Index for Linux Privilege Escalation

Guides to have at hand

• HackTricks. Written by the creator of WinPEAS and LinPEAS.
• Vulnhub PrivEsc Cheatsheet.
• s0cm0nkey's Security Reference Guide.

This is a nice summary related to Local Privilege Escalation by @s4gi_:

Basic enumeration

See Linux Enumeration Cheat sheet

Enumeration scripts

Enumeration scripts

• Scan the Linux system with "linEnum".
• Search for possible paths to escalate privileges with "linPEAS".
• Enumerate privileges with "Linux Privilege Checker" tool.
• Enumerate possible exploits with "Linux Exploit Suggester" tool.

Privilege escalation techniques

Techniques

• Configuration files
• Crack sensitive files
• Cron jobs: path, wildcards, file overwrite
• Dirty cow
• Dirty Pipe
• Escaping restricted shells
• Escaping docker: Pentesting docker
• Escaping kubernetes
• Hijacking Tmux Sessions
• Kernel vulnerability exploitation
• Lxd privileges escalation
• Logrotate
• Netfilter
• NFS
• Password Mining: logs, memory, history, configuration files
• Path Abuse
• Polkit
• Process capabilities: getcap
• Python Library Hickjacking
• Shared libraries: LD_PRELOAD / LD_LIBRARY_PATH.
• Shared object hijacking
• ssh keys
• Sudo Rights Abuse
• Suid binaries: shared object injection, symlink, environmental variables
• Vulnerable services:
  • Screen 4.5.0
• Wildcard Abuse

Linux hardening

1. Updates and Patching

• Keep your system up to date to mitigate known privilege escalation vulnerabilities.
• Ubuntu/Debian: Use unattended-upgrades for automated updates.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

• Red Hat-based systems: Use yum-cron for automatic updates.

sudo yum install yum-cron
sudo systemctl enable --now yum-cron

2. Configuration Management

File and Directory Security

• Audit writable files and SUID binaries:

find / -perm -4000 2>/dev/null
find / -writable -type f 2>/dev/null

• Remove unnecessary SUID binaries:

chmod u-s /path/to/binary

Cron Jobs and Sudo Security

• Ensure absolute paths are used in cron jobs and sudo commands.
• Review cron job permissions:

ls -l /etc/cron* /var/spool/cron/

Credential Management

• Do not store plaintext passwords in world-readable files.
• Clean up home directories and bash history:

cat /dev/null > ~/.bash_history && history -c

Library Security

• Prevent low-privileged users from modifying custom libraries.
• Audit shared library usage:

ldd /path/to/binary

Remove Unnecessary Packages and Services

• Disable unused services:

systemctl disable --now <service>

• Remove unnecessary packages:

sudo apt purge <package>
sudo yum remove <package>

SELinux/AppArmor

• Enable SELinux for additional security:

setenforce 1

• Check AppArmor status:

aa-status

3. User Management

Limit User Accounts and Privileges

• Check active users:

cat /etc/passwd

• Check sudo privileges:

sudo -l

• Restrict sudo access based on least privilege:

visudo

Password Policies

• Enforce password history using /etc/security/opasswd:

sudo vi /etc/pam.d/common-password
password required pam_unix.so remember=5 sha512

• Enforce password expiration:

chage -M 90 -W 7 username

Monitoring and Automation

• Use tools like Puppet, SaltStack, Zabbix, and Nagios for automation.
• Enable remote alerts for security events.

4. Audit and Security Baselines

• Perform regular security audits using industry standards like DISA STIGs, ISO27001, PCI-DSS, and HIPAA.
• Supplement with penetration testing and vulnerability scans.

Lynis Security Auditing Tool

• Install and run Lynis:

git clone https://github.com/CISOfy/lynis
cd lynis
./lynis audit system

Example Output Warnings

! Found one or more cronjob files with incorrect file permissions (SCHD-7704)
! systemd-timesyncd never successfully synchronized time (TIME-3185)

Lynis Hardening Suggestions

• Set a GRUB boot loader password:

grub-mkpasswd-pbkdf2

• Disable core dumps:

echo '* hard core 0' >> /etc/security/limits.conf

• Run pwck to check password file integrity:

pwck

Last update: 2025-02-23
Created: February 2, 2023 19:36:50