Being able to traverse a directory (x) without being able to read its contents (r) lets the user access known entries, but only by knowing their exact name.
Owner, group owner and other permissions, e.g. for /etc/shadow:
-rw-r----- breaks down as: - (file type), rw- (root, the owner), r-- (the shadow group), --- (other users)
Users
The id command shows information about the current user.
The /etc/passwd file contains all users, one colon-separated entry per line.
Information relating to 'joe':
Login name: "joe"
Encrypted password: "x" means the password hash is stored in the /etc/shadow file
UID: "1000" User ID (aka real user ID). Linux starts counting regular user IDs from 1000
GID: "1000" Primary group ID
Comment: "joe,,," Generally contains a description of the user, often simply the username (the GECOS field)
Home folder: "/home/joe"
Login shell: "/bin/bash" The default interactive shell, if one exists
System service accounts are configured with /usr/sbin/nologin as their login shell.
System information
hostname shows the hostname
Operating system release and version:
/etc/issue
/proc/version
/etc/os-release
uname -a
dpkg --print-architecture
Running process & services
ps auxww lists system processes. Are any processes running as root vulnerable?
Refresh the process list every second to spot short-lived commands:
joe@debian-privesc:~$ watch -n 1 "ps -auxww"
pspy shows commands as they are executed, without needing root (are any cron jobs running?):
./pspy64
Network interfaces, route, and open ports
ip a or ifconfig -a shows network adapter information.
route or routel shows the network routing table.
netstat or ss shows active network connections and listening ports:
-a list all connections
-n avoid hostname resolution
-p list the process the connection belongs to
netstat -tulpn
dpkg -l lists the applications installed by dpkg on a Debian system.
Insecure file permissions
Search for every directory writable by the current user:
joe@debian-privesc:~$ find / -writable -type d 2>/dev/null
Configuration files
Configuration files may contain credentials:
find / -type f -iname '*.conf' 2>/dev/null
find / -type f -iname '*.conf*' 2>/dev/null
Mounted file systems
Unmounted drives could contain valuable information. If unmounted drives exist, we should check the mount permissions.
The /etc/fstab file lists all drives that will be mounted at boot time.
The system admin might have used custom configs or scripts to mount drives that aren't listed in /etc/fstab. It's therefore good practice to also use mount.
mount lists all mounted file systems.
lsblk shows all available disks (are there partitions that aren't mounted?).
Drivers and kernel modules
lsmod lists loaded kernel modules.
/sbin/modinfo <kernel module> gives further information about that module.
To enumerate file capabilities, run getcap with the -r parameter to perform a recursive search starting from the root folder /, filtering out any errors from the terminal output:
joe@debian-privesc:~$ getcap -r / 2>/dev/null
Automated enumeration
/usr/bin/unix-privesc-check [ standard | detailed ] is a pre-installed bash script which performs a number of checks for system misconfigurations that can be abused for local privilege escalation.
LinEnum and LinPEAS are automated enumeration tools tailored to providing privilege escalation information.
Credential harvesting
Credentials may be stored in an environment variable. List environment variables with the env command.
If a variable also appears in the .bashrc file as export VARIABLE=value, it is a permanent variable (loaded whenever the user's shell is launched).
Find running processes that use cleartext passwords by capturing local traffic:
tcpdump is the de facto command line standard for packet capture, but it requires admin privileges.
Sometimes, however, certain accounts are given exclusive access to tcpdump for troubleshooting purposes. This would be apparent when listing the sudo permissions with sudo -l.
Capture traffic in and out of the loopback interface:
joe@debian-privesc:~$ sudo tcpdump -i lo -A
Mail
Enumerate mail for sensitive information:
/var/mail
/var/spool/mail
Exploits
Cron jobs
Exploit - Misconfigured cron jobs running as root could afford privilege escalation
If a cron job is run in the context of the root user, and it executes a file with insecure permissions, we could alter that file so that our own code is executed by root.
Find a vulnerable cron job
See the section on enumerating running processes and services. Look for a job that runs a file which can be altered and is running as an elevated user.
We find that the user_backups.sh file is writable, located in the current user's home directory, and scheduled to run as root every minute.
Edit the file to run malicious code (reverse shell)
The vulnerable file:
joe@debian-privesc:~$ ls -lah /home/joe/.scripts/user_backups.sh
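An added defensive check (not part of the original notes) for the cron misconfiguration above: it parses a system-format crontab and flags root jobs whose script, or the directory holding it, can be modified by someone other than root. The crontab text is a constructed sample; the user_backups.sh path mirrors the case described above.

```python
import shlex
import stat
from pathlib import Path

# Constructed sample system crontab (format: m h dom mon dow user command).
# The second job mirrors the writable user_backups.sh case described above.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *   root    /home/joe/.scripts/user_backups.sh
"""

def parse_system_crontab(text):
    """Yield (user, command) for each job line; skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]

def script_path(command):
    """Return the command's first token if it is an absolute path, else None."""
    try:
        first = shlex.split(command)[0]
    except (ValueError, IndexError):
        return None
    return first if first.startswith("/") else None

def is_tamperable(path, trusted_uid=0):
    """True if a user other than trusted_uid could rewrite the file, replace it
    through a writable parent directory, or create it because it is missing."""
    p = Path(path)
    for target in (p, p.parent):
        try:
            st = target.stat()
        except OSError:
            return True
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False

def audit_crontab(text, trusted_uid=0):
    """List (command, path) pairs for root jobs whose script is tamperable."""
    return [(cmd, path) for user, cmd in parse_system_crontab(text)
            if user == "root" and (path := script_path(cmd))
            and is_tamperable(path, trusted_uid)]
```

Run it against /etc/crontab and each file in /etc/cron.d to catch the pattern before it is abused; fixing a finding means making the script root-owned and mode 0755 or tighter.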
Linux passwords are usually stored in /etc/shadow (i.e. unless Active Directory or LDAP is used).
For backwards compatibility, however, password hashes can be present in the /etc/passwd file. If so, the hash takes precedence over the respective entry in /etc/shadow.
Exploit - Write access to /etc/passwd means we can set an arbitrary password for any account.
Create and log in as a new user with root privileges
Generate a suitable hash:
joe@debian-privesc:~$ openssl passwd w00t
The output of the openssl passwd command varies depending on the system executing it. On older systems it may default to the DES algorithm, while on newer systems it could output in MD5 format.
In the new /etc/passwd entry, UID and GID values of 0 specify that the account is a superuser.
Switch to the new user:
joe@debian-privesc:~$ su root2
Password: w00t
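An added audit (not from the original notes) covering both the /etc/passwd field layout in the Users section and the /etc/passwd write-access exploit above: it parses passwd entries, classifies the password field (shadowed, locked, or an inline DES/MD5/SHA/yescrypt hash, the formats openssl passwd can emit) and flags extra UID 0 accounts and any entry whose hash bypasses /etc/shadow. The sample file and the root2 hash are constructed placeholders.

```python
import re

# Constructed sample /etc/passwd (not from a real system). The last entry is a
# placeholder for the root2 account from the exploit above: inline hash, UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
root2:$1$abcd$PLACEHOLDERHASHVALUE:0:0:root:/root:/bin/bash
"""

FIELDS = ("login", "password", "uid", "gid", "comment", "home", "shell")

def parse_passwd(text):
    """Parse passwd lines into dicts; skip blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) != 7:
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries

def hash_kind(field):
    """Classify the password field: shadowed, locked, empty or an inline hash."""
    if field == "x":
        return "shadow"
    if field in ("*", "!", "!!"):
        return "locked"
    if field == "":
        return "empty"
    m = re.match(r"^\$([0-9a-z]+)\$", field)   # $id$salt$hash, crypt(3) style
    if m:
        ids = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
        return ids.get(m.group(1), "crypt-" + m.group(1))
    return "des" if len(field) == 13 else "unknown"   # classic 13-char DES crypt

def audit_passwd(text):
    """Return (login, reason) findings for UID 0 clones and non-shadowed passwords."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["login"] != "root":
            findings.append((e["login"], "uid 0 account other than root"))
        kind = hash_kind(e["password"])
        if kind not in ("shadow", "locked"):
            findings.append((e["login"], "password field is %s, not shadowed" % kind))
    return findings
```

Either finding on a real system indicates tampering or a broken migration; /etc/passwd should be root-owned, mode 0644, with every password field set to x.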
SUID binaries
Info - What is a SUID flag?
The SUID flag allows a process or script to run as the file's owner, rather than the user initiating it. The SUID flag is denoted with an s in the file permissions.
Exploit - SUID enabled files could allow us to execute code as a privileged user
If we find a file that is misconfigured and has the SUID flag, we can exploit it to run a command with elevated privileges.
Find a vulnerable SUID enabled file
joe@debian-privesc:~$ find / -perm -u=s -type f 2>/dev/null
In this example, the find program has the SUID bit set and is vulnerable.
Find an exploit for the vulnerable file
GTFOBins can help. The -exec parameter can be exploited to run a bash shell along with the -p parameter.
Capabilities are extra attributes that can be applied to processes, binaries and services to assign specific privileges normally reserved for administrative operations like traffic capturing or adding kernel modules.
Exploit - If a capability is misconfigured it could allow privilege escalation.
The sudo command can be used to execute a command with elevated privileges. To use it, a user must be a member of the sudo group (on Debian based Linux distros).
Limitation - This may also require matching the OS flavour
Success in exploiting a kernel vulnerability may depend on matching not only the target's kernel version, but also the operating system flavour (e.g. Debian, RHEL, Gentoo, etc.).
Enumerate target machine information
The /etc/issue file contains a message or system identification to be printed before the login prompt:
Searchsploit can help. We want to use “linux kernel Ubuntu 16 Local Privilege Escalation” as our main keywords. We also want to filter out some clutter from the output, so we’ll exclude anything below kernel version 4.4.0 and anything that matches kernel version 4.8:
# -t rsa            Specifies key type (can be rsa, ed25519, ecdsa, etc.)
# -b 4096           Specifies bit size for key
# -f ~/.ssh/id_rsa  Specifies the file path where private key will be saved
# -N ""             Sets an empty passphrase for private key
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""