Privilege Escalation in Linux

Cyber Operations

Abstract

An attacker who gains a foothold on a Linux system wants to escalate privileges to root in the same way that an attacker on a Windows domain wants to escalate privileges to Administrator or Domain Administrator. The techniques used on a Linux target are somewhat different. There are fewer privilege escalation modules in Metasploit, so an attacker may need to rely on a customized exploit. The success of these exploits may require a particular distribution and version. These exploits are usually distributed as source code, and so they need to be compiled. The 2016 Dirty COW class of attacks is particularly powerful because it works against such a wide range of systems; nearly every Linux system prior to the 2016 patch can be exploited.

Notes

  1. When practicing these exploits, it is helpful if you keep an original copy of the file /etc/passwd and a shell running as the root user open. Most distributions have as their first entry in /etc/passwd the entry for the root user - this is the line that gets munched during the exploit. If the root user is gone, and you don’t have a root shell or a copy of /etc/passwd, well, you are having an exciting day.

  2. This approach can work even if SELinux is running on the target.

  3. Although the shell is more stable, it still may result in a system crash.

  4. This is loosely based on the backup script from https://help.ubuntu.com/lts/serverguide/backup-shellscripts.html that is used to illustrate cron jobs, and has been modified to make it less secure.

  5. Suppose an administrator has dozens of Linux virtual machines running on VirtualBox for testing security techniques. This script backs up the Desktop on these systems to a VirtualBox shared folder that could be read without the hassle of starting each virtual machine.

  6. The command to make this change is sudo chmod u+s /usr/bin/nmap.

  7. The wordlist /usr/share/wordlists/metasploit/password.lst does not contain the password selected for these systems (password1!), so it has been added to this file.

  8. The fact that this web page is not considered trusted by Chrome is probably just another metaphor.

Copyright information

© 2019 Mike O'Leary

About this chapter

Cite this chapter

O’Leary, M. (2019). Privilege Escalation in Linux. In: Cyber Operations. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-4294-0_9
