Abstract
An attacker who gains a foothold on a Linux system wants to escalate privileges to root in the same way that an attacker on a Windows domain wants to escalate privileges to Administrator or Domain Administrator. The techniques used on a Linux target are somewhat different. There are fewer privilege escalation modules in Metasploit, so an attacker may need to rely on a customized exploit. The success of these exploits may require a particular distribution and version. These exploits are usually distributed as source code, and so need to be compiled. The 2016 Dirty COW class of attacks is particularly powerful because it works against such a wide range of systems; nearly every Linux system prior to the 2016 patch can be exploited.
Notes
1. When practicing these exploits, it is helpful if you keep an original copy of the file /etc/passwd and a shell running as the root user open. Most distributions have as their first entry in /etc/passwd the entry for the root user - this is the line that gets munched during the exploit. If the root user is gone, and you don’t have a root shell or a copy of /etc/passwd, well, you are having an exciting day.
2. This approach can work even if SELinux is running on the target.
3. Although the shell is more stable, it still may result in a system crash.
4. This is loosely based on the backup script from https://help.ubuntu.com/lts/serverguide/backup-shellscripts.html that is used to illustrate cron jobs, and has been modified to make it less secure.
5. Suppose an administrator has dozens of Linux virtual machines running on VirtualBox for testing security techniques. This script backs up the Desktop on these systems to a VirtualBox shared folder that could be read without the hassle of starting each virtual machine.
6. The command to make this change is sudo chmod u+s /usr/bin/nmap.
7. The wordlist /usr/share/wordlists/metasploit/password.lst does not contain the password selected for these systems (password1!), so it has been added to this file.
8. The fact that this web page is not considered trusted by Chrome is probably just another metaphor.
Copyright information
© 2019 Mike O'Leary
About this chapter
Cite this chapter
O’Leary, M. (2019). Privilege Escalation in Linux. In: Cyber Operations. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-4294-0_9
DOI: https://doi.org/10.1007/978-1-4842-4294-0_9
Published:
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-4293-3
Online ISBN: 978-1-4842-4294-0
eBook Packages: Professional and Applied Computing, Professional and Applied Computing (R0), Apress Access Books