Category

Linux

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting User-Defined Functions

Introduction

User-Defined Functions in MySQL are used to extend the functionality by adding external code that will work the same as inbuilt functions. Certain versions of MySQL are affected by vulnerabilities that could allow attackers with database root access to execute code in the context of the MySQL process, which is often root, and escalate privileges.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Capabilities

Introduction

Capabilities in Linux are special attributes that can be allocated to processes, binaries, services and users and they can allow them specific privileges that are normally reserved for root-level actions, such as being able to intercept network traffic or mount/unmount file systems. If misconfigured, these could allow an attacker to elevate their privileges to root.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Vulnerable Sudo Version

Introduction

Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of Sudo were designed to run commands only as the superuser. It is commonly used in scenarios where normal users need to be able to perform actions as root.

Over the years, certain versions of Sudo were found to be affected by vulnerabilities that allowed attackers to escalate privileges to root, this guide will demonstrate how to identify a vulnerable Sudo version and how to exploit it in order to perform privilege escalation.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Shell Sessions

Introduction

The Linux shell (or terminal) is a program that receives commands from the user, gives them to the operating system to process, and then displays the output on the screen. To make life easier when interacting with a system through a shell, terminal multiplexers can be used; these are software applications that have the ability to combine several separate pseudoterminal-based login sessions inside a single terminal display and they are particularly useful when dealing with multiple programs from a command-line interface and for creating sub-processes that will continue running even when the user is disconnected. Their main purpose is to increase productivity, by allowing users to run multiple programs within a single interface and switch between them seamlessly.

If a terminal multiplexer session is still active as a privileged user (or a different user from the current one), a low-privileged user could be able to attach to it to elevate its access to the user the multiplexer session is running as.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Credentials Harvesting

Introduction

Linux-based operating systems and applications often store clear text, encoded or hashed credentials in files or in memory.

When gaining initial access to a Linux machine and performing privilege escalation enumeration steps, often passwords can be found through these means and they can be used to further escalate privileges.

There are various methods to harvest credentials in a Linux system in order to escalate privileges, the following ones are the most common and they are always worth a try.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Bashrc

Introduction

The .bashrc file is a script used in Linux-based operating systems that is executed whenever a user logs in. It contains important configurations for the terminal session such as the coloring, aliases, history length, or any commands that need to be executed at login.

It is a hidden file as it begins with a dot and it is normally located in the user’s home directory and like other files stored in this location, by default, it can be read by all users although it can only be edited by the owner or super users. If improper permissions have been applied to this file, it could allow potential attackers to add malicious commands that will be run when the user logs in.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting the LXC/LXD Groups

Introduction

LXC is the well-known and heavily tested low-level Linux container runtime. It is in active development since 2008 and has proven itself in critical production environments world-wide. LXD is a next generation system container manager. that offers a user experience similar to virtual machines but using Linux containers instead.

The LXC/LXD groups are used to allow users to create and manage Linux containers. These can be exploited by creating a root-level privilege container from the current file system and interacting with it, executing /bin/sh and therefore starting a root shell.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Misconfigured SSH Keys

Introduction

Secure Shell (SSH) is a cryptographic network protocol which allows users to securely perform a number of network services, such as remote authentication or file transfer, over an unsecured network. SSH keys provide a more secure way of logging into a server through SSH than via a password authentication.

If improperly configured, SSH keys could allow an attacker to authenticate as another user to escalate privilege, potentially even as root.

Read more
Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting User Groups

Introduction

In Linux, groups are an attribute that can be allocated to users to allow them to access certain files/binaries or perform certain actions in the operating system.

Some groups, when assigned to a given user, can allow them to perform actions that go beyond their usual privileges and potentially escalate privileges to root.

Read more