Linux 提权实战指南

v20260317

performing-privilege-escalation-on-linux

指导红队在 Linux 系统中枚举 SUID/SGID、sudo 配置、内核漏洞、定时任务、能力和服务文件，通过多个路径实现并记录提权过程。

Linux 提权红队后渗透枚举内核漏洞安全工具 MITRE ATT&CK

获取技能

327 次下载

概览

Performing Privilege Escalation on Linux

Overview

Linux privilege escalation involves elevating from a low-privilege user account to root access on a compromised system. Red teams exploit misconfigurations, vulnerable services, kernel exploits, and weak permissions to achieve root. This skill covers both manual enumeration techniques and automated tools for identifying and exploiting privilege escalation vectors.

MITRE ATT&CK Mapping

T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
T1068 - Exploitation for Privilege Escalation
T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
T1053.003 - Scheduled Task/Job: Cron
T1543.002 - Create or Modify System Process: Systemd Service

Key Escalation Vectors

SUID/SGID Binaries

Find SUID binaries: find / -perm -4000 -type f 2>/dev/null
Check GTFOBins for exploitation methods
Custom SUID binaries may have vulnerabilities

Sudo Misconfigurations

sudo -l to list allowed commands
Wildcards in sudo rules allow injection
NOPASSWD entries for dangerous commands
sudo versions vulnerable to CVE-2021-3156 (Baron Samedit)

Kernel Exploits

Dirty Cow (CVE-2016-5195) for older kernels
Dirty Pipe (CVE-2022-0847) for kernel 5.8+
PwnKit (CVE-2021-4034) for pkexec
GameOver(lay) (CVE-2023-2640, CVE-2023-32629) for Ubuntu

Cron Job Abuse

World-writable cron scripts
PATH hijacking in cron jobs
Wildcard injection in cron commands

Capabilities

getcap -r / 2>/dev/null to find binaries with capabilities
cap_setuid allows UID manipulation
cap_dac_override bypasses file permissions

Writable Service Files

Systemd unit files with weak permissions
Init scripts writable by non-root users
Socket files in accessible locations

Tools and Resources

Tool	Purpose
LinPEAS	Automated privilege escalation enumeration
LinEnum	Linux enumeration script
linux-exploit-suggester	Kernel exploit matching
pspy	Process monitoring without root
GTFOBins	SUID/sudo binary exploitation reference
PEASS-ng	Privilege escalation awesome scripts suite

Validation Criteria

Enumeration performed using automated tools
Privilege escalation vector identified
Root access achieved through identified vector
Evidence documented (screenshots, command output)
Alternative escalation paths identified

信息

Category 编程开发

Name performing-privilege-escalation-on-linux

版本 v20260317

大小 11.74KB

Source mukul975/Anthropic-Cybersecurity-Skills

更新时间 2026-03-18