Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. It is not a cheatsheet for Enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list on our experience.

NOTE: This is a brief version of this Cheatsheet. For the complete privilege escalation Cheatsheet visit our GitHub page.

Table of Content

  1. Abusing Sudo Rights
  2. SUID Bit
  3. Kernel Exploit
  4. Path Variable
  5. Enumeration
  6. MySQL
  7. Crontab
  8. Wildcard Injection
  9. Capabilities
  10. Writable etc/passwd file
  11. Writable files or script as root
  12. Buffer Overflow
  13. Docker

Abusing Sudo Rights

The word sudo stands for Super User and Do. Basically, the keyword ‘sudo’, when used as a prefix to a command will allow you to run the said command as root without changing your user. When you run any command along with sudo, it will ask for root privileges in order to execute the command and here, Linux will confirm if that particular username is in the sudoers file. If the information matches to the sudoers file then that command will run and if not then you cannot run the command or program using the sudo command. As per sudo rights the root user can execute from ALL terminals, acting as ALL users: ALL group, and run ALL command. So, we can manipulate such rights and use them to our advantage as we have done it many CTF’s.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

1. Ted:1
2. KFIOFan: 1
3. 21 LTR: Scene1
4. Skytower
5. Matrix: 1
6. Sputnik 1
7. Sunset
8. DC-2
9. Kioptrix: Level 1.2
10. Matrix-3

SUID Bit

Set User ID (SUID) is a form of permission that lets the user execute any file with the permissions of a certain user. Those files which have suid permissions run with higher privileges. The maximum number of bits is used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set chmod 755, then it will look like as rwxr-xr-x. But when special permission is given to each user it becomes SUID, SGID, and sticky bits. When extra bit “4” is set to the user (Owner) it becomes SUID (Set user ID), then it will look like as rwsr-xr-x. SUID bits can be manipulated by changing the permission of a file so that we can execute or write it in as we choose to in order to gain access and do the needful.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

1. Kevgir
2. digitalworld.local – BRAVERY
3. Happycorp: 1
4. FourAndSix: 2
5. DC-1
6. dpwwn:2
7. MinU: v2
8. Toppo:1
9. Mr. Robot
10. Covfefe

Kernel Exploit

Kernel exploit is one of the most commonly used exploits nowadays as it is the most advanced attack there is today. It works for both Windows and Linux. In this attack, malicious code evades and takes control of the root/administrator to bypass user control access and as it abuses kernel.

1. pWnOS -1.0
2. LAMPSecurity: CTF 5
3. Kioptrix : Level 1.1
4. Hackademic-RTB1
5. Hackademic-RTB2
6. ch4inrulz : 1.0.1
7. Kioprtix: 5
8. Simple
9. SecOS: 1
10. Droopy

Path Variable

PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user runs any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

1. PwnLab
2. USV
3. Zeus:1
4. The Gemini inc
5. EW-Skuzzy
6. Nullbyte
7. symfonos : 1
8. Silky-CTF: 0x01
9. Beast 2

Enumeration

Enumeration is a phase of attacking where the attacker focuses on traversing through the system and network in order to find useful information such as password hashes, active connections, etc. During this, bash history and config files come handy as they often have the most useful data of which an attacker can take advantage.

1. The Library:1
2. The Library:2
3. LAMPSecurity: CTF 4
4. LAMPSecurity: CTF 7
5. Xerxes: 1
6. pWnOS -2.0
7. DE-ICE:S1.130
8. SickOS 1.1
9. Tommyboy
10. VulnOS: 1

MySQL

MySQL provides a mechanism by which the default set of functions can be expanded by means of a custom written dynamic libraries containing User Defined Functions, or UDFs.

  1. Kioptrix : Level 1.3
  2. Raven
  3. Raven : 2

Crontab

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/

  1. Billy Madison
  2. dpwwn: 1
  3. BSides Vancuver: 2018
  4. Jarbas : 1
  5. SP:Jerome

Wildcard Injection

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken therefore one can take the privilege of it to execute an arbitrary command using a wild asterisk (*) argument.

Read from here: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

  1. Milnet
  2. Pipe

Capabilities

Capabilities are referred to if there are any additional privileges given to a file or directory. This can also be manipulated to our own advantage in order to achieve the desired goal. It can override the permissions or the READ access to a filesystem along with the ability to call chroot.

  1. Kuya : 1
  2. DomDom: 1

Writable /etc/passwd file

/etc/passwd file is the one where passwords and usernames are saved with their every detail possible. So, if by chance you find that this file is writable then you can add your own user with or without password and bypass access control of the system.

  1. Hackday Albania
  2. Billu Box 2
  3. Bulldog 2

Writable files or script as root

Sometimes, there are often files which are writable. Such files can be edited with our developed malicious code. This code can either run as root or can run to gain root access. Thus, the writable files are quite important for privilege escalation.

  1. Skydog
  2. Breach 1.0
  3. Bot Challenge: Dexter
  4. Fowsniff : 1
  5. Mercy
  6. Casino Royale
  7. SP eric
  8. PumpkinGarden
  9. dpwwn: 1
  10. Tr0ll: 3

Buffer Overflow

A buffer is a sequential segment of the memory allocated to hold anything like a character string or an array of integers this particular vulnerability exists when a program tries to put more data in a buffer than it can contain or when a program tries to insert data in memory set past a definitive buffer. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

1. Tr0ll 2
2. IMF
3. BSides London 2017
4. PinkyPalace
5. ROP Primer
6. CTF KFIOFAN:2
7. Kioptrix : Level 1
8. Silky-CTF: 0x02

Docker

Docker was introduced to meet all the drawbacks of VMware. Docker has developed the concept of containers, it means whichever application you want to run in a virtual environment, the docker will create a container with the application and it’s every dependency. The only reason it is widely used than VMware is due to its efficiency. In Docker, all of the commands require sudo prefixing them. Docker design modules intrinsically give significant rights to any user who has access to the daemon. The Docker daemon allows access to either the root user or any user in the ‘docker’ group. This means being a member of the ‘docker’ group is same as gaining permanent root access.

  1. Donkey Docker
  2. Game of Thrones
  3. HackinOS : 1

Leave a Reply

Your email address will not be published. Required fields are marked *