The Basics of Privilege Escalation in Linux

Hi guys!
In today's article I'll be showing you some simple techniques for privilege escalation in Linux.
This text covers some basic tactics that will at least get you through some basic CTFs. If you've already studied the subject, you'll probably know everything I show here, so you can use it as a review.
But first of all, what is privilege escalation? There's not much to it; it's basically what the name says! It's about escalating your privileges on a machine, going from an ordinary user to a user with more permissions, for example from an ordinary user to root.
System Enumeration
As a good pentester, you know that everything starts with good enumeration. So it is always recommended to gather some information about the system using the commands below.
View system information
uname -a
cat /proc/version
cat /etc/issue
View user information
id
cat /etc/passwd
See environment variables
env
Search for interesting files such as:
~/.bash_history
/home/user/.ssh/id_rsa
/var/shadow.bak
Automated Tools
After manually enumerating the system, it is highly recommended that you run at least one automated tool to look for possible privilege escalation paths. Below I list some tools that perform this process; LinPEAS is the most widely used and the one I recommend most.
When running a tool, just analyze its output and look for flaws that allow privilege escalation. Of course, if you're not yet familiar with the vulnerability classes covered below, you probably won't know how to exploit the findings these tools report.
Kernel
There are many kernel versions, and some have vulnerabilities that allow privilege escalation. If you performed system enumeration, you have already identified the kernel version in use.
With this information, you can look for ways to exploit the identified version. One of the best-known attacks is Dirty Cow, which affects kernels 2.x through 4.x before 4.8.3. If one of these versions is identified, it's worth attempting the exploit.
The Linux Exploit Suggester tool analyzes this automatically, as shown in the figure below. From the output, we can see that the system is vulnerable to Dirty Cow.

We access the site to get the exploit and use it.

Sudo Permissions
In Linux, the file /etc/sudoers assigns users permission to execute commands as root.
In the image below, the first uncommented line indicates that the root user can run all commands via sudo, which is the default behavior. The second line indicates that the user kali can run the find command as root without needing a password (NOPASSWD).
To understand more about the structure of this file, I recommend this article.

The question is: how can we see which commands we can execute as root if we don't have access to the /etc/sudoers file?
The sudo -l command shows this to you, as shown below.
Once you identify a command you can execute as root, check GTFOBins to see whether that command has an entry under Sudo for becoming root.


It's important to note that each command has its own way of escalating privileges, and obviously not all of them offer one. A different example would be having permission to run the cat command: with it you can read any file on the system, so you could look for flags like /root/root.txt or read /etc/shadow for password hashes.
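To make the sudo -l check above repeatable, here is an added example (not code from the article) that parses sudo -l output and lists which commands run as root and whether NOPASSWD applies; the sample output is constructed, and commands are assumed not to contain commas in their arguments.

```python
"""Parse `sudo -l` output and list what a user may run as root.
Added example (not from the article); the sample output is constructed."""
import re

# Constructed sample of `sudo -l` for a user "kali": one NOPASSWD grant for
# find (as in the article), one password-protected grant, one full grant.
SUDO_L_SAMPLE = """\
Matching Defaults entries for kali on kali:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/bin

User kali may run the following commands on kali:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
    (ALL : ALL) ALL
"""

# Grant line shape: (runas_user[ : runas_group]) [TAG: ...] command[, command...]
GRANT_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")

def parse_sudo_l(text):
    """Return one dict per grant line: runas user, whether NOPASSWD applies,
    and the list of commands. Lines before the 'may run' header are ignored."""
    grants, in_grants = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_grants = True
            continue
        m = GRANT_RE.match(line) if in_grants else None
        if not m:
            continue
        runas, tags, cmds = m.groups()
        grants.append({
            "runas": runas.split(":")[0].strip(),
            "nopasswd": "NOPASSWD:" in tags,
            "commands": [c.strip() for c in cmds.split(",") if c.strip()],
        })
    return grants

def root_capable(grants):
    """(command, nopasswd) pairs runnable as root (runas 'root' or 'ALL').
    These are the entries to look up under Sudo on GTFOBins, and the ones a
    defender must justify or remove from /etc/sudoers."""
    out = []
    for g in grants:
        if g["runas"] in ("root", "ALL"):
            out.extend((cmd, g["nopasswd"]) for cmd in g["commands"])
    return out

if __name__ == "__main__":
    for cmd, nopasswd in root_capable(parse_sudo_l(SUDO_L_SAMPLE)):
        print("as root:", cmd, "(NOPASSWD)" if nopasswd else "(password required)")
```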
SUID
Somewhat similar to exploiting sudo permissions is SUID exploitation. SUID files carry a special permission bit that makes the program run with its owner's privileges rather than those of the user who launched it.
So, if a command that is capable of escalating privileges has the SUID bit set and is owned by root, the system is vulnerable to privilege escalation. To search for files with SUID, you can use the command: find / -type f -perm -04000 -ls 2>/dev/null
At first, it may be confusing and difficult to analyze which command can be used, but with practice, you will find it easier.
In the result below, we see that /usr/bin/bash is SUID and owned by root. Now we can look up this command on GTFOBins and use the syntax listed under SUID.


To learn more about SUID and other special permissions, visit this link.
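The find command above is what you run on a target; the following is an added example (not from the article) of the defender-side version of the same check: walk the filesystem for setuid-root files and flag any outside a baseline. The KNOWN_SETUID allowlist is a constructed, illustrative baseline, not a complete one.

```python
"""Find setuid-root binaries and flag those outside a known-good baseline.
Added example (not from the article); the allowlist below is illustrative."""
import os
import stat

# Constructed baseline of binaries that commonly carry setuid on a Debian-like
# system. Build your own from a freshly installed host and keep it under review.
KNOWN_SETUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/bin/pkexec",
}

def find_setuid(root="/", owner_uid=0):
    """Regular files under `root` with the setuid bit, owned by `owner_uid`
    (root by default). Same idea as `find / -type f -perm -04000`, but does
    not follow symlinks and silently skips unreadable paths (like 2>/dev/null)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)

def unexpected_setuid(paths, allowlist=frozenset(KNOWN_SETUID)):
    """Setuid files not in the baseline: these are what to review. A setuid
    /usr/bin/bash, as in the article's example, never belongs in a baseline."""
    return [p for p in paths if p not in allowlist]

if __name__ == "__main__":
    for p in unexpected_setuid(find_setuid()):
        print("REVIEW setuid-root file outside baseline:", p)
```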
Cron Jobs
Cron jobs are used in Linux to run scripts at regular intervals and are very useful for scheduling automated tasks. However, they can also be a vector for privilege escalation.
You can check the machine's cron jobs in the file /etc/crontab. In the image below, we see a task that runs the file /home/kali/backup.sh every minute; the schedule is given by the five * fields.
There is a structure behind this syntax that you can understand better through this link.

Analyzing the file, we notice that it backs up the notes folder. To exploit this flaw, we can edit backup.sh and add a command that gives us root access.
In this case, we can insert the command below, which opens a connection to our attacking machine on port 3333. Since the script runs as root, our connection will also be established as that user.

Now just save the file and wait for the task to run (every minute) while listening on the port you specified in the command.
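The flaw here is a root cron job whose script a normal user can edit. As an added example (not from the article), the following audits a file in /etc/crontab format for exactly that: root jobs whose executable is group/other-writable or not owned by root. It assumes the system crontab layout (schedule, user, command) and checks only the command's first word.

```python
"""Audit /etc/crontab for root jobs whose script other users can modify.
Added example (not from the article); assumes the system crontab format."""
import os
import shlex
import stat

def parse_system_crontab(text):
    """Yield (schedule, user, command) per job line. Comments, blank lines
    and NAME=value assignments are skipped; @daily-style schedules handled."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:                       # e.g. PATH=/usr/bin
            continue
        n = 1 if first.startswith("@") else 5  # @reboot vs m h dom mon dow
        fields = line.split(None, n + 1)
        if len(fields) == n + 2:
            yield " ".join(fields[:n]), fields[n], fields[n + 1]

def risky_root_jobs(text):
    """Return (schedule, path, reason) for root jobs whose executable is
    group/other-writable or not owned by root. The target is the command's
    first word; relative paths, compound commands and missing files are skipped."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        try:
            path = shlex.split(command)[0]
            st = os.stat(path) if os.path.isabs(path) else None
        except (ValueError, IndexError, OSError):
            continue
        if st is None:
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((schedule, path, "writable by group/other"))
        elif st.st_uid != 0:
            findings.append((schedule, path, "owned by uid %d, not root" % st.st_uid))
    return findings

if __name__ == "__main__":
    # Constructed sample: the article's every-minute root backup job.
    sample = "* * * * * root /home/kali/backup.sh\n"
    print(list(parse_system_crontab(sample)))
    with open("/etc/crontab") as fh:
        for schedule, path, why in risky_root_jobs(fh.read()):
            print("REVIEW %s %s: %s" % (schedule, path, why))
```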

PwnKit
PwnKit is a recently discovered vulnerability that affects most Linux distributions using a service called Polkit. It has been registered as CVE-2021-4034 and allows privilege escalation.
Most of the machines where I tried to use this flaw were vulnerable because only the latest versions of the distributions have fixed this bug. Just run one of the automated tools I mentioned, and the output will indicate if the system is vulnerable.
On an older CTF machine you might use this tactic to escalate privileges, but it was probably not an intentionally planted flaw, so it is likely not the path to root the challenge intends.
The exploitation is extremely simple and can be found here.
Below you can see the exploitation being carried out on a TryHackMe machine created to learn how to exploit this vulnerability.

If you want to know more, visit this link.
Checklist
Discover the kernel version and check whether there is an exploit for it, such as Dirty Cow;
Look for credentials, user accounts, and directories with misconfigured permissions;
See which commands you can use as root;
Look for exploitable services, applications or binaries, such as SUID files and PwnKit;
Look for automated scripts like backup tasks in crontab.
Conclusion
In this article, we covered some basic techniques for privilege escalation in Linux. Although simple, they are widely used in CTFs and also appear in real-world exploitation cases.
There are many other ways to exploit a system, such as using Capabilities, PATH exploitation, NFS, LXD, among others, but they do not fit in this basic guide.
I hope you can benefit from something you learned here.
See ya =)