Linux Local Privilege Escalation

by | Aug 2, 2022 | Uncategorized, VAPT | 0 comments

linux privilege escalation

Many enterprises utilize the Linux operating system to administer services, file servers, firewalls, and other systems. However, it contains a number of flaws that an attacker may exploit.

We have a part section of Windows local Privilege escalation, which will let you know it’s focusing on the Windows OS booting process and user types. It will teach you how an attacker can bypass the logon screen using a bootable Windows or Linux OS drive and describes protection methods, such as regedit and BitLocker, that may help safeguard computers against such attacks.

Linux Privileges

Regular User: The most basic type of access an account can have in a given system. This type of user only has access to files and apps they are permitted to use. A fully configured system prevents regular users from accessing sensitive files and data.

Root: The most privileged account in the system. The root user has access to all files, directories, processes, and settings in the system.

Sudo: Sudo users are similar to regular users, with the exception that the root user may grant the sudo user greater access and rights to certain files and applications. By default, sudo users can execute commands with root privileges.

Linux Boot Process

  • BIOS: Basic Input/Output System loads and executes the master boot record boot loader.
  • MBR: The Master Boot Record (MBR) is the first sector of a hard disk and contains data from partitions on the drive as well as the Grub boot loader.
  • Grub: Grand Unified Bootloader, Linux distros that is the standard bootloader in many Linux distros and allows the user to select the operating system and kernel to boot the system.
  • Kernel: The first program loaded after the bootloader, it enables operating system loading and establishes communication with I/O devices (mouse, keyboard, etc.).
  • Init: Runs with root privileges and has the lowest ID (PID1). Its job is to start every consecutive process.
  • Run Level: An operation that does not necessitate high-level authorization. Root privileges are no longer required after the system boots, and processes operate with lower-level rights.

Grub: By pressing “e” during boot, the user can access and edit Grub’s settings, including the init process. Changing ro_quiet splash to rw init=/bin/bash configures init as read-write and runs the default shell. Booting using cntrl+x or F10 allows access to the “Rescue shell.”

kali (linux) boot process

Rescue Shell: Within the shell, the following commands are used to create a user with admin privileges for further use:

adduser [username] -creates a user.

adduser [username] sudo: adds a user to the “sudo” group.

sync: writes files in memory for persistent storage.

reboot-f forces the system to reboot.



Another way of bypassing the system is mounting, which gives the user access to the computer’s file system. An ISO is needed to load a live OS to access a shell. In the live OS, the fdisk -l command is run to specify the computer’s storage and help choose the relevant partition.

Mount [partition] [location] is the command to link the specified location to the chosen partition.


Adding a Sudo User

Once mounted in /mnt, the folder will be linked to the specified partition to obtain access to it. Mount –rbind [source] [directory] recursively binds the source to a destination.

The final step is to add a user and sync it to the computer’s storage. Then disconnect the ISO and reboot the system. Mount –rbind /root root/ links the live root’s directory to the partitioned root folder. Chroot /mnt changes the root folder to the mounted partition.

adding a sudo user

Linux File System


The ‘passwd’ file contains all the system’s user account data and essential information required during login. The data in /etc/passwd is saved as plain text.

Note: A password file is a readable text file, not like the shadow file, which can only be read at the root level.

/etc/shadow: The ‘shadow’ file stores user passwords in a hashed format generated by an algorithm such as MD5 or Sha-512.

Passwd File Format

Command: cat /etc/passwd

root:x:0:0:root: /root: /bin/bash

password file format

root: Username

x: An indicator that the password is in /etc/shadow

0: User ID

0: User primary group ID

root: Comment area for extra information

/root: Home directory path

/bin/bash: Command/Shell that runs upon user login.

Shadow File Format

Command: cat /etc/shadow

root: $6$gHpll$7No.KsXalrV…WcBShvdxcAg:17628:0:99999:7:::

root: Username

$6$: Algorithm used ($6$ is Sha-512)

gHpll: Salt

7No.KsXalrV…WcBShvdxcAg: The hashed password

0:99999 :7 : Min: Max days left before the user can change the password.

:::: Number of days to warn users before a password expires.

shadow file format

Password Cracking

Password Cracking Methods

Wordlist: This method, also known as a “dictionary attack,” compares a password’s hash to a dictionary of known passwords. The downside is that the attack will fail if the password is not on the list.

Hybrid: similar to a wordlist attack but uses an algorithm to try different password variations. The method achieves the best results when custom wordlists are employed.

Brute-Force: Recommended only as a last resort, the method tries every possible combination and length provided by the user. Brute-force attacks will eventually succeed but, in some cases, can take years.

John the Ripper

John the Ripper is a Linux password cracking tool with many attack capabilities.

Unshadow: a function for cracking that mixes the ‘passwd’ and ‘shadow’ files. John [filename]: starts and attacks against a given file.

–wordlist=[wordlist]: a flag used to set a dictionary attack.

John the Ripper also supports multiple CPU or GPUs for enhanced cracking. By default it uses the Wordlist: usr/share/john/password.lst

John the ripper

System Enumeration


LinEnum is a bash script that tests for privilege escalation over 65 times.

Using an Enum script saves time and allows you to focus your efforts on obtaining root access. LinEnum emphasizes discoveries in yellow.

system enumeration

PSPY – Process Monitoring

PSPY is a non-root enumeration script that monitors Linux processes. It is a sophisticated tool that displays the execution of processes performed by users and cron tasks. Processes and cron jobs are at risk of privilege escalation.

Accessing the folder and performing chmod +x on the file makes it executable. PSPY displays a list of all processes as soon as they are executed. The program can capture recursive cron jobs and other processes in the background.

process monitoring

Covering Tracks

Logs to check

daemon log

A daemon is a program that executes in the background and executes a critical action in order for the system to function properly. Daemon.log contains information about the running system and application daemons.


The Authorization log contains system authorization information, including user logins and the authentication methods used.


The messages log contains global system messages. The log may include boot messages, mail, cron, daemon, auth, etc.


Stores messages received from the kernel or system application.


Logs information about users, user directories, and other user-related data.


grep is a command that searches for patterns in a file. It has various flags to help define the search.

-a flag reads files as text files.

-E searches for multiple patterns.

-v returns unmatching results.

Combining flags makes it possible to get all logs that are UNRELATED to the user.


working behind the scenes

After a system is breached, files and output can be left on the computer.

The /dev/shm or /tmp directories are used to avoid having others see those files. Both directories are temporary storage (tmps), meaning their content will be lost when the system shuts down.

tmpfs is a temporary file system that is stored in RAM memory to help it run faster.

Means of Protection

Mitigation Measures (Bootloader)

Bootloader password

Setting a Grub password may protect the computer and prevent the boot order from being changed. The command is grub-mkpasswd-pbkdf2

Restrict Access

More of a precautionary step than a security method, this means never leaving a computer unattended or in an accessible area, which is often not an enforceable policy.

restrict access

Mitigation Measures (Full Disk Encryption)

Full disk encryption will encrypt every bit of the data on the entire disk. Without a decryption key or password, data will be inaccessible.

During the partition stage of the Kali Linux installation, the third option is to encrypt the disk.

There is an option to encrypt data on a disk if a partition already exists through a 3rd party program, but that option is difficult to implement.

full disk enecryption

Mitigation Measures (Sticky bit)

A sticky bit is a permission bit set on a folder and can be modified only by the owner or root user.

It can prevent normal users from deleting a folder and its files. The Linux kernel will ignore sticky bits set for files.

sticky bit

Grub Password

The implementation of a Grub password requires configuration changes. Making copies of configuration files is highly recommended.

grub-mkpasswd-pbkdf2 will generate a hash using the password.

grub-mkconfig–o [path] saves a grub configuration file in the desired path.

grub password

Grub Protection Bypass

With Grub protection, there is no way to edit Grub from the boot menu to get root privileges on the host.

However, hackers can bypass the Grub protection by mounting a Kali Live in the host and modifying the 40_custom file.

A hacker can disable Grub protection by adding # before set and password.

grub protection bypass