Linux

Gathering Info

whoami
id
groups
cat ~/.bash_history
uname -a

Check for passwords in environment variables

env

Find files

Files owned by your user

Victim

find / -user $USER 2>/dev/null

Files owned by group

Victim

find / -type f -group $GROUP 2>/dev/null

Find passwords

Victim

Weak File Permissions

Readable /etc/shadow

Weak File Permissions - Readable /etc/shadow

Writable /etc/shadow

Weak File Permissions - Writable /etc/shadow

Writable /etc/passwd

Weak File Permissions - Writable /etc/passwd

Cron Jobs

Finding & Comments

We have permission to overwrite the contents of the file the cron job runs.

The cron job does not use an absolute path, so the lookup can be pointed at a different file.

Victim

Possible other places crons are running

Victim

Cron Jobs - File Permissions

Examples

Cron Jobs - File Permissions

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

View the contents of the system-wide crontab.

Victim

There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.

Locate the full path of the overwrite.sh file.

Victim

Note that the file is world-writable.

Victim

Cron Jobs - PATH Environment Variable

Examples

Cron Jobs - PATH Environment Variable

View the contents of the system-wide crontab

Victim

Note that the PATH variable starts with /home/user, which is our user's home directory. Create a file called overwrite.sh in your home directory with the following contents:

overwrite.sh

Make sure that the file is executable

Victim

Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:

Victim

Cron Jobs - Wildcards

Examples

Cron Jobs - Wildcards

View the contents of the other cron job script

Victim

Note that the tar command is being run with a wildcard (*) in your home directory.

Sudo/SUID/Capabilities

Run all of these commands, then check https://gtfobins.github.io/. They may give different results.

Check what can be run with NOPASSWD

Victim

SUID / SGID Executables - Known Exploits

Find all the SUID/SGID executables.

Victim

Finding / Comments

base64: read files we shouldn't have access to read

find: privilege escalation

SUID / SGID Executables - Shared Object Injection

SUID / SGID Executables - Shared Object Injection

SUID / SGID Executables - Environment Variables

SUID / SGID Executables - Environment Variables

SUID / SGID Executables - Abusing Shell Features

SUID / SGID Executables - Abusing Shell Features (#1)

SUID / SGID Executables - Abusing Shell Features (#2)

Sudo - Environment Variables

LD_LIBRARY_PATH

Examples

Sudo - Environment Variables

preload.c - code

library_path.c

Sudo can be configured to inherit certain environment variables from the user's environment. Check which environment variables are inherited (look for the env_keep options):

Victim

LD_PRELOAD and LD_LIBRARY_PATH are both inherited from the user's environment. LD_PRELOAD loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

Create a shared object using the code located at /home/user/tools/sudo/preload.c.

Victim

Victim

A root shell should spawn. Exit out of the shell before continuing. Depending on the program you chose, you may need to exit out of this as well.

Run ldd against the apache2 program file to see which shared libraries are used by the program.

Victim

Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c.

Victim

Victim

LD_PRELOAD

Examples

Road

If LD_PRELOAD is kept by sudo, try the code below, then run it against a program we are allowed to run with NOPASSWD.

Victim

preload.c - code

Victim
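An audit that replays the env_keep lines of a sudoers file (the setting the env_keep check in the Sudo - Environment Variables notes above looks for, and the one this LD_PRELOAD note depends on) and reports which loader-controlling variables a program run through sudo would inherit. This is an added example, not code from the original page; the sudoers excerpt is constructed and the RISKY list is this example's own choice.

```python
import re

# Constructed sudoers excerpt (not taken from a real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep += "LANG LC_ALL"
Defaults    env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
Defaults    env_keep -= "LD_LIBRARY_PATH"
user ALL=(root) NOPASSWD: /usr/sbin/apache2
"""

# Variables this example treats as loader-controlling; the list is our own choice.
RISKY = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PYTHONPATH", "PERL5LIB"}
ENV_KEEP = re.compile(r"^\s*Defaults\b[^#\n]*?\benv_keep\s*(\+=|-=|=)\s*(.+)$")


def kept_env(sudoers_text):
    """Replay every env_keep assignment in file order and return the final set."""
    kept = set()
    for line in sudoers_text.splitlines():
        m = ENV_KEEP.match(line)
        if not m:
            continue
        op, names = m.group(1), set(m.group(2).strip().strip('"').split())
        if op == "=":
            kept = names
        elif op == "+=":
            kept |= names
        else:
            kept -= names
    return kept


def env_reset_disabled(sudoers_text):
    """True if a Defaults line turns env_reset off, so every variable passes through."""
    return bool(re.search(r"^\s*Defaults\b.*!env_reset\b", sudoers_text, re.M))


def risky_kept(sudoers_text):
    """Risky variables sudo would inherit from the caller; '*' means everything."""
    if env_reset_disabled(sudoers_text):
        return ["*"]
    kept = kept_env(sudoers_text)
    return sorted(v for v in kept if v in RISKY or v.startswith("LD_"))
```

On a live host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` (or, without root, the Defaults lines printed by `sudo -l`).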

Files with SUID-bit set

Victim

Finding / Comments

setcap: If setcap has the SUID bit set, that is very interesting (check out the linked room). It could lead to privilege escalation by setting capabilities on other binaries.

Programs in strange locations: If there is a program running from a user's home directory or somewhere else unusual, it may be worth investigating.

find: can spawn a shell

doas: can read files or copy files

strings: can read files

cputils: can copy files

tar: can spawn a shell

grep: can read files

Getcap

Victim

Finding / Comments

python: If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

vim: can spawn a shell

perl: can spawn a shell

openssl: can spawn a shell

Service Exploits


PATH Variables

Examples

Hacker vs. Hacker

Exploiting Crontab

Look at the paths; below is an example of a cron job. It looks in /home/lachlan/bin before /bin and /usr/bin, so we can replace pkill because the cron job does not use its exact path. This means we can put a new file called /home/lachlan/bin/pkill with whatever we want in it and it will run as root.

Victim

Possible other places crons are running

Victim

Victim (lachlan)

Add path

Example

Exploiting PATH Variable

If a cron job does not specify the full path of a command, we may be able to change PATH so that the lookup resolves to another file.

Before we change PATH, we can see that ls resolves to /bin/ls.

After running the command below, ls resolves to our script instead.

Victim
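A defender-side check for the weaknesses described in the Cron Jobs notes above (file permissions, PATH, wildcards) and in this PATH variable section: it audits a system crontab for scripts writable by non-root users, relative commands resolved through a writable PATH directory, and wildcard arguments. This is an added example, not code from the original page or any room it links; the crontab text and the filesystem view are constructed, and real_fs is this example's own helper for a live host.

```python
import os, re, shlex, stat

# Constructed sample crontab modelled on the notes above (not a real host's file).
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/bin
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
0 3 * * * root /bin/tar czf /tmp/backup.tgz *
"""
# Constructed filesystem view for offline runs: path -> (exists, writable by non-root).
SAMPLE_FS = {"/home/user": (True, True), "/usr/local/bin/overwrite.sh": (True, True),
             "/usr/local/bin/compress.sh": (True, False), "/bin/tar": (True, False)}

def real_fs(path):  # live check: unsafe unless root-owned and not group/other-writable
    try:
        st = os.stat(path)
    except OSError:
        return (False, False)
    return (True, st.st_uid != 0 or bool(st.st_mode & stat.S_IWOTH)
            or (bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0))

def audit_crontab(text, fs=real_fs):
    """Return (command, issue) findings for a system crontab (user field present)."""
    findings, path_dirs = [], ["/usr/bin", "/bin"]  # cron's default search path
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"): continue
        var = re.match(r"^(\w+)=(.*)$", line)  # environment line such as PATH=
        if var:
            if var.group(1) == "PATH":
                path_dirs = var.group(2).strip('"').split(":")
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        argv = shlex.split(fields[6]) if len(fields) > 6 else []
        if not argv: continue
        cmd, prog = fields[6], argv[0]
        if "/" not in prog:  # relative name: cron walks PATH and the first hit wins
            for d in path_dirs:
                if fs(d)[1]:
                    findings.append((cmd, f"PATH dir {d} searched for {prog} is writable by non-root"))
                if fs(os.path.join(d, prog))[0]:
                    prog = os.path.join(d, prog)
                    break
        if fs(prog)[1]:
            findings.append((cmd, f"{prog} is writable by non-root"))
        if any("*" in a for a in argv[1:]):
            findings.append((cmd, "wildcard argument: crafted filenames are parsed as options"))
    return findings
```

Call audit_crontab(SAMPLE_CRONTAB, lambda p: SAMPLE_FS.get(p, (False, False))) for the offline sample, or audit_crontab(open("/etc/crontab").read()) on a live host.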

Passwords & Keys

History Files

Examples

Passwords & Keys - History Files

Victim

Config Files

Examples

Passwords & Keys - Config Files

Victim

SSH Keys

Copy keys from Victim

Examples

Passwords & Keys - SSH Keys

Look for hidden files & directories in the system root.

Victim

Copy the key over to your Kali box (it's easier to just view the contents of the $KEY file and copy/paste the key) and give it the correct permissions, otherwise your SSH client will refuse to use it.

Kali

Add Keys to Victim

Examples

Madeye's Castle

Kali

Victim

Kali

NFS

Examples

NFS

Linux Privilege Escalation

Linux PrivEsc Arena

Option #1

Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.

Check the NFS share configuration on the Debian VM.

Victim

no_root_squash is present

Note that the /tmp share has root squashing disabled.

On your Kali box, switch to your root user if you are not already running as root.

Kali

Using Kali's root user, create a mount point on your Kali box and mount the /tmp share (update the IP accordingly).

Kali

Still using Kali's root user, generate a payload using msfvenom and save it to the mounted share (this payload simply calls /bin/bash).

Kali

Still using Kali's root user, make the file executable and set the SUID permission.

Kali

Back on the Debian VM, as the low privileged user account, execute the file to gain a root shell.

Victim
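A parser for /etc/exports that flags every share and client exported with no_root_squash, the setting Option #1 above depends on. This is an added example, not code from the original page; the exports file is constructed.

```python
import re

# Constructed /etc/exports (not a real host's file).
SAMPLE_EXPORTS = """\
# /etc/exports
/tmp *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(rw,sync) 10.0.0.5(rw,no_root_squash)
/var/www *(ro)
"""

CLIENT = re.compile(r"^([^(]*)(?:\((.*)\))?$")  # host(opts), bare host, or (opts)


def parse_exports(text):
    """Return (path, client, options) triples, one per client of every export line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        parts = line.split(None, 1)
        if not parts:
            continue
        path, clients = parts[0], parts[1] if len(parts) > 1 else ""
        for token in clients.split():
            m = CLIENT.match(token)
            host = m.group(1) or "*"  # "(opts)" with no host applies to every client
            opts = [o for o in (m.group(2) or "").split(",") if o]
            out.append((path, host, opts))
    return out


def unsquashed(text):
    """Exports where a remote root keeps uid 0 on the server: (path, client, writable)."""
    return [(p, c, "rw" in o) for p, c, o in parse_exports(text) if "no_root_squash" in o]
```

On a live host, run unsquashed(open("/etc/exports").read()); a writable share in that list is the condition the walkthrough above relies on.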

Option #2

Victim

Kali

nfc.c

Kali

Victim

Kernel Exploits

Examples

Kernel Exploits

Writable Files

Files where the group permission includes write

Ports

You may find open ports that are only accessible internally.

LXD

Examples

AnonymousGamingServer

Resources

https://www.hackingarticles.in/lxd-privilege-escalation/

Victim

Kali

Note: the lxd init command was run to resolve a storage pool issue; it may not always be needed.

Victim

PolKit

Examples: Hip Flask

See if it exists.

Kali

Check out this room for more details

Monitor Processes

Examples

Enumeration

Victim

PSPY

A script that can monitor Linux processes without root access.

Kali

Victim

Docker Breakout / Privilege Escalation

Examples

Container Vulnerabilities

UltraTech

dogcat

The Marketplace

Chill Hack

The Docker Rodeo

The Great Escape

Umbrella

Copy Material from here:

https://tryhackme.com/room/linprivesc

Automated Enumeration Tools

Room with other things to try

https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc

Other Cheat sheets

https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics
