RedTeam
5.Machine
1.Linux
General
Exploitation
1.Privilege-Escalation
General Privs Esc

What is Privilege Escalation

Privilege escalation is the act of exploiting a bug, vulnerability or misconfiguration in an operating system or application to gain elevated access to resources that are normally protected from an application or user. This can allow an attacker to perform actions that they would not normally be able to do, such as deleting files, accessing sensitive data, or running programs. There are many ways that privilege escalation can be accomplished, including exploiting vulnerabilities in software, using default or weak passwords, or manipulating configuration settings. It is important for system administrators and users to be aware of the risks of privilege escalation and to take steps to secure their systems and applications to prevent it from occurring.

Initial Enumeration

When you gain initial shell access to the host, it is important to check several key details.

OS Version: Knowing the distribution (Ubuntu, Debian, FreeBSD, Fedora, SUSE, Red Hat, CentOS, etc.) will give you an idea of the types of tools that may be available.

Kernel Version: As with the OS version, there may be public exploits that target a vulnerability in a specific kernel version.

  • Command
ps aux | grep root

Installed Packages and Versions: Like running services, it is important to check for any out-of-date or vulnerable packages that may be easily leveraged for privilege escalation.

Logged in Users: Knowing which other users are logged into the system and what they are doing can give greater into possible local lateral movement and privilege escalation paths.

User Home Directories: Are other user's home directories accessible? User home folders may also contain SSH keys that can be used to access other systems or scripts and configuration files containing credentials.

  • We can check individual user directories and check to see if files such as the .bash_history file are

readable and contain any interesting commands, look for configuration files, and check to see if we can obtain copies of a user's SSH keys.

  • List Directory
ls -la /home/USER/
ls -l ~/.ssh            ---> List ssh key
history                 ---> Check history (commands)

Sudo Privileges: Can the user run any commands either as another user or as root? If you do not have credentials for the user, it may not be possible to leverage sudo permissions.

sudo -l

Configuration Files: Configuration files can hold a wealth of information. It is worth searching through all files that end in extensions such as .conf and .config, for usernames, passwords, and other secrets

Readable Shadow File: If the shadow file is readable, you will be able to gather password hashes for all users who have a password set

Password Hashes in /etc/passwd: Occasionally, you will see password hashes directly in the /etc/passwd file. This file is readable by all users, and as with hashes in the shadow file, these can be subjected to an offline password cracking attack. This configuration, while not common, can sometimes be seen on embedded devices and routers.

Cron Jobs: Cron jobs on Linux systems are similar to Windows scheduled tasks. They are often set up to perform maintenance and backup tasks.

ls -la /etc/cron.daily/

Unmounted File Systems and Additional Drives: If you discover and can mount an additional drive or unmounted file system, you may find sensitive files, passwords, or backups that can be leveraged to escalate privileges.

lsblk

SETUID and SETGID Permissions: Binaries are set with these permissions to allow a user to run a command as root, without having to grand root-level access to the user.

Writeable Directories: It is important to discover which directories are writeable if you need to download tools to the system.

find / -path /proc -prune -o -type d -perm - o+w 2>/dev/null

Writeable Files: Are any scripts or configuration files world-writable? While altering configuration files can be extremely destructive, there may be instances where a minor modification can open up further access.

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null