As with penetration testing Windows targets, once you have compromised a Linux host, you probably need to escalate your privilege to achieve your objectives. Many of the basic concepts that are used in Windows are also used in Linux, though your specific targets and methods may be different. Here are common methods for escalating privilege in Linux.
| Vulnerability/Technique | Description | Exploit |
|---|---|---|
| /etc/passwd, /etc/shadow | Obtain a copy of these files to crack root or privileged user passwords. | |
| Weak process permissions | Find processes with weak controls and see if you can inject malicious code into those processes. | |
| User application compromise | Compromise end user applications and plug-ins such as OpenOffice, VNC, and Adobe Flash Player. Some require social engineering to get the end user to open a file or browser page. | |
| SetUID binaries | Locate applications you can run as root. | At a terminal, enter `sudo find / -perm -04000` |
| Services running as root | Locate services that are owned by (running as) root and see if you can compromise them. | |
| Shared folders | Search for sensitive information in Samba shared folders, as it is common for them to have few or no restrictions. | Metasploit module `auxiliary/scanner/smb/smb_enumshares` |
| Kernel and service exploits | Find exploits that target the kernel and privileged services. | |
| Meterpreter upgrade | If you have a Bash shell from Metasploit, try to upgrade it to the more versatile Meterpreter. | |
| Netcat upgrade | If you have a Netcat shell, try to upgrade it to a fully interactive TTY or Meterpreter. | |
| Exploit cron jobs | Exploit badly configured cron jobs to gain root access. | |
| Missing patches and misconfigurations | Search for missing patches or common misconfigurations that can lead to privilege escalation. | |
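The SetUID row above is the same check a defender runs from the other side: the list of setuid/setgid files on a host should be small and stable, so anything not on a known-good baseline is worth investigating. The script below is an added example, not code from the original page; it wraps the table's `find` search in an `audit_suid` function that reports setuid or setgid files missing from a baseline file (one absolute path per line). The function name, the baseline format and the throwaway directory tree used in the demo are assumptions of this example. Two practical points the one-liner in the table does not show: the walk needs root to see every directory, and `-xdev` keeps it off pseudo-filesystems and network mounts (`-perm -4000` and `-perm -04000` are the same test).

```shell
#!/bin/sh
# Added example (not from the original page): a defender-side SetUID/SetGID audit.
# Lists files with the setuid or setgid bit under ROOT and reports those that are
# missing from BASELINE, a file holding one known-good absolute path per line.
# The function name and the baseline format are assumptions of this example.

audit_suid() {
    root="$1"
    baseline="$2"
    # -xdev keeps the walk on one filesystem (skips /proc, /sys, network mounts);
    # -type f ignores directories, whose setgid bit has a different meaning.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        # -F literal match, -x whole line, -q quiet: print only paths not in the baseline
        grep -Fxq -- "$path" "$baseline" || printf '%s\n' "$path"
    done
}

# Self-contained demo on a constructed directory tree; no real system files are touched.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/tmp"
    : > "$tmp/usr/bin/passwd";  chmod 4755 "$tmp/usr/bin/passwd"   # setuid, listed in baseline
    : > "$tmp/tmp/unexpected";  chmod 4755 "$tmp/tmp/unexpected"   # setuid, not in baseline
    : > "$tmp/usr/bin/ls";      chmod 0755 "$tmp/usr/bin/ls"       # no setuid bit, ignored
    printf '%s\n' "$tmp/usr/bin/passwd" > "$tmp/baseline.txt"
    audit_suid "$tmp" "$tmp/baseline.txt"   # prints only $tmp/tmp/unexpected
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host, generate the baseline once from a freshly built image (`sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort`), store it outside the host, and run the audit from a cron job or configuration-management check; a new entry after a package update is usually benign, a new entry under `/tmp`, `/home` or `/var` rarely is.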
Note: To search for Metasploit modules that are application-specific, at the msf console, enter `search <keyword> platform:linux`. For example: `search adobe platform:linux`.
Note: For more information on privilege escalation in Linux, see: