Linux Privilege Escalation

These pages follow the Linux PrivEsc room on TryHackMe. I found these rooms very useful in learning new escalation techniques so decided to writeup information here.

Automated Enumeration Tools

The following scripts are used to search for possible paths to escalate privileges on Linux/Unix/MacOS hosts. More info can be found here.

The tools effectiveness depends on the environment, for example a tool written in Python will not work if Python is not installed on the target system.

  1. LinPeas
  2. LinEnum
  3. LES (Linux Exploit Suggester)
  4. Linux Smart Enumeration
  5. Linux Priv Checker

Manual Enumeration Commands

These basic commands can be used to discover misconfigurations which can lead to privilege escalation. Depending on the target environment some commands can be restricted, for example the /etc/shadow file is usually protected.

Command Description
hostname prints the hostname of target machine
uname -a prints target kernel information
cat /proc/version returns more detailed information on kernel version
cat /etc/issue more OS information
cat /etc/passwd lists users found on the target system
cat /etc/shadow lists password hashes of system users
ps aux shows running processes for all users
sudo -l lists commands the current user can run as sudo
env prints system environment variables
ls -la lists current directory files, including hidden binaries
netstat -ltp shows network interfaces and routes
netstat -ano shows network sockets and timers without name resolution


Privilege Escalation Vectors

There are 6 main vectors of Linux privilege escalation. The following sections explore each vector in a CTF scenario.

Widget
something can go here