Abstract
An attacker who gains a foothold on a Linux system wants to escalate privileges to root, in the same way that an attacker on a Windows domain wants to escalate privileges to Administrator or Domain Administrator. The techniques used on a Linux target are somewhat different. There are fewer privilege escalation modules in Metasploit, so an attacker may need to rely on a customized exploit. Whether these exploits succeed may depend on the target's particular distribution and version. They are usually distributed as source code and so need to be compiled. The 2016 Dirty COW class of attacks is particularly powerful because it works against such a wide range of systems; nearly every Linux system prior to the 2016 patch can be exploited.
Notes
1. When practicing these exploits, it is helpful if you keep an original copy of the file /etc/passwd and a shell running as the root user open. Most distributions have as their first entry in /etc/passwd the entry for the root user - this is the line that gets munched during the exploit. If the root user is gone, and you don't have a root shell or a copy of /etc/passwd, well, you are having an exciting day.
2. This approach can work even if SELinux is running on the target.
3. Although the shell is more stable, it still may result in a system crash.
4. This is loosely based on the backup script from https://help.ubuntu.com/lts/serverguide/backup-shellscripts.html that is used to illustrate cron jobs, and has been modified to make it less secure.
5. Suppose an administrator has dozens of Linux virtual machines running on VirtualBox for testing security techniques. This script backs up the Desktop on these systems to a VirtualBox shared folder that could be read without the hassle of starting each virtual machine.
6. The command to make this change is sudo chmod u+s /usr/bin/nmap.
7. The wordlist /usr/share/wordlists/metasploit/password.lst does not contain the password selected for these systems (password1!), so it has been added to this file.
8. The fact that this web page is not considered trusted by Chrome is probably just another metaphor.
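Note 1 recommends keeping a copy of /etc/passwd and checking that the root entry survives a lab run. The following is an added example, not code from the chapter: it snapshots a passwd file and verifies that exactly one uid-0 account exists, that it is named root, and that its line still has the seven expected fields. File paths are parameters so the check can be exercised against constructed sample files rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the chapter): integrity checks for the root
# entry in a passwd-format file, for use before and after a lab exercise.

# Return 0 if the file has an intact root entry: exactly one account with
# uid 0, it is named root, and the root line has 7 colon-separated fields.
check_root_entry() {
    passwd_file="$1"
    # Collect every account name with uid 0; must be exactly "root".
    uid0=$(awk -F: '$3 == 0 { print $1 }' "$passwd_file")
    [ "$uid0" = "root" ] || return 1
    # Field layout sanity check on the root line itself.
    awk -F: '$1 == "root" && NF == 7 { ok = 1 } END { exit ok ? 0 : 1 }' \
        "$passwd_file"
}

# Save a timestamped copy of a passwd file into dest_dir; print the path.
snapshot_passwd() {
    src="$1"
    dest_dir="$2"
    mkdir -p "$dest_dir"
    dest="$dest_dir/passwd.$(date +%Y%m%d%H%M%S)"
    cp "$src" "$dest" && echo "$dest"
}

# Return 0 if the live file is byte-for-byte identical to the snapshot.
passwd_unchanged() {
    cmp -s "$1" "$2"
}
```

Run check_root_entry against the snapshot and the live file after the exercise; a non-zero exit on the live file is the cue to restore from the snapshot while the root shell from Note 1 is still open.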
Copyright information
© 2019 Mike O'Leary
About this chapter
Cite this chapter
O’Leary, M. (2019). Privilege Escalation in Linux. In: Cyber Operations. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-4294-0_9
DOI: https://doi.org/10.1007/978-1-4842-4294-0_9
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-4293-3
Online ISBN: 978-1-4842-4294-0
eBook Packages: Professional and Applied Computing, Professional and Applied Computing (R0), Apress Access Books