Linux Privilege Escalation

Introduction

  • In Linux, root is the highest privilege level, and gaining root is the goal of a privilege escalation attack. After gaining initial access to a system, the following things are typically explored to identify potential paths to root:

    • OS Version: Identifying the specific OS version can help in searching for public exploits targeting that version.

    • Kernel Version: Similar to the OS version, the kernel version allows for checking known kernel vulnerabilities.

    • Running Services: Outdated or misconfigured services can provide a way to escalate privileges.

    • Installed Packages and Versions: Check for outdated or vulnerable packages.

    • Logged-in Users: Information about other logged-in users can offer ideas for lateral movement.

    • User Home Directories: Home directories often contain valuable information, such as scripts, SSH keys, or sensitive files.

    • User Bash History: Bash history files can reveal sensitive information, like passwords if passed as command-line arguments.

    • Sudo Privileges: sudo -l shows which commands the user may run as root (or as another user). Entries marked NOPASSWD run without the user's password; even password-protected entries are a direct path to root when the allowed binary can spawn a shell or read and write arbitrary files (editors, pagers, interpreters, find, tar and similar).

    • Configuration Files: Files ending in .conf, .config, .ini or .env often contain credentials such as database usernames and passwords, API keys and service tokens.

    • Readable Shadow Files: If /etc/shadow is readable, it provides access to the hashed passwords of all system users, which can be cracked offline.

    • Password Hashes: /etc/passwd is world-readable by design. On legacy or misconfigured hosts the second field holds the password hash instead of the x placeholder that points to /etc/shadow; such hashes can be cracked offline, and an empty second field means the account needs no password at all.

    • Cron Jobs: Misconfigured cron jobs (e.g., those with weak permissions or insecure paths) can be exploited to execute code as root.

    • Unmounted File Systems and Additional Drives: These might contain sensitive data. Mounting them could expose information.

    • SETUID and SETGID Permissions: A binary with the SUID or SGID bit set runs with the privileges of its owner or group rather than those of the user who runs it. A root-owned SUID binary that can be made to spawn a shell, or to read or write arbitrary files, gives root directly.

    • Writeable Directories: These can be used to drop tools on the target system. If such a directory is also on root's PATH, or is referenced by a cron job or service, binaries can be planted there to hijack a lookup.

    • Writeable Files: A script or binary that cron, a service or another user runs as root, and that you can write to, can be modified to execute your commands with root privileges.

  • Commands:

ps aux | grep '^root' # List processes running as root (anchoring the pattern avoids matching "root" inside a command line)

history # Shows the current shell's history; ~/.bash_history and any readable history files of other users hold more

sudo -l # Lists the user's sudo rules; look for NOPASSWD entries and for binaries that can spawn a shell

find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null # Find world-writable directories (the explicit -print keeps the pruned /proc out of the output)

find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null # Find world-writable files
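The checks above are usually run one at a time by hand. The script below is an added example, not part of the original page or any tool it mentions: it wraps three of the checks (hashes or empty passwords in /etc/passwd, root cron jobs whose target script or directory is world-writable or is resolved through PATH, and a live SUID/SGID sweep) in small functions. The helper names, the sample /etc/passwd and crontab, the script paths under a temporary directory and the placeholder hash are all constructed here so the helpers can be exercised offline; run it with the argument live to point the same helpers at the real host.

```shell
#!/bin/sh
# Added triage helpers for the checks listed above. Not part of the original
# page. The sample /etc/passwd, crontab and scripts below are constructed so
# the helpers can be exercised offline; the hash in the sample is a placeholder.

# --- constructed sample data ------------------------------------------------
SAMPLE_PASSWD=$(mktemp)
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_PASSWD" "$SAMPLE_ROOT"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$salt$FAKEHASHFORILLUSTRATION:1001:1001::/home/legacy:/bin/bash
guest::1003:1003::/home/guest:/bin/sh
alice:x:1002:1002::/home/alice:/bin/bash
EOF

mkdir -p "$SAMPLE_ROOT/opt/backup"
chmod 755 "$SAMPLE_ROOT/opt/backup"
printf '#!/bin/sh\ntar czf /tmp/home.tgz /home\n' > "$SAMPLE_ROOT/opt/backup/run.sh"
chmod 777 "$SAMPLE_ROOT/opt/backup/run.sh"      # world-writable: the bug
printf '#!/bin/sh\nexit 0\n' > "$SAMPLE_ROOT/opt/backup/safe.sh"
chmod 755 "$SAMPLE_ROOT/opt/backup/safe.sh"     # sane permissions
cat > "$SAMPLE_ROOT/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root $SAMPLE_ROOT/opt/backup/run.sh
0 3 * * *   root $SAMPLE_ROOT/opt/backup/safe.sh
30 2 * * *  root backup-rotate --keep 7
0 4 * * *   alice /bin/true
EOF

# --- helpers ----------------------------------------------------------------

# passwd_hashes FILE: print user:hash for accounts whose password field holds
# a real hash instead of the 'x' (shadowed), '*' or '!...' (locked) markers.
# An empty field is reported too ("user:"): that account logs in with no password.
passwd_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 ":" $2 }' "$1"
}

# is_world_writable PATH: true if the other-write bit is set. find is used so
# the check reads the mode on both GNU and BSD userland; test -w would instead
# answer "writable by me", which is the right question on a real target.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o+w 2>/dev/null)" ]
}

# writable_root_cron_targets CRONTAB: for every job in a system-style crontab
# (with a user field) that runs as root, print the command path if the file or
# its directory is world-writable, or "PATH-lookup:<cmd>" when the command is
# resolved through cron's PATH (a writable directory earlier in that PATH lets
# you shadow it).
writable_root_cron_targets() {
    awk 'NF == 0 || $1 ~ /^#/ { next }             # blank and comment lines
         $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }  # SHELL=, PATH=, MAILTO=
         NF >= 7 && $6 == "root" { print $7 }' "$1" |
    while IFS= read -r cmd; do
        case "$cmd" in
            /*) if is_world_writable "$cmd" || is_world_writable "$(dirname "$cmd")"; then
                    printf '%s\n' "$cmd"
                fi ;;
            *)  printf 'PATH-lookup:%s\n' "$cmd" ;;
        esac
    done
}

# --- run against the real host: sh privesc-triage.sh live -------------------
if [ "${1-}" = "live" ]; then
    echo "[*] kernel: $(uname -r)"
    echo "[*] sudo rules (non-interactive):"; sudo -n -l 2>&1
    echo "[*] /etc/shadow readable: $([ -r /etc/shadow ] && echo yes || echo no)"
    echo "[*] hashes or empty passwords in /etc/passwd:"; passwd_hashes /etc/passwd
    echo "[*] root cron targets worth a look:"; writable_root_cron_targets /etc/crontab
    echo "[*] SUID/SGID binaries:"
    find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
else
    echo "sample /etc/passwd findings:"; passwd_hashes "$SAMPLE_PASSWD"
    echo "sample crontab findings:"; writable_root_cron_targets "$SAMPLE_ROOT/crontab"
fi
```

On the constructed sample the passwd helper reports the legacy account's inline hash and the guest account's empty password, and the crontab helper reports run.sh (mode 777) and the PATH-resolved backup-rotate job but not safe.sh. The directory check matters as much as the file check: a 755 script inside a world-writable directory can simply be replaced, since the directory write permission is what controls unlink and rename.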
