So you've found a foothold on a machine, and you're looking to get root access. You might know the path to root but are unsure how to make it all work, or you could be unsure where to even start looking.
Well, you've come to the right place. This guide has plenty of information on Linux privilege escalation techniques. We will show you how to use both manual techniques and automated tools to detect potential privilege escalation methods.
Whether through kernel exploits, service exploits, cron jobs, or sudo permissions, we will show you examples of how to gain root access via one of many methods.
So if you are ready to learn Linux privilege escalation techniques, let’s start.
Understanding Privilege Escalation
Before we look at privilege escalation, let’s talk about root privileges. In a Linux environment, the highest level of access is termed "root."
A user with root privileges can perform any operation on the system, such as read, write, or delete any file, stop or start services, install or uninstall applications, and manage user accounts.
Linux privilege escalation can be described as the following:
It is a process or technique that allows a user with lower-level permissions to either horizontally switch to another user's privileges on the same level or vertically escalate their privileges to that of a root user.
This typically happens due to misconfigurations within the system or by exploiting vulnerabilities in certain versions of services or the kernel.
Privilege escalation is a crucial step in a penetration test or when completing a CTF, as it gives you full control of the system, allowing you to do some of the following:
- Bypass access controls
- Change passwords
- Create new users as a means of persistence
- Make changes to the software
We will show you how to find the kernel and sudo versions, display the command line history, perform user and network enumeration, look for cron jobs running with elevated privileges, or detect potential misconfiguration via manual methods and automated tools.
The manual enumeration in privilege escalation is a crucial process involving a detailed, hands-on review of a system's configuration and services. Manual enumeration can provide deeper insights and allows for quieter testing.
There is a lot of enumeration that you can do once you gain a foothold on a machine, and you should always gather as much information as possible. We will show you how to do some common enumeration on a machine.
Make note of all the information you gather, you never know what will be useful.
If you find a kernel version with an exploit available, you can use this to gain a root shell. You can check the kernel version by using the command
If LSB modules are installed, you can check for the Linux version with the command
lsb_release -a. If not, you can check the Linux version by using
As with the kernel version, the sudo version may also be susceptible to an exploit depending on the version running. You can check the sudo version by using the command
One of the first places you need to check is the command history on the machine. You could find valuable information, such as passwords. To check the history, simply type history in the command line.
You can check for system-wide cronjobs set to run at specific intervals, which may reveal some interesting information using the command
An effective strategy for an easy win when looking for Linux privilege escalation is looking at what sudo permissions your user currently has. This might reveal that you can run certain commands as sudo. In the terminal, type
A good idea when first stepping into a new machine is to check what groups your user is a part of. To check the id of your user in the terminal, enter id.
Check Network Info
It’s always a great idea to do network enumeration once you have a foothold on a machine. It will help you understand the lay of the land. Checking to see if you are potentially dual-homed (multiple network interfaces) will give you a better grasp on your next move.
This information can be crucial in understanding the network topology and identifying potential routes or pivot points. To check network information, you can use the command
If you want a great resource for Linux commands, see our Linux Command Line Cheat Sheet.
Automated tools are a great resource when performing enumeration on a Linux machine. They do all the heavy lifting for you, looking for privilege escalation vectors that can be compromised.
LinEnum (Linux Enumeration) is a popular privilege escalation tool. It is designed to display information about the Linux system that could be used in identifying potential vulnerabilities, misconfigurations, and privilege escalation opportunities.
LineEnum gathers information that includes user accounts, file permissions, active processes, installed packages, network configurations, scheduled cron jobs, system logs, version info, and more.
LinPEAS, also known as “Linux Privilege Escalation Awesome Script,” is another popular tool that can help identify potential paths to spawning a root shell. It can help find misconfigurations or vulnerabilities that could be exploited to escalate privileges within a Linux environment.
LinPEAS uses a color-coded system highlighting which privilege escalation vectors have the best chance of working. The main ones to pay attention to are red/yellow (95% a PE vector) and red (you should look at it).
Pspy is a command-line tool that allows you to spy on processes running in a Linux system without needing root permissions. Penetration testers and ethical hackers often use it to monitor the activities of a system and identify potential vulnerabilities.
The tool is particularly useful for identifying processes running as cron jobs or other scheduled tasks, often a target for privilege escalation attacks. By identifying these processes, a tester can find opportunities for exploiting misconfigurations or vulnerabilities that could allow an attacker to gain higher privileges on the system.
Linux Exploit Suggester
Linux Exploit Suggester is a Linux privilege escalation tool that checks the machine for potential kernel exploits. This tool calculates the likelihood of the exploit being successful using “Highly Probable, Probable, Less Probable, and Unpropable” scores.
Linux Smart Enumeration
Linux Smart Enumeration is another tool similar to LinPEAS. It's designed to identify system vulnerabilities, misconfigurations, and other potential routes for escalating privileges on a system. However, LSE is known for its unique "levels" of checks, which allow users to specify the depth of enumeration based on their needs.
It has three levels of verbosity. By default, the system will display the most critical security vulnerabilities. Executing Level 1 reveals useful information that could assist you in escalating privileges. Executing Level 2 will provide an extensive dump of all the system data gathered.
Kernel exploits are a type of vulnerability in the kernel of the Linux operating system. These exploits take advantage of bugs or flaws in the kernel's code. Various issues, such as buffer overflows, could cause this. Obviously, this is most prevalent in older kernels that have not been updated.
In practical terms, these exploits usually involve an attacker executing code that triggers the identified bug. This execution often leads to unexpected behavior by the kernel, allowing the attacker's code to run with elevated privileges.
Let’s look at how to use a kernel exploit to elevate our privileges and spawn a root shell. For this demo, we will use the Kioptrix level 1.1 VM from VulnHub
Once we have established a shell on the machine, we can start with manual enumeration. Let’s check the version of Linux running and which kernel version is being used with the command
As you can see from the screenshot above, this machine is running CentOS with a kernel version of 2.6.9. Our next step is to use searchsploit and look for an exploit with the following command: searchsploit linux CentOS 2.6 privilege escalation.
Alternatively, you can check Exploit Database or do a Google search with the kernel version. Always be cautious of running random exploits on client systems, and make sure you understand what the code is doing.
A few exploits match our information, but the exploit we will use is 9545.c. We must transfer this from Kali to our target machine and compile it into an executable. If you want to read up on what this exploit does and how it works, see Exploit Database for more information.
Let’s start a Python server on our Kali machine and download the exploit via wget on the Kioptrix machine. The following command will start a Python server on port 8000. Ensure you start the server in the same folder where the exploit is located.
python3 -m http.server
Next, we can use the wget command to download the exploit to Kioptrix with the command:
Ensure you use the IP of the machine running the Python server.
Using the temp folder when downloading tools or scripts is always a good idea due to its access, read and write permissions, and low-security monitoring. Additionally, it helps with file cleanup as files in this folder are often auto-deleted, reducing the chances of leaving traces.
Let’s compile our exploit, change the file to an executable, then run the exploit. Once complete, we will have root privileges. The specific command for compiling exploits is often included as a comment within the script itself.
We can compile this exploit by using:
gcc 9545.c -o privesc.
Service exploits leverage vulnerabilities in system or application services. These services are background programs that offer specific functionalities to other programs or users, with examples including web servers, database servers, and email servers, among others. A service with an exploitable vulnerability can allow an attacker to elevate privileges.
The process of a service exploit involves the attacker manipulating a vulnerability within a service to execute malicious code. Depending on the specific vulnerability and the service involved, successful exploitation results can vary significantly.
Let’s walk through leveraging a service exploit to root access via the Raven 2 VM from VulnHub.
Once you have access to the machine via the reverse shell, it’s time to do some enumeration and find any potential exploits.
We already have MySQL credentials that were located in the wp-config file.
Let’s run LinPeas on the system and see if we can find any privilege paths.
After reading through the output provided by LinPeas, we find that MySQL is running as root.
Let’s check and see if any exploits are available for this version.
Great, we have a potential privilege escalation service exploit we can use called udf_root. In essence, the exploit takes advantage of UDFs (a User Defined Function is a piece of code that extends the functionality of a MySQL server) in MySQL to execute system commands with the privileges of the MySQL service, thereby escalating our privileges on the system.
It does this by copying /bin/sh to the temp folder, setting the owner to root, and then setting the SUID permissions on the /bin/sh binary, giving us a root shell.
We need to Download the udf_root script from GitHub to our Kali machine. We renamed ours ravenprivesc.py and then transferred it to the target by starting a Python server in Kali and using wget to download it to the Raven machine.
We need to provide the MySQL credentials found earlier to run the script. Username: root and password: R@v3nSecurity.
And we are root.
In Linux systems, sudo stands for "super user do." It's a command that allows regular users to run certain commands with the security privileges of the superuser (root). The main purpose of sudo is to limit root privileges to only those moments when they are truly necessary.
We can exploit a sudo rule that allows us to run a certain command, such as cat, find, or python, with elevated privileges, which we can manipulate to run arbitrary commands instead.
Let’s exploit sudo permissions via shell escaping with the Raven VM from VulnHub.
Once you have your shell via SSH, we can do some enumeration to see what privileges we have. Remember from the manual section above that we mentioned always checking if you have enabled sudo permissions.
Let’s check our sudo permissions with the
sudo -l command.
As you can see from the screenshot above, we can run Python with sudo privileges without providing a password. Let’s take advantage of this to get a root shell.
A great resource to check is the GTFOBins website. GTFOBins is a curated list of Unix binaries that we can use to bypass local security restrictions. We can check this resource to find what command we can run with Python to become root.
Let’s run the command
sudo python -c 'import os; os.system("/bin/sh")'
We are now the root user.
SUID, which stands for Set owner User ID. SUID allows users to run an executable with the same permissions as the file owner. For example, if a file has the SUID bit set, the standard user can run the file with root privileges.
The SUID permission can be set using the chmod command with the four prefix (for example, chmod 4755 filename), and it can be identified in a long listing (
ls -l) with an s in the place of the users execute (x) permission (for example,
See our Linux File Permissions Cheat Sheet for a thorough explanation of file permissions.
Let’s look at how to take advantage of the SUID bit being set with the Mr.Robot VM from VulnHub.
Once you have a reverse shell, we can start enumeration and see if there are any files with the SUID bit enabled. We can do this both manually and via an automated tool.
To check for SUID manually, in the terminal type:
find / -type f -perm -04000 -ls 2>/dev/null
We can also check for SUID files using LinPeas.
As you can see, we can take advantage of the SUID bit set on the Nmap command to elevate our privileges and become root.
You can find a detailed procedure on how to perform this on GTFOBins.
Running Nmap with the ‘--interactive’ flag starts it in interactive mode, and ‘!sh’ spawns a shell from within the interactive mode. Since the SUID bit is set on Nmap, the shell will run with root privileges.
Scheduled tasks in Linux are operations that run at predefined times or intervals. They are used to automate repetitive tasks so that they can be accomplished without human intervention.
Linux accomplished this through “cron.” The cron utility is a job scheduler; It lets you automate tasks to the minute. Tasks are set up in the crontab, a simple text configuration file containing a list of commands to run at specified times. Each line of the file represents a single command and follows a syntax that specifies when the command should run.
If a scheduled task runs with higher privileges (like a root cron job), and if it's misconfigured to execute a file or script writable by a regular user, we can modify this file or script to include malicious commands, leading to privilege escalation when the scheduled task is executed.
We can look at scheduled tasks with the Symfonos 3 VM from VulnHub.
Once we have established the connection to the machine via SSH, we can start our enumeration. The first step is to transfer pspy from our Kali machine to the target via the Python server.
python3 -m http.server
We use the wget command to download pspy from the server. Just make sure to use the IP from your machine.
Let’s run pspy with the following:
After letting pspy run for a few minutes, we notice a process called ftpclient.py running periodically.
Let’s investigate the file and see if we can somehow append it with some code to spawn a reverse root shell.
We don’t have write privileges to the ftpclient.py file, but we notice the file is importing “ftplib.” Maybe we can write it into that file. Let’s take a closer look at it.
Since we are part of the “gods” group, we have read and write access to the file. We can append this file with a shell, wait for the scheduled task to execute, and we should become the root user.
And back on our Kali machine.
When it comes to Linux privilege escalation, one of the easiest methods to become the root user is finding passwords. This can provide a direct route to gaining increased access to a system. There are several methods that attackers might use to find passwords on a system.
Linux users may store their passwords in plain text; if these files are not properly secured, we may access the user's account.
Once we locate a password, we can use it to escalate our privileges by logging into a higher-privileged account or using it with sudo to run commands with elevated privileges.
Let’s look at how this works using the SickOS VM from VulnHub. Once we have a shell on the machine, we can search for passwords. The first thing we can do is look and see what other users are on the system using the
cat /etc/passwd command.
As you can see, we have another user called sickos. The next step is searching for passwords stored in plain text. We can use the following command to search for PHP files containing the string "pass."
find / -maxdepth 4 -name *.php -type f 2>/dev/null | xargs grep -C 3 -i pass
As you can see, we have a username ‘root’ and password ‘john@123’ stored in plaintext. Let’s see if we can switch to the sickos user with the password we found. Sometimes passwords are reused for more than one service.
And it worked. We have elevated our www-data user to the sickos user. As always, let’s check if we have any sudo privileges with the
sudo -l command.
We can run all commands as the root user, so we run
sudo su. And now have a root shell.
We have walked you through various Linux privilege escalation techniques such as kernel and service exploits, understanding SUID, managing scheduled tasks, and navigating password discovery.
These techniques and tools, from exploiting misconfigured sudo permissions to leveraging vulnerable services, form an essential part of a pentester's toolkit. You’ve learned how to enumerate via manual methods and with automated tools.
And you now better understand some of the most common misconfigurations in a Linux environment that can lead to privilege escalation.
Now that you’ve seen how you can leverage privilege escalation attacks in different ways, why not practice with our hands-on penetration testing labs?