Linux systems often have opportunities for privilege escalation through misconfigured files, directories, or binaries. An attacker can use tools like Metasploit, searchsploit, and exploitDB to search for known exploits to escalate privileges on older or outdated systems. System enumeration reveals useful information for privilege escalation like kernel versions, user accounts, permissions, and processes. Misconfigured permissions on files, directories, or binaries with sudo/setuid/setgid can allow escalating privileges by modifying or executing files as a privileged user.

1. 1
Linux Remote Escalation
Privilege
Escalation

2. Meterpreter
Often, the remote shell will be created
via an automatic tool like Metasploit. In
the case of a meterpreter shell, two
commands become especially beneficial:
Use priv – loads extensive permissions
Getsystem – uses a few preconfigured
techniques in an attempt to escalate
privileges
Note that these exploits might not
always work.
2

3. Known CVE
Some exploits exist solely for the
purpose of privilege escalation and
might be available.
• Netfilter
• BPF
The above are two are examples of Linux
exploits for some new kernel versions
4.4.
Other exploits will need to be compiled
and then transferred to the system. To
easily search for these, we can use the
tool Searchsploit [keywords].
3

4. 4
Searching for Exploits
Known Exploits
Looking for basic system information like OS version and kernel version is easily done. Most people do not worry about every
new update, so it is safe to assume that an old OS version will have a known bug. The bug might have been fixed in newer
versions, but because no one updated the system, a vulnerability still exists.
Below are some common search engines for exploits:
ENGINE USAGE RESULTS
msfconsole msf> search [key words] Exploits and payloads available for usage right from
the msf console itself
searchsploit searchsploit [key words] The results from the exploit-db, including
precompiled C code and documentation
exploitDB https://www.exploit-db.com/ Exploits, precompiled C code, documentations and
CVE documents

5. Enumeration
Gaining control of a remote system is
only the first step, then the goal
becomes getting to the highest
privileges as fast as possible.
Enumeration is the process of collecting
various information related to the
system itself:
• System version
• Environmental variables
• Running services
• Installed applications
• Scheduled jobs
• Permissions
LinEnum is a bash script available from
github that provides a decent amount of
information.
5

6. 6
How Different Data Is Useful
DATA INSIGHT
Kernel and distribution information This information can help in the process of searching for known exploits
Previously/currently logged users Provides insight about other users that might be hackable
Group memberships Improve knowledge of the system when searching for weak permissions
Sudo executable commands Having sudo executable commands might be a way to PE
Environmental information Especially important for identifying bad PATH configurations
Automated tasks PE via automated tasks is a common attack vector
Network information Knowing the network structure may suggest more targets to exploit
Running processes with permissions Some processes may be outdated and exploitable
Binaries associated with permissions Binaries with misconfigured permissions are the reason for most PE

7. Plain Text
It is surprising how many people leave
critical information lying around in text
files, notes, or in documents in their
home folder.
Quickly navigating through some
common folders and searching for files
labeled “pass” or “secret” might pop a
thing or two.
There are a few useful built-in tools that
perform searches like find and grep,
which can be used to search for files or
plain text.
7

8. 8
File Permissions
File name
-rwxr-xr-x 1 root root 10469 Aug 7 2017 savelog
Known Exploits
When looking at the permissions through the shell, each set of ‘rwx’ corresponds with one of the entities: ‘owner’, ‘group’ or
‘everybody’. The number represents the amount of hard links to the file, and the owner:group corresponds to the ownership
assignment of the file.
Below is a slightly more graphical explanation:
Date modifiedSizeOwner’s
group
Owner
Hard link
count
Everybody
Group
Owner
Special
flags

9. Misconfigured Permissions
The Linux architecture has a file
representation for everything. For this
reason, it is important to understand
how Linux file permissions work.
The possibility of one file having
misconfigured permission is highly likely.
Files with different permissions can be
found with verities of the find command.
For example, find -type f -writable will
find all the writable files.
9

10. SETUID
When set-user identification permission is set on an
executable file, a process that runs this file is granted
access based on the owner of the file, usually root,
rather than the user who is running the executable
file. This special permission allows a user to access
files and directories that are normally only available to
the owner.
When looking at the permissions of an executable,
setuid can be noticed by having ‘s’ in the place of ‘x’ at
the owner position.
SETGID
The set-group identification permission is similar to
setuid, except that the process's effective group ID is
changed to the group owner of the file, and a user is
granted access based on permissions granted to that
group.
When looking at the permissions of an executable
setuid can be noticed by having ‘s’ in the place of ‘x’ at
the group position.
10
Run As

11. Setuid / Setgid
Dealing with Linux permissions can be
tricky, especially when encountering
setuid or setgid.
Using this option is usually done to allow
a user to run a program without actually
having the privileges to run it.
But, in the case the user is given “write”
permission for the file, it can be altered
and cause the system to run
unprivileged commands as root.
11

12. Sudo Permissions on Binaries
A Linux System can have a special group
of users who are permitted to run a
limited number of commands as root.
The user-type has low privileges, with
the ability to run a listed set of
commands as if the user was root.
For no specific reason, many commands
can spawn a shell, and these commands
can be exploited when listed in the sudo
list of a user.
12

13. 13
Shell Through Binaries
BINARY SHELL
Find Find . -exec /bin/bash /;
Awk awk 'BEGIN {system("/bin/sh")}'
Nmap Nmap --interactive (older versions)
Vi :shell
Python python -c 'import pty; pty.spawn("/bin/bash")'
Perl perl —e 'exec "/bin/bash";'
Ruby ruby: exec "/bin/sh"
Lua lua: os.execute('/bin/sh')

14. Sudo Permissions
Among the worst things in a system to
be given root privileges are text editors
and programming languages.
Most text editors and most
programming languages like Python,
Perl, or Ruby have built-in commands
that allow spawning a shell.
Knowing most processes inherit their
ancestors’ privileges, a shell spawned
through a root editor or a root-
privileged programming language will
cause a root shell.
14