Local Privileges Escalation

Basic Enumeration

Local Enumeration

Attack Vectors

Scheduled tasks

Password Authentication

The /etc/passwd file can contain password hashes directly in the password field, in place of the usual x (which indicates that the password hash is stored in /etc/shadow). If /etc/passwd is writable, it allows the creation of arbitrary users with root privileges.
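An audit check for the conditions described above, added here as an example and not part of the original page. The function names and the sample entries are constructed for illustration; `*` and `!` prefixes are treated as locked accounts.

```python
import os
import stat

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:$6$constructedsalt$constructedhash:0:0::/root:/bin/bash
backup::34:34:backup:/var/backups:/bin/sh
broken-line-without-fields
"""

def audit_passwd(text):
    """Return (line_no, user, issue) findings for /etc/passwd-format text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((no, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            # An empty field means no password is required for this account.
            findings.append((no, user, "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Anything else is a hash kept in passwd instead of shadow.
            findings.append((no, user, "password hash stored in passwd"))
        if uid == "0" and user != "root":
            findings.append((no, user, "non-root account with UID 0"))
    return findings

def writable_by_non_owner(mode):
    """True if group or other has write permission in an st_mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    if os.path.exists("/etc/passwd"):
        st = os.stat("/etc/passwd")
        print("owner uid:", st.st_uid,
              "writable by non-owner:", writable_by_non_owner(st.st_mode))
```

On a hardened host /etc/passwd is owned by root with mode 644, so the last line should report owner uid 0 and `False`.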

Monitor Process

It is possible that an administrative user ran a command with sensitive information exposed on the command line.

In this situation, monitoring the running processes can reveal this sensitive information.

SetUID Binaries and Capabilities

Sudoers

It's possible to restrict a user's sudo permissions to specific commands or binaries. This is done by configuring the /etc/sudoers file, where certain users can be allowed to run only a defined set of commands with sudo.

Kernel Exploits
