpful to you though, in a penetration testing scenario you usually gain access to /etc/shadow in order to crack passwords in it - the passwords are not stored in clear text format, but in a non reversible hashed format. And under normal circumstances the shadow file can only be read by root...

[nmslatte1985]

Thanks. I thought if I could redirect the output to another file I could use that to as the file to run a password cracker against. I have the basic Linux skills down (how to read, edit a file etc) I am just unsure how to run certain exploits. I looked in the exploits-db under local exploits and I found a few, but I just don't know how to run them because they seem to be entire programs. I am not a programmer at all. My IT skills are in telecommunications so this whole thing is new to me.

Thanks for all your help. I appreciate it.

[lupin]

Thanks. I thought if I could redirect the output to another file I could use that to as the file to run a password cracker against. I have the basic Linux skills down (how to read, edit a file etc) I am just unsure how to run certain exploits.

You may want to look into Linux file system permissions. Under most Linux distributions the shadow file is owned by root and permissions are set so that only the owner can read the file. The result? You need at minimum the ability to read a file as root to be able to get at the content of the shadow file - either to read it directly or to redirect it's contents to another file.

Have you checked the permissions and ownership on the shadow file on this system?

I looked in the exploits-db under local exploits and I found a few, but I just don't know how to run them because they seem to be entire programs. I am not a programmer at all. My IT skills are in telecommunications so this whole thing is new to me.

Thanks for all your help. I appreciate it.

Most privilege escalation exploits are run from a shell and they then give that shell root privileges. Some work slightly differently, but for the most part thats what happens. So you just need shell access on the system, then you transfer the privilege escalation exploit there and run it, and if it works your shell should end up wth root privilege.

[Sys7emR00t]

Most privilege escalation exploits are run from a shell and they then give that shell root privileges. Some work slightly differently, but for the most part thats what happens. So you just need shell access on the system, then you transfer the privilege escalation exploit there and run it, and if it works your shell should end up wth root privilege.

Can you give an example of this kind of exploit? Thanks!

[lupin]

Can you give an example of this kind of exploit? Thanks!

Here. And here. Here too.

Just search exploit DB for local Linux exploits mentioning privilege escalation (or just privilege, like this search).