Fri Jun 09

Enumeration 101: The Key to Successful Linux Privilege Escalation

Linux privilege escalation is a vast and complex topic. The key to mastering it is to focus on enumeration. Enumeration helps you identify different scenarios and gather crucial information about the system you are targeting. This process is particularly valuable because it varies from case to case. In this article, we will look at the kinds of information that are useful to collect when attempting to escalate privileges.

System

Operating System

Enumerating the target’s distribution is a vital step in Linux privilege escalation. It helps you narrow down your scope and collect more relevant information. There are many distributions available, and each one may have different commands and paths for the same information. For instance, you can find the current operating system in /etc/lsb-release for Debian-based systems, and in /etc/redhat-release for RHEL-based systems.

Useful commands:

cat /etc/issue
cat /etc/lsb-release      # Debian based
cat /etc/redhat-release   # Redhat based

**Kernel**

The kernel version is as important as the OS in Linux privilege escalation. It can reveal the vulnerabilities that the system is prone to. This information helps you narrow down your search for the most suitable and effective privilege escalation methods.

Different kernel versions may have different vulnerabilities and exploits available. In [another article](https://www.binaryte.com/blog/dirty-pipe-vulnerability-explained), we saw that the vulnerability only affects kernel versions from 5.8 up to, but not including, 5.16.11. Certain kernel versions may have publicly disclosed vulnerabilities or exploits that can be leveraged for privilege escalation. By enumerating the kernel, you can determine whether any such vulnerabilities exist and explore possible ways to exploit them. Note that exploiting the kernel should be your last resort, as it can leave your target system unstable.

Useful commands:

uname -mrs
cat /proc/version

Environment Variables

Environment variables are dynamic values that affect how a computer system or software application behaves. They provide configuration settings, system information, or other data that programs or scripts can use. For example, they can control software features or provide essential information for system operation.

However, environment variables can also expose sensitive data such as passwords, API keys, or configuration details. If you can enumerate these variables, you may find valuable information that can help you exploit the system further.

Additionally, environment variables can reveal information about the system’s configuration, software versions, library paths, and user-specific settings. This information can help you understand the system’s context and discover potential vulnerabilities or weaknesses.

Useful commands:

env
cat ~/.bashrc
cat ~/.bash_profile

LD_PRELOAD

The LD_PRELOAD environment variable allows the preloading of shared libraries before other libraries. This can be used to override or modify the behavior of certain functions or symbols in a program or script. For example, you can use LD_PRELOAD to replace the standard malloc() function with your own implementation, or to inject additional code into a process at runtime.

You can use LD_PRELOAD to inject malicious code into a process and execute it with the same privileges as the process. This can be done by overriding functions that are commonly used by the process and may allow you to access or modify sensitive data, execute commands, or perform other malicious actions. Note that the dynamic loader ignores LD_PRELOAD for set-user-ID binaries (secure-execution mode), so on its own it only affects processes that already run with your current privileges.

Running processes

Services

Running services on a Linux system can reveal potential attack vectors for privilege escalation. Some services may have elevated privileges or known vulnerabilities that can be exploited by attackers. To assess them, you need to know the exact versions of the services and check whether they have any security flaws.

Useful commands:

htop
ps aux
cat /etc/services

Service configuration files

You also need to look for misconfigurations or weak security measures on the services that can be abused to gain unauthorized access or escalate privileges. However, you should not waste time on irrelevant or secure services. Instead, you should focus on the ones that are most likely to be exploitable. Sometimes, you may need to chain multiple vulnerabilities across different services to achieve privilege escalation.

Useful commands:

cat /etc/apache2/apache2.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf

Cron Jobs

Cron jobs are automated tasks that can be scheduled to run at specific times or intervals on Unix-like operating systems. By default, cron runs with elevated privileges (as root) when executing the system-wide crontab file located at /etc/crontab. This means that any commands or scripts specified in the crontab file will also run with root privileges. This becomes a security concern if unprivileged users have the ability to modify the scripts executed by cron: once the modified script is executed by cron, it runs with root privileges, effectively giving the unprivileged user elevated access to the system.

Useful commands:

ls -la /etc/cron*
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
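The check the paragraph above calls for, as an added POSIX shell example that is not part of the article: it walks a system-crontab file (5 time fields, user, command) and flags every entry whose script is group- or world-writable, since such a script can be edited by an unprivileged user and then runs as the crontab's user field. The scripts and crontab lines are constructed in a temporary directory for the demonstration.

```shell
# audit_crontab FILE: print one line per risky entry; exit status = count
audit_crontab() {
  crontab_file=$1
  findings=0
  while read -r line || [ -n "$line" ]; do
    # skip blank lines, comments and variable assignments such as PATH=...
    case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac
    set -f; set -- $line; set +f   # split fields without glob-expanding the * time fields
    # system crontab: 5 time fields, user, command; or @reboot user command
    case "$1" in
      @*) [ $# -ge 3 ] || continue; cron_user=$2; script=$3 ;;
      *)  [ $# -ge 7 ] || continue; cron_user=$6; script=$7 ;;
    esac
    [ -f "$script" ] || continue   # relative paths and missing files skipped
    mode=$(ls -ld "$script" | cut -c1-10)
    # group-write is column 6 and world-write is column 9 of the mode string
    case "$mode" in
      ?????w*|????????w*)
        printf 'RISK: %s runs %s (mode %s) which is group/world writable\n' \
          "$cron_user" "$script" "$mode"
        findings=$((findings + 1)) ;;
    esac
  done < "$crontab_file"
  return "$findings"
}

# constructed fixture (made-up scripts and crontab lines) for a stand-alone run
make_demo() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho backup\n'  > "$dir/backup.sh";  chmod 755 "$dir/backup.sh"
  printf '#!/bin/sh\necho cleanup\n' > "$dir/cleanup.sh"; chmod 777 "$dir/cleanup.sh"
  cat > "$dir/crontab" <<EOF
# constructed /etc/crontab look-alike
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    $dir/backup.sh
@reboot         root    $dir/cleanup.sh --quiet
EOF
  printf '%s\n' "$dir/crontab"
}

demo_file=$(make_demo)
audit_crontab "$demo_file" || echo "$? risky cron entries in $demo_file"
```

A writable parent directory lets the script be replaced even when the file itself is not writable, so a fuller audit applies the same mode check to `dirname "$script"` as well.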

Network

NIC (Network Interface Card)

Identifying the NICs on the system gives you more flexibility towards the target's network. Even better, it may allow you to do lateral movement, meaning that you might be able to identify other devices connected to the same network, pivot from the compromised system to them and take control of them. Utilizing network-based vulnerabilities can potentially result in the escalation of privileges throughout the entire network.

Useful commands:

cat /etc/network/interfaces
cat /etc/sysconfig/network

**DNS**

DNS (Domain Name System) settings can reveal useful information for privilege escalation. For example, you can exploit misconfigured DNS servers to perform DNS cache poisoning or DNS hijacking, which can give you unauthorized access or control over network traffic.

You can also configure [zone transfers](https://www.binaryte.com/blog/what-is-zone-transfer) between the primary and secondary DNS servers in a local network, if you have administrative access to both of them. This would allow you to replicate the DNS zone data within the local network and have an updated copy of the DNS records on the secondary server. This can help you identify potential targets or entry points for privilege escalation.

Additionally, you can enumerate DNS records to discover hidden or internal services, subdomains, or systems that are not publicly accessible. These hidden assets may have lower security measures, making them easier to compromise and escalate privileges.

Useful commands:

hostname
cat /etc/resolv.conf

DHCP

DHCP (Dynamic Host Configuration Protocol) is a network management protocol that allows a server to automatically assign IP addresses and other communication parameters to devices connected to the network using a client–server architecture. DHCP can help you discover potential targets by revealing valuable information such as the IP address range, subnet mask, default gateway, DNS servers, and more. Analyzing these configurations can reveal misconfigurations or weak settings that might be exploited for privilege escalation.

DHCP can also provide you insights into the network infrastructure, such as the presence of routers, switches, and other network devices. This knowledge can be helpful in planning and executing privilege escalation techniques that involve network manipulation.

Useful commands:

cat /etc/dhcpd.conf
dhclient

MAC address

MAC (Media Access Control) addresses are unique identifiers assigned to network interfaces. They can be used to enumerate the devices connected to the network, including routers, switches, and other devices.

MAC addresses often contain vendor-specific information, such as the manufacturer of the network interface card. This information can help you identify potential vulnerabilities or weak configurations that can be exploited for privilege escalation. You can also use this information to narrow down your research on vendor-specific vulnerabilities.

Another way to use MAC addresses for privilege escalation is to spoof your own MAC address to match a device already present on the network. This way, you can impersonate that device and blend in with the network traffic. Spoofing your MAC address can also increase the difficulty for cybersecurity experts to trace the source of the attack and determine the involved devices. This can give you more time and opportunities to conduct further attacks.

Useful commands:

ifconfig -a
ip link show

Shell

Once on the target, try to spawn a shell with tools such as netcat or ssh to find out what the user you are currently running as is capable of. The server may have other users with higher privileges than your current one, and by checking whether you can spawn a shell through netcat or ssh you might be able to switch to such a user and gain better privileges.

Useful commands:

nc -lvp 4444

Port forwarding

If possible, check whether the current user is able to open or forward ports, which may give you access to a service running as a more powerful user. By using known vulnerabilities in the service behind that port, you may be able to carry out more sophisticated exploits that ultimately give you the root account.

Users and confidential information

User information

One of the essential steps in privilege escalation is to identify the current user on the system. This helps you understand your initial access level and what privileges you have on the system. The current user may have different levels of access and permissions depending on the account type and group membership. For example, some users may have regular user privileges, while others may have elevated privileges, such as being in the “sudo” group or having root access. Knowing the current user helps you measure the distance between your current privileges and the ones you need to escalate to.
Useful commands:

who
id
groups
sudo -l

Interesting files and directories

The user may well have a username and password stored in a configuration file or in a particular directory. Hence, it is worth checking files and folders on the system such as configuration files, scripts, databases, environment files for particular projects, log files, etc. If possible, you should also check the very sensitive files that store information about all users, such as /etc/passwd and /etc/shadow.

Useful commands:

cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
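What to look for in /etc/passwd and /etc/shadow, as an added POSIX shell example that is not part of the article: the audit flags extra UID-0 accounts, password hashes kept in the world-readable passwd file, and empty password fields or hashes. It runs on constructed sample files in a temporary directory; every entry and hash in them is made up.

```shell
# audit_accounts PASSWD SHADOW: print findings, exit status = finding count
audit_accounts() {
  passwd_file=$1; shadow_file=$2; findings=0
  while IFS=: read -r name pw uid gid gecos home shell; do
    case "$name" in ''|\#*) continue ;; esac
    # only root should have UID 0; another UID-0 entry is a second superuser
    if [ "$uid" = 0 ] && [ "$name" != root ]; then
      printf 'RISK: %s has UID 0\n' "$name"; findings=$((findings + 1))
    fi
    # "x" means the hash is in shadow; "*", "!" and "!!" are locked accounts;
    # anything else is a world-readable hash, and empty means no password
    case "$pw" in
      x|'*'|'!'|'!!') ;;
      '') printf 'RISK: %s has an empty password field\n' "$name"
          findings=$((findings + 1)) ;;
      *)  printf 'RISK: %s keeps its password hash in passwd\n' "$name"
          findings=$((findings + 1)) ;;
    esac
  done < "$passwd_file"
  while IFS=: read -r name hash rest; do
    case "$name" in ''|\#*) continue ;; esac
    if [ -z "$hash" ]; then   # empty hash: the account logs in without a password
      printf 'RISK: %s has an empty hash in shadow\n' "$name"
      findings=$((findings + 1))
    fi
  done < "$shadow_file"
  return "$findings"
}

# constructed sample files; every entry and hash below is made up
make_demo_accounts() {
  dir=$(mktemp -d)
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
legacy:$6$saltsalt$FAKEHASHFAKEHASH:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
EOF
  cat > "$dir/shadow" <<'EOF'
root:$6$FAKESALT$FAKEHASH:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
backup::19500:0:99999:7:::
EOF
  printf '%s\n' "$dir"
}

d=$(make_demo_accounts)
audit_accounts "$d/passwd" "$d/shadow" || echo "$? account findings"
```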

SSH keys and configurations

The .ssh directory often contains important files such as id_rsa and id_dsa, which are SSH private keys. These keys can be leveraged for unauthorized access if they are not properly protected. The .ssh directory may also contain configuration files like config or authorized_keys. These files can provide valuable information about allowed hosts, user permissions, and other SSH settings. Examining these files can help in identifying misconfigurations or potential avenues for privilege escalation. In some cases, administrators may mistakenly leave sensitive information in the .ssh directory, such as passwords, passphrases, or keys that are not appropriately secured.

Useful commands:

cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config

History and log files

Analyzing history and [log files](https://www.binaryte.com/blog/the-basics-of-linux-logging) can be useful for several reasons. It allows you to analyze user behavior patterns, such as unusual login times, excessive privileges, or suspicious activities from privileged accounts. This analysis helps in identifying potential avenues for privilege escalation.

Many applications generate their own log files as well. By reviewing these logs, you can identify any vulnerabilities, misconfigurations, or unexpected behaviors specific to those applications. These findings can potentially lead to privilege escalation opportunities.

Useful commands:

cat ~/.bash_history
cat /etc/httpd/logs/access_log
cat /var/log/auth.log

Linux file permissions

Checking file permissions allows you to understand the level of access different users and groups have on the system. By examining permissions, you can identify files, directories, and executables that may have higher privileges than the current user.

For example, if a file has world-writable permissions but is owned by a privileged user, it could be an entry point for escalating privileges. Similarly, a misconfigured sudoers file or incorrect group memberships might grant excessive privileges to certain users.

Useful commands:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

**Conclusion**

Even though it seems like a lot to do, you may not use everything mentioned above. However, gathering more information means that you will have greater flexibility. It is also crucial to document your findings and organize them in a clear way. This will help you see the big picture of how your target system operates and where the weaknesses are.