search

LineKernel

hashtag
Abdelrahman Ali Abdelaziz

Privilege escalation occurs when a computer user exploits system vulnerabilities or misconfigurations to gain access to other user accounts within a computer system. By obtaining access to these accounts, they can access additional files and execute administrative commands.

hashtag
In privilege escalations, there are two types of privilege escalations

1. Vertical privilege escalation.

2. Horizontal privilege escalation.

hashtag
Enumeration

The hostname command will return the hostname of the target machine

Hostname For wade

To get the Linux Kernel Version Use uname -r

hashtag
python version

hashtag
initial Access

The kernel is the central program within a computer's operating system, holding full control over all aspects of the system. It is the part of the operating system that always remains in memory, enabling communication between hardware and software components. Typically written in a low-level language like C, the kernel is susceptible to binary exploitation techniques, which can be used to uncover vulnerabilities.

If you want to gain privilege escalation you can search for a POC using

ok I will search for the version of kernel-vulnerable

I found CVE-2015-1328

  • Ubuntu 14.04 - Linux ubuntu 3.13.0-24-generic #46-Ubuntu x86_64

Logolinux-kernel-exploits/2015/CVE-2015-1328 at master · SecWiki/linux-kernel-exploitsGitHubchevron-right

hashtag
privEsc

hashtag
programs that the user can sudo

By running sudo -l we can see all the binaries a user can do. we first run sudo -l

sudo less

To get a password Frank uses sudo less /etc/shadow

Privilege Escalation: SUID

We run the command

circle-check

If the binary can lead to a privilege escalation

i searched i google to find the privisc using base64

unshasow

hashtag
Limited capabilities

Remember

circle-check

If the permission of a binary can lead to a privilege escalation

We search for this flaw using getcap.

i searched i google to find the privisc using capabilities

crontab

Cron => used to create job scheduling in Linux

first, check for crontab config

check all files u found check any think

We first check /karen/backup.sh

We first modify /Karen/backup.sh since we have permission

hashtag
Privilege Escalation: PATH

find the files writeable

hashtag
Privilege Escalation: NFS

hashtag
Exploiting the Network File Sharing Protocol

Network File Sharing (NFS) is a protocol allowing you to share directories and files with other Linux clients over a network

Read the _ /etc/exports _ file, if you find some directory that is configured as no_root_squash, then you can access it from as a client and write inside that directory as if you were the local root of the machine.

LogoNFS no_root_squash/no_all_squash misconfiguration PE - HackTricksbook.hacktricks.xyzchevron-right

  • Mounting that directory in a client machine, and as root copying inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it SUID rights, and execute from the victim machine that binary (you can find here some C SUID payloadsarrow-up-right).

hashtag
Capstone Project

hashtag
Enumeration

Find the SUID

hashtag
unshadow

Password1

hashtag
su missy

hashtag
check the sudo

sudo Find

hashtag
Exploit Resources

Logolinux-kernel-exploits/2015/CVE-2015-1328 at master · SecWiki/linux-kernel-exploitsGitHubchevron-right

hashtag
other Resources

LogoGTFOBinsgtfobins.github.iochevron-right
LogoNFS no_root_squash/no_all_squash misconfiguration PE - HackTricksbook.hacktricks.xyzchevron-right
LogoPayloads to execute - HackTricksbook.hacktricks.xyzchevron-right
PreviousAttacktive DirectoryNextDay 1 — Linux PrivEsc

Last updated