The information gathered using the techniques below can be leveraged with scripts available on GTFOBins to elevate privileges on a Linux target.
1. SUDO Rights
The sudo command allows users to run specific commands with elevated privileges. Checking sudo rights helps identify which commands the user can execute as another user (including root).
# List all sudo privileges of the current user
sudo -l
2. SUID/SGID Files
SUID (Set User ID) and SGID (Set Group ID) files allow processes to run with the privileges of the file owner or group, respectively. Misconfigured SUID/SGID files can be exploited to escalate privileges.
# Find all files with the SUID permission
find /opt /etc /bin /sbin /usr/bin /usr/sbin /home /root -type f -perm -04000 -ls 2>/dev/null
# Find all files with SUID or SGID permissions
find /opt /etc /bin /sbin /usr/bin /usr/sbin /home /root -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
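From the defender's side, the same find is most useful when it is compared against a known-good baseline, so that a setuid binary that was not there yesterday stands out. The script below is an added example, not code from the original page; it assumes GNU find (for -printf) and the constructed baseline/scan files used in the comments, and scans the same directory list as the page's command.

```shell
#!/bin/sh
# Added example: diff the current set of SUID/SGID files against a saved baseline.
# Assumes GNU find (-printf). Directory list is the one used on the page.
SCAN_DIRS="/opt /etc /bin /sbin /usr/bin /usr/sbin /home /root"

# Emit one "mode owner path" line per SUID/SGID file, sorted so the diff is stable.
scan_suid() {
    # shellcheck disable=SC2086  # SCAN_DIRS is intentionally word-split
    find $SCAN_DIRS -xdev -type f \( -perm -u+s -o -perm -g+s \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# Print lines present in the current scan ($2) but absent from the baseline ($1).
# Both files must be in scan_suid format (sorted), because comm relies on ordering.
new_suid_entries() {
    comm -13 "$1" "$2"
}

# Usage (run once on a known-good host, then on every later audit):
#   scan_suid > suid-baseline.txt
#   scan_suid > suid-now.txt && new_suid_entries suid-baseline.txt suid-now.txt
```

Recording mode and owner as well as the path means a change such as an existing binary gaining the setuid bit also appears as a new line, not only brand-new files.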
Exploiting these files may involve locating and modifying the dependencies they use; the binaries can be inspected with:
strings <SUIDBinary>
gdb <SUIDBinary>
3. Writable/Readable Files
Writable files allow modification, and readable files may contain sensitive information. Misconfigured permissions could provide access to sensitive data or scripts.
4. Capabilities
Linux capabilities enable privileged operations without granting full root access. Misconfigured capabilities on binaries can allow privilege escalation.
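An audit of file capabilities is only useful if it separates benign grants (cap_net_raw on ping, for instance) from the ones that are effectively root. The function below is an added example, not from the original page: it reads getcap output on stdin and reports each binary carrying one of a constructed list of high-risk capabilities, handling both the older "path = caps+ep" and the newer "path caps=ep" output formats of getcap.

```shell
#!/bin/sh
# Added example: flag binaries whose file capabilities are root-equivalent.
# The HIGH_RISK_CAPS list is an assumption chosen for this example, not a standard set.
HIGH_RISK_CAPS="cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# Read getcap -r output on stdin; print "path capability" for every high-risk match.
flag_risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}            # the path is the first field in both getcap formats
        caps=${line#"$path"}        # the remainder holds the capability list
        for cap in $HIGH_RISK_CAPS; do
            case "$caps" in
                *"$cap"*) echo "$path $cap" ;;
            esac
        done
    done
}

# Usage: getcap -r / 2>/dev/null | flag_risky_caps
```

Anything this prints should map to a documented, deliberate grant; a capability such as cap_setuid on a general-purpose interpreter or an unknown helper is worth the same scrutiny as a new setuid binary.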
5. Process Snooping
Monitoring running processes, especially scheduled tasks, can help discover vulnerabilities. Misconfigured processes or tasks can expose sensitive data or allow privilege escalation.
Pspy is a tool for monitoring processes without root privileges. It can help identify tasks or scripts executed by higher-privileged users.
pspy32 for 32-bit systems.
pspy64 for 64-bit systems.
6. PATH Manipulation
Processes that rely on insecure PATH variables can be exploited by injecting malicious scripts or binaries. Adding a custom directory to the PATH can make the system execute your script.
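The condition described here (and the writable-permissions point in section 3) is straightforward to check mechanically: a PATH that contains an empty entry or ".", or a directory that other users can write to, lets a command name resolve to something the caller did not intend. The function below is an added example, not from the original page; it takes a PATH-style string and reports each risky entry with a constructed label (RELATIVE, WORLD-WRITABLE, MISSING), using only POSIX sh and find.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that make command lookup unsafe.
# Labels (RELATIVE, WORLD-WRITABLE, MISSING) are chosen for this example.
check_path_entries() {
    rest="$1:"                     # trailing colon so the last entry is processed too
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            ""|.)
                # An empty entry or "." is resolved against the current directory.
                echo "RELATIVE: '${dir:-<empty>}' resolves to the current directory" ;;
            *)
                if [ ! -d "$dir" ]; then
                    # A missing directory could later be created by anyone allowed to.
                    echo "MISSING: $dir does not exist"
                elif [ -n "$(find "$dir" -maxdepth 0 -perm -o+w 2>/dev/null)" ]; then
                    # Any user can drop a file here that shadows a real command.
                    echo "WORLD-WRITABLE: $dir"
                fi ;;
        esac
    done
}

# Usage: check the caller's own PATH, or the PATH a cron job or service runs with.
#   check_path_entries "$PATH"
#   check_path_entries "$(tr '\0' '\n' < /proc/<pid>/environ | sed -n 's/^PATH=//p')"
```

Run it against the environment of scheduled jobs and services, not just an interactive shell: those are the callers whose PATH order decides which binary an unqualified command name executes.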