How To Perform Linux Privilege Escalation
When hacking a Linux machine, it can be favorable to become the root user. This user has admin rights, meaning they have full access to everything on a system.
Today, I will showcase the techniques I use to escalate to root from an ordinary user. This list will grow as I continue to learn more techniques.
Disclaimer: The intended use of these techniques is solely for Linux-based Capture the Flag competitions. I do not encourage readers to try to hack any real-world machines.
sudo -l
Running sudo -l shows all the commands the current user can run with root permissions. Note that this option requires knowing the user's password.
On my Kali VM, I can run all commands as root:
$ sudo -l
[sudo] password for kali:
Matching Defaults entries for kali on kali:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kali may run the following commands on kali:
(ALL : ALL) ALL
find
The find command is a powerful tool for locating files in the filesystem. It can be used to find all files the user can run that have the setuid bit enabled. This is a cheesy technique that I use if I cannot use sudo -l.
The command is:
find / -perm -u=s -type f 2>/dev/null
find /usr/bin/ -perm -u=s -type f 2>/dev/null # use this if the first command doesn't work
- / - search from the top level directory
- -perm - find files with the following permissions set
- -u=s - the setuid bit is set (u here is the file's owner, as in chmod)
- -type f - search for regular files only
- 2>/dev/null - silence all errors
Note that not all of the returned binaries will lead to privilege escalation. For example, /usr/bin/mount and /usr/bin/umount won’t be helpful.
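As an added, defender-side example (not code from the original post): the same find search, wrapped so its output can be compared against a baseline of setuid binaries that are expected on the box (such as mount and umount), so only unexpected ones are listed. The root parameter and the baseline file format (one absolute path per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits setuid binaries under a
# given root against a baseline of expected ones and prints only the extras.
# Assumptions: POSIX sh, a find that supports -perm -u=s, and a baseline file
# with one absolute path per line (constructed for this example).

# The post's search, parameterised on the root so it can also be run against
# a mounted image or a test directory. Unreadable directories are silenced.
list_setuid() {
    find "$1" -perm -u=s -type f 2>/dev/null | sort
}

# Print setuid files found under $1 that are not listed in baseline file $2.
# Paths are made relative to the root (and re-rooted at /) so one baseline
# works both for a live system ("/") and for a mounted image.
unexpected_setuid() {
    root=$1
    baseline=$2
    list_setuid "$root" | while IFS= read -r path; do
        rel=${path#"$root"}
        rel=/${rel#/}
        # -F fixed string, -x whole line, -q quiet: exact-path match only
        grep -Fxq -- "$rel" "$baseline" || printf '%s\n' "$rel"
    done
}

# Usage on a live box (baseline path is a placeholder):
#   unexpected_setuid / /etc/setuid-baseline.txt
```

Anything printed is a setuid file that is not in the baseline and deserves a closer look; an empty result means the set of setuid binaries matches what was recorded.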
LinPEAS
LinPEAS (Linux Privilege Escalation Awesome Script) is a script that searches for possible Linux privilege escalation paths. It is a great tool that I am still learning to use effectively. The GitHub repo for LinPEAS is linked here and it contains plenty of documentation on how to use it and what it does.