Privilege Escalation

Privilege Escalation Techniques

The information gathered using the techniques below can be leveraged with scripts available on GTFOBins to elevate privileges on a Linux target.

1. SUDO Rights

The sudo command allows users to run specific commands with elevated privileges. Checking sudo rights helps identify which commands the user can execute as another user (including root).

# List all sudo privileges of the current user
sudo -l

2. SUID/SGID Files

SUID (Set User ID) and SGID (Set Group ID) files allow processes to run with the privileges of the file owner or group, respectively. Misconfigured SUID/SGID files can be exploited to escalate privileges.

# Find all files with the SUID permission
find / -type f -perm -04000 -ls 2>/dev/null

# Find all files with SUID or SGID permissions
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

The exploitation process for these files may include:

  • finding a ready-to-use exploit on GTFOBins.

  • finding and modifying the dependencies (libraries, scripts, files) these binaries load at runtime.

# Dump printable strings to spot hard-coded paths, library names or commands called without an absolute path
strings <SUID Binary>

# Step through the binary to see which files and libraries it actually opens at runtime
gdb <SUID Binary>

3. Writable/Readable Files

Writable files allow modification, and readable files may contain sensitive information. Misconfigured permissions could provide access to sensitive data or scripts.

# Find all writable files
find / -writable 2>/dev/null

# Find all readable files
find / -readable 2>/dev/null

4. Capabilities

Linux capabilities enable privileged operations without granting full root access. Misconfigured capabilities on binaries can allow privilege escalation.

# List all files with capabilities enabled
getcap -r / 2>/dev/null

5. Process Snooping

Monitoring running processes, especially scheduled tasks, can help discover vulnerabilities. Misconfigured processes or tasks can expose sensitive data or allow privilege escalation.

Pspy is a tool for monitoring processes without root privileges. It can help identify tasks or scripts executed by higher-privileged users.

  • pspy32 for 32-bit systems.

  • pspy64 for 64-bit systems.

6. PATH Manipulation

Processes that rely on insecure PATH variables can be exploited by injecting malicious scripts or binaries. Adding a custom directory to the PATH can make the system execute your script.

# Check the current PATH environment variable
echo $PATH

# Temporarily modify the PATH variable to include a custom directory
export PATH=/tmp:$PATH
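The two conditions above (a writable directory on the search path, and an unexpected SUID file) are the ones an administrator most often wants to verify from the other side. The following audit helpers are an added example for this page, not a script from GTFOBins, pspy or any tool the page names; the function names and the baseline format (one absolute path per line, captured from a known-good build) are assumptions.

```shell
#!/bin/sh
# Audit helpers (added example): flag PATH entries an unprivileged user could
# plant a binary in, and SUID files that drifted from an approved baseline.

# check_path_hygiene PATH_VALUE
# Prints one line per risky entry; prints nothing when every entry looks sane.
check_path_hygiene() {
    rest="$1:"                  # sentinel colon so the last entry is consumed too
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            ""|.)
                # Empty or "." means "the caller's current directory": whatever
                # directory the privileged process is in gets searched first.
                printf 'RELATIVE %s\n' "${entry:-<empty>}" ;;
            /*)
                if [ ! -d "$entry" ]; then
                    # A missing entry can be created by whoever can write its parent.
                    printf 'MISSING %s\n' "$entry"
                elif [ -n "$(find "$entry" -prune -perm -0002 ! -perm -1000 -print 2>/dev/null)" ]; then
                    # World-writable without the sticky bit: anyone can drop a
                    # file here that shadows later entries in the search order.
                    printf 'WORLD_WRITABLE %s\n' "$entry"
                fi ;;
            *)  printf 'RELATIVE %s\n' "$entry" ;;
        esac
    done
    return 0
}

# suid_drift ROOT BASELINE_FILE
# Lists SUID files under ROOT that are absent from BASELINE_FILE (one absolute
# path per line, captured from a known-good build of the same image).
suid_drift() {
    scratch="${TMPDIR:-/tmp}/suid_drift.$$"
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort > "$scratch"
    sort "$2" | comm -23 "$scratch" -
    rm -f "$scratch"
    return 0
}

# Run against the current shell's PATH; pair suid_drift with a baseline kept
# off-host, e.g.: suid_drift / /path/to/suid-baseline.txt  (placeholder path)
check_path_hygiene "$PATH"
```

Any `WORLD_WRITABLE` or `RELATIVE` line is a candidate for the PATH hijack described above; any line from `suid_drift` is a binary to account for before the next `find / -perm -04000` is needed.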
