Linux
This section contains a set of techniques that can be used to perform privilege escalation on Linux systems.
This subsection contains valuable tools to identify potential privilege escalation vectors.
: Search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.
: Scripted Local Linux Enumeration & Privilege Escalation Checks.
: Detects known vulnerabilities in the Linux kernel.
: Enumerate basic system info and search for common privilege escalation vectors such as writable files, misconfigurations, clear-text passwords and applicable exploits.
: Monitor Linux processes without root permissions.
Local Exploit Suggester: Metasploit module (post/multi/recon/local_exploit_suggester) for meterpreter sessions that enumerates the system looking for potential privilege escalation vectors.
The SUID (set-user-ID) bit lets any user run an executable with the privileges of the file's owner; the SGID bit does the same for the file's group.
Find SUID files with the following commands:
There might be a case where a SUID binary executes a program by its absolute path.
You can export a shell function named after that absolute path, obtaining a shell as the SUID user.
If there is a SUID file that executes a command by a relative name (resolved through PATH), as you can see below, an attacker can change PATH so that a malicious file of the same name is found first.
In order to exploit the vulnerability, look at this example.
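As an added defender-side example (not code from the original page), the following Python script audits a filesystem tree for set-user-ID and set-group-ID files and flags the two conditions that make such a binary an easy target: being writable by group or others, and being a root-owned SUID binary outside the directories where package-managed binaries normally live. The EXPECTED_DIRS baseline is an assumption made for this example and should be tuned to the distribution being audited.

```python
import os
import stat

# Constructed baseline for this example: directories in which package-managed
# set-id binaries are normally installed. Adjust to the distribution you audit.
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                 "/usr/lib/", "/usr/libexec/")


def find_setid_files(root):
    """Return (path, mode, uid) for every regular file under `root` that has
    the set-user-ID or set-group-ID bit. Symlinks are not followed and
    unreadable entries are skipped so one permission error does not abort
    the walk."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid))
    return hits


def classify(path, mode, uid):
    """Findings for one set-id file; an empty list means nothing stood out."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Anyone who can write the file can replace the code that runs with
        # the owner's privileges.
        findings.append("writable by group or others")
    if mode & stat.S_ISUID and uid == 0 and not path.startswith(EXPECTED_DIRS):
        # Root-owned SUID binaries outside the usual system directories are
        # worth a closer look (leftover build, dropped backdoor, custom tool).
        findings.append("root SUID binary outside system directories")
    return findings


def audit(root="/"):
    """Map each set-id file under `root` to its list of findings."""
    return {path: classify(path, mode, uid)
            for path, mode, uid in find_setid_files(root)}


if __name__ == "__main__":
    for path, findings in sorted(audit().items()):
        print(f"{path}: {', '.join(findings) if findings else 'ok'}")
```

Run it periodically and diff the output against a known-good baseline; a new set-id file, or one whose findings list changes, is the signal to investigate.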
When a binary is executed, the dynamic loader looks for the shared objects it needs. You can use strace to track which shared objects are requested.
If a shared object is not found, you can create a malicious object to spawn a shell.
Because you have write permission on the user's home directory, you can create the libcalc.so file there.
In order to specify the user, you need to provide the flag -u; by default, the user will be root.
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries or shared objects that the loader loads before any other shared library, including the C runtime library (libc.so).
You can escalate privileges if you can execute a program with sudo and sudo preserves the LD_PRELOAD environment variable.
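As an added defender-side example (not code from the original page), the following Python script replays the env_keep directives of a sudoers file and reports which injection-capable variables sudo would preserve for a privileged command; a weak fragment is shown beside a corrected one. Both sudoers fragments and the DANGEROUS_ENV list are constructed for this example.

```python
import re

# Variables that let a caller inject code into a privileged process when sudo
# passes them through. The list is this example's own; extend it as needed.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PYTHONPATH", "PERL5OPT"}

# Matches "Defaults", "Defaults:user", "Defaults@host", ... followed by env_keep.
_ENV_KEEP = re.compile(r"^\s*Defaults\S*\s+env_keep\s*([+-]?=)\s*(.*?)\s*$")


def _logical_lines(text):
    """Join backslash-continued lines and strip '#' comments, as sudo's parser does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def preserved_env(sudoers_text):
    """Replay every env_keep assignment in file order and return the variable
    names sudo will keep: '=' replaces the list, '+=' adds, '-=' removes."""
    kept = set()
    for line in _logical_lines(sudoers_text):
        m = _ENV_KEEP.match(line)
        if not m:
            continue
        op, value = m.groups()
        names = set(value.strip('"').split())
        if op == "=":
            kept = names
        elif op == "+=":
            kept |= names
        else:
            kept -= names
    return kept


def dangerous_env(sudoers_text):
    """Preserved variables that allow library or interpreter injection."""
    return sorted(preserved_env(sudoers_text) & DANGEROUS_ENV)


# Constructed sudoers fragments for this example (not from any real host).
WEAK = '''Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
Defaults env_keep += "LANG LC_ALL \\
                      LD_LIBRARY_PATH"
backup ALL=(root) NOPASSWD: /usr/bin/tar
'''

HARDENED = '''Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
backup ALL=(root) NOPASSWD: /usr/bin/tar
'''

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {dangerous_env(text) or 'no dangerous variables kept'}")
```

The fix is simply not to add LD_* variables to env_keep; with env_reset in place (sudo's default) they are dropped. On a live host, sudo -l prints the matching Defaults entries, so the effective env_keep list can be confirmed without reading /etc/sudoers directly.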
If you have write permission on the /etc/passwd file, then you can set your own password for the root user. This works because the system checks a password hash present in /etc/passwd rather than the one in /etc/shadow.
To create the password hash, run the following command. Then, modify /etc/passwd and log in as root.
If you can read the files /etc/shadow and /etc/passwd, then you can create an unshadowed file allowing you to crack the stored hashes.
You can use the same method shown in the /etc/shadow section to escalate privileges.
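As an added defender-side example (not code from the original page), this Python script checks /etc/passwd content for the conditions the technique above relies on or leaves behind: a password hash stored directly in /etc/passwd, an empty password field, or a second uid 0 account. A second function checks that /etc/passwd and /etc/shadow are no more permissive than they should be, which also covers the readable /etc/shadow case. The sample passwd content and its hash string are constructed placeholders.

```python
import os
import stat

# Password-field values that mean "no hash stored here" rather than a hash:
# 'x' defers to /etc/shadow, the others mark locked accounts.
NOT_A_HASH = {"x", "*", "!", "!!", "*LK*", "*NP*"}


def audit_passwd(text):
    """Scan /etc/passwd content; return (line_no, finding, account) tuples."""
    findings, uid0 = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((no, "malformed entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((no, "empty password field", name))
        elif pw not in NOT_A_HASH and not pw.startswith("!"):
            # A hash here is used instead of the /etc/shadow entry, which is
            # exactly what a writable /etc/passwd lets an attacker plant.
            findings.append((no, "password hash stored in passwd", name))
        if uid == "0":
            uid0.append((no, name))
    for no, name in uid0:
        if name != "root":
            findings.append((no, "extra uid 0 account", name))
    return findings


def too_permissive(path, allowed_mode):
    """True if `path` grants any permission bit beyond `allowed_mode`
    (e.g. allowed 0o640 for /etc/shadow, 0o644 for /etc/passwd)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & ~allowed_mode)


# Constructed sample; "$6$EXAMPLESALT$EXAMPLEHASH" is a placeholder, not a real hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:$6$EXAMPLESALT$EXAMPLEHASH:0:0::/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for no, finding, who in audit_passwd(fh.read()):
            print(f"/etc/passwd:{no}: {finding} ({who})")
    for path, allowed in (("/etc/passwd", 0o644), ("/etc/shadow", 0o640)):
        if too_permissive(path, allowed):
            print(f"{path}: mode wider than {allowed:o}")
```

On a healthy system every password field is "x" or a lock marker, only root has uid 0, and /etc/shadow is readable only by root and the shadow group; any other result is worth an incident ticket rather than a quiet fix.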
If you have write permission to any authorized_keys file, you can append your own SSH public key to it, allowing you to access the machine through SSH as that user.
Some users' SSH private keys might be stored on the system.
Once you find them, you can obtain access as those users through SSH.
Cron runs commands or scripts at scheduled times; if an attacker can modify one of them, the job will execute arbitrary commands or files with the job's privileges.
You can use the command cat /etc/crontab to view what cron jobs are scheduled.
There might be Linux commands executed with elevated privileges that use wildcards.
In this example, you will see how to exploit the wildcard vulnerability for the tar binary. However, there are more ways to exploit this vulnerability, as you can see here.
For the tar command, it can be exploited with the following commands.
Once the script is executed, you will have a root SUID bash file.
Note: remember to execute it like this: /tmp/bash -p.
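As an added defender-side example covering the cron and wildcard passages above (not code from the original page), this Python script parses a system crontab, reports jobs that pass an unquoted glob to a tool such as tar whose option parsing the wildcard trick abuses, and reports jobs whose script file is writable by group or others. The GLOB_SENSITIVE list and the sample crontab are constructed for this example.

```python
import os
import shlex
import stat

# Tools that treat a file name beginning with '-' as an option, so an unquoted
# glob expanding in a directory the attacker can write to becomes a way to
# smuggle options into a privileged job. Constructed list for this example.
GLOB_SENSITIVE = {"tar", "rsync", "chown", "chmod", "zip", "7z"}
SEPARATORS = {"&&", "||", ";", "|"}


def parse_system_crontab(text):
    """Yield (line_no, user, command) for every job in /etc/crontab or
    /etc/cron.d format (schedule, user, command). Comments and variable
    assignments such as PATH=... are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):           # @reboot, @daily, ...
            fields = line.split(None, 2)
        else:                              # m h dom mon dow
            fields = line.split(None, 6)
        if len(fields) == (3 if line.startswith("@") else 7):
            yield no, fields[-2], fields[-1]


def wildcard_findings(command):
    """Unquoted glob arguments handed to a glob-sensitive tool in `command`."""
    try:
        tokens = shlex.split(command, posix=False)  # keep quotes visible
    except ValueError:
        return []
    findings, current = [], None
    for tok in tokens:
        if tok in SEPARATORS:
            current = None                   # next token starts a new command
        elif current is None:
            current = os.path.basename(tok)
        elif current in GLOB_SENSITIVE and tok[0] not in "'\"" and "*" in tok:
            findings.append(f"unquoted glob {tok!r} passed to {current}")
    return findings


def script_writable_by_others(command):
    """If the job's first word is an existing file, say whether group or
    others can modify it; None when it is not a file on this host."""
    words = command.split()
    if not words or not os.path.isfile(words[0]):
        return None
    return bool(os.stat(words[0]).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text):
    """Return (line_no, user, finding) for every suspicious job."""
    report = []
    for no, user, command in parse_system_crontab(text):
        for finding in wildcard_findings(command):
            report.append((no, user, finding))
        if script_writable_by_others(command):
            report.append((no, user, f"script {command.split()[0]} is writable by group/others"))
    return report


# Constructed /etc/crontab content for this example.
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/5 * * * * root cd /var/www/html && tar czf /var/backups/site.tgz *
0 2 * * * root /usr/local/bin/rotate-logs.sh
@reboot root /opt/app/start.sh
"""

if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for no, user, finding in audit_crontab(fh.read()):
            print(f"/etc/crontab:{no} ({user}): {finding}")
```

The remediation for a flagged tar job is to name the inputs explicitly or terminate option parsing with "--" before the glob, and to keep the directory the job reads from unwritable by unprivileged users; the same audit can be pointed at the files in /etc/cron.d, which share this format.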
By default, root squashing is enabled in the NFS service, which maps requests from a remote root user to an unprivileged user and so prevents anyone with access to the NFS share from gaining root access to the NFS volume. If it is disabled (the no_root_squash export option), a remote user can create a SUID file on the share and use it to become root on the system.
As can be seen in the configuration, the share is exported with no_root_squash, i.e. root squashing is disabled.
Hence, following the instructions of this example, you can escalate privileges.
If bash -p does not work, use the following method:
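As an added defender-side example (not code from the original page), the following Python script parses /etc/exports syntax and reports the weak settings discussed above: no_root_squash, the insecure option, writable exports to any client, and the classic "host (options)" mistake where a space before the parenthesis applies the options to every client instead of the named host. The sample export lines are constructed, with the weak line shown beside a corrected one.

```python
import re

# Export options that widen exposure (messages constructed for this example).
RISKY = {
    "no_root_squash": "remote root keeps uid 0 on the share, so it can plant SUID files",
    "insecure": "accepts requests from unprivileged source ports",
}

# Matches "host(opts)", "host (opts)" (note the captured gap) or a bare "host".
_ENTRY = re.compile(r"([^\s(]*)(\s*)\(([^)]*)\)|([^\s(]+)")


def parse_exports(text):
    """Yield (line_no, path, host, options, gap) for each client of each
    export; `gap` is True when whitespace separates the host from its
    option list."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for host, gap, opts, bare in _ENTRY.findall(rest):
            if bare:
                yield no, path, bare, [], False
            else:
                options = [o.strip() for o in opts.split(",") if o.strip()]
                yield no, path, host, options, bool(gap)


def audit_exports(text):
    """Return (line_no, 'path -> host', finding) for every weak export."""
    findings = []
    for no, path, host, opts, gap in parse_exports(text):
        # exportfs reads "host (opts)" as: host gets defaults, everyone gets opts.
        effective_host = "*" if (gap or host == "") else host
        where = f"{path} -> {effective_host}"
        if gap:
            findings.append((no, where,
                             f"space before '(' applies these options to all clients, not to {host}"))
        for opt in opts:
            if opt in RISKY:
                findings.append((no, where, f"{opt}: {RISKY[opt]}"))
        if effective_host == "*" and "rw" in opts:
            findings.append((no, where, "writable export to any client"))
    return findings


# Constructed /etc/exports contents: the weak line beside a corrected one.
WEAK = "/srv/share *(rw,sync,no_root_squash)\n"
HARDENED = "/srv/share 10.0.0.0/24(rw,sync,root_squash)\n"

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_exports(text) or "no findings")
```

Restrict each export to the client range that needs it and leave root squashing on; if an application really needs uid 0 on the share, that share should be exported only to the specific host and never mounted where untrusted users can reach it.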
If you can run docker or lxd, you can create a container that mounts the host file system, giving you access to every file as root.
Usually, there are no images installed on the system, so you need to build one manually and then transfer it to the target host.
This subsection contains a list of the most common kernel exploits you can find on a Linux system.
Once a SUID file has been detected, look it up on , where you can find several ways to exploit the binary to escalate privileges.
With sudo, you can execute certain binaries or commands as the specified user. Through you can find the way to escalate privileges depending on the command.
However, enumerating the /etc/crontab file might not always work due to a lack of privileges, or it might appear empty even though there are cron jobs. So, you can use to look for cron jobs.
Linux capabilities grant a process some of root's privileges, as SUID does but more granularly. There are several ways to exploit these capabilities, but this subsection only shows how to exploit the cap_setuid capability.
In order to know which capabilities are set, you can execute the following command or the script .
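As an added defender-side example (not code from the original page), this Python script parses getcap output in both the older "path = caps" and the newer "path caps" formats and reports files carrying a capability that is on its own enough to become root or read any file, cap_setuid being the case discussed above. The ROOT_EQUIVALENT list and the sample getcap output are constructed for this example.

```python
import re
import subprocess

# Capabilities that on their own are enough to become root or read any file.
# The list and descriptions are this example's own; cap_setuid is the case
# discussed above.
ROOT_EQUIVALENT = {
    "cap_setuid": "can switch to uid 0",
    "cap_setgid": "can switch to gid 0",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "can read any file, including /etc/shadow",
    "cap_chown": "can take ownership of any file",
    "cap_sys_admin": "broad administrative control",
    "cap_sys_ptrace": "can attach to and control other processes",
    "cap_sys_module": "can load kernel modules",
}

# getcap prints either "path = caps" (older libcap) or "path caps" (newer).
_LINE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>.+)$")
# One clause: comma-separated names, an operator, then flag letters (e, i, p).
_CLAUSE = re.compile(r"^([\w,]+)([=+-])([eip]*)$")


def parse_getcap(output):
    """Yield (path, capability, flags) for every capability named in getcap output."""
    for raw in output.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue
        for clause in m.group("caps").split():
            cm = _CLAUSE.match(clause)
            if not cm:
                continue
            names, op, flags = cm.groups()
            if op == "-":            # clause removes flags; nothing is granted
                continue
            for cap in names.split(","):
                yield m.group("path"), cap, flags


def audit_getcap(output):
    """(path, capability, why) for root-equivalent capabilities that are
    permitted or effective for the file."""
    return [(path, cap, ROOT_EQUIVALENT[cap])
            for path, cap, flags in parse_getcap(output)
            if cap in ROOT_EQUIVALENT and set(flags) & {"e", "p"}]


# Constructed getcap output mixing both output formats.
SAMPLE_GETCAP = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/local/bin/backup cap_dac_read_search,cap_chown=ep
"""

if __name__ == "__main__":
    # Same data as the usual "getcap -r / 2>/dev/null" enumeration.
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    for path, cap, why in audit_getcap(proc.stdout):
        print(f"{path}: {cap} ({why})")
```

An interpreter or generic tool with cap_setuid is effectively a SUID-root binary and should be stripped with setcap -r; cap_net_raw on ping, by contrast, is the intended use of file capabilities and is not flagged.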
RDS (CVE-2010-3904) <= 2.6.36-rc8:
FULL NELSON (CVE-2010-4258) <= 2.6.37:
MEMPODIPPER (CVE-2012-0056) [ 2.6.39, 3.2.2 ]:
DirtyCow (CVE-2016-5195) <= 3.19.0-73.8:
Polkit's pkexec (CVE-2021-4034):