Linux Privilege Escalation
These are the common places to look when escalating privileges on a Linux host; each item is an enumeration step, and what it turns up decides the next move.
1. Enumerate the System
We need to enumerate
- the OS version,
- the kernel version,
- the running services,
since any of these may be a version with a publicly known vulnerability.
2. List Current Processes
The following command lists the processes that belong to root (services running as root are the interesting ones, since exploiting one gives root directly; note that grep also matches command lines that merely contain the string "root", so check the USER column):
ps aux | grep root
3. Installed Packages and Versions
Outdated installed packages can carry publicly known vulnerabilities, so list every package together with its version and compare against known issues.
4. Logged in Users
Knowing which users exist and which are logged in gives opportunities for moving laterally or escalating privileges.
Users' home directories are also worth checking. For example, an SSH key or the .bash_history file of a user is very important.
If you find a user's private SSH key, you can use it to open an SSH session on the host (or on any other host that trusts that key).
ls -l ~/.ssh
.bash_history is also important: it shows the user's command history, which can include passwords typed on the command line. With the
sudo -l
command, we can see which commands the current user is allowed to run with sudo, as which target user, and whether a password is required.
5. Configuration Files
Configuration files can hold credentials, for example database passwords in web application configs, as well as connection details for other hosts.
6. Shadow Files
If /etc/shadow is readable, we can gather the password hashes of all users who have a password set and crack them offline.
7. Password Hashes in /etc/passwd
On old or misconfigured systems a user's hash can be stored directly in the second field of /etc/passwd instead of the usual x placeholder. Since /etc/passwd is world-readable, any such hash can be cracked offline.
8. Cron Jobs
Misconfigurations such as commands referenced by relative path, or scripts that a low-privileged user can write to, can be leveraged to run our own code when the scheduled cron job executes, usually as root.
We can look at the daily cron jobs in the following way:
ls -la /etc/cron.daily/
9. Unmounted File Systems and Additional Drives
If you discover and can mount an additional drive or unmounted file system, you may find sensitive files, passwords, or backups that can be leveraged to escalate privileges.
lsblk
10. SETUID and SETGID Permissions
A binary with the setuid or setgid bit runs with the privileges of its owner or group rather than those of the user executing it. The usual reason is to let a normal user perform one root-level action without being granted root access. Many such binaries contain functionality (shell escapes, arbitrary file reads or writes) that can be abused to get a root shell.
11. Find Writable Directories
We can find world-writable directories with the following command (the explicit -print keeps the pruned /proc entry itself out of the output):
find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null
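The checks above, put together as an added example in POSIX sh. This is not code from the original page; it wraps each enumeration step in a function so it can be run on its own or pointed at a sample file. The passwd, crontab and directory arguments are assumptions made so the functions can be exercised against constructed input; with no argument each one looks at the live system.

```sh
#!/bin/sh
# Added example, not from the original page: privilege-escalation enumeration
# helpers. Every function takes an optional path so it can also be pointed at
# constructed sample files; without an argument it inspects the live host.

# Accounts in a passwd-format file whose second field carries a hash directly,
# instead of "x" (hash lives in /etc/shadow) or a lock marker ("*", "!", "!!").
passwd_inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" {
                 print $1 ":" $2 }' "${1:-/etc/passwd}"
}

# setuid and setgid regular files below a directory (default: whole filesystem),
# /proc excluded. -perm -4000 / -2000 are the octal forms of u+s / g+s.
suid_sgid_binaries() {
    find "${1:-/}" -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null
}

# World-writable directories below a directory; -perm -0002 is the octal
# equivalent of the -o+w test used above.
world_writable_dirs() {
    find "${1:-/}" -path /proc -prune -o -type d -perm -0002 -print 2>/dev/null
}

# Cron entries in /etc/crontab format (m h dom mon dow user command) whose
# command is a relative path, or an absolute path the current user can write.
# "@reboot user command" style lines are handled as well.
cron_weak_entries() {
    awk '
        /^[[:space:]]*#/ { next }               # comment lines
        NF == 0          { next }               # blank lines
        $1 ~ /=/         { next }               # VAR=value assignments
        $1 ~ /^@/        { print $2, $3; next } # @reboot user command
        NF >= 7          { print $6, $7 }       # m h dom mon dow user command
    ' "${1:-/etc/crontab}" |
    while read -r user cmd; do
        case "$cmd" in
            /*) if [ -w "$cmd" ]; then printf 'writable:%s:%s\n' "$user" "$cmd"; fi ;;
            *)  printf 'relative-path:%s:%s\n' "$user" "$cmd" ;;
        esac
    done
}

# Run the full set of checks against the live host, in the order of the list above.
enumerate_host() {
    echo "== OS and kernel";            uname -a; cat /etc/os-release 2>/dev/null
    echo "== processes owned by root";  ps aux | awk '$1 == "root"'
    echo "== logged-in users";          who
    echo "== sudo rights for $(id -un)"
    sudo -n -l 2>/dev/null || echo "(sudo -l needs a password, or sudo is absent)"
    echo "== home directory artifacts"
    for h in /home/* /root; do ls -la "$h/.ssh" "$h/.bash_history" 2>/dev/null; done
    echo "== /etc/shadow readable";     if [ -r /etc/shadow ]; then echo yes; else echo no; fi
    echo "== inline hashes in /etc/passwd"; passwd_inline_hashes
    echo "== cron";                     ls -la /etc/cron.daily/ 2>/dev/null; cron_weak_entries
    echo "== block devices and mounts"; lsblk 2>/dev/null; cat /etc/fstab 2>/dev/null
    echo "== setuid/setgid binaries";   suid_sgid_binaries
    echo "== world-writable directories"; world_writable_dirs
}

# Only walk the live filesystem when asked to: sh enum.sh enum
if [ "${1:-}" = "enum" ]; then enumerate_host; fi
```

Running the script with the argument enum performs every check in sequence; sourcing it instead makes the individual functions available, which is handy when one check (such as the full-disk find) is all that is needed on a slow or noisy host.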