Skip to main content

Introduction to Linux Privilege Escalation

  • Root = full access
  • Allows capture network access restricted files
  • If connected to DC attacker can get NTLM hash

Enumeration

  • IMP step to learn about system
  • Below info is imp
    • OS Version
    • Kernel Version
    • Running Services

List Current Processes

  • Use ps aux
hexadivine@htb[/htb]$ ps aux | grep root

root 1 1.3 0.1 37656 5664 ? Ss 23:26 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 23:26 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 23:26 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 23:26 0:00 [kworker/0:0]
root 5 0.0 0.0 0 0 ? S< 23:26 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? S 23:26 0:00 [kworker/u8:0]
root 7 0.0 0.0 0 0 ? S 23:26 0:00 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 23:26 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 23:26 0:00 [migration/0]
  • Check for any out-of-date or vulnerable packages
    • An example is Screen (tool for multi-terminal)
    • screen version 4.05.00 suffers from a privilege escalation
  • Check for logged in users
    • insight into possible local lateral movement and privilege escalation paths

List Current Terminal-Attached Processes

hexadivine@htb[/htb]$ ps au

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1256 0.0 0.1 65832 3364 tty1 Ss 23:26 0:00 /bin/login --
cliff.moore 1322 0.0 0.1 22600 5160 tty1 S 23:26 0:00 -bash
shared 1367 0.0 0.1 22568 5116 pts/0 Ss 23:27 0:00 -bash
root 1384 0.0 0.1 52700 3812 tty1 S 23:29 0:00 sudo su
root 1385 0.0 0.1 52284 3448 tty1 S 23:29 0:00 su
root 1386 0.0 0.1 21224 3764 tty1 S+ 23:29 0:00 bash
shared 1397 0.0 0.1 37364 3428 pts/0 R+ 23:30 0:00 ps au