Basic Linux Privilege Escalation

Enumeration is the Key

(Linux) privilege escalation is all about:

  • Collect - Enumeration, more enumeration and some more enumeration
  • Process - Sort through the data, analyse and prioritise.
  • Search - Know what to search for and where to find the exploit code.
  • Adapt - Customize the exploit so it fits. Not every exploit works for every system "out of the box".
  • Try - Get ready for (lots of) trial and error

Operating System

What's the distribution type? What version?

What's the kernel version? Is it 64-bit?

What can be learnt from the environmental variables?

Is there a printer?

Applications & Services

What services are running? Which service has which user privilege?

Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!

What applications are installed? What version are they? Are they currently running?

Are any of the services' settings misconfigured? Are any (vulnerable) plugins attached?

What jobs are scheduled?

Any plain text usernames and/or passwords?

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

What other users & hosts are communicating with the system?

What's cached? IP and/or MAC addresses

Is packet sniffing possible? What can be seen? Listen to live traffic

Note: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

Have you got a shell? Can you interact with the system?

Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Is port forwarding possible? Redirect and interact with traffic from another view

Note: http://www.boutell.com/rinetd/

Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip

Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

Is tunnelling possible? Send commands locally, remotely

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?

What sensitive files can be found?

Anything "interesting" in the home directory(s)? If it's possible to access them

Are there any passwords in scripts, databases, configuration files or log files? Check the default paths and locations for passwords

What has the user been doing? Is there any password in plain text? What have they been editing?

What user information can be found?

Can private-key information be found?

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?

What can be found in /var/ ?

Any (hidden) settings/files on the website? Any settings file with database information?

Is there anything in the log file(s)? (Could help with "Local File Includes"!)

Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If commands are limited, can you break out of the "jail" shell?

How are file-systems mounted?

Are there any unmounted file-systems?

What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID

Where can files be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm

Any "problem" files? World-writable files, files owned by "nobody"

Preparation & Finding Exploit Code

What development tools/languages are installed/supported?

How can files be uploaded?

Finding exploit code

http://www.exploit-db.com/

http://1337day.com/

http://www.securiteam.com/

http://www.securityfocus.com/

http://www.exploitsearch.net/

http://metasploit.com/modules/

http://securityreason.com/

http://seclists.org/fulldisclosure/

http://www.google.com/


Finding more information regarding the exploit

http://www.cvedetails.com/

http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) "common" exploits. Warning: these are pre-compiled binary files. Use at your own risk.

http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations

Is any of the above information easy to find?

Try doing it! Set up a cron job that automates your own script(s) and/or third-party products.

Is the system fully patched?

Kernel, operating system, all applications, their plugins and web services

Are services running with the minimum level of privileges required?

For example, do you need to run MySQL as root?
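As an added example (not from the original post or from g0tmi1k's tooling), a small POSIX sh audit a defender can run from cron and diff against a saved baseline, covering the world-writable file, SUID/SGID and root-owned service questions above. The path to scan, the allowlist of daemons expected to run as root and the sample process list are all constructed assumptions.

```shell
#!/bin/sh
# Added defensive audit script (not part of the original post).
# Assumes POSIX sh, find(1) with -perm/-xdev, and ps(1) with -eo.

# World-writable files, and world-writable directories lacking the sticky bit
find_world_writable() {
    find "$1" -xdev \( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \) 2>/dev/null
}

# SUID / SGID executables; each one listed is a candidate for review
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Reads "user comm" lines (the shape of `ps -eo user,comm`) on stdin and
# prints the root-owned processes not on the space-separated allowlist in $1
flag_root_services() {
    allow=" $1 "
    while read -r user comm; do
        [ "$user" = root ] || continue
        case "$allow" in *" $comm "*) ;; *) echo "$comm" ;; esac
    done
}

# Constructed sample process list (not captured from a real host)
SAMPLE_PS='root systemd
root sshd
mysql mysqld
root mysqld
www-data apache2
root cron'

run_audit() {
    echo "== world-writable under $1 =="; find_world_writable "$1"
    echo "== setuid/setgid under $1 =="; find_setid "$1"
    echo "== root processes outside the allowlist =="
    ps -eo user,comm 2>/dev/null | flag_root_services "systemd sshd cron init"
}

# Runs only when a path is given, e.g.:
#   sh audit.sh / > today.txt; diff baseline.txt today.txt
if [ $# -gt 0 ]; then run_audit "$1"; fi
```

Run it from cron on a schedule and alert on any line that is new compared with the baseline; the allowlist is a starting point to tune per host.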

Scripts

Can any of this be automated?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net/

Other (quick) guides & Links

Enumeration

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

Misc

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/operations/2009/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html


Forked from g0tmi1k blog with s2