Estimated Difficulty: ๐๐๐๐๐ค
Congratulations, you’ve got a foothold!
Now what? Bop to the Top and get yourself some Root!
The following blog will detail my own personal checklist that I run through when attempting to privilege escalate in a Linux environment. From my personal experience, it has a fairly good success rate – but I’ll also list further resources I have used to help me git gud get root in the past when this list hasn’t quite hit the mark.
NB: With the exception of #1, this list doesn’t necessarily have to be completed in order – it’s complete personal preference ๐
#1 – Get to Know Your Environment
Probably the most important step (in my eyes anyhow) is getting to know the environment that you’re in. Who have you compromised the system as? What kind of system are you in? What is your environment like? What permissions do you have? All very good questions to know the answers to…
A few commands that can help you understand your environment are listed below:
uname
uname -a
Using “uname -a” will help retrieve information about the system’s hardware and software, including: name, version and release date of the kernel, the type of operating system (OS) and machine name. By retrieving this information, you can gain a better understanding of the type of environment you are in, including identifying if the system is running a vulnerable kernel that you may be able to exploit to gain root privilege. An example of this is the infamous Dirty COW exploit, which effects older versions of Linux distributions.
id
id
Using the “id” command will help identify your current User ID (uid), Group ID (gid) and the groups you are currently a member of. This information can help you understand your current privileges and group access, which can be further enumerated to identify ways to privilege escalate to root.
whoami
whoami
This command does what it says on the tin, it identifies who you currently are on the system – just in case you didn’t know.
env
env
The “env” command retrieves the variables in the current environment. This may include the type of shell you have (e.g. /bin/bash), your home directory, your current directory, your username – and many more! Familiarising yourself with your current environmental variables will help you gain an understanding of the more “nitty gritty” aspects to your environment. Some variables, such as PATH, can actually be used as a way to privilege escalate… but that’s another blog post in itself ๐
After using these four commands, hopefully you will have a deeper understanding of the type of system you are working in – which will help you identify potential ways to escalate to root.
#2 – Check for Root Running Active Processes
The next step on my checklist, is to always check what’s currently running and/or active on the system. In particular, we are interested in any active processes that are running as root – to do this, you can do the following:
ps aux | grep root
Doing this will help you identify anything that is currently running as a root privilege. You may be able to hijack these services to gain root privilege (something like a tmux session is an excellent example of this) or this will help you identify points for further enumeration or investigation (i.e. are any of these services vulnerable?)
#3 – Check Crontab
Crontab is a handy thing to check once you’ve compromised a system. Crontab is a file, used by the cron daemon, that defines a list of tasks and commands (cron jobs) that are regularly run on the system. Sometimes cron jobs are used for testing or administrative purposes, however if you can identify any tasks that are run as root that you can overwrite – you can utilise that crontab task to execute your commands/code instead. Previously I have used crontab to spawn shells, but you can overwrite it to do anything of your choosing – including adding files such as SSH keys (hint, hint – nudge, nudge).
To check the crontab file, you can do the following:
cat /etc/crontab
You should see something similar to this:
Crontab is a valuable resource for potential privilege escalation, if you are interested – an article dedicated to crontab privilege escalation can be found here.
#4 – Check Network Connections
Next up on my “Bop to the Top” list I recommend to check the outgoing and incoming connections on the system, either by the system itself or by users active on the host. To do this I use “netstat” which retrieves the network statistics of the system.
netstat -alntp
Using the “-alntp” flags will display all connections (-a), including listening sockets(-l), numerical addresses(-n), TCP connections(-t) and relevant Process IDs (PIDs) and programs to the displayed sockets and connections.
By checking the network connections on the system, you can identify if there are any connections or programs that you may be able to either attempt to enumerate further, or potentially hijack to escalate to root e.g. if you can identify a MySQL database that is active (127.0.0.1:3306), you may be able to attempt to retrieve passwords, credentials etc.
NB: Depending on the version and flavour of Linux, “netstat” may not be available – however you can also use alternative commands such as SS or IP. For alternatives to deprecated networking commands, please have a look here
#5 – Check for SUID/SGID Executables
SUID (Set User ID) and SGIDs (Set Group ID) executables are those that execute with the permission of the owner (SUID) or group (SGID). You can identify SUIDs and SGIDs by a representative “s” in the execute permission field the file:
-rwsr-sr-x
If an “s” is present in the user execute permission field, the file will execute with the permission of the owner. If an “s” is present in the group execute permission field, the file will execute with the permission of the group. SUIDs and SGIDs are used to temporarily allow elevated privileges to perform tasks, however can often be exploited to gain root privilege.
To find SUIDs:
find / -user root -perm -4000 -print 2>/dev/null
To find SGIDs:
find / -user root -perm -2000 -print 2>/dev/null
To find SUIDs + SGIDs:
find / \( -perm -4000 -o -perm -2000 \) -a -type f -ls 2>/dev/null
Alternatively, you can also just list files and check for the relevant “s” execute permissions using:
ls -lah
Commonly known SUIDs/SGIDs that can be utilised to privilege escalate are: Nmap, Vim, Find, Bash, More, Less, Nano and Cp. A handy guide to exploiting these SUIDs/SGIDs (by Penetration Testing Lab) can be found here.
#6 – Check /etc/passwd
I suppose an extension of checking your environment, it’s always wise to have a snoop at /etc/passwd. The “passwd” file holds user account information and is usually readable by all users. If you’re lucky, the “passwd” file may contain password hashes that you can attempt to crack, or if it’s world-writeable you can append the file to add a user with root privileges, or change the password for an existing account.
To check /etc/passwd:
cat /etc/passwd
The user information should look similar this:
user:x:0:0:,,,:/home/user:/bin/bash
Each field is separated by a colon, and represents a different attribute to the user.
<Username>:<Password>:<UserID>:<GroupID>:<GecosField>:<HomeDirectory>:<Shell>
If an “x” is representing the password field, this indicates that the password is encrypted. If a user has no password, an “*” will represent the password field. If you are lucky enough to find password hashes, they should be in this field.
NB: If you notice a $1 in the hash, this signposts a weak MD5 and it’s usually fairly easy to crack!
If /etc/passwd is world-writeable, you can append a root privilege account by doing the following:
echo "privesc:Npge08pfz4wuk:0:0:privesc,,,:/:/bin/bash" >> /etc/passwd
This adds a root privilege user “privesc” with the password “password”.
Simply:
su privesc
And use the password “password” to get root privilege this way!
#7 – Check for all World-Writable Files and Folders
World-writable files are an absolute gem when trying to find a way to privilege escalate, especially if they are owned by root. Some of these files may be scripts, that you can edit to run your own code – or they could be items such as config files that you can tamper with to change permissions of other things that you can compromise on your way to root.
To find all world-writable files:
find / -type f -perm -2 2>/dev/null | grep -v "^/proc/"
To find all world-writable files owned by root:
find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null
World-writable folders are also just as useful for privilege escalation. If you can find a folder that you can write to, you may be able to add key files such as SSH keys or rhosts files that could be your key to root.
To find world-writable directories:
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -asl {} \;
#7 – Check Sudo Actions
Sudo allows you to execute commands as another, elevated user. To check what actions you can do with elevated privileges (usually root) you can:
sudo -l
Usually administrators allow users to execute commands as sudo for debugging or development purposes. However, this can be abused – as some executables (when sudo’d) can be used as a way to privilege escalate to get all the root.
You can reference actions against GTFOBins, which is a collection of binaries and executables that can be exploited to gain root privileges – or you can also use GTFOBLookup to query the collection offline.
#8 – Check Mounted/Unmounted Systems
It’s always wise to see how the host’s file systems are mounted, as sometimes (due to poor permissions) you can mount the root file system or even export it. To check how file systems are mounted, you can try the following:
mount
df -h
fdisk -l
It’s also wise to check any unmounted file systems that you can attempt to mount:
cat /etc/fstab cat /etc/mtab
Even if you can’t mount the root system, keep an eye out for sensitive files and partitions that may be useful for you in your journey to root!
#9 – Plaintext Passwords and Credentials
The final item on my checklist, is to check the obvious. Check for plaintext passwords and credentials throughout the environment (you’d be surprised…). Sometimes they are saved as literal password files (e.g. mypasswords.txt) or other times they may be hiding in config files.
Most of the time this will be a manual thing, but sometimes you can grep to find strings like “password” to help you:
grep -iRl "password" ./
Privilege Escalation Goals
Ideally you should try to attain one of the following to achieve root:
1, Spawn a root shell (e.g. /bin/bash)
2. Find root credentials
3. Spawn a bind/reverse shell back to your machine
4. Add “access” files (e.g. SSH Keys, Rhosts Files)
Please note there’s a few other ways to obtain root, the above four points are definitely not the only ways to privilege escalate. This is just a write-up of my own personal privilege escalation method/goals that I always try to attain ๐
Further Resources
This checklist definitely isn’t the 100% you will get root list.
I’ve attached a few more lists/methods below should you find that you need it:
G0tm1lk’s Basic Linux Privilege Escalation Guide:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Swissky’s “PayloadsAllTheThings” Linux Privilege Escalation Methodology:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
Download/Clone “LinEnum” to your compromised system – a tool that enumerates and check privilege escalation variables (e.g. finds world-writable files) within your environment:
https://github.com/rebootuser/LinEnum
C’est Fini
I hope you enjoyed this blog and that some of my checklist points can help you “Bop to the Top”. Another reminder that this is my personal checklist – it won’t be the answer to everything (unfortunately). Please have a look to at the attached further resources for other privilege escalation techniques and methods.
As always, constructive criticism and comments are welcome ๐
Great write up thanks! Keep them coming
Thank you! Glad the write-up was of good use. We certainly will keep the posts rolling out ๐
A lot of pretty awesome tips and one-liners there! Nice and thanks for sharing!
Cheers Dan! Happy to hear it was useful ๐