
Linux Privilege Escalation

Free reference guide: Linux Privilege Escalation


About Linux Privilege Escalation

The Linux Privilege Escalation Cheat Sheet is a security reference covering 28 techniques for escalating privileges on Linux systems, organized into six categories: SUID/SGID, Kernel Exploits, Cron Jobs, Services, Environment Variables, and Containers. Each entry provides the command syntax, description, and ready-to-use example commands for penetration testers and security professionals.

SUID entries cover finding setuid/setgid binaries with find -perm -4000/-2000, plus specific exploitation techniques for nmap (interactive mode shell escape), find (-exec /bin/sh), and vim (:!/bin/sh). Kernel exploit entries document DirtyPipe (CVE-2022-0847, Linux 5.8+ pipe overwrite) and DirtyCow (CVE-2016-5195, Copy-on-Write race condition) with compilation and execution commands.

The reference also covers cron job abuse (writable scripts, PATH hijacking, tar wildcard injection), service exploitation (writable systemd unit files, MySQL UDF), environment variable attacks (LD_PRELOAD shared library injection, LD_LIBRARY_PATH hijacking, PATH variable manipulation), and container escape techniques (Docker socket mount, docker group membership, CAP_SYS_ADMIN capability abuse, privileged container breakout).

Key Features

  • Find SUID/SGID binaries with find / -perm -4000/-2000 and exploit nmap, find, vim for shell access
  • Kernel exploit reference: DirtyPipe (CVE-2022-0847) pipe overwrite and DirtyCow (CVE-2016-5195) race condition
  • Cron job abuse: writable cron scripts, PATH hijacking in crontab, tar wildcard injection with checkpoint-action
  • Service exploitation: writable systemd unit files with ExecStart modification, MySQL UDF sys_exec()
  • LD_PRELOAD privilege escalation via shared library injection with _init() function and setuid(0)
  • PATH environment variable hijacking when SUID binaries execute commands without absolute paths
  • Docker container escape: socket mount, docker group abuse, CAP_SYS_ADMIN capability, privileged mode breakout
  • Organized into 6 categories (SUID, Kernel, Cron, Services, Env Vars, Containers) with searchable entries

Frequently Asked Questions

What is SUID privilege escalation?

SUID (Set User ID) is a file permission that allows a program to run with the privileges of the file owner (typically root). If a SUID binary has exploitable functionality (like nmap interactive mode, find -exec, or vim :!sh), an attacker can leverage it to spawn a root shell. Use find / -perm -4000 -type f 2>/dev/null to discover SUID binaries on a system.
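The same find command is the starting point for the defensive counterpart: a baseline audit that records which SUID/SGID binaries a build is supposed to have and alerts when the set changes. The script below is an added example and is not part of the cheat sheet; the allowlist format (one absolute path per line) and the ROOT argument (a live host's `/` or an offline image mounted elsewhere) are assumptions of this example, and the ESCAPE list contains only the three binaries the answer above names.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: a baseline audit for SUID/SGID
# binaries. Record the set once from a known-good build, then re-run and
# alert on anything new. Binaries named in the FAQ as shell-escape vectors
# (nmap, find, vim) get an extra ESCAPE finding even when they are in the
# allowlist, since a SUID bit on them is rarely intended.

# find_setuid ROOT: list every SUID or SGID regular file below ROOT.
find_setuid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# relative_to ROOT PATH: the path as recorded in the allowlist (absolute when
# ROOT is /, otherwise stripped of the ROOT prefix so an offline image
# mounted under /mnt produces the same entries as a live host). ROOT is
# given without a trailing slash.
relative_to() {
    case $1 in
        /) printf '%s\n' "$2" ;;
        *) printf '%s\n' "${2#"$1"}" ;;
    esac
}

# audit_setuid ROOT ALLOWLIST: print "UNEXPECTED path" for each SUID/SGID file
# not listed in ALLOWLIST (one path per line) and "ESCAPE path" for the known
# shell-escape binaries. Prints nothing when the host matches its baseline.
audit_setuid() {
    root=$1; allow=$2
    find_setuid "$root" | while IFS= read -r path; do
        rel=$(relative_to "$root" "$path")
        if ! grep -qxF -- "$rel" "$allow"; then
            printf 'UNEXPECTED %s\n' "$rel"
        fi
        case $(basename "$path") in
            nmap|find|vim) printf 'ESCAPE %s\n' "$rel" ;;
        esac
    done
}

# On a live host (run as root so find can traverse everything):
#   find_setuid / > /var/lib/suid-baseline.txt   # once, on a clean image
#   audit_setuid / /var/lib/suid-baseline.txt    # periodically; any output is a finding
```

Because the audit compares against a recorded baseline rather than a fixed list of "bad" names, it catches the case that matters most in practice: a SUID bit that appeared after the image was built, whatever the binary is called.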

How does the DirtyPipe exploit (CVE-2022-0847) work?

DirtyPipe affects Linux kernel 5.8 and later. It exploits a vulnerability in the pipe mechanism that allows an unprivileged user to overwrite data in read-only files, including SUID binaries and /etc/passwd. The exploit is a C program that, once compiled, writes arbitrary data into files the user normally cannot modify, enabling password changes or binary modifications for root access.

What is LD_PRELOAD privilege escalation?

LD_PRELOAD is an environment variable that specifies shared libraries to load before all others. If sudo is configured to preserve LD_PRELOAD (env_keep), an attacker can compile a malicious shared library with an _init() function that calls setuid(0) and system("/bin/bash -p"), then run any allowed sudo command with LD_PRELOAD pointing to the malicious library to get a root shell.

How does cron job PATH hijacking work?

If a cron job runs a script that calls commands without absolute paths (e.g., "service" instead of "/usr/sbin/service"), and the PATH in crontab includes a writable directory, an attacker can create a malicious script with the same name in that writable directory. When the cron job runs, it executes the attacker script instead, typically creating a SUID bash copy (/tmp/rootbash).

What is tar wildcard injection in cron jobs?

When a cron job runs tar with a wildcard (e.g., tar czf backup.tar.gz *), an attacker can create files named --checkpoint=1 and --checkpoint-action=exec=sh shell.sh in the target directory. Tar interprets these filenames as command-line options, executing the attacker shell script with the privileges of the cron job (usually root).
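Both cron weaknesses above (a writable directory in the crontab PATH, and tar fed a bare wildcard) are visible in the crontab file itself, so they can be audited before a job ever runs. The script below is an added example and is not part of the cheat sheet; the crontab lines and directories used in its test are constructed, and the line-matching heuristics (a PATH= assignment, a tar command followed by * with no " -- " separator) are this example's own simplifications.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: audit a crontab-style file for
# the two weaknesses described above.
#   1. PATH hijacking: a directory in the file's PATH= line that group or
#      others can write to.
#   2. Wildcard injection: a tar invocation whose arguments contain a bare *
#      with no "--" to stop option parsing.
# Any finding is a reason to pin PATH to root-owned directories, call
# commands by absolute path, and hand tar an explicit file list.

# crontab_path FILE: value of the last PATH= line in FILE, quotes removed.
crontab_path() {
    sed -n 's/^[[:space:]]*PATH[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr -d "\"'"
}

# writable_path_dirs PATH_VALUE: print each existing directory in the
# colon-separated PATH_VALUE whose mode has g+w or o+w set. Uses the
# portable ls -ld column layout (position 6 = group write, 9 = other write).
writable_path_dirs() {
    oldifs=$IFS; IFS=:
    for d in $1; do
        IFS=$oldifs
        [ -d "$d" ] || continue
        perm=$(ls -ld "$d" | cut -c1-10)
        case $perm in
            ?????w*|????????w*) printf '%s\n' "$d" ;;
        esac
    done
    IFS=$oldifs
}

# tar_wildcard_lines FILE: numbered lines that run tar with a * argument and
# no " -- " separator (the pattern that lets crafted filenames become options).
tar_wildcard_lines() {
    grep -nE '(^|[[:space:];&|])tar[[:space:]].*\*' "$1" | grep -vE '[[:space:]]--[[:space:]]'
}

# audit_cron FILE: one finding per line, empty when nothing was found.
audit_cron() {
    p=$(crontab_path "$1")
    if [ -n "$p" ]; then
        writable_path_dirs "$p" | sed 's/^/WRITABLE_PATH /'
    fi
    tar_wildcard_lines "$1" | sed 's/^/TAR_WILDCARD /'
}

# Usage: audit_cron /etc/crontab; for f in /etc/cron.d/*; do audit_cron "$f"; done
```

The group-write check is deliberately included alongside other-write: a root-owned, group-writable directory in a root cron PATH is only safe if every member of that group is trusted with root, which is the question the finding is meant to prompt.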

How can Docker group membership lead to root access?

If a user belongs to the docker group (id shows groups=999(docker)), they can run Docker containers. By mounting the host root filesystem into a container (docker run -v /:/mnt -it alpine sh), then using chroot /mnt, the attacker gains full root access to the host filesystem, effectively escalating to root privileges on the host.

What is the difference between LD_PRELOAD and LD_LIBRARY_PATH attacks?

LD_PRELOAD loads a specific shared library before all others, allowing function hooking or _init() code execution. LD_LIBRARY_PATH changes the search path for shared libraries, letting an attacker substitute legitimate libraries with malicious ones. Both require sudo env_keep or SUID binary usage, but LD_LIBRARY_PATH requires knowing which library the target binary loads (discovered via ldd).
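Since both the LD_PRELOAD and LD_LIBRARY_PATH paths described in the two answers above hinge on sudo letting those variables through, the configuration is the place to check. The script below is an added example and is not part of the cheat sheet; it scans a sudoers-style file for env_keep entries naming either variable, a disabled env_reset, and SETENV rule tags. The sample sudoers lines in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: scan a sudoers-style file for
# settings that let a caller carry LD_PRELOAD or LD_LIBRARY_PATH into a sudo
# command. Findings:
#   ENV_KEEP <var>       an env_keep line names the variable
#   ENV_RESET_DISABLED   "!env_reset" passes the caller's environment through
#   SETENV_TAG <line>    a rule carries SETENV:, so the user may set any variable
# Remediation is the inverse: keep env_reset on, drop LD_* from env_keep, and
# avoid SETENV on rules for untrusted users.

# sudoers_env_findings FILE: print one finding per line; comments are ignored.
sudoers_env_findings() {
    sed 's/#.*//' "$1" | awk '
        /^[[:space:]]*Defaults/ {
            if ($0 ~ /env_keep/) {
                if ($0 ~ /LD_PRELOAD/)      print "ENV_KEEP LD_PRELOAD"
                if ($0 ~ /LD_LIBRARY_PATH/) print "ENV_KEEP LD_LIBRARY_PATH"
            }
            if ($0 ~ /!env_reset/) print "ENV_RESET_DISABLED"
        }
        # NOSETENV: also contains "SETENV:", so require a non-O character before it
        /[^O]SETENV:|^SETENV:/ { print "SETENV_TAG " $0 }
    '
}

# Usage (as root): sudoers_env_findings /etc/sudoers; also walk /etc/sudoers.d/*
```

Run it over /etc/sudoers.d/* as well as /etc/sudoers, since package-installed drop-in files are where stray env_keep additions usually come from.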

How do you escape a privileged Docker container?

A privileged container (--privileged flag) has access to all host devices. Run fdisk -l to list host disks, then mount /dev/sda1 /mnt to mount the host root partition. Use chroot /mnt to switch to the host filesystem as root. Alternatively, check for CAP_SYS_ADMIN capability (capsh --print) which also allows mounting host filesystems.
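The container escapes described in the last two answers all trace back to configuration that can be checked from the outside (docker group membership, the flags a container was started with) or from within (the effective capability set). The script below is an added example and is not part of the cheat sheet; the group file contents and docker run command lines in its test are constructed, and the flag patterns it recognises are this example's own, not Docker's documented option grammar. CAP_SYS_ADMIN is capability number 21, so it is bit 21 of the CapEff mask in /proc/<pid>/status.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: three checks for the container
# exposures described above, each on data you can feed in offline.
#   docker_group_members   who can reach the Docker daemon via the docker group
#   risky_docker_flags     flags in a "docker run" line that hand out host root
#   cap_sys_admin_in_mask  whether a CapEff mask from /proc/<pid>/status
#                          includes CAP_SYS_ADMIN (capability number 21)

# docker_group_members GROUP_FILE: print the members of the docker group in an
# /etc/group-formatted file, one per line.
docker_group_members() {
    awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# risky_docker_flags CMDLINE: print a finding for each dangerous option.
# The command line is padded with spaces so whole-word patterns can anchor.
risky_docker_flags() {
    cmd=" $1 "
    case $cmd in *" --privileged "*) echo PRIVILEGED ;; esac
    case $cmd in *" -v /:"*|*" --volume /:"*|*" --volume=/:"*|*" -v=/:"*) echo HOST_ROOT_MOUNT ;; esac
    case $cmd in *docker.sock:*) echo DOCKER_SOCKET_MOUNT ;; esac
    case $cmd in *--cap-add*SYS_ADMIN*|*--cap-add*" ALL "*|*"--cap-add=ALL "*) echo CAP_SYS_ADMIN ;; esac
}

# cap_sys_admin_in_mask HEXMASK: succeed when bit 21 of the capability mask is
# set. HEXMASK is the value after "CapEff:" in /proc/self/status.
cap_sys_admin_in_mask() {
    [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]
}

# Inside a running container:
#   cap_sys_admin_in_mask "$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)" \
#       && echo "CAP_SYS_ADMIN present: this container can mount host block devices"
```

Docker's default capability set does not include CAP_SYS_ADMIN, so a positive result from the in-container check means someone added it explicitly (or started the container privileged); that is the condition under which the mount-based escapes above become possible, and the one a defender wants to find first.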