Mastering Linux Privilege Escalation: A Hacker's Guide

I recently came across an interesting post on Reddit. It was about a guy who was able to hack his colleague's Twitter account. Want to know how he did it? Well, they were actually working on a project together. One day, while messing around with the server's config files for the project, he decided to try out some cool tricks he had read in a blog post. He managed to get superuser (root) privileges and got hold of his colleague's password hash. And guess what? He cracked the hash and used it on a few of his colleague's social media accounts. Boom, he was in!

Over 96% of web servers out there run Linux. Whether you are a red teamer or a cyber security enthusiast just trying your hand at some CTFs, you will eventually need to escalate privileges to gain higher levels of access and control within a system. In this blog post, we will take a look at multiple techniques used to escalate privileges on Linux.

What is Privilege Escalation

Privilege escalation falls under the fourth stage of hacking. After you have compromised a system and gained initial access, you will usually find yourself with a user who has only basic privileges. Maybe you ended up with an accountant's account after you social-engineered your way into an Active Directory environment, or you were able to compromise a web application and you're now www-data. Whatever it may be, your mission, if you choose to accept it, is to gain full control over the system. This process is known as privilege escalation.

I will be using the Linux PrivEsc Arena TryHackMe module to showcase some of the techniques discussed in this blog post.

Enumeration

To successfully escalate privileges, we need to get a good idea of the system. We need to find out what user we are, our privileges, applications installed on the system, their versions and so on.

System Enumeration

We will start by learning about the OS we are running.

hostname
uname -a #kernel release, build date and architecture
cat /proc/version #kernel version and the compiler it was built with

System hardware and architecture

lscpu
lshw

Let's take a look at running processes

ps aux #all processes, BSD-style syntax
ps -u [username] #we can also specify a user like this
ps -ef #all processes, System V-style syntax, with parent PIDs
top -n 1 #one snapshot of the process table, sorted by CPU

Here are a few more useful ones

hostname
history #You could find some really interesting stuff here
(env || set) 2>/dev/null #Check environment variables

User Enumeration

User info and permissions

whoami
id #uid, gid and group memberships
sudo -l #commands we are allowed to run with sudo

Check for other users on the system

cat /etc/passwd
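Reading /etc/passwd by eye is fine on a small box, but the things worth spotting (a second UID 0 account, two accounts sharing a UID, a service account that was given a real login shell) are easy to miss in a long file. The script below is an added example and not part of the original post or of any of the tools it mentions: it parses passwd-format text and prints those findings. The sample data is constructed, and the set of "no login" shells and the 1..999 system UID range are assumptions that match common distribution defaults.

```python
"""Added example (not from the original post): audit /etc/passwd content.

Parses the name:x:uid:gid:gecos:home:shell format the post inspects with
`cat /etc/passwd` and flags the entries a reviewer would look at twice:
UID 0 accounts that are not root, accounts sharing a UID, and system
accounts with an interactive shell. The sample below is constructed.
"""
import sys
from collections import Counter
from dataclasses import dataclass

# Shells that deny interactive login (assumed common set; extend per distro).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}
SYSTEM_UID_MAX = 999  # UIDs 1..999 are system accounts on most distros (assumption)


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text; blank lines and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def audit_passwd(entries):
    """Return (account, finding) pairs, in file order."""
    uid_counts = Counter(e.uid for e in entries)
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account that is not root"))
        if uid_counts[e.uid] > 1:
            findings.append((e.name, f"shares UID {e.uid} with another account"))
        if 0 < e.uid <= SYSTEM_UID_MAX and e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, f"system account with interactive shell {e.shell}"))
    return findings


# Constructed sample; pass a path argument to audit a real file instead.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1000:1001:service account:/home/svc:/bin/sh
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, finding in audit_passwd(parse_passwd(text)):
        print(f"{account:<12} {finding}")
```

Run it as `python3 passwd_audit.py /etc/passwd` on a real host; on the constructed sample it reports the duplicate root account `toor`, the shared UID 1000 and the `backup` system account with a bash shell, and stays silent about `www-data`.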

Network Enumeration

ip a #interfaces and IP addresses
ifconfig #older equivalent of ip a
ip neigh #neighbour (ARP) table
arp -a
netstat -ano #open ports and established connections

Enumerating With Automated Tools

While it is good to do some manual enumeration, it is time-consuming. Thankfully, there are some really good tools out there that can automate this process for us.

LinPeas

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/Mac OS hosts.

LinPeas run on the Linux PrivEsc Arena module — TryHackMe.com

LinPeas does all the hard work and assembles a detailed description of what it found and some ideas as to how to move forward.

LinEnum

LinEnum is very similar to LinPeas: it enumerates the entire machine and highlights some possible escalation paths that it found.

LinEnum run on the Linux PrivEsc Arena module — TryHackMe.com

Kernel Exploits

The kernel is the core part of an operating system which manages system resources. It also acts like a bridge between applications and the hardware of the computer. If an application needs to, for example, play a sound, it will notify the kernel, which will subsequently trigger the hardware to execute the requested command.

Certain versions of a kernel may be vulnerable to attacks which will allow us to gain higher privileges. The first thing we have to do is check the version of the kernel.

Now that we have the version, we can Google it to see if there are any exploits for that version.

As you can see, there is a vulnerability for this version. All we have to do now is find an exploit or proof of concept online. I found one on Exploit-DB.

As you can see, I was able to gain root.

Escalating With Sudo

Sudo is a utility that lets permitted users run commands as another user, usually root, according to the rules in /etc/sudoers. On most low-privilege systems, you will find that sudo is allowed for only a few commands. To see which commands you can run as root, run

sudo -l

If we were able to somehow launch a shell using sudo, it would have root privileges since it is being run by root. Let's see which binaries we can run with sudo.

None of these commands seem like they could be used to launch shells, but they actually can. GTFOBins is an amazing resource that we can use to check if we can launch shells with binaries. I will check to see if I can gain a shell with vim.

Let's try it out.

Woohoo!! We landed another root shell.

While GTFOBins is an invaluable resource, it is not the only way to escalate privileges with sudo. You will come across binaries which are not listed on GTFOBins, but that doesn't mean you can't escalate privileges with them. I highly advise that you Google the binaries to see if there is a way to use them to gain higher levels of access. In some cases you will find that you can read root-owned files instead of getting a shell. But being able to read root-owned files means you can read /etc/shadow, and if you're able to crack the root hash, or even the hash of another user, you can then pivot from there.
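The same `sudo -l` output is what an administrator should be reviewing before an attacker does. The script below is an added example, not part of the original post or of sudo itself: it turns the `(runas) TAG: command` lines of `sudo -l` into records and flags the grants that deserve scrutiny (`ALL`, `NOPASSWD`, `SETENV`, wildcards and relative paths). The sample output is constructed to look like a typical `sudo -l` result; the parser assumes the line layout shown there.

```python
"""Added example (not from the original post): structure and review `sudo -l` output.

Parses the "(runas) TAG: command, command" lines printed by `sudo -l` and
flags rules a reviewer should question. SAMPLE_SUDO_L is constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# "(runas spec)", optional "TAG:" list (NOPASSWD:, SETENV:, ...), then commands.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


@dataclass
class SudoRule:
    runas: str
    tags: list
    commands: list


def parse_sudo_l(output):
    """Parse only the section after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # unrecognised line; skipped rather than guessed at
        runas, tag_text, cmd_text = m.groups()
        tags = [t.rstrip(":") for t in tag_text.split()]
        commands = [c.strip() for c in cmd_text.split(",") if c.strip()]
        rules.append(SudoRule(runas.strip(), tags, commands))
    return rules


def review_rules(rules):
    """Return (command, reason) pairs for grants that deserve a second look."""
    findings = []
    for rule in rules:
        for cmd in rule.commands:
            if cmd == "ALL":
                findings.append((cmd, f"any command as ({rule.runas})"))
            elif "*" in cmd:
                findings.append((cmd, "wildcard in command or arguments"))
            elif not cmd.startswith("/"):
                findings.append((cmd, "relative command path"))
            if "NOPASSWD" in rule.tags:
                findings.append((cmd, "no password required"))
            if "SETENV" in rule.tags:
                findings.append((cmd, "caller may override environment variables"))
    return findings


# Constructed sample of `sudo -l` output; run with --live to read the real thing.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on arena:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User alice may run the following commands on arena:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find, /bin/less
    (ALL : ALL) ALL
    (www-data) SETENV: /usr/local/bin/backup.sh *
"""

if __name__ == "__main__":
    if "--live" in sys.argv:
        output = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_SUDO_L
    for cmd, reason in review_rules(parse_sudo_l(output)):
        print(f"{cmd:<40} {reason}")
```

On the constructed sample it reports the password-less vim grant, the unrestricted `(ALL : ALL) ALL` rule and both problems with the wildcard backup script, while the plain `find` and `less` grants produce no automatic finding; those are the ones you still check against GTFOBins by hand.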

Sudo Version

It is also worth checking the version of sudo you are using. Some versions of sudo in the past had vulnerabilities that allowed a user to switch to any account they wanted. You can check your sudo version by running

sudo -V

Password Hunting

One very potent source of privilege escalation is password hunting. You will often find passwords in many places on a Linux system, from config files to environment variables. It is possible to find passwords that are reused, or even the passwords of other users.

The first place I always check is .bash_history. You can also view its contents by running the history command, although I prefer

less ~/.bash_history

Over here I found the password to the MySQL database which was also reused for the root password 🤦🏾‍♂️. Please don’t reuse passwords.

Here are more useful commands

#Files containing passwords
grep -rnw / -ie "PASSWORD" --color=always 2>/dev/null #recursive, whole-word, case-insensitive
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \; #the extra /dev/null makes grep print the file name

#Passwords in memory (reading /dev/mem is normally root-only and often restricted by the kernel)
strings -n10 /dev/mem | grep -i PASS

Weak File Permissions

Even if you do not have superuser (sudo) privileges, there are still ways to gain access to sensitive information. For example, you may have read permissions on the /etc/shadow file, which stores password hashes of all users. By examining this file, you can potentially crack passwords and gain unauthorized access to user accounts.

It gets even better when you have write access: then you can replace the root hash with a hash you generated yourself and log in with the password behind that hash.

Additionally, you might find that you have write access to another user's .ssh/authorized_keys file. This file is used for SSH public-key authentication and lists the public keys allowed to log in as that user. By appending your own public key to this file, you could potentially gain unauthorized access to their account.

Therefore, even without superuser privileges, it is important to be aware of the potential security risks and vulnerabilities that exist.
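The defensive counterpart of this section is a permission check on exactly those files. The script below is an added example and not from the original post: it compares the owner and mode of /etc/shadow, /etc/passwd, /etc/sudoers and every /home/*/.ssh/authorized_keys against a policy of common defaults. The policy values (root-owned, 0640 for shadow, 0644 for passwd, 0440 for sudoers, at most 0644 and user-owned for authorized_keys) are assumptions that match Debian-style defaults; adjust them to your distribution. The pure function mode_findings() takes stat values, so it can be exercised without root.

```python
"""Added example (not from the original post): audit the weak-permission
cases the post describes (readable/writable /etc/shadow, writable
authorized_keys). POLICY values are assumed common defaults.
"""
import os
import stat
from pathlib import Path

# path -> (most permissive acceptable mode, expected owner uid). Assumed defaults.
POLICY = {
    "/etc/shadow": (0o640, 0),
    "/etc/passwd": (0o644, 0),
    "/etc/sudoers": (0o440, 0),
}


def mode_findings(path, st_mode, st_uid, max_mode, expected_owner):
    """Compare one file's mode and owner with the policy; return finding strings."""
    perm = stat.S_IMODE(st_mode)
    findings = []
    if st_uid != expected_owner:
        findings.append(f"{path}: owned by uid {st_uid}, expected uid {expected_owner}")
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {perm:04o})")
    extra = perm & ~max_mode  # permission bits the policy does not allow
    if extra:
        findings.append(f"{path}: mode {perm:04o} grants more than {max_mode:04o} "
                        f"(extra bits {extra:04o})")
    return findings


def audit_path(path, max_mode, expected_owner):
    """Stat a real file and apply the policy; a missing file yields no findings."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    return mode_findings(path, st.st_mode, st.st_uid, max_mode, expected_owner)


def audit_system():
    """Run the policy over the sensitive files and each user's authorized_keys."""
    findings = []
    for path, (max_mode, owner) in POLICY.items():
        findings += audit_path(path, max_mode, owner)
    for home in Path("/home").glob("*"):
        keys = home / ".ssh" / "authorized_keys"
        if keys.is_file():
            # Public keys may be world-readable, but only the home's owner may write them.
            findings += audit_path(str(keys), 0o644, os.stat(home).st_uid)
    return findings


if __name__ == "__main__":
    for line in audit_system() or ["no findings"]:
        print(line)
```

A world-writable /etc/shadow yields two findings (the explicit world-writable warning plus the extra bits 0026 beyond 0640); a 0644 shadow yields one, the world-read bit that lets an unprivileged user copy the hashes; an authorized_keys file that is group-writable or owned by the wrong uid is reported for the same reason the post gives above.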

More Learning Resources

I am not an expert and I did not invent any of these methods. I’m just documenting what I am currently learning. That is why I wanted to show you some of the great resources that I learned with.

What I talked about in the article is just scratching the surface of the world of privilege escalation, and if you want to learn more I highly encourage you take a look at these.

  • HackTricks: If you are into cyber security and you don't know about this resource, I don't know what you have been learning all this while. This is a great resource that covers not only privilege escalation but also many hacking concepts. Most of the commands showcased in this post were actually sourced from their privilege escalation page.

  • The Cyber Mentor : TCM is a Cybersecurity Consulting & Training company, but they also have a killer YouTube channel. Over there you will find a three hour cut of their premium Linux privilege escalation course. It’s an amazing resource and I encourage you to check them out.

  • Sushant747's Gitbook: This is a full OSCP guide and I learned a lot in the privilege escalation section.

  • Payload All The Things: Here’s another very popular resource. Lots of command snippets and examples, not only on privilege escalation but on every topic imaginable.

Conclusion

There are many more ways to escalate privileges; I couldn't possibly cover them all. Every system is different, but the concepts remain the same. Learning to think outside the box and making the most of the resources at hand is what will make you a good hacker. And as with all things in cyber security, a little curiosity and ingenuity, coupled with a desire to break stuff, is all that is required.

Call To Action

You probably have some killer techniques you use to gain root on any Linux system. Don’t be greedy, let me know in the comments. For more content like this, subscribe to my newsletter or follow me on Hashnode.

Stay s3cur3 lads 😎