Linux Red Team Privilege Escalation Techniques - Kernel Exploits & SUDO Permissions

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hello everyone welcome back to the red team training Series in this video we are going to be taking a look at performing privilege escalation on Linux targets so we are going to be continuing uh you know from our initial exploitation phase on our Linux Target which was essentially a server that was hosting a WordPress website and we have already established our initial access so we're going to be taking a look at how to obtain root privileges after which in the next video we'll be exploring the process of setting up persistence so that we don't lose our access however in this video we will be focusing on various privilege escalation techniques native or relative to Linux system so firstly we'll talk about local accounts and I'll get to these techniques shortly uh secondly we'll be taking a look at how to exploit suid or sudo permissions in order to elevate your privileges we'll also take a look at how to utilize kernel exploits in order to elevate your privileges so uh let me just delve a little bit into some of these techniques and how they can be used to elevate our privileges so when we're talking about local accounts local accounts can be used to abuse or Elevate Privileges and harvest credentials through operating system credential dumping uh password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of privileged escalation and lateral movement so so the objective here is to um again identify local accounts that are running on the target system or the target server and then obtain their credentials so again that can be used to maintain access on a system legitimate access of course and secondly it can be used for lateral movement however we will actually delve into this in the Practical section before we do that let's take a look at some of the other techniques so suid and sudo permission so an adversary May perform shell escapes or exploit vulnerabilities in an application with the set use ID or set group ID bits to get code running in a different user's context so a suid binary or seoid is a permission that can be applied to specific binaries on the on the target system by an administrator and what this essentially allows is it allows ordinary users or unprivileged users on the system to run that binary with root privileges without having to authenticate with the root password this is very useful because administrators may want to provide certain permissions certain pseudo permissions or root permissions to a particular user only for a specific binary as opposed to providing them with root permissions uh you know on a larger context in that they can utilize root permissions to run a variety of commands in this case suid permissions are essentially limit the sudo or root privileges to one binary and when we talk about sudo permissions the administrator can also provide or add permissions for a particular binary for a particular user so for example they can set up a or they can essentially set up a system where a particular binary can be launched as sudo or with root privileges by an unprivileged user without having to provide the administrator or the root password so we'll take a look at how to exploit that and then finally we're going to explore kernel exploits all right so adversaries May exploit software vulnerabilities in an attempt to elevate privileges uh the exploitation of a softer vulnerability occurs when a an adversary takes advantage of a programming error in a programming service or within the operating system software or the kernel itself to execute adversary controlled code so this is not really uh you know exclusive to the kernel itself you can also find vulnerabilities in software or packages that are installed on the target system if they'll if they can allow for elevation of privileges in this case we'll be focusing on kernel exploits that allow us to elevate our privileges so we'll be taking a look at that all right that being said in regards to the miter attack privilege escalation techniques pertinent to Linux these are the techniques we're going to be focusing on so local accounts suid binaries and pseudo permissions as well as kernel exploits that being said we can actually move on to the Practical aspect of this video where will take a look at all of these techniques so I'll see you back on my Cali VM alright so I'm back on my Cali VM and I'm I've logged in Via sh to the Target so if you remember in the initial Axis or the initial exploitation a video where we essentially exploited This Server and we're able to obtain initial access our our axis Vector was via SSH because we had obtained the credentials for this for the user Michael so our job now is again to elevate our privileges to that of the highest user or to the user with the highest privileges in this case we were able to identify that the only user that has root or administrative privileges is the root user so that is our objective now I'm going to be covering a few techniques here that you should actually follow through whenever you're performing a red team engagement on a Linux Target so the first thing you want to do is for your current user you want to try and identify whether this user has a bash history file now again A bash history file is the file that stores all a history of all commands that have been ended within the user's bash session right so in this case we know that this particular user is using a bash A bash shell as their as as their terminal um as their default uh shell for their terminal so again you can also verify what shells are installed or set up on the system by typing in cat Etsy shells you can see you have all of these shells here and then of course if I display uh the contents of the password file you can see for the user Michael if I can actually identify him there we are we can see that this user will use the bash Shell by default so if we head over to the the home directory of the user Michael here and I'll just print out the working directory there you can see told Michael and I list out the contents here you can see we don't have a bash history file which is uh probably a good thing from a security perspective primarily because again if the if the user Michael has entered any passwords or anything that could provide us with additional information as to how we can Elevate our privileges uh you know all of that would be stored within the bash history file we can also check the history file by typing in history and you can see it looks like this uh it looks like the setup here essentially erases the history the command history of the user as soon as as he logs out and once he logs in all of the history for that session is stored but not for any other sessions so in this case this is a dead end right the next uh thing that we should be doing is of course searching locally for passwords or and we are searching for passwords within configuration files within any files that may contain passwords now of course this can be done both manually and automatically we can take a look at how to do this manually by utilizing the grep utility so I'm just going to copy this grip command here and again it will be available in the documentation for this video so what's happening here is we're essentially using grep uh to actually recursively go through the root file system of this Linux server and then search for the following string which is password and essentially it's just going to Output it into no file here into Dev null rather and it's going to color code the results for us so what this will do is it will display any files that contain the occurrence of the following string so if we hit enter you can see there's quite a lot of results being output here and it essentially shows you all matches for the keyword password now the reason we're doing this is because within configuration files are many many services or software pieces of software will typically store credentials May typically store credentials and the way they store them is by you know listing out the username and the password and that's why we're searching for the password string as you can see this is quite difficult to actually go through because of the sheer amount of results that are going to be output what we can do however is fine tune our search to a particular directory or limit our search to a particular directory now the configuration files on Linux are typically stored within the Etsy directory so if we limit the results to the Etsy directory you can see that the results are much fewer now and we can go through the results to identify whether we can find any legitimate credentials in this case you can see that we can't find anything useful here so nothing within any configuration files we already know that we were able to obtain the the MySQL root credentials by taking a look at the the WordPress config file in the previous video during our initial exploitation so again we can do that as well you want to check as many directories as possible where you you typically have passwords being stored so VAR www HTML and of course this is going to be recursive so it will display quite a bit of data and of course as you can see that that is quite uh extensive in regards to the results that it outputs we can limit it to Wordpress so that we only limit the the occurrences of the of the string password uh to the files within the WordPress directory so I hit enter you can see it's reduced it slightly and of course WordPress contains quite a few occurrences of this but we're going to be looking for the actual value the the actual password as opposed to the specification of the string here so again in this case it's quite difficult to read but by performing an analysis of what services and software is running on the target system you can go through or you can identify where credentials are stored as we did in the initial exploitation video so again for example we were able to identify that um under the VAR dot HTML WordPress directory under WordPress config dot PHP we were able to identify the MySQL root user credentials and you can see we have the database user which is root and the password so let's actually copy this and I'll just exit out of there and if we list out the current users on the system we can see that we have the user Steven right so we we can pretty much try and uh laterally Elevate or horizontally Elevate our privileges to the user Stephen even though we know that this user is not an administrative user or a user with administrative privileges we might find some data within their their home directory so we can always try that so the way we can actually do this is if you remember we were able to identify the SSH credentials for the user Michael by logging into the mySQL database and then of course uh we were able uh we were able to dump the the database uh the data from the WordPress tables or the WordPress user table uh and we were able to get their WordPress credentials however for the SSH credentials we were able to perform a brute force with Hydra and identified the credentials for the user Michael however we did not do the same for the user Stephen uh what we can try and do is try and identify whether there is some form of password reuse here so we can try and crack the password the WordPress credentials for the user Steven and see whether we can log in Via SSH or just authenticate uh you know to with that user account with the password that we can uh that we will crack so we can log in so we'll say MySQL user is root and the password we will paste in because I copied it there we are if I show if I say show databases you can see we have the WordPress database I'm going to say use WordPress and then show tables like so and then we say select from WordPress users and I hit enter you can see we have the the md5 hash here for the user Steven we can crack this md5 hash uh quite easily with John the Ripper John the Ripper is a password cracking utility uh that comes pre-packaged on Kali Linux and the way I'll do this I'll just open up a new terminal here and uh I'll essentially say sudo well before we do that we actually need to save this hash because John the Ripper requires that we specify the hash within a file so I'll use vim and I'll just create a file called hash.txt and I'll paste in the hash here now whenever you're specifying a a hash that's going to be read by the by John the rip up you want to also provide the username of that particular password hash so this can be done by specifying the user which in this case is Steven you then want to use a colon and that's how you want to save it so I'm going to write and quit and now we can say sudo John and then we specify the file that contains the hash and the reason we're not specifying the format is because John the Ripper will automatically detect what hash it is and then crack it accordingly we then need to specify the word list to use to perform the Brute Force password cracking here and we are performing a dictionary attack in this case so we can again utilize a comprehensive word list like the rocky word list as we did in the previous or the initial exploitation video so we'll say user uh share word lists and under rock you uh the the name of the word list is rocku.txt right we hit enter I'm just going to provide my password here and it's going to begin the the password cracking process and it looks like it found the password for the user Steven so you can see it's saying the password is pink 84. um so we can try and authenticate let's see whether this will actually work I'm just going to copy it here without the spaces so we'll copy that if I now um I'm just going to drag this slightly here and let me just exit from the mySQL database if I now want to authenticate with the user Steven I can say Su Steven and then I paste in the password that I was able to get and it looks like that worked if I type in the ID command you can see we're logged in as the user Steven so that was successful so it looks like we were able to exploit uh the password reuse or we were able to exploit a password reuse misconfiguration or vulnerability rather so this is one thing that a lot of users do is they'll typically use the same password for multiple accounts in this case they've used the same password for their WordPress account as well as their as their Linux account here so I'll just spawn a bash session so I'll say bin bash I because we're currently within a bone shell and there we are Steven so I'll just head into their home directory let's see whether we can identify any files within that directory we can't if we say history uh we can see that again it's just for the current session so I'm just going to close that Tab and we're back here on the user Stephen so um again we've been able to identify the credentials for two users on the system one of them is Steven the other one is Michael the next step is to obtain root privileges so what we can take a look at now is how to use automated enumeration tools automated local enumeration tools for Linux systems um so the first thing I'll do is I'll just head over into my TMP directory whenever you're working with the Linux system you never want to store your scripts and files within a directory that is frequently accessed by users on the system so the TMP directory is a great option you can also opt or you know create other directories that again are clandestine as possible so the first utility or tool that we're going to talk about is a tool called Lin enum right so I'm just going to perform a quick Google search for it here and I'll just open up the GitHub repository the link to this GitHub repository will be in the documentation for this video so Lynn enum is a local enumeration tool that automates a lot of the enumeration checks that we typically perform but it also identifies vulnerabilities that we can exploit to elevate our privileges uh etc etc so you can clone the repository and you need to transfer the Lin enum bash script onto the target system I have already cloned the repository so I'll just open up a new tab here and I'll navigate to the directory where I stored them locally which is going to be on my desktop there we are on my desktop and under a folder called Lin Linux enum and within this folder I have the Lin e number script here I'll now use the the python module simple HTTP server to set up a local server here on Port 80 that will serve these files and then we can transfer or download these files onto our Target system using the wget utility so I'll say sudo python M simple HTTP server and we'll say Port 80 we hit enter I'll just provide my password here and you can see it's serving HTTP on on my Kali IP on Port 80 right so I can now say within the temp directory on the target wget HTTP I then specify I specify my Kali Linux IP address which is 192.168.2.21 and then I specify the file that I want to download which in this case is going to be Lin enum dot sh you can see that that's saved successfully and on the web server side here you can see that that the get request was successful because we get the 200 status code there um so what we can do now let me just uh terminate my server there and I'll just clear the terminal so we can see what's going on and I'll just bring this to the side here so we need to provide the script with executable permissions so if we list out the contents here you can see it's saved successfully so we'll say chmod plus X Lin enum Lin enum.sh and then we can execute it by saying Lin enum.sh we hit enter it's going to begin enumerating all the important information uh in relation or that's useful for privilege escalation so you can see number one it outputs the kernel information as we were able to do manually uh in the initial access video or the initial exploitation video it also displays the kernel information in depth here and the version of GCC installed that will be useful in a few seconds we get the hostname of the system the current User Group Etc and again all the groups available on the system the contents of the password file and we also identify something that's very interesting here so we it says that we can sudo without supplying a password alright so this brings us to our next privilege escalation technique with it which is exploiting suid binaries or sudo permissions in this case it looks for it looks like that for the user Stephen A sudo permission has been set by the administrator and the permission is listed here so it looks like um the user Stephen can run the python binary or can run python as the root user without providing the root password so that means we can potentially use this as our privileged escalation attack attack Vector primarily because if we can essentially find a way of spawning a shell within python uh remember it's going to be executed with root privileges so that means we should get a we should get a shell with root privileges so again it says right away a possible pseudo pawnage so we can uh in order to exploit this we can utilize a resource called GTFO uh GTFO bins this is an online resource and this link will be in the documentation that again you can see it actually gives you a very good description here GTFO bins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems so if we search for the binary that has been misconfigured which in this case is python we'll just click on python here and we're not looking for a typical shell we are looking for um let me find it here there we are we're looking for a sudo right or a pseudo or root shell so you can see it says if the binary is allowed to run as super user by sudo it does not drop the elevated privileges and may be used to access the file system escalate or maintain privileged access so in order to exploit this we can say pseudo python so we're launching it with sudo and remember we don't need to provide the root password or the uh the root user password there and then we're essentially saying import Os Os dot system and then execute bin date we can then execute a shell session and because we're executing it with root privileges we should get a shell with root privileges so in order to exploit this I'm just gonna can go down here and then we can execute it but instead of getting a normal Bond shell we'll spawn a bash shell here we hit enter and we've obtained root access as it says right over here so if we type in ID there we are root access and we now have taken complete control of the target server and we have done this by exploiting a misconfigured pseudo privilege for the python binary this is a very very common practice that you'll find on tons of servers where the administrator does not want to provide a particular user with privileges uh with you know complete administrative privileges but restricts administrative privileges to one binary or to one script and if if misconfigured we can exploit it to obtain a root shell as easily as we just did so this is the second take technique that I wanted to highlight the final technique is going to be is going to involve utilizing a kernel exploit so again the reason I'm taking you through all of these techniques is because again you need to have an understanding of how to utilize multiple techniques and you shouldn't rely on one because systems are configured differently now as I said what we'll do is we will just say we'll just go back into the user Steven here and again I'll just spawn a bash session there we are and we're back into the user Stephen so the next step is going to involve performing kernel exploitation all right so let's take a look at kernel exploits now when it comes down to Kernel exploits there's really two pieces of information that are vitally important to the process right and that of course is going to be the distribution release version or the distribution itself so you know is the target running Ubuntu is it running Debian is it running Fedora Red Hat etc etc and secondly and the most important of all is the kernel version now it's important to note that kernel exploits or privileged escalation via kernel exploits is not really a recommended technique primarily because the Linux kernel is the core of the operating system and a kernel exploit essentially interacts with the kernel now the problems that can arise are twofold number one this can cause issues with the system stability so you know that there may be a um a kernel panic when using a kernel exploit this can consequently lead to data loss or unexpected shutdowns secondly uh kernel exploits are really not a stable in regards to the actual execution on the Target and of course when I talk about stability I'm referring to the fact that kernel exploits typically only work for a specific kernel version so you have to make sure that you're running the correct kernel exploit or again you can cause uh you know unintended harm really to the system and of course that can again consequently raise red flags or alert system administrators or security analysts as to a possible intrusion or a possible activity on the target system that is typically not expected that being said as I said I went on the Linux Target you can enumerate this information for example if I wanted to display the kernel version I can type in you name r and this is the exact kernel version that's running on the target so realistically speaking uh we we should only be able to or we we should only run kernel exploits for this particular kernel version and then of course the other piece of information that's vital here is the actual distribution and the distribution release version in this case you can see it's a Debian 8 and the release version is eight so of course we know that the target is running Debian 8 and the kernel is 3.16 all right now when it comes down to Kernel exploits and privilege escalation as I've said there's lots of ways we can sort of identify exploits for this particular kernel however there's a there is a tool that we can utilize to automate this process to automate the process of identifying kernel exploits for our particular Target and this tool is the Linux exploit suggestor all right and the GitHub repository will be in the documentation for this video so you can head over to the GitHub repository it is essentially A bash script that needs to be run on the target system and what it does is it actually it essentially gets the information that again is relevant like the distribution release version and the kernel version and then essentially provides you with a list of vulnerabilities or exploits for that particular kernel version right now I also need to point out that a kernel exploits do really do not have a a high probability of sex of success unless again the the exploit has been tested and you've been able to confirm uh beforehand that this that this does work now what I would typically recommend whenever you want to run a kernel exploit on a Target system I would recommend uh you know setting up the same system uh on your on on your Virtual Lab or uh you know on on your virtual Network so for example in my case I would download Debian 8 and ensure that the kernel version is 3.16 and then run the kernel exploit on that system first before running it on the target system uh firstly to verify that it is working in second secondly to confirm or to verify that it's not causing any issues right so we can use this script you can download it by using the wget utility and the command here and that will save it for you in my case I've already downloaded it so I'm just going to open up a second terminal here and I'm this is on my Cali VM so I'm just going to navigate to where I've I've stored the script this is under Linux enum and you can see that we have it there this is the script name this is les.sh is an acronym for Linux exploit suggested so that's the the actual script name if he uh you if you'll actually if you actually download it using wget or this particular command as you can see it saves it as les.sh all right so now we need to transfer it over to the Target system so again I'll just use the python module a simple HTTP server to set up a simple web server to host these particular Scripts and again I'll just hit type in my password there we are so that's serving I'm currently on the temp directory on the target system so if I list out the the actual contents of this directory we only have the Lin enum script so we can say wget and then HTTP put in your Kali IP so I'll just type that in and then we say les.sh that's going to download it for us there we are so that's saved and I'm just going to terminate that and I'll close this here and I'll now provide the script uh with uh with executable permissions there we go and then I'll execute the script like so I hit enter and uh you you can actually see that it's uh it's actually completed providing the results so let me just go through the way this works all right so firstly it will gather all the important information it needs to actually perform the scan and that information is three uh the kernel version which in this case we know is 3.16.0 the architecture of the operating system in this case we know the that the target is running a 64-bit version of Debian 8. as you can see the distribution is Debian the distribution release version is eight and it then gives you um you know a summary of how many exploits exist so we have 76 kernel space exploits and 48 user space exploits and then it displays the exploits for this particular kernel version now whenever you're using the Linux exploit suggestor you want to look out for the exposure the exposure tells you the probability of success when using this particular exploit so you can see for the first few exploits you can see that they exposure is highly probable which means there's a high chance that this might work and you can see it for the second one and for the third one you can now see it's less probable and it you know it just continues so the way the script works is that the vulnerabilities or the exploits with the highest probability of success are going to be displayed first and then the ones with the least probability of success are going to be printed out last right or after the ones that are highly probable the information displayed is fairly helpful because it provides you with the common vulnerabilities and exposure ID or code that's the cve code as you can see that allows you to actually research more about this particular vulnerability the exploit is provided here you can see it's the dirty cow exploit it provides you with a reference link for this particular exploit and how you can exploit this vulnerability as for the tags this is very important it tells you what system or what distributions and kernels this exploit will work on so in our case you can see that we're pretty much good to go because it supports a Debian seven and eight also red at Enterprise Linux and then displays the specific kernel that it will work more on on red hat and also on Ubuntu so you can see Ubuntu 16.04 14.04 12.04 it then provides you with the download link for the exploit code itself which you can then download compile and transfer over to the Target and then execute so what we can do is let me just copy this particular exploit name and let's perform some research on it just to see how this works now I need to point out before we get started with this that I have again worked with this system before and I've run you know multiple kernel exploits and only only one or two were successful but not uh they weren't able to provide me with elevated privileges so in the case of this box I would not recommend running any kernel exploits I'm just taking you through the process of how this is done right so we head over into our browser we have the dirty cow exploit and you can click on the exploit DB link right which I believe corresponds to the link provided here now this is 40611 but it's the same exploit I believe I'm just going to wait for the exploit um the exploit DB link to actually open up all right so the exploit DB link is uh opened up and you can see the it this particular exploit targets the Linux kernel 2.6.22 and lower than 3.9 so we are in the uh within this range here and it gives you an idea of what it does so it's exploiting a race condition and provides us with privileged escalation so the way the dirty cow exploit works is it essentially creates a new administrative user account on the target system and the default user that it actually creates will have a name of firefought now you can actually download the exploit code and change the actual name the username to whatever you want remember you want to be as clandestine as possible so as I said it it actually allows you to create a new user account with administrative Privileges and again you can specify your own password once the exploit has run successfully you can then switch to that administrative user or you can SSH into that user account so this is a really cool exploit when it does work because it can allow you to create a a backdoor user that again has administrative privileges and you can then utilize that as a backdoor and you know you can again authenticate to that user overtly using SSH so in order to use it we need to download the exploit code so you want to click on the download link here and what I'll do is let me just open up a new terminal window and I'm just going to wait for this to bring up the download prompt for some reason the exploit DB site has been slightly slow today but it should actually pop us up there we are you can see we have the download um prompt I'm going to hit save file I'm now going to move the exploit code from my downloads folder because that's where Firefox saved it into my current working directory as you can see we now have it here it's a 40839.c so I'm just going to rename this to exploit.c so let me just get the correct name here so 40839.c and we'll rename it to exploit dot C right so now that that is done we can actually move ahead to the compilation phase now the exploit DB link here actually gives us instructions as to how we can compile this now uh I would typically recommend uh compiling the exploit code on the target system if GCC is installed because again this is a C file and we want to compile it into a binary so the target needs to have GCC installed in this case we know the target has GCC installed during our local enumeration section or during the local enumeration section so what we can do is I'm just going to again use the simple HTTP server to host the exploit code and then I'll download it onto the target we'll then compile it and run it all right so a simple HTTP server and we hit port 80. there we are and now I'll just use the obligate command type in my Kali IP and exploit.c is the file we want to download that downloads successfully so I can now close that up and uh we see we display the actual contents of this directory you can see we have exploit.c so to compile it we need to use GCC and then the pp thread and l-crypt flags for successful compilation primarily because uh this particular script or this particular exploit utilizes the P thread libraries um as you can see here P thread and l-crypt if I can actually find it where we have Crypt here there we are so there we are so that's why you need to provide the flags so I'm just going to copy this here and of course we want to substitute the names here of the C file in our case the name of the C file is exploit.c and we will output it into a binary called exploit all right so I hit enter it looks like compilation was successful if I list out the contents now you can see we have the exploit binary so let's provide it with a root or executable permissions and I'll just say chmod plus X exploit if I list that out now you can see we have we still have it here and the permissions have been set correctly this particular binary is owned by the user Steven primarily because we're working with that user so the way as I said this exploit works we simply need to execute it we can provide a password but it should prompt us to provide a password for the user account the root user account that it will create again you can also customize it so if I go into the exploit.c code we don't have Vim here so let me just use Nano exploit.c you can see that you can change the default username to create by changing the salt value which again is set to Firefox so you can change that whatever username you want you can also change the username I think there is a field here that allows you to change the actual username uh there we are so user.username you can change that from Firefox to whatever you want you can also change the user info and the user shell if you want all right but in this case we're not going to play around with that we're just going to say exploit we hit enter it's going to say that the Etsy password file has been backed up to Temp uh to the temp directory and the the backup file is called password.backup so this is useful if you ever want to revert to the previous password file and it's going to ask us to provide a password for this new user account that we want to create I'll just say password I'll hit enter it's going to begin the exploitation process but as I said with this particular box and with this particular kernel this exploit doesn't work because it will not actually create the user but again as I said I'm taking you through the methodology of utilizing a kernel exploit here so I'm going to wait for this to complete running and then I'll actually confirm to you that this did not work all right so the exploit is com has actually completed running and you can see that it's uh it's going to tell you right over here uh let me just see if I can identify that there we are so it's going to say done check the Etsy password file to see if the new user was created you can then log in with the the username five font and the password password that we specified um so again if I say cat SC password uh you can see that it it did not add the Firefox user primarily because as I mentioned earlier this exploit doesn't work on this version of Debian or rather this particular kernel it looks like it was patched and that user wasn't created however as you can probably tell this is not a silver bullet when it comes down to privilege escalation and we were able to actually utilize the um the python binary or python rather primarily because it it had the the particular sudo permission set that allowed the user Stephen to execute it with root privileges and not provide a password and that was a much more uh you know much more direct technique or vector that we utilize so again you know all I need to do in order to obtain root access is just copy this command here and again I need to be as a user Stephen because uh that particular sudo permission has only been set for the user Steve for the user Steven I prefer provide the bash or the actual shell that I want I hit enter and you can see we have root privileges now so that's a much more of a you know better technique because we're essentially exploiting misconfigurations as I said uh kernel exploits do work uh quite a few times on Linux but when dealing with a new or modern systems or modern distributions uh with kernel versions over 4.5 uh kernel exploits are far and few in between so you really need to have a well a well-balanced approach in regards to what vectors you Target now when we talk about privileges collation on Linux uh there there's plenty of other techniques I'll probably be covering them in their own videos uh you know you can Elevate privileges uh by uh by exploiting a misconfigured cron jobs uh you can Elevate privileges by exploiting various Linux services so on and so forth but hopefully with this video you have an idea of how you can go about elevating Privileges and and what it comes down to essentially is understanding how your target has been configured uh what are what the limitations are and then of course uh essentially strategizing what Vector you want to use based on on the target configuration that being said that's going to be it for this video and I'll be seeing you in the next video

Info

Channel: HackerSploit

Views: 17,132

Rating: undefined out of 5

Keywords: hackersploit, hacker exploit, hacking, kali linux, linux red team, red team linux, linux privilege escalation, linux privilege escalation tryhackme, linux privilege escalation tutorial, privilege escalation, privilege escalation linux, linux kernel exploitation, red team, red teaming, what is a red team, red team exploitation, av evasion, linux privesc, red team kali linux, linux kernel exploit privilege escalation

Id: w2rElXYV2Fs

Channel Id: undefined

Length: 40min 42sec (2442 seconds)

Published: Fri Dec 30 2022