Linux

Privilege Escalation

• linpeas
  • Get it from releases page, or curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
  • NOTE: This remvoes the need for LinEnum and linux-exploit-suggester-2
• LinEnum
• linux-exploit-suggester-2
  • Not to be confused with the original, which was last updated in 2014
• linux-smart-enumeration
• unix-privesc-check
• sudo_killer
  • Find fun sudo perms
• traitor
  • Auto-exploit vulnerabilities to get a root shell
• suid3num
  • Find interesting suid binaries
• pspy
  • Monitor processes w/o root

Exploits

• Dirty COW
• CVE-2022-23222
  • eBPF privilege escalation in kernel version 5.8 <= 5.x < 5.10.83
  • TODO: May require a specific kernel setting
  • Also see: NIST NVD entry
• PwnKit (CVE-2021-4034)
  • Affects polkit <= 0.92
  • Also see: NIST NVD entry
• NimbusPwn
  • Specifically, bug in networkd-dispatcher
• DirtyCred
  • UAF vulnerability in Linux credentials handling
  • For more POCs: 2022-LPE-UAF
• CVE-2021-3156 (Sudo Baron Samedit)
  • Heap-based BOF in sudo versions 1.8.2 < 1.8.32 and 1.9.0 <= 1.9.5
  • Also check out this exploit writeup (and of course the original)
• How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables

References

• Linux LPE
• Qualys' Writeup on Polkit
• DirtyCred Slides

PWK

See this repo for BOF help: https://github.com/gh0x0st/Buffer_Overflow

Post-Exploit

General

• moonwalk
  • Watch your back
• pamspy
  • Credentials dumper via eBPF

Rootkits

• TripleCross
  • eBPF rootkit
  • This is the most fully featured I've seen thus far
• boopkit
  • Backdoor/rootkit (eBPF + TCP)
  • Also see: bad-bpf
• BPFDoor
  • APT backdoor triggered by malformed packets to a specific port
  • Also see: A peek behind the BPFDoor

Process Tracing/Injection

• 3snake
  • Extract information from newly spawned processes
• dlinject
  • Inject a shared library into a process, but without ptrace
  • Python!
• Cexigua
  • Code injection w/o ptrace
• linux-inject
  • Code injection w/o ptrace
• Linux ptrace introduction AKA injecting into sshd for fun

LD_PRELOAD

• "This will only hurt for a moment": code injection on Linux and macOS with LD_PRELOAD
• Memory Malware Part 0x2 — Crafting LD_PRELOAD Rootkits in Userland

LDAP

• ldapsearch
  • Linux utility for LDAP queries
• ldapper
  • Easier LDAP queries
  • In particular, see queries.py
• ldapdomaindump
  • Dump an AD domain

SSH

• Dropbear SSH
  • Mini SSH server + client
• sshame
  • SSH pubkey brute force
• sshkey-grab
  • Requires gdb
  • Also see: Stealing unencrypted SSH-agent keys from memory
• ssh-mitm
  • Hijack SSH sessions, phish FIDO tokens, snag passwords + (forwarded), snag/manipulate files
• sshame
  • Brute-force SSH pubkey auth
• sshkey-grab
  • Grab keys from agent
  • Also see NetSPI's article

PAM

• Creating a backdoor in PAM in 5 line of code
  • Also see: linux-pam-backdoor
    • WARNING: Requires network connectivity so that it can fetch the PAM source code, though the main mechanism is pretty simple to recreate with a custom script.
• Exfiltrating credentials via PAM backdoors & DNS requests
  • In particular, see the section on LD_PRELOAD
  • This is more geared towards exfiltration of credentials, but it could also be used as a starting point for hooking pam_sm_authenticate
  • This could generate some noise, but who's checking for SSH restarts?

Articles

• Linux Stealth Rootkit Malware with EDR Evasion | SandFly