Linux privilege escalation is a critical phase in the penetration testing lifecycle, falling under the 'Attacks and Exploits' domain of the CompTIA PenTest+ certification. It occurs after an attacker has established an initial foothold on a target Linux system, usually as a low-privileged user (suc…Linux privilege escalation is a critical phase in the penetration testing lifecycle, falling under the 'Attacks and Exploits' domain of the CompTIA PenTest+ certification. It occurs after an attacker has established an initial foothold on a target Linux system, usually as a low-privileged user (such as 'www-data' or a limited service account). The objective is to elevate permissions to the 'root' user, granting full administrative control over the operating system.
There are several primary vectors for privilege escalation in Linux environments. First, **Kernel Exploits** involve leveraging vulnerabilities in an unpatched operating system kernel (e.g., Dirty COW) to execute arbitrary code with root privileges. Second, **Misconfigurations** are common targets; this includes checking `sudo` rights via `sudo -l`. If a user can run specific binaries as root without a password (such as text editors or scripting languages), they may utilize techniques documented in GTFOBins to spawn a root shell.
Third, **SUID/SGID executables** are files that run with the permissions of the file owner rather than the user. If a binary owned by root has the SUID bit set and contains a vulnerability or allows shell escapes, it leads to immediate escalation. Additionally, attackers look for **Weak File Permissions**, such as world-writable cron jobs or configuration files containing cleartext credentials.
To identify these flaws, penetration testers utilize enumeration scripts like **LinPEAS** or **LinEnum**. Mastery of this topic requires understanding Linux file permissions, the principle of least privilege, and how to audit systems for deviations from security baselines. Mitigation relies heavily on patch management, restricting sudo access, and removing unnecessary SUID bits.
Linux Privilege Escalation for CompTIA PenTest+
Definition and Importance Linux Privilege Escalation is the process where an attacker, having gained initial access to a system with low-level privileges (such as the www-data user after a web exploit), exploits vulnerabilities, misconfigurations, or logic errors to gain higher privileges, typically aiming for the root user. It is a critical phase in the penetration testing lifecycle because obtaining root access provides unrestricted control over the operating system. This allows the tester to access sensitive files (like /etc/shadow), install persistence mechanisms, pivot to other internal networks, and wipe logs to hide their tracks.
How it Works: Common Vectors Privilege escalation relies on identifying specific weaknesses in the target Linux environment:
1. Sudo Rights Misconfiguration: The sudo command allows users to execute commands as another user (usually root). If configured insecurely (e.g., NOPASSWD), a user might run a binary that can spawn a shell (like vim, less, or find), granting them a root shell immediately. 2. SUID/SGID Binaries: When the SUID (Set User ID) bit is set on a file, it executes with the permissions of the file owner rather than the user running it. If a binary owned by root is SUID and has a vulnerability or allows shell escapes, it can be exploited to gain root privileges. 3. Kernel Exploits: If the operating system is running an outdated kernel (e.g., Dirty COW), an attacker can compile and run an exploit code locally to overwrite system files or escalate privileges. 4. Cron Jobs: System tasks scheduled to run as root may reference scripts that are world-writable. An attacker can edit the script to include a reverse shell, which the system then executes with root privileges. 5. Weak File Permissions: If sensitive files (like /etc/passwd) are writable, an attacker can add a new root user directly.
Exam Tips: Answering Questions on Linux Privilege Escalation When facing scenario-based questions in the CompTIA PenTest+ exam, look for specific clues in the provided terminal outputs or descriptions:
1. Check 'sudo -l' First: If a question asks what to do post-compromise, checking sudo capabilities is often the correct first step. Look for output containing (root) NOPASSWD: /path/to/bin. 2. Identify GTFOBins: If the exam shows a user can run tools like nmap, tar, vim, or find as root, the answer usually involves using that tool to spawn a shell (e.g., :!/bin/sh in vim). 3. Recognize SUID Commands: Memorize the command to find SUID files: find / -perm -u=s -type f 2>/dev/null. If a log output shows this command, the tester is looking for SUID vectors. 4. Analyze Kernel Versions: If the scenario provides the output of uname -a and the kernel version looks old, and no configuration errors are visible, the answer is likely related to a kernel exploit. 5. Writable Files: If the output of ls -l on a script run by cron shows -rwxrwxrwx (world writable), the vector is modifying that script.