1.   Introduction

Privilege escalation is a critical concept in Linux security, as it involves obtaining higher-level permissions on a system than what is initially granted to a user or group. When attackers successfully escalate their privileges, they gain significant control over the system, potentially compromising its security and integrity. Understanding privilege escalation is vital for both defenders seeking to protect their systems and administrators looking to secure their environments.

Overview of Linux basic concepts

Linux Privilege Levels (User, Group, Root)

In Linux, there are three primary privilege levels: user, group, and root. Each level determines the extent of access and control a user or group has over files, directories, and system resources.

Users

User accounts are integral to Linux security. They are configured in the /etc/passwd file, while password hashes are stored in /etc/shadow. Every user is identified by a unique integer user ID (UID). Among all user accounts, the “root” user is exceptionally powerful, having a UID of 0. The root user is bestowed with unrestricted access to every file and resource on the system, making it a coveted target for attackers during privilege escalation attempts.

Groups

Groups provide a means of organizing users with similar access requirements. Group configurations are stored in the /etc/group file. Each user has a primary group and can belong to multiple secondary (or supplementary) groups. The primary group usually shares the same name as the user account. When a user is part of a group, they inherit the permissions granted to that group, allowing for more efficient management of access controls.

Files & Directories

In Linux, all files and directories have an owner and a group assigned to them. Each owner and group has specific permissions controlling the ability to read, write, and execute files or enter directories. There are three sets of permissions: one for the owner, one for the group, and one for all other users (commonly referred to as “world” permissions). Only the owner of a file or directory can change its permissions, ensuring a level of security in the system.

File Permissions

File permissions dictate what actions can be performed on a file:

• Read: When set, the file’s contents can be read.
• Write: When set, the file’s contents can be modified.
• Execute: When set, the file can be executed, effectively running it as a process.

Directory Permissions

Directory permissions differ from file permissions, and they have distinct functions:

• Execute: When set, the directory can be entered. Without this permission, neither read nor write permissions will work within the directory.
• Read: When set, the directory contents can be listed.
• Write: When set, files and subdirectories can be created within the directory.

Special Permissions

Apart from the standard permissions, Linux also supports special permissions:

• Setuid (SUID) bit: When set on an executable file, it allows the file to run with the privileges of the file owner, regardless of the user executing it. This is useful for certain applications that require elevated access for specific tasks.
• Setgid (SGID) bit: When set on an executable file or a directory, it allows the file or the files created within that directory to run or inherit the group permissions of the file group, respectively. This is commonly used for shared directories where group collaboration is necessary.

2.   Enumeration

Explanation of what enumeration is and why it’s important. Enumeration is the process of gathering information about a system that can be used to aid in a privilege escalation attack. It is important because it can help attackers identify potential vulnerabilities or weak points in the system. Techniques for enumerating the system (e.g., finding running processes, checking file permissions, identifying installed software).

1. Checking running processes: The ps command can be used to list all the currently running processes on a system. 

Example, ps aux will show a detailed list of all running processes, including the user who started the process, the process ID (PID), and the resources the process is using.

2. Checking file permissions: The ls command can be used to display file and directory permissions. 

Example, ls -l will display a long listing of files and directories, including their permissions, owner, and group.

3. Identifying installed software: The dpkg -l command can be used to list all installed packages on a Debian-based system, while rpm -qa can be used to list installed packages on a Red Hat-based system.
4. Checking network connections: The netstat command can be used to display active network connections and listening ports. 

Example: netstat -tulpn will show all TCP and UDP connections with their corresponding processes and listening ports.

5. Checking system users: The cat /etc/passwd command can be used to display a list of all system users and their associated information, such as their home directory and default shell.
6. Checking system groups: The cat /etc/group command can be used to display a list of all system groups and their associated members.
7. Checking system services: The systemctl command can be used to list all system services and their current status. 

Example: systemctl list-units –type=service will show all active services on the system.These techniques can help an attacker gather information about the system that can be used to identify potential vulnerabilities or weak points in the system.

8. Network Enumeration: This technique involves identifying open ports, services running on those ports, and other details about the network configuration of the system. Some common tools used for network enumeration include nmap, netcat, and tcpdump.

Example: To scan for open ports on a target system using nmap, you can use the following command:

nmap -sS <targetIP>

This command will perform a TCP SYN scan on the target system and list all open ports.

9. Password Enumeration: This technique involves identifying user accounts on the system and attempting to guess or crack their passwords. Some common tools used for password enumeration include Hydra, Medusa, and John the Ripper.

Example: To use Hydra to brute force SSH login credentials on a target system, you can use the following command:

hydra -L <userlist>-P <passwordlist>ssh://<targetIP>

This command will use the usernames and passwords from the specified files to attempt to log in to the SSH server on the target system.

10. User and group enumeration: Enumerating users and groups on the system can help identify potential targets for privilege escalation attacks. This can be done using tools such as id and getent. 

Example, the following command can be used to list all users on the system:
getent passwd

11. File system enumeration: Examining the file system can reveal important information about the system, such as configuration files, database files, and logs that may contain sensitive information. This can be done using tools such as find and locate. 

Example: the following command can be used to find all files on the system that have the word “password” in their name or contents:
find / -name “*password*” -type f.

These are just a few examples of the many techniques that can be used for system enumeration. The goal is to gather as much information about the system as possible in order to identify potential weaknesses that can be exploited for privilege escalation.

3.   Exploitation

Explanation of what exploitation is and how it relates to privilege escalation. Exploitation is the process of using a vulnerability or weakness in a system to gain access or control that would not normally be possible. It is related to privilege escalation because attackers often use exploitation techniques to gain elevated privileges. Techniques for exploiting vulnerabilities (e.g., exploiting misconfigured file permissions, exploiting a vulnerability in a setuid binary)

There are many different techniques that can be used for exploitation, here below some techniques

Overview of common privilege escalation techniques

There are many different techniques that attackers use to escalate privileges on a Linux system. Some of the most common include exploiting vulnerabilities in software, using misconfigured permissions, and abusing weak authentication mechanisms.

1. Exploiting vulnerable software: Attackers can exploit vulnerable software installed on the system to gain higher privileges. 

For example, if a vulnerable setuid binary is present on the system, an attacker can exploit it to escalate their privileges.

2. Exploiting file permissions: Attackers can exploit weak file permissions to escalate their privileges. 

For example, if a user has write access to a root-owned binary file, they can replace the binary with a malicious one that gives them higher privileges.

3. Exploiting kernel vulnerabilities: Attackers can exploit kernel vulnerabilities to escalate their privileges. 

For example, if there is a kernel module with a vulnerability that allows local privilege escalation, an attacker can exploit it to escalate their privileges.

4. Exploiting weakly protected credentials: If the system stores passwords or other sensitive information in plaintext or weakly encrypted files, an attacker with access to those files can use the credentials to escalate their privileges.
5. Exploiting misconfigured services: Attackers can exploit misconfigured services to escalate their privileges. 

For example, if a service is running with root privileges and is not properly secured, an attacker can exploit it to gain root access.

6. Exploiting weak file permissions: An attacker can exploit weak file permissions to escalate their privileges. 

For example, if a file is owned by the root user and group, but has write permissions for other users, an attacker can modify the file to gain root privileges.

7. Exploiting cron jobs: Cron jobs are scheduled tasks that run automatically at specific times on a Linux system. An attacker can exploit a vulnerable cron job to escalate their privileges. 

For example, an attacker can modify a cron job script that runs as root to execute malicious commands with root privileges.

8. Exploiting misconfigured sudo: Sudo is a command-line utility that allows users to execute commands with elevated privileges. A misconfigured sudoers file can allow attackers to execute commands with root privileges. 

For example, if a user is granted sudo access to a command that allows them to edit system files, an attacker can modify the sudoers file to grant themselves full sudo access.

9. Exploiting misconfigured setuid binaries: Setuid binaries are executables that run with the privileges of the user who owns the binary, regardless of who executes the binary. A misconfigured setuid binary can allow an attacker to execute arbitrary code with elevated privileges. 

For example, if a setuid binary is owned by the root user and has a buffer overflow vulnerability, an attacker can exploit the vulnerability to execute arbitrary code with root privileges.

10. Exploiting vulnerable SUID binaries: SetUID (SUID) bit is a permission bit that allows a user to execute a file with the permissions of the file’s owner. This can be abused if there are any SUID binaries with vulnerabilities that allow an attacker to execute arbitrary code with elevated privileges. 

An example of a vulnerable SUID binary is /usr/bin/passwd, which allows an attacker to overwrite the shadow file and create a new root password.

11. Exploiting vulnerable system services: If any system services are running with elevated privileges and have vulnerabilities, attackers can exploit these vulnerabilities to gain root access. 

For example, if the Apache HTTP server is running as root and has a vulnerability that allows arbitrary code execution, an attacker can exploit it to gain root access.

12. Exploiting writable directories with SUID programs: If a directory is writable by a non-root user and contains a SUID binary, an attacker can replace the SUID binary with their own code, which will be executed with elevated privileges. 

An example of this is the /tmp directory, which is often writable by all users and may contain SUID binaries.

13. Exploiting shell escape vulnerabilities: Some programs allow users to execute shell commands, but don’t properly sanitize the user input. This can allow an attacker to inject their own shell commands and execute them with elevated privileges. 

An example of this is the “sudoedit” command, which allows a user to edit files as root, but can be abused if the user can execute arbitrary commands.

4.   Post-Exploitation

Explanation of what post-exploitation is and why it’s important. Post-exploitation is the process of maintaining access and escalating privileges after gaining initial access to a system. It is important because it allows attackers to maintain control over the system and continue to extract sensitive information or use it for malicious purposes. Techniques for maintaining access and escalating privileges after gaining initial access.

There are many different techniques that can be used for post-exploitation, including:

• Installing a backdoor: An attacker may install a backdoor that allows them to maintain access to the system even if their initial method of access is discovered and blocked.
• Escalating privileges: Once an attacker has gained initial access to a system, they may use further exploitation techniques to escalate their privileges and gain even more control over the system.

5.   Defense and Mitigation

Explanation of common defenses and mitigations against privilege escalation attacks (e.g., regular system updates, restricting user permissions, monitoring system logs)

There are many different defences and mitigations that can be used to protect a Linux system against privilege escalation attacks, including:

• Regular system updates: Keeping software up to date can help prevent known vulnerabilities from being exploited.
• Restricting user permissions: Limiting the permissions granted to users and groups can help prevent them from being able to escalate their privileges.
• Monitoring system logs: Keeping track of system logs can help identify suspicious activity or attempts at privilege escalation.

Best practices for securing a Linux system against privilege escalation attacks. In addition to the specific defences and mitigations listed above, there are also a number of best practices that can be followed to help secure a Linux system against privilege escalation attacks, including:

• Use strong passwords: Strong passwords can help prevent attackers from being able to gain access to user accounts.
• Disable unnecessary services: Disabling any unnecessary services or software can help reduce the attack surface of the system.
• Use least privilege: Only grant users and groups the permissions they need to perform their required tasks.
• Implement security policies: Develop and implement security policies to help ensure that security is a top priority for the system and its users.

6.   Conclusion

Recap of key concepts

• Privilege escalation is the process of gaining elevated permissions on a system beyond what is normally granted to a user or group.
• Enumeration, exploitation, and post-exploitation are key steps in a privilege escalation attack.
• Defences and mitigations can be used to protect against privilege escalation attacks, including regular system updates, restricting user permissions, and monitoring system logs.

Final thoughts and recommendations

• Privilege escalation attacks are a serious threat to Linux systems and it’s important to understand how they work in order to protect against them.
• By following best practices for system security and staying up to date on the latest threats and vulnerabilities, users can help protect their systems against privilege escalation attacks.