As with penetration testing Windows targets, once you have compromised a Linux host, you will probably need to escalate your privileges to achieve your objectives. Many of the basic concepts used on Windows also apply to Linux, though your specific targets and methods may differ. Here are common methods for escalating privileges in Linux.




/etc/passwd, /etc/shadow

Obtain a copy of these files to crack root or privileged user passwords.

  • Metasploit module post/linux/gather/hashdump
  • John the Ripper and other password crackers.
  • (See previous discussion, "Password Cracking in Linux.")

Weak process permissions

Find processes with weak controls and see if you can inject malicious code into those processes.

  • Metasploit modules:
      • post/multi/recon/local_exploit_suggester
      • post/multi/manage/shell_to_meterpreter
  • Meterpreter migrate and getsystem commands
  • Tarasco Process Injector

User application compromise

Compromise end user applications and plug-ins such as OpenOffice, VNC, and Adobe Flash Player. Some require social engineering to get the end user to open a file or browser page.

  • Metasploit modules such as:
      • exploit/multi/vnc/vnc_keyboard_exec
      • auxiliary/fileformat/odt_badodt
      • exploit/multi/misc/openoffice_document_macro
      • exploit/multi/browser/adobe_flash_hacking_team_uaf
      • exploit/multi/browser/adobe_flash_nellymoser_bof

SetUID binaries

Locate applications you can run as root.

At a terminal, enter: sudo find / -perm -04000
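The same find test can be run from the defender's side as a recurring audit. The script below is an added example, not part of the original page: it reports setuid files that are missing from an approved baseline or that group/other can overwrite. The function names audit_setuid and make_sample_tree, the one-path-per-line baseline format and the output labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report setuid files that are missing from an approved
# baseline or that group/other can overwrite. Names and format are assumptions.

# audit_setuid ROOT BASELINE
#   ROOT      directory tree to scan (/ on a real host, run as root)
#   BASELINE  text file, one approved absolute path per line
# Prints "UNAPPROVED <path>" or "WRITABLE <path>"; returns 1 on any finding.
# Pass 1 lists setuid regular files that are not in the baseline
# (-perm -4000 is the same test as -perm -04000 on the page).
# Pass 2 lists setuid files writable by group or others: anyone with write
# access could replace the code that runs with the owner's privileges.
audit_setuid() {
    root=$1
    baseline=$2
    findings=$(
        find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r path; do
            grep -Fxq -- "$path" "$baseline" 2>/dev/null ||
                printf 'UNAPPROVED %s\n' "$path"
        done
        find "$root" -xdev -type f -perm -4000 \
            \( -perm -020 -o -perm -002 \) 2>/dev/null | sort |
        while IFS= read -r path; do
            printf 'WRITABLE %s\n' "$path"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (empty placeholder files, not real system binaries).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/opt/tool"
    touch "$d/usr/bin/passwd" "$d/usr/bin/ls"
    touch "$d/opt/tool/helper" "$d/opt/tool/updater"
    chmod 4755 "$d/usr/bin/passwd"     # setuid, listed in the baseline
    chmod 0755 "$d/usr/bin/ls"         # ordinary file, ignored
    chmod 4755 "$d/opt/tool/helper"    # setuid, not in the baseline
    chmod 4777 "$d/opt/tool/updater"   # in the baseline but world-writable
    printf '%s\n' "$d/usr/bin/passwd" "$d/opt/tool/updater" > "$d/baseline"
    printf '%s\n' "$d"
}
```

Run it against / as root with a baseline captured from a known-good image, and treat every line of output as something to explain or remove.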

Services running as root

Locate services that are owned by (running as) root and see if you can compromise them.

  • Find out who you are: whoami
  • List all processes owned by you: ps -x
  • Locate processes owned by root: ps -fU root
  • List all processes and their owners: ps -ef

Shared folders

Search for sensitive information in Samba shared folders, as it is common for them to have few or no restrictions.

Metasploit module auxiliary/scanner/smb/smb_enumshares

Kernel and service exploits

Find exploits that target the kernel and privileged services.

Meterpreter upgrade

If you have a Bash shell from Metasploit, try to upgrade it to the more versatile Meterpreter.

Netcat upgrade

If you have a Netcat shell, try to upgrade it to a fully interactive TTY or Meterpreter.

Exploit cron jobs

Exploit badly configured cron jobs to gain root access.

Missing patches and misconfigurations

Search for missing patches or common misconfigurations that can lead to privilege escalation.

Note: To search for Metasploit modules that are application specific, at the msf console, enter: search <keyword> platform:linux. For example: search adobe platform:linux

Note: For more information on privilege escalation in Linux, see: