Linux Privilege Escalation
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Let's start gaining some knowledge of the OS running
If you have write permissions on any folder inside the PATH
variable you may be able to hijack some libraries or binaries:
Interesting information, passwords or API keys in the environment variables?
Check the kernel version and if there is some exploit that can be used to escalate privileges
You can find a good vulnerable kernel list and some already compiled exploits here: https://github.com/lucyoa/kernel-exploits and exploitdb sploits. Other sites where you can find some compiled exploits: https://github.com/bwbwbwbw/linux-exploit-binaries, https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
To extract all the vulnerable kernel versions from that web you can do:
Tools that could help to search for kernel exploits are:
linux-exploit-suggester.sh linux-exploit-suggester2.pl linuxprivchecker.py (execute IN victim,only checks exploits for kernel 2.x)
Always search the kernel version in Google, maybe your kernel version is written in some kernel exploit and then you will be sure that this exploit is valid.
Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
Based on the vulnerable sudo versions that appear in:
You can check if the sudo version is vulnerable using this grep.
From @sickrov
Check smasher2 box of HTB for an example of how this vuln could be exploited
If you are inside a docker container you can try to escape from it:
Docker SecurityCheck what is mounted and unmounted, where and why. If anything is unmounted you could try to mount it and check for private info
Enumerate useful binaries
Also, check if any compiler is installed. This is useful if you need to use some kernel exploit as it's recommended to compile it in the machine where you are going to use it (or in one similar)
Check for the version of the installed packages and services. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges… It is recommended to check manually the version of the more suspicious installed software.
If you have SSH access to the machine you could also use openVAS to check for outdated and vulnerable software installed inside the machine.
Note that these commands will show a lot of information that will mostly be useless, therefore it's recommended some applications like OpenVAS or similar that will check if any installed software version is vulnerable to known exploits
Take a look at what processes are being executed and check if any process has more privileges than it should (maybe a tomcat being executed by root?)
Always check for possible electron/cef/chromium debuggers running, you could abuse it to escalate privileges. Linpeas detect those by checking the --inspect
parameter inside the command line of the process.
Also check your privileges over the processes binaries, maybe you can overwrite someone.
You can use tools like pspy to monitor processes. This can be very useful to identify vulnerable processes being executed frequently or when a set of requirements are met.
Some services of a server save credentials in clear text inside the memory. Normally you will need root privileges to read the memory of processes that belong to other users, therefore this is usually more useful when you are already root and want to discover more credentials. However, remember that as a regular user you can read the memory of the processes you own.
Note that nowadays most machines don't allow ptrace by default which means that you cannot dump other processes that belong to your unprivileged user.
The file /proc/sys/kernel/yama/ptrace_scope controls the accessibility of ptrace:
kernel.yama.ptrace_scope = 0: all processes can be debugged, as long as they have the same uid. This is the classical way of how ptracing worked.
kernel.yama.ptrace_scope = 1: only a parent process can be debugged.
kernel.yama.ptrace_scope = 2: Only admin can use ptrace, as it required CAP_SYS_PTRACE capability.
kernel.yama.ptrace_scope = 3: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.
If you have access to the memory of an FTP service (for example) you could get the Heap and search inside of its credentials.
For a given process ID, maps show how memory is mapped within that process's virtual address space; it also shows the permissions of each mapped region. The mem pseudo file exposes the processes memory itself. From the maps file we know which memory regions are readable and their offsets. We use this information to seek into the mem file and dump all readable regions to a file.
/dev/mem
provides access to the system's physical memory, not the virtual memory. The kernel's virtual address space can be accessed using /dev/kmem.
Typically, /dev/mem
is only readable by root and kmem group.
ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. Get it in https://github.com/Sysinternals/ProcDump-for-Linux
To dump a process memory you could use:
https://github.com/hajzer/bash-memory-dump (root) - _You can manually remove root requirements and dump the process owned by you
Script A.5 from https://www.delaat.net/rp/2016-2017/p97/report.pdf (root is required)
If you find that the authenticator process is running:
You can dump the process (see before sections to find different ways to dump the memory of a process) and search for credentials inside the memory:
The tool https://github.com/huntergregal/mimipenguin will steal clear text credentials from memory and from some well known files. It requires root privileges to work properly.
GDM password (Kali Desktop, Debian Desktop)
gdm-password
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)
gnome-keyring-daemon
LightDM (Ubuntu Desktop)
lightdm
VSFTPd (Active FTP Connections)
vsftpd
Apache2 (Active HTTP Basic Auth Sessions)
apache2
OpenSSH (Active SSH Sessions - Sudo Usage)
sshd:
Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?).
For example, inside /etc/crontab you can find the PATH: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
(Note how the user "user" has writing privileges over /home/user)
If inside this crontab the root user tries to execute some command or script without setting the path. For example: * * * * root overwrite.sh Then, you can get a root shell by using:
If a script is executed by root has a “*” inside a command, you could exploit this to make unexpected things (like privesc). Example:
If the wildcard is preceded of a path like /some/path/* , it's not vulnerable (even ./* is not).
Read the following page for more wildcard exploitation tricks:
Wildcards Spare tricksIf you can modify a cron script executed by root, you can get a shell very easily:
If the script executed by root uses a directory where you have full access, maybe it could be useful to delete that folder and create a symlink folder to another one serving a script controlled by you
You can monitor the processes to search for processes that are being executed every 1, 2 or 5 minutes. Maybe you can take advantage of it and escalate privileges.
For example, to monitor every 0.1s during 1 minute, sort by less executed commands and delete the commands that have been executed the most, you can do:
You can also use pspy (this will monitor and list every process that starts).
It's possible to create a cronjob putting a carriage return after a comment (without newline character), and the cron job will work. Example (note the carriage return char):
Check if you can write any .service
file, if you can, you could modify it so it executes your backdoor when the service is started, restarted or stopped (maybe you will need to wait until the machine is rebooted).
For example create your backdoor inside the .service file with ExecStart=/tmp/script.sh
Keep in mind that if you have write permissions over binaries being executed by services, you can change them for backdoors so when the services get re-executed the backdoors will be executed.
You can see the PATH used by systemd with:
If you find that you can write in any of the folders of the path you may be able to escalate privileges. You need to search for relative paths being used on service configurations files like:
Then, create an executable with the same name as the relative path binary inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action (Start, Stop, Reload), your backdoor will be executed (unprivileged users usually cannot start/stop services but check if you can use sudo -l
).
Learn more about services with man systemd.service
.
Timers are systemd unit files whose name ends in **.timer**
that control **.service**
files or events. Timers can be used as an alternative to cron as they have built-in support for calendar time events and monotonic time events and can be run asynchronously.
You can enumerate all the timers with:
If you can modify a timer you can make it execute some existents of systemd.unit (like a .service
or a .target
)
In the documentation you can read what the Unit is:
The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (See above.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix.
Therefore, to abuse this permission you would need to:
Find some systemd unit (like a .service
) that is executing a writable binary
Find some systemd unit that is executing a relative path and you have writable privileges over the systemd PATH (to impersonate that executable)
Learn more about timers with man systemd.timer
.
To enable a timer you need root privileges and to execute:
Note the timer is activated by creating a symlink to it on /etc/systemd/system/<WantedBy_section>.wants/<name>.timer
Unix Domain Sockets (UDS) enable process communication on the same or different machines within client-server models. They utilize standard Unix descriptor files for inter-computer communication and are set up through .socket
files.
Sockets can be configured using .socket
files.
Learn more about sockets with man systemd.socket
. Inside this file, several interesting parameters can be configured:
ListenStream
, ListenDatagram
, ListenSequentialPacket
, ListenFIFO
, ListenSpecial
, ListenNetlink
, ListenMessageQueue
, ListenUSBFunction
: These options are different but a summary is used to indicate where it is going to listen to the socket (the path of the AF_UNIX socket file, the IPv4/6 and/or port number to listen, etc.)
Accept
: Takes a boolean argument. If true, a service instance is spawned for each incoming connection and only the connection socket is passed to it. If false, all listening sockets themselves are passed to the started service unit, and only one service unit is spawned for all connections. This value is ignored for datagram sockets and FIFOs where a single service unit unconditionally handles all incoming traffic. Defaults to false. For performance reasons, it is recommended to write new daemons only in a way that is suitable for Accept=no
.
ExecStartPre
, ExecStartPost
: Takes one or more command lines, which are executed before or after the listening sockets/FIFOs are created and bound, respectively. The first token of the command line must be an absolute filename, then followed by arguments for the process.
ExecStopPre
, ExecStopPost
: Additional commands that are executed before or after the listening sockets/FIFOs are closed and removed, respectively.
Service
: Specifies the service unit name to activate on incoming traffic. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option.
If you find a writable .socket
file you can add at the beginning of the [Socket]
section something like: ExecStartPre=/home/kali/sys/backdoor
and the backdoor will be executed before the socket is created. Therefore, you will probably need to wait until the machine is rebooted.
&#xNAN;Note that the system must be using that socket file configuration or the backdoor won't be executed
If you identify any writable socket (now we are talking about Unix Sockets and not about the config .socket
files), then you can communicate with that socket and maybe exploit a vulnerability.
Exploitation example:
Socket Command InjectionNote that there may be some sockets listening for HTTP requests (I'm not talking about .socket files but the files acting as unix sockets). You can check this with:
If the socket responds with an HTTP request, then you can communicate with it and maybe exploit some vulnerability.
The Docker socket, often found at /var/run/docker.sock
, is a critical file that should be secured. By default, it's writable by the root
user and members of the docker
group. Possessing write access to this socket can lead to privilege escalation. Here's a breakdown of how this can be done and alternative methods if the Docker CLI isn't available.
If you have write access to the Docker socket, you can escalate privileges using the following commands:
These commands allow you to run a container with root-level access to the host's file system.
In cases where the Docker CLI isn't available, the Docker socket can still be manipulated using the Docker API and curl
commands.
List Docker Images: Retrieve the list of available images.
Create a Container: Send a request to create a container that mounts the host system's root directory.
Start the newly created container:
Attach to the Container: Use socat
to establish a connection to the container, enabling command execution within it.
After setting up the socat
connection, you can execute commands directly in the container with root-level access to the host's filesystem.
Note that if you have write permissions over the docker socket because you are inside the group docker
you have more ways to escalate privileges. If the docker API is listening in a port you can also be able to compromise it.
Check more ways to break out from docker or abuse it to escalate privileges in:
Docker SecurityIf you find that you can use the ctr
command read the following page as you may be able to abuse it to escalate privileges:
If you find that you can use the runc
command read the following page as you may be able to abuse it to escalate privileges:
D-Bus is a sophisticated inter-Process Communication (IPC) system that enables applications to efficiently interact and share data. Designed with the modern Linux system in mind, it offers a robust framework for different forms of application communication.
The system is versatile, supporting basic IPC that enhances data exchange between processes, reminiscent of enhanced UNIX domain sockets. Moreover, it aids in broadcasting events or signals, fostering seamless integration among system components. For instance, a signal from a Bluetooth daemon about an incoming call can prompt a music player to mute, enhancing user experience. Additionally, D-Bus supports a remote object system, simplifying service requests and method invocations between applications, streamlining processes that were traditionally complex.
D-Bus operates on an allow/deny model, managing message permissions (method calls, signal emissions, etc.) based on the cumulative effect of matching policy rules. These policies specify interactions with the bus, potentially allowing for privilege escalation through the exploitation of these permissions.
An example of such a policy in /etc/dbus-1/system.d/wpa_supplicant.conf
is provided, detailing permissions for the root user to own, send to, and receive messages from fi.w1.wpa_supplicant1
.
Policies without a specified user or group apply universally, while "default" context policies apply to all not covered by other specific policies.
Learn how to enumerate and exploit a D-Bus communication here:
D-Bus Enumeration & Command Injection Privilege EscalationIt's always interesting to enumerate the network and figure out the position of the machine.
Always check network services running on the machine that you weren't able to interact with before accessing it:
Check if you can sniff traffic. If you can, you could be able to grab some credentials.
Check who you are, which privileges do you have, which users are in the systems, which ones can login and which ones have root privileges:
Some Linux versions were affected by a bug that allows users with UID > INT_MAX to escalate privileges. More info: here, here and here.
Exploit it using: systemd-run -t /bin/bash
Check if you are a member of some group that could grant you root privileges:
Interesting Groups - Linux PrivescCheck if anything interesting is located inside the clipboard (if possible)
If you know any password of the environment try to login as each user using the password.
If don't mind about doing a lot of noise and su
and timeout
binaries are present on the computer, you can try to brute-force user using su-bruteforce.
Linpeas with -a
parameter also try to brute-force users.
If you find that you can write inside some folder of the $PATH you may be able to escalate privileges by creating a backdoor inside the writable folder with the name of some command that is going to be executed by a different user (root ideally) and that is not loaded from a folder that is located previous to your writable folder in $PATH.
You could be allowed to execute some command using sudo or they could have the suid bit. Check it using:
Some unexpected commands allow you to read and/or write files or even execute a command. For example:
Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.
In this example the user demo
can run vim
as root
, it is now trivial to get a shell by adding an ssh key into the root directory or by calling sh
.
This directive allows the user to set an environment variable while executing something:
This example, based on HTB machine Admirer, was vulnerable to PYTHONPATH hijacking to load an arbitrary python library while executing the script as root:
Jump to read other files or use symlinks. For example in sudoers file: hacker10 ALL= (root) /bin/less /var/log/*
If a wildcard is used (*), it is even easier:
Countermeasures: https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/
If the sudo permission is given to a single command without specifying the path: hacker10 ALL= (root) less you can exploit it by changing the PATH variable
This technique can also be used if a suid binary executes another command without specifying the path to it (always check with strings the content of a weird SUID binary).
If the suid binary executes another command specifying the path, then, you can try to export a function named as the command that the suid file is calling.
For example, if a suid binary calls /usr/sbin/service apache2 start you have to try to create the function and export it:
Then, when you call the suid binary, this function will be executed
The LD_PRELOAD environment variable is used to specify one or more shared libraries (.so files) to be loaded by the loader before all others, including the standard C library (libc.so
). This process is known as preloading a library.
However, to maintain system security and prevent this feature from being exploited, particularly with suid/sgid executables, the system enforces certain conditions:
The loader disregards LD_PRELOAD for executables where the real user ID (ruid) does not match the effective user ID (euid).
For executables with suid/sgid, only libraries in standard paths that are also suid/sgid are preloaded.
Privilege escalation can occur if you have the ability to execute commands with sudo
and the output of sudo -l
includes the statement env_keep+=LD_PRELOAD. This configuration allows the LD_PRELOAD environment variable to persist and be recognized even when commands are run with sudo
, potentially leading to the execution of arbitrary code with elevated privileges.
Save as /tmp/pe.c
Then compile it using:
Finally, escalate privileges running
A similar privesc can be abused if the attacker controls the LD_LIBRARY_PATH env variable because he controls the path where libraries are going to be searched.
When encountering a binary with SUID permissions that seems unusual, it's a good practice to verify if it's loading .so files properly. This can be checked by running the following command:
For instance, encountering an error like "open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)" suggests a potential for exploitation.
To exploit this, one would proceed by creating a C file, say "/path/to/.config/libcalc.c", containing the following code:
This code, once compiled and executed, aims to elevate privileges by manipulating file permissions and executing a shell with elevated privileges.
Compile the above C file into a shared object (.so) file with:
Finally, running the affected SUID binary should trigger the exploit, allowing for potential system compromise.
Now that we have found a SUID binary loading a library from a folder where we can write, lets create the library in that folder with the necessary name:
If you get an error such as
that means that the library you have generated need to have a function called a_function_name
.
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. GTFOArgs is the same but for cases where you can only inject arguments in a command.
The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
gdb -nx -ex '!sh' -ex quit sudo mysql -e '! /bin/sh' strace -o /dev/null /bin/sh sudo awk 'BEGIN {system("/bin/sh")}'
If you can access sudo -l
you can use the tool FallOfSudo to check if it finds how to exploit any sudo rule.
In cases where you have sudo access but not the password, you can escalate privileges by waiting for a sudo command execution and then hijacking the session token.
Requirements to escalate privileges:
You already have a shell as user "sampleuser"
"sampleuser" have used sudo
to execute something in the last 15mins (by default that's the duration of the sudo token that allows us to use sudo
without introducing any password)
cat /proc/sys/kernel/yama/ptrace_scope
is 0
gdb
is accessible (you can be able to upload it)
(You can temporarily enable ptrace_scope
with echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
or permanently modifying /etc/sysctl.d/10-ptrace.conf
and setting kernel.yama.ptrace_scope = 0
)
If all these requirements are met, you can escalate privileges using: https://github.com/nongiach/sudo_inject
The first exploit (exploit.sh
) will create the binary activate_sudo_token
in /tmp. You can use it to activate the sudo token in your session (you won't get automatically a root shell, do sudo su
):
The second exploit (exploit_v2.sh
) will create a sh shell in /tmp owned by root with setuid
The third exploit (exploit_v3.sh
) will create a sudoers file that makes sudo tokens eternal and allows all users to use sudo
If you have write permissions in the folder or on any of the created files inside the folder you can use the binary write_sudo_token to create a sudo token for a user and PID. For example, if you can overwrite the file /var/run/sudo/ts/sampleuser and you have a shell as that user with PID 1234, you can obtain sudo privileges without needing to know the password doing:
The file /etc/sudoers
and the files inside /etc/sudoers.d
configure who can use sudo
and how. These files by default can only be read by user root and group root.
If you can read this file you could be able to obtain some interesting information, and if you can write any file you will be able to escalate privileges.
If you can write you can abuse this permission
Another way to abuse these permissions:
There are some alternatives to the sudo
binary such as doas
for OpenBSD, remember to check its configuration at /etc/doas.conf
If you know that a user usually connects to a machine and uses sudo
to escalate privileges and you got a shell within that user context, you can create a new sudo executable that will execute your code as root and then the user's command. Then, modify the $PATH of the user context (for example adding the new path in .bash_profile) so when the user executes sudo, your sudo executable is executed.
Note that if the user uses a different shell (not bash) you will need to modify other files to add the new path. For example sudo-piggyback modifies ~/.bashrc
, ~/.zshrc
, ~/.bash_profile
. You can find another example in bashdoor.py
Or running something like:
The file /etc/ld.so.conf
indicates where the loaded configurations files are from. Typically, this file contains the following path: include /etc/ld.so.conf.d/*.conf
That means that the configuration files from /etc/ld.so.conf.d/*.conf
will be read. This configuration files points to other folders where libraries are going to be searched for. For example, the content of /etc/ld.so.conf.d/libc.conf
is /usr/local/lib
. This means that the system will search for libraries inside /usr/local/lib
.
If for some reason a user has write permissions on any of the paths indicated: /etc/ld.so.conf
, /etc/ld.so.conf.d/
, any file inside /etc/ld.so.conf.d/
or any folder within the config file inside /etc/ld.so.conf.d/*.conf
he may be able to escalate privileges.
Take a look at how to exploit this misconfiguration in the following page:
By copying the lib into /var/tmp/flag15/
it will be used by the program in this place as specified in the RPATH
variable.
Then create an evil library in /var/tmp
with gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6
Linux capabilities provide a subset of the available root privileges to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation. Read the following page to learn more about capabilities and how to abuse them:
Linux CapabilitiesIn a directory, the bit for "execute" implies that the user affected can "cd" into the folder. The "read" bit implies the user can list the files, and the "write" bit implies the user can delete and create new files.
Access Control Lists (ACLs) represent the secondary layer of discretionary permissions, capable of overriding the traditional ugo/rwx permissions. These permissions enhance control over file or directory access by allowing or denying rights to specific users who are not the owners or part of the group. This level of granularity ensures more precise access management. Further details can be found here.
Give user "kali" read and write permissions over a file:
Get files with specific ACLs from the system:
In old versions you may hijack some shell session of a different user (root). In newest versions you will be able to connect to screen sessions only of your own user. However, you could find interesting information inside the session.
List screen sessions
Attach to a session
This was a problem with old tmux versions. I wasn't able to hijack a tmux (v2.1) session created by root as a non-privileged user.
List tmux sessions
Attach to a session
Check Valentine box from HTB for an example.
All SSL and SSH keys generated on Debian based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected by this bug. This bug is caused when creating a new ssh key in those OS, as only 32,768 variations were possible. This means that all the possibilities can be calculated and having the ssh public key you can search for the corresponding private key. You can find the calculated possibilities here: https://github.com/g0tmi1k/debian-ssh
PasswordAuthentication: Specifies whether password authentication is allowed. The default is no
.
PubkeyAuthentication: Specifies whether public key authentication is allowed. The default is yes
.
PermitEmptyPasswords: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is no
.
Specifies whether root can log in using ssh, default is no
. Possible values:
yes
: root can login using password and private key
without-password
or prohibit-password
: root can only login with a private key
forced-commands-only
: Root can login only using private key and if the commands options are specified
no
: no
Specifies files that contain the public keys that can be used for user authentication. It can contain tokens like %h
, which will be replaced by the home directory. You can indicate absolute paths (starting in /
) or relative paths from the user's home. For example:
That configuration will indicate that if you try to login with the private key of the user "testusername" ssh is going to compare the public key of your key with the ones located in /home/testusername/.ssh/authorized_keys
and /home/testusername/access
SSH agent forwarding allows you to use your local SSH keys instead of leaving keys (without passphrases!) sitting on your server. So, you will be able to jump via ssh to a host and from there jump to another host using the key located in your initial host.
You need to set this option in $HOME/.ssh.config
like this:
Notice that if Host
is *
every time the user jumps to a different machine, that host will be able to access the keys (which is a security issue).
The file /etc/ssh_config
can override this options and allow or denied this configuration.
The file /etc/sshd_config
can allow or denied ssh-agent forwarding with the keyword AllowAgentForwarding
(default is allow).
If you find that Forward Agent is configured in an environment read the following page as you may be able to abuse it to escalate privileges:
SSH Forward Agent exploitationThe file /etc/profile
and the files under /etc/profile.d/
are scripts that are executed when a user runs a new shell. Therefore, if you can write or modify any of them you can escalate privileges.
If any weird profile script is found you should check it for sensitive details.
Depending on the OS the /etc/passwd
and /etc/shadow
files may be using a different name or there may be a backup. Therefore it's recommended find all of them and check if you can read them to see if there are hashes inside the files:
In some occasions you can find password hashes inside the /etc/passwd
(or equivalent) file
First, generate a password with one of the following commands.
Then add the user hacker
and add the generated password.
E.g: hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
You can now use the su
command with hacker:hacker
Alternatively, you can use the following lines to add a dummy user without a password. WARNING: you might degrade the current security of the machine.
NOTE: In BSD platforms /etc/passwd
is located at /etc/pwd.db
and /etc/master.passwd
, also the /etc/shadow
is renamed to /etc/spwd.db
.
You should check if you can write in some sensitive files. For example, can you write to some service configuration file?
For example, if the machine is running a tomcat server and you can modify the Tomcat service configuration file inside /etc/systemd/, then you can modify the lines:
Your backdoor will be executed the next time that tomcat is started.
The following folders may contain backups or interesting information: /tmp, /var/tmp, /var/backups, /var/mail, /var/spool/mail, /etc/exports, /root (Probably you won't be able to read the last one but try)
Read the code of linPEAS, it searches for several possible files that could contain passwords. Another interesting tool that you can use to do so is: LaZagne which is an open source application used to retrieve lots of passwords stored on a local computer for Windows, Linux & Mac.
If you can read logs, you may be able to find interesting/confidential information inside them. The more strange the log is, the more interesting it will be (probably). Also, some "bad" configured (backdoored?) audit logs may allow you to record passwords inside audit logs as explained in this post: https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/.
In order to read logs the group adm will be really helpful.
You should also check for files containing the word "password" in its name or inside the content, and also check for IPs and emails inside logs, or hashes regexps. I'm not going to list here how to do all of this but if you are interested you can check the last checks that linpeas perform.
If you know from where a python script is going to be executed and you can write inside that folder or you can modify python libraries, you can modify the OS library and backdoor it (if you can write where python script is going to be executed, copy and paste the os.py library).
To backdoor the library just add at the end of the os.py library the following line (change IP and PORT):
A vulnerability in logrotate
lets users with write permissions on a log file or its parent directories potentially gain escalated privileges. This is because logrotate
, often running as root, can be manipulated to execute arbitrary files, especially in directories like /etc/bash_completion.d/. It's important to check permissions not just in /var/log but also in any directory where log rotation is applied.
This vulnerability affects logrotate
version 3.18.0
and older
More detailed information about the vulnerability can be found on this page: https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition.
You can exploit this vulnerability with logrotten.
This vulnerability is very similar to CVE-2016-1247 (nginx logs), so whenever you find that you can alter logs, check who is managing those logs and check if you can escalate privileges substituting the logs by symlinks.
Vulnerability reference: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f
If, for whatever reason, a user is able to write an ifcf-<whatever>
script to /etc/sysconfig/network-scripts or it can adjust an existing one, then your system is pwned.
Network scripts, ifcg-eth0 for example are used for network connections. They look exactly like .INI files. However, they are ~sourced~ on Linux by Network Manager (dispatcher.d).
In my case, the NAME=
attributed in these network scripts is not handled correctly. If you have white/blank space in the name the system tries to execute the part after the white/blank space. This means that everything after the first blank space is executed as root.
For example: /etc/sysconfig/network-scripts/ifcfg-1337
(Note the blank space between Network and /bin/id)
The directory /etc/init.d
is home to scripts for System V init (SysVinit), the classic Linux service management system. It includes scripts to start
, stop
, restart
, and sometimes reload
services. These can be executed directly or through symbolic links found in /etc/rc?.d/
. An alternative path in Redhat systems is /etc/rc.d/init.d
.
On the other hand, /etc/init
is associated with Upstart, a newer service management introduced by Ubuntu, using configuration files for service management tasks. Despite the transition to Upstart, SysVinit scripts are still utilized alongside Upstart configurations due to a compatibility layer in Upstart.
systemd emerges as a modern initialization and service manager, offering advanced features such as on-demand daemon starting, automount management, and system state snapshots. It organizes files into /usr/lib/systemd/
for distribution packages and /etc/systemd/system/
for administrator modifications, streamlining the system administration process.
LinEnum: https://github.com/rebootuser/LinEnum(-t option) Enumy: https://github.com/luke-goddard/enumy Unix Privesc Check: http://pentestmonkey.net/tools/audit/unix-privesc-check Linux Priv Checker: www.securitysift.com/download/linuxprivchecker.py BeeRoot: https://github.com/AlessandroZ/BeRoot/tree/master/Linux Kernelpop: Enumerate kernel vulns ins linux and MAC https://github.com/spencerdodd/kernelpop Mestaploit: multi/recon/local_exploit_suggester Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester EvilAbigail (physical access): https://github.com/GDSSecurity/EvilAbigail Recopilation of more scripts: https://github.com/1N3/PrivEsc
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)