Jason Turley's Website

How To Perform Linux Privilege Escalation

When hacking a Linux machine, it can be favorable to become the root user. This user has admin rights, meaning they have full access to everything on a system.

Today, I will showcase the techniques I use to escalate to root from an ordinary user. This list will grow as I continue to learn more techniques.

Disclaimer: The intended use of these techniques is solely for Linux-based Capture the Flag competitions. I do not encourage readers to try to hack any real-world machines.

sudo -l

Running sudo -l lists all the commands the current user may run with root permissions. Note that this option requires knowing the user's password.

On my Kali VM, I can run all commands as root:

$ sudo -l      
[sudo] password for kali: 
Matching Defaults entries for kali on kali:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kali may run the following commands on kali:
    (ALL : ALL) ALL

find

The find command is a powerful tool for locating files in the filesystem. It can be used to find all files the user can run that have the setuid bit set. This is a cheesy technique that I use if I cannot use sudo -l.

The command is:

find / -perm -u=s -type f 2>/dev/null
find /usr/bin/ -perm -u=s -type f 2>/dev/null # use this if the first command doesn't work

Note that not all of the returned binaries will lead to privilege escalation. For example, /usr/bin/mount and /usr/bin/umount won’t be helpful.
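As an added example (not part of the original post), the same find predicate turned into a defender's audit: it lists the setuid files under a given root and reports any that are missing from a baseline of expected ones, so a setuid file that appears after the baseline was taken stands out. The sample tree, file names and baseline below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side audit built on
# the same find predicate the post uses (-perm -u=s -type f). It lists setuid
# files under a root directory and reports any that are missing from a
# baseline of expected ones, so a newly appeared setuid file stands out.
export LC_ALL=C   # keep sort and comm using the same collation

# Print setuid regular files under $1 as sorted paths relative to $1.
list_setuid() {
    top=$1
    find "$top" -perm -u=s -type f 2>/dev/null | sed "s|^$top/||" | sort
}

# Print setuid files under $1 that are not listed in the baseline file $2
# (sorted relative paths, one per line). Returns 1 if anything is unexpected.
audit_setuid() {
    root=$1; baseline=$2
    unexpected=$(list_setuid "$root" | comm -13 "$baseline" -)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Build a constructed sample tree (not a real system) in a temp dir: two
# setuid files that belong in the baseline, one that does not, and one
# ordinary binary. Prints the temp dir; the baseline is $dir/baseline.txt.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/tmp"
    for f in usr/bin/passwd usr/bin/mount tmp/stray_helper; do
        : > "$dir/$f"
        chmod 4755 "$dir/$f"          # rwsr-xr-x
    done
    : > "$dir/usr/bin/ls"
    chmod 755 "$dir/usr/bin/ls"       # no setuid bit, must not be reported
    printf 'usr/bin/mount\nusr/bin/passwd\n' > "$dir/baseline.txt"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree: reports tmp/stray_helper, then cleans up.
demo_root=$(make_sample_tree)
audit_setuid "$demo_root" "$demo_root/baseline.txt" \
    || echo "unexpected setuid file(s) listed above"
rm -rf "$demo_root"
```

On a real host you would run list_setuid / once, review the output, store it as the baseline, and re-run audit_setuid from a scheduled job or your configuration management to catch additions.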

LinPEAS

LinPEAS (Linux Privilege Escalation Awesome Script) is a script that searches for possible Linux privilege escalation paths. It is a great tool that I am still learning to use effectively. The GitHub repo for LinPEAS is linked here, and it contains plenty of documentation on how to use it and what it does.