Common Linux Privesc

A room explaining common Linux privilege escalation


Last updated 4 years ago


The room from TryHackMe teaches some basic concepts of Linux privilege escalation. I have collected some key points from that room, and I have also tried to keep notes from other sources.

There are 2 types of privilege escalation.

  1. Horizontal privilege escalation: This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you.

  2. Vertical privilege escalation: This is where you attempt to gain higher privileges or access, with an existing account that you have already compromised.

Tools:

Techniques:

  1. Search kernel exploits: Try to avoid this if possible, because a failed kernel exploit can crash the system.

  2. Exploiting services running as root: Always check web servers, mail servers, database servers if they are running as root.

  3. Exploiting SUID executables: SUID is a Linux feature that allows a user to execute a file with the permissions of a specified user (the file's owner). find / -perm -u=s -type f 2>/dev/null - This will list files with the SUID bit set.

    1. find - Initiates the "find" command

    2. / - Searches the whole file system

    3. -perm - searches for files with specific permissions

    4. -u=s - The setuid bit must be set in the file's user (owner) permissions; symbolic modes are accepted in this form

    5. -type f - Only search for files

    6. 2>/dev/null - Suppresses errors

  4. Exploiting sudo rights/users: When there is no direct way to get root, it is useful to target other users who have root access through sudo. sudo -l shows which commands the current user is allowed to run with sudo.

    1. Never give sudo access to programming language, compiler or editor.

    2. Never give sudo access to vi, more, less, nmap, perl, ruby, python, gdb.

  5. Exploiting badly configured cron jobs: cron jobs generally run as root, so if we can successfully tamper with a cron job, there is a possibility of getting root access.

    1. ls -la /etc/cron.d - this will list the cron job files

    2. find / -perm -2 -type f 2>/dev/null - prints world writable files

    3. A cron file should not be writable by anyone except root

  6. Exploiting the PATH variable: When a user runs a command, the system searches for the executable using the PATH variable. If we can rewrite the PATH variable for any command (for example one run from a script or cron job), we can achieve command injection and get a root shell.
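The SUID, cron and PATH checks above, collected as audit functions a defender can run against a test tree or a single mount instead of the whole filesystem. This is an added example and not code from the room or from TryHackMe; the function names are my own, and audit_cron is my extension of the "cron file should not be writable except by root" rule (it flags group- or other-writable files).

```shell
#!/bin/sh
# Added example (not from the room): the page's find commands wrapped as
# audit functions that take a root directory, so they can be run against a
# test tree or one mount point rather than all of /.

# Technique 3: regular files with the setuid bit set below ROOT.
audit_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null
}

# Technique 5.2: world-writable regular files below ROOT.
audit_world_writable() {
    find "$1" -perm -2 -type f 2>/dev/null
}

# Technique 5.3: cron definitions below DIR that a non-root user could edit
# (group- or other-writable). Anything listed here should be 644 root:root.
audit_cron() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \) 2>/dev/null
}

# Technique 6: report PATH entries that let a planted binary win the lookup:
# empty or relative entries (they resolve to the current directory) and
# directories the current user can write to. Prints the number of findings.
audit_path() {
    printf '%s\n' "$1" | tr ':' '\n' | {
        n=0
        while IFS= read -r d; do
            if [ -z "$d" ] || [ "${d#/}" = "$d" ]; then
                echo "relative/empty PATH entry: '$d'" >&2
                n=$((n + 1))
            elif [ -d "$d" ] && [ -w "$d" ]; then
                echo "writable PATH directory: $d" >&2
                n=$((n + 1))
            fi
        done
        echo "$n"
    }
}
```

On a live host, audit_path "$PATH" and audit_cron /etc/cron.d (plus /etc/crontab and the other /etc/cron.* directories) reproduce the room's checks; audit_suid / and audit_world_writable / take longer but cover the whole system.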

Resources:

Privesc checker: LinPEAS

Enumeration tool: LinEnum

Methodology and resources for privilege escalation: GitHub Link

List of useful commands for privilege escalation: Sushant gitbook

Some methodology explanation: Blog link