@Ali Bawazeeer
• system admin || Junior penetration tester 
• security enthusiast
• Sometimes bug hunter ..
What will I talk about?
What is Privilege Escalation & why?
• You own a machine as a non-root user (e.g. nobody), but you want to be root
https://en.wikipedia.org/wiki/Privilege_escalation
Only root users can:
• achieve persistence
• read or write any file, e.g. /etc/shadow
• root might also be your key for lateral movement
Methods
• Binary (kernel) exploits: your last resort
• Credentials are always reusable: enumerate … and enumerate more
• Valid user in sudoers ( sudo -l ): if you are lucky, you are root!
• Else: sudo escape (misconfiguration)
• Cron job: you may need to wait!
• Setuid binaries (maybe, if you play CTFs)
• Daemon and container group issues … the lxd group == the docker group!
Recon when you think!
Depends on how you reached here!
- System information [ uname -a , env , cat /proc/version , /etc/issue ]
- What is running
[ ifconfig -a , netstat -antup , lsof -i , ps , daemons … packages ( applications ) – ps aux | grep root ]
CVE -> LMGTFY
Terminal – tty [ multiple jobs to do ]
• Errors are not displayed
• You can't switch between users … if you have any
http://www.dest-unreach.org/socat/doc/socat.html
It's just boring to reconnect every time, and there is no up-arrow key :D
Found credentials …
Check sudo misconfiguration:
The community classifies this into two methods:
• Shell escape:
(root) NOPASSWD: /usr/bin/find … /usr/bin/git /usr/bin/vi … /usr/bin/curl /usr/bin/ssh
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
https://gtfobins.github.io/
• Intended behavior:
/usr/bin/python
/usr/bin/php
/usr/bin/ruby … any of them
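A read-only audit of the sudo rules described above, written for this page as an added example (not the speaker's code): it reads `sudo -l` output and flags every NOPASSWD rule whose program is an interpreter or one of the binaries the slide lists. The SHELL_CAPABLE list, the user `bob`, the host `web01` and the sample output are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a read-only audit of "sudo -l" output that
# flags NOPASSWD rules granting an interpreter or one of the binaries the slide
# lists with a documented shell escape. The list and the sample output are assumptions.

# Programs that give a shell or arbitrary execution by design or via a known escape.
SHELL_CAPABLE="ALL find git vi curl ssh python php ruby"

# Constructed "sudo -l" output for a fictional user; not captured from a real host.
SAMPLE_SUDO_L='Matching Defaults entries for bob on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
User bob may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/vi /etc/hosts
    (root) /usr/bin/systemctl restart nginx
    (www-data) NOPASSWD: /usr/bin/php /var/www/cron.php'

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# audit_sudo_rules: reads "sudo -l" text on stdin, prints one RISK line per
# NOPASSWD command whose program is in SHELL_CAPABLE. Exit 1 if any were found.
audit_sudo_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in *NOPASSWD:*) ;; *) continue ;; esac
        runas=$(trim "${line%%NOPASSWD:*}")      # e.g. "(root)"
        IFS=','; set -f
        set -- ${line#*NOPASSWD:}                # split the command list on commas
        unset IFS; set +f
        for cmd in "$@"; do
            cmd=$(trim "$cmd")
            prog=${cmd%% *}                      # program path without its arguments
            base=${prog##*/}
            for s in $SHELL_CAPABLE; do
                [ "$base" = "$s" ] || continue
                printf 'RISK %s NOPASSWD: %s\n' "$runas" "$cmd"
                found=1
            done
        done
    done
    return $found
}

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules ;;
    live)   sudo -n -l | audit_sudo_rules ;;     # audit the invoking user's own rules
esac
```

Run with `sample` to see the three flagged rules, or `live` on a host to check the current user; a non-zero exit code makes it easy to wire into a compliance job.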
CRON JOB
• Automated task scheduler
• Unsanitised (wildcard) path: /*/*/whateveryourun.php,sh,bin
• Writable file
* Matches any set of zero or more characters.
? Matches any single character.
cat /etc/crontab
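The two cron-job weaknesses on this slide, a writable job script and a wildcard in the command, checked by a small audit written for this page as an added example (not from the slides). It builds a constructed crontab and scripts in a temp dir so it runs anywhere; the paths, the `cleanup.php` job and the 0777 mode are made up.

```shell
#!/bin/sh
# Added example, not from the slides: audit crontab entries for the two risks the
# slide names, a job script (or its directory) writable by group/others, and a
# wildcard in the command. A constructed crontab in a temp dir stands in for
# /etc/crontab; all paths below are made up.

# writable_by_non_owner PATH: WRITABLE line + return 1 when the group- or
# other-write bit is set (mode string positions 6 and 9); follows symlinks.
writable_by_non_owner() {
    [ -e "$1" ] || return 0
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in ?????w????|????????w?) printf 'WRITABLE %s %s\n' "$mode" "$1"; return 1 ;; esac
    return 0
}

# audit_crontab FILE: parse "m h dom mon dow user command" lines; report wildcard
# tokens, permission-check each absolute path and its directory. Exit 1 on hits.
audit_crontab() {
    found=0
    set -f                                # no globbing while splitting lines
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=
        set -- $line
        [ $# -gt 6 ] || continue
        shift 6                           # drop the schedule fields and the user
        for tok in "$@"; do
            case "$tok" in
                *[*?]*) printf 'WILDCARD %s\n' "$tok"; found=1 ;;
                /*)     writable_by_non_owner "$tok" || found=1
                        writable_by_non_owner "${tok%/*}" || found=1 ;;
            esac
        done
    done < "$1"
    set +f
    return $found
}

# setup_lab: constructed crontab and scripts, one script deliberately 0777.
setup_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/opt/backup" "$lab/var/www"
    chmod 0755 "$lab/opt" "$lab/opt/backup" "$lab/var" "$lab/var/www"
    printf '#!/bin/sh\necho backup\n' > "$lab/opt/backup/run.sh"
    printf '<?php echo 1;\n' > "$lab/var/www/cleanup.php"
    chmod 0755 "$lab/opt/backup/run.sh"; chmod 0777 "$lab/var/www/cleanup.php"   # 0777 is the bug
    printf '%s\n' 'SHELL=/bin/sh' "*/5 * * * * root $lab/opt/backup/run.sh" \
        "0 3 * * * root /usr/bin/php $lab/var/www/cleanup.php" \
        "30 2 * * * root tar czf $lab/site.tgz $lab/var/www/*" > "$lab/crontab"
    printf '%s\n' "$lab"
}
```

`audit_crontab "$(setup_lab)/crontab"` reports the 0777 script and the `tar … /*` wildcard but stays quiet about the 0755 backup job; on a real host run `audit_crontab /etc/crontab` and the files in /etc/cron.d.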
SUID EXECUTABLES
• A Linux special permission that allows a normal user to run an executable in the context of its owner
• The permission is valuable; one wrong tweak will kill you!
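The speaker note's `find / -perm -u=s -type f 2>/dev/null` is most useful as a baseline: snapshot the setuid inventory when a host is known good, then report only what appears later. The script below is an added example for this page (not the speaker's code); the lab tree, the fake `passwd` binary and the `helper` file are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: the speaker note's "find / -perm -u=s -type f"
# turned into a baseline check, so a setuid file that was not there at install time
# is reported on its own instead of buried among the expected ones. The lab tree,
# the stand-in passwd binary and the "helper" file are constructed.

# suid_inventory ROOT: sorted list of setuid regular files under ROOT (stable
# enough to store as a baseline; -perm -4000 is the POSIX spelling of -u=s).
suid_inventory() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# suid_new BASELINE_FILE ROOT: print setuid files present now but missing from
# the baseline. Exit 1 if there are any, 0 if the inventory is unchanged.
suid_new() {
    new=$(suid_inventory "$2" | comm -13 "$1" -)
    [ -n "$new" ] || return 0
    printf '%s\n' "$new"
    return 1
}

# make_lab: constructed tree with one expected setuid binary (a fake passwd).
make_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/usr/bin" "$lab/tmp"
    printf '#!/bin/sh\n' > "$lab/usr/bin/passwd"
    chmod 4755 "$lab/usr/bin/passwd"
    printf '%s\n' "$lab"
}

# demo: snapshot the lab, then add an unexpected setuid file and re-check.
demo() {
    lab=$(make_lab)
    suid_inventory "$lab" > "$lab/baseline.txt"   # taken while the host is known good
    printf '#!/bin/sh\n' > "$lab/tmp/helper"       # later: a setuid file nobody installed
    chmod 4755 "$lab/tmp/helper"
    suid_new "$lab/baseline.txt" "$lab"; rc=$?
    rm -rf "$lab"
    return $rc
}

case "${1:-}" in demo) demo ;; esac
```

On a real host store `suid_inventory /` at build time and run `suid_new baseline.txt /` from cron; the exit code alone is enough for an alert.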
Container security == Linux security
• Docker containers are as secure as running them in separate VMs/KVM.
• People are downloading random Docker images and launching them on their hosts
< Always review >
Misunderstanding
It's isolated, so what security should I look at?
• Look to protect the host from the processes within the container
• The software you run in your containers (web applications, databases, etc.) does not require root privilege
Am I in a container (containerized)?
Breaking out of a container
• Kernel vulnerabilities: google it, trial and error (not in production)
• docker.sock access
As outlined in the docs, access to the Docker socket is akin to root access to the system.
/var/run/docker.sock
https://hub.docker.com/r/chrisfosterelli/rootplease/
• User namespaces, if you need to run as root within a container
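Because socket access is root access, the defender's question is who can reach it: members of the docker group (and the lxd group the Methods slide equates with it) plus whatever the socket's mode allows. The check below is an added example for this page (not the speaker's code); the group list and the /etc/group excerpt with users `alice`, `deploy` and `www-data` are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: list who holds daemon-level (root-equivalent)
# access on a host: members of the docker and lxd groups, plus the permissions on
# the Docker socket. The /etc/group excerpt is constructed; pass the real file or
# socket path to audit an actual host.

ROOT_EQUIV_GROUPS="docker lxd"    # assumption: groups whose members can drive the daemon

# Constructed /etc/group excerpt, not taken from a real system.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
docker:x:999:alice,deploy,www-data
lxd:x:998:deploy
users:x:100:'

# daemon_group_members: read /etc/group format on stdin and print "user via group"
# for every member of a root-equivalent group. Exit 1 if anyone was listed.
daemon_group_members() {
    found=0
    while IFS=: read -r name pw gid members; do
        for g in $ROOT_EQUIV_GROUPS; do
            [ "$name" = "$g" ] && [ -n "$members" ] || continue
            IFS=','
            for m in $members; do
                printf '%s via %s (gid %s)\n' "$m" "$name" "$gid"
                found=1
            done
            unset IFS
        done
    done
    return $found
}

# docker_sock_report PATH: show owner/group/mode of the daemon socket and flag it
# when the other-write bit is set, since then every local user is root-equivalent.
docker_sock_report() {
    [ -S "$1" ] || { printf 'no socket at %s\n' "$1"; return 0; }
    mode=$(ls -l "$1" | cut -c1-10)
    printf '%s %s\n' "$mode" "$1"
    case "$mode" in ????????w?) printf 'RISK: %s is world-writable\n' "$1"; return 1 ;; esac
    return 0
}

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_GROUP" | daemon_group_members ;;
    live)   daemon_group_members < /etc/group; docker_sock_report /var/run/docker.sock ;;
esac
```

Every name the `sample` run prints should be treated like a sudoers entry when reviewing a host; `live` adds the socket mode, where the normal `srw-rw----` owned by root:docker is the expected shape.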
Things change fast in the tech world…!!!!!
• If you notice something aged ... keep me posted!
• Some of this stuff will get out of date 😞 some already ... the methodology is the same!
Resources / further reading
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
• https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/
• https://www.cisecurity.org/benchmark/docker/
• https://docs.docker.com/install/linux/linux-postinstall/
• https://www.chef.io/inspec/
• https://github.com/rebootuser/LinEnum
• https://gtfobins.github.io/
• https://imgflip.com

Linx privx privileges-sudo misconfiguration group and docker daemon privileges


Editor's Notes

  • #5 https://github.com/lxc/lxd/issues/2003
  • #6 https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  • #8 Let another parent process execute bash, sh or dash: Python, Perl or any language can do it with something like "os.system" ... or bg / fg the stderr
  • #10 cat /etc/crontab
  • #11 ls -la /usr/bin/taskkit ; find / -perm -u=s -type f 2>/dev/null