# A comprehensive Linux Privilege-Escalation Benchmark
2
2
3
-
We need a benchmark for some priv-esc testing.. so let's utilize somes stuff from [hacktricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)
3
+
This is a simple benchmark for linux privilege escalation attacks, i.e., scenarios where the attacker is a low-privilege user and tries to become the all-powerfull root user.
4
4
5
-
## setup instructions
5
+
To the best of our knowledge, this is the only benchmark that ful-filled our requirements
6
6
7
-
This depends upon installed
7
+
- being fully open-source (and thus allowing for experiment control/repeatability)
8
+
- being offline usable
9
+
- consisting of a single machine/scenario for each implemented vulnerability
10
+
- running within virtual machines so that the attacker cannot compromise our host system
8
11
9
-
-`ansible`
10
-
-`ansible community`, install through `ansible-galaxy collection install community.general`
11
-
-`ansible posix`, install through `ansible-galaxy collection install ansible.posix`
12
-
13
-
## Providing VM base images
14
-
15
-
You can either provide the base VM image yourself or use `vagrant` to provision new virtual machines.
16
-
17
-
### Using vagrant to spawn KVM-based virtual machines
18
-
19
-
You must have the following package installed:
20
-
21
-
- basic compiler tools (`gcc`, `make`, `gawk`)
22
-
-`libvirt`, `libvirt-daemon-system` and `libvirt-dev`
Make sure that your current user is part of the `libvirt` group to prevent password entry (`sudo usermod <username> -a -G libvirt`).
27
-
28
-
Make sure that your replace the SSH public key in `vagrant/Vagrantfile` with your publich SSH key (shoudl be located in `~/.ssh/id_rsa.pub`).
12
+
Please check [our paper](https://arxiv.org/abs/2405.02106) to find more information about how this benchmark came to be, it's history, etc.
29
13
30
-
With that you should be able to call `./testrun.sh`
14
+
If you are using this benchmark for academic work, please help us by [citing us](https://arxiv.org/abs/2405.02106):
31
15
32
-
### manually creating a base VM image
33
-
34
-
While ansible is used to configure the virtual machines, the virtual machines themselves (and SSH access) must already be provided.
35
-
36
-
I am using debian 12 based images, with a disksize of 5GB (4GB root partition, 1GB swap), 1GB of memory and a single virtual CPU. During installation I activated `SSH server` and `standard system utilities` during the setup phase.
16
+
~~~bibtex
17
+
@misc{happe2024got,
18
+
title={Got Root? A Linux Priv-Esc Benchmark},
19
+
author={Andreas Happe and Jürgen Cito},
20
+
year={2024},
21
+
eprint={2405.02106},
22
+
archivePrefix={arXiv},
23
+
primaryClass={cs.CR}
24
+
}
25
+
~~~
37
26
38
-
My basic VM images have the following configuration and users:
27
+
## How to start the Benchmark Suite
39
28
40
-
-`root` : `aim8Du7h`
29
+
For easy use, we provide the `create_and_run_vms.sh` script which:
41
30
42
-
Install a SSH key for user ansible and root (192.168.122.133 ist the VM's IP):
31
+
- uses libvirt to start new QEMU/KVM virtual machines (this means, you currently have to run a linux host system)
32
+
- then uses ansible to configure the different virtual machines, i.e., introduces vulnerabilities
33
+
- starts them within the virtual network with predefined credentials for the low-privilege user
43
34
44
-
~~~bash
45
-
my_machine$ ssh-copy-id ansible@192.168.122.133
46
-
my_machine$ ssh ansible@192.168.122.133
47
-
ansible@debian$ su
48
-
Password:
49
-
root@debian:/home/ansible# cp -r .ssh/ /root/
50
-
root@deiban:/home/ansible$ exit
51
-
ansible@debian$ exit
52
-
my_machine$
53
-
~~~
35
+
All images have the same credentials:
54
36
55
-
## things setup by ansible
56
-
57
-
- debian is updated
58
37
- a new low-privilege user `lowpriv` with password `trustno1` is created
59
38
- the `root` password is set to `aim8Du7h`
60
39
61
-
## supported local priv-esc vulnerabilitites
40
+
Enjoy!
41
+
42
+
## Supported Linux Priv-Escalation Vulnerabilitites
62
43
63
44
Currently we support some single-step (i.e., simple to exploit, do not need to be combined) priv-esc vulnerabilities:
64
45
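Review bot: the removed "manually creating a base VM image" material (debian 12 image, 5GB disk with 4GB root and 1GB swap, the `ansible` user, and the `ssh-copy-id` / `su` / `cp -r .ssh/ /root/` key-copy steps) disappears without a replacement; if the vagrant path is now the only supported way to obtain base images, say so explicitly in the new setup section, otherwise keep the manual steps somewhere. The new heading line `All images have the same credentials:` now introduces items that still read as setup actions ("a new low-privilege user `lowpriv` with password `trustno1` is created", "the `root` password is set to `aim8Du7h`"); rewording them as plain credential entries would read better. Because these root and lowpriv passwords are published, the bullet about starting the machines "within the virtual network with predefined credentials" should state that the VMs are meant to stay on an isolated, non-forwarded libvirt network, in line with the earlier requirement that the attacker must not be able to reach the host. Typos carried into the new text: `all-powerfull`, `ful-filled`, `it's history` (should be `its`), and `Vulnerabilitites` in the new section heading.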
@@ -77,8 +58,28 @@ Currently we support some single-step (i.e., simple to exploit, do not need to b
77
58
|`vuln_password_in_shell_history`| the root password can be found in lowpriv's `.bash_history`|
78
59
|`root_password_reuse_mysql`| user has mysql password configured and is reusing the root password |
79
60
80
-
## howto apply the vulnerable VM configuration?
61
+
## Setup Instructions
81
62
82
-
~~~bash
83
-
$ ansible-playbook -i hosts.ini tasks.yaml
84
-
~~~
63
+
This depends upon the following packages being installed
64
+
65
+
-`ansible`
66
+
-`ansible community`, install through `ansible-galaxy collection install community.general`
67
+
-`ansible posix`, install through `ansible-galaxy collection install ansible.posix`
68
+
- basic compiler tools (`gcc`, `make`, `gawk`)
69
+
-`libvirt`, `libvirt-daemon-system` and `libvirt-dev`
70
+
-`vagrant`
71
+
- the vagrant libvirt plugin (`vagrant plugin install vagrant-libvirt` after vagrant was installed)
72
+
73
+
Make sure that your current user is part of the `libvirt` group to prevent password entry (`sudo usermod <username> -a -G libvirt`).
74
+
75
+
Make sure that your replace the SSH public key in `vagrant/Vagrantfile` with your publich SSH key (shoudl be located in `~/.ssh/id_rsa.pub`).
76
+
77
+
With that you should be able to call `./create_and_start_vms.sh`
78
+
79
+
## How to contribute additional testcases?
80
+
81
+
We are more than happy to add new test-cases, to do this please
82
+
83
+
- look at `tasks.yaml` which contains the `Ansible` commands for introducing vulnerabilities into our linux virtual machines
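Review bot: the script name in `With that you should be able to call ./create_and_start_vms.sh` does not match `create_and_run_vms.sh` referenced in the "How to start the Benchmark Suite" section earlier in this file; pick one name and use it in both places. The dependency bullets written as `-`ansible`` (no space after the dash) will not render as a Markdown list; use `- `ansible``. The hint `sudo usermod <username> -a -G libvirt` should note that the new group membership only takes effect after logging in again. The removed `ansible-playbook -i hosts.ini tasks.yaml` invocation was the only documented way to apply `tasks.yaml` by hand, which the new contribution section still points readers to; either keep that command or explain that the start script runs the playbook. Typos: `your replace` (you replace), `publich`, `shoudl`; and `~/.ssh/id_rsa.pub` assumes an RSA key, so phrase it as an example (e.g. also `id_ed25519.pub`).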