Linux Privilege Escalation


  • Linux Capabilities (getcap)
  • sudo -ln (for when you get shell but don't have a password, do -l if you have password)
  • check /opt and ~/
  • SUID files
  • cron-executed files

Linux Capabilities

To get the capabilities of a binary, use the getcap command. For example, if you execute:
getcap /usr/bin/python3.8
getcap -r / 2>/dev/null
and it returns /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip , you are then able to abuse setuid , as follows:
python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
More details on hacktricks and hackingarticles

SUID Files

Files with the SUID bit set execute as the owner, rather than the current user. If a binary has the ability to execute a command, such as find, you may be able to use it to execute commands as root:sudo find . -exec /bin/bash /;
To find SUID files, execute the following command:
find / -perm -u=s -type f 2>/dev/null

Ultra-specific Privilege Escalation

(Likely) one-off privilege escalation techniques to provide future inspiration.

SUID executable core dump

Situation: A SUID executable reads a file into memory that you lack permission to read. The executable has coredump generation enabled (Source code contains prctl(PR_SET_DUMPABLE, 1) or hinted at by a valgrind file).
Note: Using GDB to debug the SUID executable will result in the executable not gaining privilege as GDB uses your current permission level.
Run the SUID executable to the point that it reads the file. Once read, background the process with ctrl + Z , use PS to locate the executables' PID, and then send SIGSEGV to cause a segmentation fault (kill -SIGSEGV [PID]). Finally, execute fg to resume (and crash) the file, resulting in a crash file appearing (/var/crash/_path_to_executable.uid.crash).
Use apport-unpack to unpack the crash information into a new folder apport-unpack /tmp/_path_to_executable.uid.crash /tmp/mycrash. Switch to the /tmp/mycrash directory.
apport-unpack output
Explore the content of the CoreDump using a command such as strings CoreDump. Hopefully, the file content you are looking for will appear.