All Gitbook

Linux

LogoBasic Linux Privilege Escalation - g0tmi1k

dotfiles .xxx

Applications frequently store user-specific configuration files and subdirectories within a user's home directory, typically only writable by the user themselves or root.

/bin/bash

.bash_profile is executed when logging in to the system initially. This happens when logging in to the machine itself, via a serial console or SSH.

.bashrc is executed when a new terminal window is opened from an existing login session or when a new shell instance is started from an existing login session.

We can modify .bash_profile or .bashrc to set environment variables or load scripts when a user initially logs in to a system. Can be useful when trying to maintain persistence, and escalate privileges... e.g. echo "touch /tmp/bashtest.txt" >> ~/.bashrc

VIM

Unrestricted VIM environment -

a) ! can exec shell cmd
echo "!touch /tmp/test.txt" >> ~/.vimrc
b) stealthier
echo "#!/bin/bash" >> ~/.vimrunscript
echo '' >> ~/.vimrunscript

echo ":silent !source ~/.vimrunscript" >> ~/.vimrc
sudo vi

VIM handles its configuration files differently for a user in a sudo context depending on the distribution of Linux.

Ubuntu and Red Hat, VIM will use the current user's .vimrc configuration file even in a sudo context. (if the user runs VIM via sudo, our script being sourced will also run as root)

In other distributions, such as Debian, in a sudo context, VIM will use the root user's VIM configuration. We can add an alias to the user's .bashrc file as below shows -

In Debian

The alias replaces a standard sudo call with one that will force sudo to persist the user's VIM settings, so that the shell script being loaded will then also run as root when user runs VIM via sudo

echo 'alias sudo="sudo -E"' >> ~/.bashrc
apply the change
source ~/.bashrc

If sudo -l shows NOPASSWD on vim command to open specific file, we can just run su vi the_file and use :shell directly to gain root shell without root password

Note that many administrators now require the use of sudoedit for modifying sensitive files. This process makes copies of the files for the user to edit and then uses sudo to overwrite the old files. It also prevents the editor itself from running as sudo. Having said this, it is also not uncommon to find that system administrators simply add VIM to the allowed commands in the sudoers file instead.

Restricted VIM environment that blocks shell command -

~/.vim/plugin/settings.vim
:if $USER == "root"
:autocmd BufWritePost * :silent 
:endif
PreviousMimikatz Abusing KerberosNextAV Bypass

Last updated