As with penetration testing Windows targets, once you have compromised a Linux host, you probably need to escalate your privileges to achieve your objectives. Many of the basic concepts that are used in Windows are also used in Linux, though your specific targets and methods may be different. Here are common methods for escalating privileges in Linux.
Obtain a copy of these files to crack root or privileged user passwords.
- Metasploit module post/linux/gather/hashdump
- John the Ripper and other password crackers.
- (See previous discussion, "Password Cracking in Linux.")
Weak process permissions
Find processes with weak controls and see if you can inject malicious code into those processes.
- Metasploit modules:
- Meterpreter migrate and getsystem commands
- Tarasco Process Injector
User application compromise
Compromise end user applications and plug-ins such as OpenOffice, VNC, and Adobe Flash Player. Some require social engineering to get the end user to open a file or browser page.
- Metasploit modules such as:
Locate applications you can run as root.
At a terminal, enter: sudo find / -perm -04000
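The same find test can drive a defensive audit: compare the setuid files present on a host with an approved list and report the differences. This is an added example, not part of the original page; the function name suid_audit, the baseline file format, and the NEW/GONE labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare setuid files under a directory tree with an approved list.
# suid_audit ROOT BASELINE
#   ROOT      directory tree to scan
#   BASELINE  text file, one approved absolute path per line ('#' comments allowed)
# Output: "NEW <path>"  setuid file that is not in the baseline
#         "GONE <path>" baseline entry that is missing or no longer setuid
# Return: 0 if nothing is NEW, 1 if at least one NEW file, 2 on bad arguments.
# Example call (baseline path is a placeholder): suid_audit / ./suid-baseline.txt
suid_audit() {
    root=$1
    baseline=$2
    [ -d "$root" ] && [ -r "$baseline" ] || return 2
    work=$(mktemp -d) || return 2

    # Same permission test as the find command above, limited to regular files
    # and to one filesystem (-xdev) so /proc and network mounts are skipped.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
        LC_ALL=C sort -u > "$work/current"

    # Drop comments and blank lines from the baseline before comparing.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$baseline" |
        LC_ALL=C sort -u > "$work/approved"

    # comm -13: lines only in "current"; comm -23: lines only in "approved".
    LC_ALL=C comm -13 "$work/approved" "$work/current" | sed 's/^/NEW /' > "$work/new"
    LC_ALL=C comm -23 "$work/approved" "$work/current" | sed 's/^/GONE /' > "$work/gone"

    cat "$work/new" "$work/gone"
    if [ -s "$work/new" ]; then suid_rc=1; else suid_rc=0; fi
    rm -rf "$work"
    return "$suid_rc"
}
```

Run it as root so find can read every directory, and keep the baseline file writable only by root.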
Services running as root
Locate services that are owned by (running as) root and see if you can compromise them.
- Find out who you are: whoami
- List all processes owned by you: ps -x
- Locate processes owned by root: ps -fU root
- List all processes and their owners: ps -ef
Search for sensitive information in Samba shared folders, as it is common for them to have few or no restrictions.
Metasploit module auxiliary/scanner/smb/smb_enumshares
Kernel and service exploits
Find exploits that target the kernel and privileged services.
If you have a Bash shell from Metasploit, try to upgrade it to the more versatile Meterpreter.
If you have a Netcat shell, try to upgrade it to a fully interactive TTY or Meterpreter.
Exploit cron jobs
Exploit badly configured cron jobs to gain root access.
Missing patches and misconfigurations
Search for missing patches or common misconfigurations that can lead to privilege escalation.
Note: To search for Metasploit modules that are application specific, at the msf console, enter search <keyword> platform:linux. For example: search adobe platform:linux.
Note: For more information on privilege escalation in Linux, see: