How To Perform Linux Privilege Escalation
When hacking a Linux machine, it can be favorable to become the root user. This user has admin rights, meaning they have full access to everything on a system.
Today, I will showcase the techniques I use to escalation to root from an ordinary user. This list will grow as I continue to learn more techniques.
Disclaimer: The intended use of these techniques are solely for Linux-based Capture the Flag competitions. I do not encourage readers to try to hack any real-world machines.
sudo -l shows all the commands the current user can run with root permissions. Note that this options requires knowing the user’s password.
On my kali vm, I can run all commands as root:
$ sudo -l
[sudo] password for kali:
Matching Defaults entries for kali on kali:
User kali may run the following commands on kali:
(ALL : ALL) ALL
The find command is a powerful tool for locating files in the filesystem. It can be used to find all files the user can run that have the setuid bit enabled. This is a cheesy technique that I used if I cannot use
The command is:
find / -perm -u=s -type f 2>/dev/null
find /usr/bin/ -perm -u=s -type f 2>/dev/null # use this if the first command doesn't work
- / - search from the top level directory
- -perm - find files with the following permissions set
- -u=s - setuid bit is enabled for the user
- -type f - search for regular files only
- 2>/dev/null - silence all errors
Note that not all of the returned binaries will lead to privilege escalation. For example, /usr/bin/mount and /usr/bin/umount won’t be helpful.
LinPEAS (Linux Privilege Escalation Awesome Script) is a script that searches for possible Linux escalation privileges. It is a great tool that I am still learning to use effectively. The GitHub repo for LinPEAS is linked here and it contains plenty of documentation on how to use it and what it does.
#how-to #security #linux