Linux Privilege Escalation
Introduction
In Linux, root is the highest privilege level, and gaining it is the goal of a privilege escalation attack. After gaining initial access to a system, the following areas are typically enumerated to identify a path to root:
OS Version: Identifying the specific OS version can help in searching for public exploits targeting that version.
Kernel Version: Similar to the OS version, the kernel version allows for checking known kernel vulnerabilities.
Running Services: Outdated or misconfigured services can provide a way to escalate privileges.
Installed Packages and Versions: Check for outdated or vulnerable packages.
Logged-in Users: Information about other logged-in users can offer ideas for lateral movement.
User Home Directories: Home directories often contain valuable information, such as scripts, SSH keys, or sensitive files.
User Bash History: Bash history files can reveal sensitive information, like passwords if passed as command-line arguments.
Sudo Privileges: sudo -l lists the commands the current user may run as root. If a rule carries the NOPASSWD tag, those commands run as root without a password, and any permitted command that can spawn a shell or write arbitrary files (editors, pagers, interpreters) gives root directly.
Configuration Files: Files ending in .conf or .config often contain sensitive data, such as usernames, passwords and database credentials.
Readable Shadow Files: /etc/shadow should be readable only by root. If it is readable by the current user, it provides the hashed passwords of all local users, which can be cracked offline.
Password Hashes: /etc/passwd is world-readable by design and normally holds only an x in the password field, but on legacy or misconfigured systems that field may hold the actual hash, which can be cracked offline. If /etc/passwd is writable, a new UID 0 user can be added directly.
Cron Jobs: Misconfigured cron jobs (e.g., root-run scripts that are writable, or jobs that call commands by relative name with a writable directory in their PATH) can be exploited to execute code as root.
Unmounted File Systems and Additional Drives: These might contain sensitive data. Mounting them could expose information.
SETUID and SETGID Permissions: A setuid binary runs with the privileges of its owner, a setgid binary with those of its group, regardless of who executes it. A root-owned setuid binary that can be made to spawn a shell or read/write arbitrary files therefore gives root.
Writeable Directories: World-writable directories such as /tmp or /dev/shm are used to stage tools on the target. A writable directory that appears in root's PATH or in the search path of a cron job also lets an attacker plant a binary that root will execute.
Writeable Files: Scripts executed by cron or by a root-owned service can be modified to run attacker-controlled commands with root privileges.
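The checklist above, collected into one script as an added example that is not part of the original page: a POSIX sh enumeration helper covering OS and kernel version, sudo NOPASSWD rules, hashes in /etc/passwd, shadow readability, setuid/setgid binaries, world-writable files, writable cron files, readable history files and mounts. Every function takes its input locations as arguments so each check can be run against the live system or against a constructed fixture; the function names, the --run flag and the sample inputs are the example's own choices, and the -writable/-readable tests assume GNU find.

```shell
#!/bin/sh
# Added example (not from the original page): privilege-escalation enumeration
# helpers for the checklist. Function names are this example's own choices.

# OS and kernel version: feeds public-exploit searches.
os_and_kernel() {
    uname -srm
    [ -r /etc/os-release ] && grep -E '^(PRETTY_NAME|VERSION_ID)=' /etc/os-release
}

# Users whose passwd password field is not the usual 'x' or a locked marker
# ('*', '!...'): on legacy or misconfigured hosts the hash sits in /etc/passwd.
# $1: passwd-format file (default /etc/passwd)
passwd_hash_users() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 ":" $2 }' "${1:-/etc/passwd}"
}

# True if the shadow file is readable by the current user.
# $1: shadow file (default /etc/shadow)
shadow_readable() {
    [ -r "${1:-/etc/shadow}" ]
}

# NOPASSWD rules from 'sudo -l' output or a sudoers file; comment lines are ignored.
# $1: file to scan; "-" (the default) means standard input.
nopasswd_rules() {
    grep -E '^[^#]*NOPASSWD' "${1:--}"
}

# Setuid/setgid regular files below a root directory (default /), staying on
# one filesystem (so /proc and /sys are skipped) and hiding permission errors.
suid_sgid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable regular files below a root directory (default /).
world_writable_files() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null
}

# Cron files the current user can modify (GNU find -writable uses access(2)).
# $@: cron locations to check
writable_cron_files() {
    for location in "$@"; do
        find "$location" -type f -writable 2>/dev/null
    done
}

# Readable shell-history files directly under the given home root and /root.
readable_histories() {
    find "${1:-/home}" /root -maxdepth 2 -name '.*_history' -readable 2>/dev/null
}

# Full report against the live system.
enumerate() {
    echo "== OS / kernel ==";               os_and_kernel
    echo "== Logged-in users ==";           who 2>/dev/null
    echo "== sudo rules (non-interactive) =="; sudo -n -l 2>/dev/null
    echo "== NOPASSWD rules ==";            sudo -n -l 2>/dev/null | nopasswd_rules
    echo "== Hashes in /etc/passwd ==";     passwd_hash_users
    echo "== /etc/shadow readable? ==";     shadow_readable && echo yes || echo no
    echo "== setuid/setgid binaries ==";    suid_sgid_files /
    echo "== world-writable files ==";      world_writable_files /
    echo "== writable cron files ==";       writable_cron_files /etc/crontab /etc/cron.d \
                                                /etc/cron.daily /etc/cron.hourly /var/spool/cron
    echo "== readable history files ==";   readable_histories /home
    echo "== fstab and mounts ==";          cat /etc/fstab 2>/dev/null; mount 2>/dev/null
    echo "== writable staging dirs ==";     for d in /tmp /dev/shm /var/tmp; do [ -w "$d" ] && echo "$d"; done
}

# Only run the full report when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    enumerate
fi
```

Run it with sh privesc_enum.sh --run on the target; sourcing the file instead exposes the individual functions, which is how the fixture checks below exercise them without scanning the whole filesystem.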
Commands: