
Thread: Little Help with Privilege Escalation Please

  1. #1
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    4

    Little Help with Privilege Escalation Please

    Hi Guys,
    I am new to using BackTrack and I just went to a class to learn how to pen test. I am trying to complete a lab, and part of the lab entails escalating your privileges to root after you gain access to the box. The target box is a Redhat 2.4.8-20 box and I currently only have regular user privileges. I am using BackTrack 4 as my "attack" server. I need to obtain the /etc/shadow file so that I can brute force it. I have tried to use Hydra, but I have not been able to get the root password. I have also tried looking for a program running as root to attempt to read the file, but I am afraid I am a little bit lost. Any help would be GREATLY appreciated.

  2. #2
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Re: Little Help with Privilege Escalation Please

    There are various ways to escalate privileges on Linux, but the simplest methods usually involve exploiting kernel functions or programs/services already running as root. Given the age of that kernel version, it's likely you will be able to find a privilege escalation exploit for the Linux kernel on Exploit-db that will work.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    4

    Re: Little Help with Privilege Escalation Please

    Thanks. I see that it is mostly shellcode. Do I need to use Metasploit to get it to work? The only exploits I have ever used have been the ones in Metasploit. I am not sure how I would get this to work.

  4. #4
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Re: Little Help with Privilege Escalation Please

    Mostly shellcode? There should be an exploit wrapped around that shellcode if you are looking in the right area of exploit-db (e.g. the Local exploits area and not the Shellcode area).

    Each of these will run in its own way depending on the format of the exploit. If it's a C/C++ program, compile and run it; if it's written in an interpreted language like perl, python, ruby or a shell script, run it with the appropriate interpreter. Some exploits will include instructions on how to run them; for the others you need to work it out yourself. No one said using exploits found in the public domain would be easy ... or safe, by the way. You should examine the exploit to see how it works before running it, because it may do more than you expect...

    I've never checked myself, but there may also be privilege escalation exploits for Linux in Metasploit, so you should check that out.

  5. #5
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    4

    Re: Little Help with Privilege Escalation Please

    Thanks. I have been searching through the exploits and I have tried a few, but I cannot get any of them to work. I think I may be newer than a newb here :-) When I took this class they showed us how to read the /etc/shadow file with a program called efax. The VM I have for this lab does not have this installed. Are you aware of another program I could use to accomplish this?

  6. #6
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Re: Little Help with Privilege Escalation Please

    It's a text file; you can read it with any text editor/viewer: cat, vi, nano, kate, kedit, etc. You might want to check out the New to Linux sticky in the Beginners forum; this type of stuff is considered Basic Linux skills.

    Just simply reading the shadow file may not be very helpful to you though. In a penetration testing scenario you usually gain access to /etc/shadow in order to crack passwords in it. The passwords are not stored in clear text format, but in a non-reversible hashed format. And under normal circumstances the shadow file can only be read by root...

  7. #7
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    4

    Re: Little Help with Privilege Escalation Please

    Thanks. I thought if I could redirect the output to another file I could use that as the file to run a password cracker against. I have the basic Linux skills down (how to read, edit a file etc.); I am just unsure how to run certain exploits. I looked in the exploits-db under local exploits and I found a few, but I just don't know how to run them because they seem to be entire programs. I am not a programmer at all. My IT skills are in telecommunications so this whole thing is new to me.

    Thanks for all your help. I appreciate it.

  8. #8
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Re: Little Help with Privilege Escalation Please

    Quote: Originally Posted by nmslatte1985
        Thanks. I thought if I could redirect the output to another file I could use that as the file to run a password cracker against. I have the basic Linux skills down (how to read, edit a file etc.); I am just unsure how to run certain exploits.

    You may want to look into Linux file system permissions. Under most Linux distributions the shadow file is owned by root and permissions are set so that only the owner can read the file. The result? You need at minimum the ability to read a file as root to be able to get at the content of the shadow file, either to read it directly or to redirect its contents to another file.

    Have you checked the permissions and ownership on the shadow file on this system?

    Quote: Originally Posted by nmslatte1985
        I looked in the exploits-db under local exploits and I found a few, but I just don't know how to run them because they seem to be entire programs. I am not a programmer at all. My IT skills are in telecommunications so this whole thing is new to me.

        Thanks for all your help. I appreciate it.

    Most privilege escalation exploits are run from a shell and they then give that shell root privileges. Some work slightly differently, but for the most part that's what happens. So you just need shell access on the system, then you transfer the privilege escalation exploit there and run it, and if it works your shell should end up with root privilege.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
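
Added example (not part of the original thread or any poster's words): the permission and ownership check asked about in post #8, written as a shell function a system owner can run to see who besides the owner can read or write a hash file such as /etc/shadow. The function name `audit_hash_file`, its return codes and the wording of the findings are assumptions of this example, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the thread): audit access to a password-hash file.
# Assumes GNU coreutils `stat -c`; audit_hash_file is a hypothetical helper name.

# Usage: audit_hash_file PATH [EXPECTED_OWNER_UID]   (owner defaults to 0, root)
# Returns 0 = locked down, 1 = at least one finding, 2 = could not inspect.
audit_hash_file() {
    path=$1
    want_uid=${2:-0}
    findings=0

    if [ ! -e "$path" ]; then
        echo "ERROR: $path not found"
        return 2
    fi
    # -L follows symlinks so the real file's owner and mode are checked.
    info=$(stat -L -c '%u %a' "$path" 2>/dev/null)
    if [ -z "$info" ]; then
        echo "ERROR: cannot stat $path"
        return 2
    fi
    uid=${info% *}
    mode=${info#* }
    perm=$((0$mode))   # the leading 0 makes the shell parse the mode as octal

    if [ "$uid" -ne "$want_uid" ]; then
        echo "FINDING: $path owned by uid $uid, expected $want_uid"
        findings=1
    fi
    if [ $(($perm & 0004)) -ne 0 ]; then
        echo "FINDING: $path is world-readable (mode $mode): any local user can copy the hashes"
        findings=1
    fi
    if [ $(($perm & 0022)) -ne 0 ]; then
        echo "FINDING: $path is writable by group or others (mode $mode)"
        findings=1
    fi
    if [ $(($perm & 0040)) -ne 0 ]; then
        echo "NOTE: $path is group-readable (mode $mode); review that group's members"
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: $path owner uid $uid mode $mode"
    fi
    return "$findings"
}
```

Call it as `audit_hash_file /etc/shadow`; a non-zero return means an unprivileged account could obtain the hashes without any exploit, which is the condition to fix first.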

  9. #9
    Junior Member
    Join Date
    Oct 2010
    Posts
    45

    Re: Little Help with Privilege Escalation Please

    Quote: Originally Posted by lupin
        Most privilege escalation exploits are run from a shell and they then give that shell root privileges. Some work slightly differently, but for the most part that's what happens. So you just need shell access on the system, then you transfer the privilege escalation exploit there and run it, and if it works your shell should end up with root privilege.

    Can you give an example of this kind of exploit? Thanks!

  10. #10
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Re: Little Help with Privilege Escalation Please

    Hey buddy, for the privilege escalation that you are trying to accomplish, I'm not familiar with Linux exploits for this but I know meterpreter will happily do this for you in Windows. Maybe meterpreter has privilege escalation exploits for Linux? Maybe someone can let me know if meterpreter includes some exploits for Linux priv escalation or you can try it yourself and see what happens.
