Privilege escalation - Linux
Privilege escalation is a critical step in the post-exploitation phase, where attackers elevate their access to a higher privilege level. This guide will focus on practical techniques and commands to identify and exploit various privilege escalation vulnerabilities in Linux. It includes tools, methods for finding sensitive information, exploiting misconfigurations, and utilizing kernel vulnerabilities. Every method will have corresponding commands to enhance its practicality.
These tools are essential for finding and exploiting privilege escalation vulnerabilities:
LinPEAS: Privilege Escalation auditing script.
Linux Exploit Suggester: Suggests potential exploits based on system vulnerabilities.
Pspy: Monitors processes without root access.
Gather system information:
Check running processes:
Check kernel version (see the kernel exploits section below):
List users on the system:
Check available shell history:
Check if any folder in the PATH is writable:
Check environment variables for sensitive information:
Search for kernel exploits using scripts (e.g., DirtyCow):
Check for specific kernel exploits like DirtyCow:
Check if the sudo version is vulnerable:
Look for kernel errors or issues related to signature verification:
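The "writable folder in PATH" check above is worth automating, since the same condition is what an administrator wants to catch before anyone else does. The following is an added example, not code from the original page: it audits a PATH value entry by entry (relative entries, missing directories, world- or group-writable directories, directories owned by an untrusted uid) through a probe function, so the logic can be exercised on the constructed directory table shown and then pointed at the live host with `real_probe`. The sample PATH, the directory table and the function names are all constructed for this example.

```python
"""Audit a PATH value for directories a non-root user could plant a binary in.

Added example, not code from the original page. The filesystem probe is a
parameter so the logic can be exercised on constructed data below; real_probe
wires it to os.stat for a live host.
"""
import os
import stat
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# probe(directory) -> (owner_uid, permission_bits), or None if it is not a directory
Probe = Callable[[str], Optional[Tuple[int, int]]]


def real_probe(path: str) -> Optional[Tuple[int, int]]:
    """Probe backed by os.stat for auditing the host the script runs on."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISDIR(st.st_mode):
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


def audit_path(path_value: str, probe: Probe,
               trusted_uids: Sequence[int] = (0,)) -> List[Dict[str, str]]:
    """Return one finding per PATH entry that weakens command lookup.

    Issues reported:
      relative        empty or non-absolute entry, resolved against the cwd
      missing         directory does not exist; whoever can write its parent can create it
      world-writable  others can create files (a sticky bit does not stop creation)
      group-writable  a group can create files; check who is in that group
      untrusted-owner owned by a uid outside trusted_uids, who can replace files in it
    """
    findings: List[Dict[str, str]] = []
    for entry in path_value.split(os.pathsep):
        if entry == "" or not entry.startswith("/"):
            findings.append({"dir": entry or "(empty)", "issue": "relative"})
            continue
        info = probe(entry)
        if info is None:
            findings.append({"dir": entry, "issue": "missing"})
            continue
        uid, mode = info
        if mode & stat.S_IWOTH:
            findings.append({"dir": entry, "issue": "world-writable"})
        elif mode & stat.S_IWGRP:
            findings.append({"dir": entry, "issue": "group-writable"})
        elif uid not in trusted_uids:
            findings.append({"dir": entry, "issue": "untrusted-owner"})
    return findings


# Constructed sample: a PATH with a few weak entries and a fake directory table.
SAMPLE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/bin:/opt/tools/bin:/home/dev/bin::/tmp"
SAMPLE_DIRS = {
    "/usr/local/sbin": (0, 0o755),
    "/usr/local/bin": (0, 0o755),
    "/usr/bin": (0, 0o755),
    "/opt/tools/bin": (0, 0o775),    # root-owned but group-writable
    "/home/dev/bin": (1000, 0o755),  # owned by an ordinary user
    "/tmp": (0, 0o1777),             # sticky, but still world-writable
}


def sample_probe(path: str) -> Optional[Tuple[int, int]]:
    """Probe over the constructed directory table (stands in for os.stat)."""
    return SAMPLE_DIRS.get(path)


if __name__ == "__main__":
    # Audit the live environment; the constructed sample above yields four findings.
    for finding in audit_path(os.environ.get("PATH", ""), real_probe):
        print(f"{finding['issue']:15} {finding['dir']}")
```

Run against a service account's environment (for example a cron or systemd unit's PATH), an empty finding list means every directory that a command name can resolve through is root-owned and not writable by anyone else; any other result is a directory to fix or remove from PATH.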
Check System Information (Date, System Stats, CPU Info)
Date and Time: (Helps you synchronize your actions with scheduled jobs or detect potential time-based misconfigurations)
CPU info: (Identifies the system architecture to tailor exploits to the specific processor type)
Check for printers: (Identifies networked printers, which could be exploited for lateral movement or sensitive data interception)
Check for writable files:
Common files where passwords are stored:
Old Passwords in /etc/security/opasswd
Last Edited Files
In-Memory Passwords
Dump memory to search for passwords:
SSH Key
Search for SSH keys on the system:
Cron Jobs
Check cron jobs:
If you find a writable cron job, you can inject your own commands.
Systemd Timers
List systemd timers that could be manipulated:
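A writable cron job (the case named two headings above) is easy to describe but tedious to find by hand across /etc/crontab and /etc/cron.d, so here is an added example, not code from the original page, that does the check from the administrator's side: it parses system crontab entries (the format with a user field, including @reboot-style lines), takes the executable from each command, and reports targets that are writable by a group or by others, owned by a non-root uid, missing, or looked up through PATH. The crontab text, the directory table and the probe are constructed for the example; replace `sample_probe` with `real_probe` to audit a live host.

```python
"""Find system cron jobs whose command a non-root user could tamper with.

Added example, not code from the original page. Parses /etc/crontab and
/etc/cron.d-style entries (the ones with a user field) and checks the command's
executable and its parent directory through an injected probe.
"""
import os
import re
import shlex
import stat
from typing import Callable, Dict, List, Optional, Tuple

Probe = Callable[[str], Optional[Tuple[int, int]]]  # path -> (uid, mode) or None

SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\s+")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Return {user, command, line} per job; comments and VAR=value lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        m = SPECIAL.match(line)
        if m:                                   # @reboot user command
            rest = line[m.end():].split(None, 1)
        else:                                   # m h dom mon dow user command
            parts = line.split(None, 6)
            rest = parts[5:] if len(parts) == 7 else []
        if len(rest) == 2:
            jobs.append({"user": rest[0], "command": rest[1], "line": raw})
    return jobs


def weak_perms(info: Tuple[int, int], trusted_uids=(0,)) -> Optional[str]:
    """Describe how a path could be modified by someone other than root, else None."""
    uid, mode = info
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    if uid not in trusted_uids:
        return f"owned by uid {uid}"
    return None


def audit_cron(text: str, probe: Probe) -> List[Dict[str, str]]:
    """One finding per job whose executable (or its directory) is not root-controlled."""
    findings = []
    for job in parse_system_crontab(text):
        try:
            exe = shlex.split(job["command"])[0]
        except (ValueError, IndexError):
            continue
        if not exe.startswith("/"):
            findings.append(dict(job, target=exe, issue="relative command, resolved via PATH"))
            continue
        info = probe(exe)
        parent_info = probe(os.path.dirname(exe))
        parent_weak = weak_perms(parent_info) if parent_info else None
        if info is None:
            issue = "missing target" + (f", parent dir {parent_weak}" if parent_weak else "")
            findings.append(dict(job, target=exe, issue=issue))
        elif weak_perms(info):
            findings.append(dict(job, target=exe, issue=f"target {weak_perms(info)}"))
        elif parent_weak:
            findings.append(dict(job, target=exe, issue=f"parent dir {parent_weak}, target replaceable"))
    return findings


def real_probe(path: str) -> Optional[Tuple[int, int]]:
    """os.stat-backed probe for a live host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


# Constructed sample crontab and directory table (not taken from any real host).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup/backup.sh --quiet
@reboot         root    /home/dev/scripts/startup.sh
0 3     * * *   root    /usr/local/bin/cleanup.sh
30 2    * * *   backup  /usr/local/bin/rotate-logs
"""
SAMPLE_FS = {
    "/opt/backup": (0, 0o755), "/opt/backup/backup.sh": (0, 0o775),         # group-writable script
    "/home/dev/scripts": (1000, 0o755), "/home/dev/scripts/startup.sh": (1000, 0o755),
    "/usr/local/bin": (0, 0o755), "/usr/local/bin/rotate-logs": (0, 0o755),  # cleanup.sh is absent
}


def sample_probe(path: str) -> Optional[Tuple[int, int]]:
    return SAMPLE_FS.get(path)


if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for f in audit_cron(fh.read(), real_probe):
            print(f"{f['user']:8} {f['target']:40} {f['issue']}")
```

Jobs that run as root but execute a script owned by an ordinary user, or a script sitting in a group-writable directory, are the ones to fix first (chown to root, mode 0755 or tighter on both the script and its directory); a relative command is only as safe as the PATH= line at the top of the crontab, which the PATH audit above can check.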
SUID binaries run with elevated privileges:
Create a SUID Binary
If you can create a SUID binary, you can escalate privileges:
Compile and set SUID:
Capabilities
List Capabilities of Binaries
Linux capabilities allow binaries to perform privileged operations:
Edit Capabilities
If you find writable binaries with capabilities:
Interesting Capabilities
Look for binaries with capabilities like cap_setuid, cap_dac_override, or cap_sys_admin that can help escalate privileges.
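Reading the output of `getcap -r /` by eye misses things once a system has more than a handful of entries, so here is an added example, not code from the original page, that parses both getcap output styles (`path = caps+ep` from older libcap and `path caps=ep` from libcap 2.41 and later) and reports every binary holding a capability such as cap_setuid, cap_dac_override or cap_sys_admin in its effective or permitted set. The getcap output shown is constructed, and the list of capabilities treated as dangerous, the function names and the assumption that paths contain no spaces are this example's own.

```python
"""Flag file capabilities that amount to root, parsed from `getcap -r /` output.

Added example, not code from the original page. Both getcap output styles are
handled: "path = caps+ep" (older libcap) and "path caps=ep" (libcap 2.41+).
Paths containing spaces are assumed not to occur.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Capabilities whose effective or permitted bit on a binary is worth a finding.
DANGEROUS = {
    "all": "full capability set",
    "cap_setuid": "can change to uid 0",
    "cap_setgid": "can change group ids",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "can read any file and traverse any directory",
    "cap_sys_admin": "broad administrative operations, including mounts",
    "cap_sys_ptrace": "can attach to other users' processes",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks on files",
    "cap_setfcap": "can set capabilities on other files",
}

# One clause of the textual cap format: names, operator, flag letters (e, i, p).
CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+-])([eip]*)$")


def parse_getcap_line(line: str) -> Optional[Tuple[str, Dict[str, Set[str]]]]:
    """Return (path, {capability: set of flags}) or None for a blank/odd line."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    path, spec = parts
    if spec.startswith("= "):        # old format: "path = cap_x+ep"
        spec = spec[2:]
    caps: Dict[str, Set[str]] = {}
    for clause in spec.split():
        m = CLAUSE.match(clause)
        if not m:
            continue
        names, op, flags = m.groups()
        for name in (names.split(",") if names else ["all"]):   # "=ep" alone means all caps
            current = caps.setdefault(name, set())
            if op == "-":
                current.difference_update(flags)
            else:                    # '=' and '+' both grant the listed flags
                current.update(flags)
    return path, caps


def dangerous_caps(getcap_output: str) -> List[Tuple[str, str, str]]:
    """(path, capability, why) for every dangerous cap that is effective or permitted."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if name in DANGEROUS and flags & {"e", "p"}:
                findings.append((path, name, DANGEROUS[name]))
    return findings


# Constructed getcap output mixing both formats; not captured from a real host.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/lib/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/opt/tools/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/helper cap_dac_override,cap_sys_admin=p
"""

if __name__ == "__main__":
    out = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                         stderr=subprocess.DEVNULL, text=True).stdout
    for path, cap, why in dangerous_caps(out):
        print(f"{path}: {cap} ({why})")
```

Network capabilities on ping or tcpdump are expected and pass silently; an interpreter or a custom helper carrying cap_setuid or cap_sys_admin is the kind of entry to remove with `setcap -r` or to replace with a narrower capability.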
Look for sudo privileges without requiring a password:
Use LD_PRELOAD to exploit vulnerable binaries:
Doas is an alternative to sudo. Check if it's configured:
Writable Files
Writable /etc/passwd
If /etc/passwd is writable, you can modify it to create a new user:
Writable /etc/sudoers
If writable, add a new sudo rule:
NFS Root Squashing
If root squashing is disabled, mount the NFS share and escalate privileges:
Shared Library Exploits
ldconfig
Check for writable paths in ldconfig:
RPATH
RPATH allows binaries to specify search paths for libraries. If vulnerable, this can be exploited by injecting malicious libraries.
Docker and LXC/LXD
Docker
If the user is part of the docker group, they can escalate privileges:
LXC/LXD
Exploit LXD by importing an image:
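Two of the conditions on this page leave traces in colon-separated system files: a modified /etc/passwd (the "Writable /etc/passwd" section) shows up as an extra uid 0 account or a password hash stored directly in the passwd entry, and membership of the docker or lxd group (this section) is recorded in /etc/group. The following is an added example, not code from the original page, that reads both files and reports those conditions; the passwd and group contents below are constructed, including the "support" account and its hash, and the set of groups treated as privileged is this example's own choice.

```python
"""Detect passwd tampering and privileged group membership from /etc/passwd and /etc/group.

Added example, not code from the original page. Sample file contents below are
constructed; run as a script to audit the live files.
"""
from typing import Dict, List, Tuple

# Groups whose membership is equivalent to, or a short step from, root.
PRIVILEGED_GROUPS = ("sudo", "wheel", "admin", "docker", "lxd", "disk")


def parse_colon_file(text: str) -> List[List[str]]:
    """Split an /etc/passwd- or /etc/group-style file into field lists."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """(account, issue) for entries that grant root or bypass /etc/shadow."""
    findings = []
    for fields in parse_colon_file(text):
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "extra uid 0 account"))
        if pw == "":
            findings.append((name, "empty password field, login without password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything else is a hash kept in passwd itself, which any user can read.
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


def audit_groups(text: str) -> Dict[str, List[str]]:
    """Members of each privileged group that has any members at all."""
    members: Dict[str, List[str]] = {}
    for fields in parse_colon_file(text):
        if len(fields) != 4:
            continue
        name, users = fields[0], fields[3]
        if name in PRIVILEGED_GROUPS and users:
            members[name] = users.split(",")
    return members


# Constructed samples: the "support" entry models a passwd edit that adds a root-
# equivalent account with its own hash, and "guest" has no password at all.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dev:x:1000:1000:Developer:/home/dev:/bin/bash
svc:x:1001:1001::/opt/svc:/usr/sbin/nologin
support:$6$constructedsalt$constructedhash:0:0::/root:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:dev
docker:x:999:dev,svc
lxd:x:998:dev
users:x:100:
"""

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for account, issue in audit_passwd(fh.read()):
            print(f"passwd: {account}: {issue}")
    with open("/etc/group") as fh:
        for group, users in audit_groups(fh.read()).items():
            print(f"group {group}: {', '.join(users)}")
```

The content checks complement, rather than replace, a permission check on the files themselves: /etc/passwd and /etc/group are meant to be root-owned and writable only by root, and /etc/sudoers is read-only even for root (0440). A clean run means no second uid 0 account, no hashes outside /etc/shadow, no password-less logins, and a known list of who can reach root through sudo, docker or lxd.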
Hijack TMUX Session
If a TMUX session is running as root, hijack it:
CVE-2022-0847 (DirtyPipe)
Exploit DirtyPipe for privilege escalation:
CVE-2016-5195 (DirtyCow)
Exploit DirtyCow for privilege escalation:
CVE-2010-3904 (RDS)
RDS socket vulnerability:
CVE-2010-4258 (Full Nelson)
Full Nelson exploit for privilege escalation:
CVE-2019-14287
This exploit allows for privilege escalation if a misconfigured sudo is in place:
CVE-2012-0056 (Mempodipper)
Mempodipper is a kernel exploit for privilege escalation: