Chapter 15 Exercises: Linux Exploitation and Privilege Escalation

⚖️ Legal Note: All exercises must be performed on systems you own or have explicit authorization to test. Use your Student Home Lab or platforms like TryHackMe/HackTheBox.

Exercise 1: SUID Binary Enumeration and Analysis

Difficulty: Beginner | Time: 20 minutes

On your Student Home Lab Linux VM, perform a complete SUID/SGID enumeration.

  1. Use find to locate all SUID binaries on the system.
  2. Cross-reference each binary against GTFOBins (https://gtfobins.github.io/).
  3. For any custom (non-standard) SUID binaries found, use strings and ltrace to analyze their behavior.
  4. Document which binaries are default/expected and which are potentially exploitable.

Deliverable: A table listing each SUID binary, whether it appears in GTFOBins, and the exploitation method if applicable.

Exercise 2: Kernel Vulnerability Assessment

Difficulty: Beginner | Time: 15 minutes

Using your lab VM, perform a kernel vulnerability assessment.

  1. Record the exact kernel version using uname -a and cat /proc/version.
  2. Run Linux Exploit Suggester against the system.
  3. For each suggested exploit, research whether the specific kernel build is actually vulnerable (consider distribution backports).
  4. Create a risk matrix showing each potential exploit, its likelihood of success, and its potential impact on system stability.

Deliverable: A kernel vulnerability assessment report with risk ratings.

Exercise 3: Cron Job Exploitation Lab

Difficulty: Intermediate | Time: 30 minutes

Set up a vulnerable cron job scenario on your lab VM and exploit it.

  1. As root, create a script /opt/scripts/backup.sh that runs tar czf /backup/data.tar.gz /var/www.
  2. Add a cron entry: * * * * * root /opt/scripts/backup.sh.
  3. Make the script world-writable: chmod 777 /opt/scripts/backup.sh.
  4. Switch to a low-privilege user and exploit the writable cron script to escalate to root.
  5. Repeat the exercise using PATH hijacking instead of direct script modification.

Deliverable: Screenshot proof of root access obtained through both methods, plus a remediation report.

Exercise 4: PATH Hijacking Challenge

Difficulty: Intermediate | Time: 25 minutes

Create and exploit a PATH hijacking vulnerability.

  1. Write a simple C program that calls system("date") without the full path.
  2. Compile it and set the SUID bit (as root).
  3. As a low-privilege user, exploit the PATH hijacking vulnerability.
  4. Modify the C program to use the absolute path /usr/bin/date and verify the fix prevents exploitation.

Deliverable: Source code for both vulnerable and fixed versions, plus exploitation proof.

Exercise 5: Capabilities Exploitation

Difficulty: Intermediate | Time: 20 minutes

Explore Linux capabilities as a privilege escalation vector.

  1. As root, assign cap_setuid+ep to /usr/bin/python3.
  2. As a low-privilege user, exploit this capability to gain root.
  3. Remove the capability and instead assign cap_dac_read_search+ep.
  4. Exploit this to read /etc/shadow and crack a password hash.
  5. Document the differences between these two capability-based attacks.

Deliverable: Step-by-step exploitation documentation for both capabilities.

Exercise 6: Container Escape Lab

Difficulty: Advanced | Time: 45 minutes

Practice container escape techniques.

  1. Install Docker on your lab VM.
  2. Run a container with the Docker socket mounted: docker run -v /var/run/docker.sock:/var/run/docker.sock -it ubuntu.
  3. From inside the container, install the Docker CLI and escape to the host.
  4. Run a privileged container: docker run --privileged -it ubuntu.
  5. From inside, escape by mounting the host filesystem.
  6. Document the indicators that reveal you are inside a container.

Deliverable: Container escape documentation with screenshots and indicators of compromise.

Exercise 7: Automated Enumeration Comparison

Difficulty: Beginner | Time: 30 minutes

Compare the output of different automated enumeration tools.

  1. Run LinPEAS on your lab VM and save the output.
  2. Run Linux Smart Enumeration (LSE) at all three verbosity levels.
  3. Run linuxprivchecker.
  4. Compare the findings across all three tools.
  5. Identify any findings that one tool caught but others missed.

Deliverable: A comparative analysis document showing the strengths and gaps of each tool.

Exercise 8: Sudo Abuse Techniques

Difficulty: Intermediate | Time: 30 minutes

Practice exploiting sudo misconfigurations.

  1. Configure the following sudo entries for a test user (one at a time): - (root) NOPASSWD: /usr/bin/vim - (root) NOPASSWD: /usr/bin/find - (root) NOPASSWD: /usr/bin/less - (root) NOPASSWD: /usr/bin/python3 - (root) NOPASSWD: /usr/bin/env
  2. For each entry, escalate to root using the GTFOBins technique.
  3. For each entry, write a remediation recommendation.

Deliverable: Exploitation proof for each sudo entry plus remediation guidance.

Exercise 9: Writable /etc/passwd Exploitation

Difficulty: Beginner | Time: 15 minutes

Exploit writable /etc/passwd to add a root user.

  1. Create a backup of /etc/passwd.
  2. Make /etc/passwd writable by your test user (as root).
  3. As the test user, generate a password hash using openssl passwd -1 -salt hacker MyPassword.
  4. Add a new line to /etc/passwd with UID 0 and the generated hash.
  5. Switch to the new user and verify root access.
  6. Restore the original /etc/passwd and fix permissions.

Deliverable: Documentation of the exploitation process and the password hash format.

Exercise 10: LD_PRELOAD Exploitation

Difficulty: Advanced | Time: 30 minutes

Exploit LD_PRELOAD for privilege escalation.

  1. Configure sudoers to preserve LD_PRELOAD: Defaults env_keep += "LD_PRELOAD".
  2. Grant a test user sudo access to a harmless command (e.g., /usr/bin/id).
  3. Write a malicious shared library that spawns a root shell.
  4. Compile it as a shared object and use LD_PRELOAD with the sudo command.
  5. Remove the LD_PRELOAD from env_keep and verify the fix.

Deliverable: Source code for the malicious shared library and exploitation proof.

Exercise 11: Wildcard Injection Attack

Difficulty: Advanced | Time: 25 minutes

Exploit wildcard expansion in a cron job using tar.

  1. Create a cron job that runs cd /var/www/html && tar czf /backup/web.tar.gz * as root.
  2. As a low-privilege user with write access to /var/www/html, create files named: - --checkpoint=1 - --checkpoint-action=exec=sh privesc.sh
  3. Create privesc.sh with a payload.
  4. Wait for the cron job and verify execution.

Deliverable: Explanation of why wildcard injection works and defensive measures.

Exercise 12: NFS Root Squashing Bypass

Difficulty: Intermediate | Time: 25 minutes

Exploit NFS misconfigurations.

  1. Set up an NFS share with no_root_squash enabled.
  2. From a remote machine, mount the share as root.
  3. Create a SUID binary on the share.
  4. Access the SUID binary from the target and escalate privileges.
  5. Fix the configuration by removing no_root_squash.

Deliverable: NFS exploitation documentation and secure configuration guide.

Exercise 13: Python Script for Linux Enumeration

Difficulty: Intermediate | Time: 45 minutes

Write a Python script that automates Linux privilege escalation enumeration.

  1. The script should check: SUID binaries, capabilities, cron jobs, writable directories, sudo permissions, and kernel version.
  2. Color-code output by severity (use ANSI escape codes).
  3. Cross-reference SUID binaries against a built-in GTFOBins database.
  4. Output results in both human-readable and JSON format.

Reference: See code/example-01-linux-enum.py for a starting framework.

Deliverable: Working Python script with sample output.

Exercise 14: Shared Library Hijacking

Difficulty: Advanced | Time: 30 minutes

Exploit a missing shared library in a SUID binary.

  1. Create a simple C program that loads a shared library from a non-standard path.
  2. Compile it, set SUID, and remove the library.
  3. Verify the binary attempts to load the missing library using strace.
  4. Create a malicious library at the expected path.
  5. Execute the SUID binary and verify code execution.

Deliverable: Source code for both the binary and the malicious library, plus exploitation walkthrough.

Exercise 15: Complete Privilege Escalation Challenge

Difficulty: Advanced | Time: 60 minutes

Set up a multi-layered privilege escalation scenario.

  1. Create a VM with at least three different privilege escalation vectors (e.g., SUID binary, writable cron, misconfigured capability).
  2. Create a low-privilege user.
  3. Challenge a partner to find and exploit all three vectors.
  4. Time the exercise and compare approaches.
  5. Write a penetration test report documenting all findings.

Deliverable: Full penetration test report with executive summary, technical findings, evidence, and remediation recommendations.

Exercise 16: Restricted Shell Escape

Difficulty: Intermediate | Time: 20 minutes

Practice escaping restricted shell environments.

  1. Configure rbash for a test user.
  2. Attempt to escape using at least three different methods (vim, awk, python, ssh, etc.).
  3. Document which methods work and which are blocked.
  4. Configure additional restrictions and test again.

Deliverable: Table of escape methods tested with success/failure status.

🔵 Blue Team Exercise: Hardening Challenge

Difficulty: Intermediate | Time: 45 minutes

Harden a Linux system against all privilege escalation vectors covered in this chapter.

  1. Audit and remove unnecessary SUID bits.
  2. Review and fix cron job permissions.
  3. Remove dangerous capabilities.
  4. Configure sudo with least privilege.
  5. Enable and configure AppArmor or SELinux.
  6. Set up auditd rules to detect privilege escalation attempts.
  7. Run LinPEAS and verify minimal findings.

Deliverable: Hardening checklist with before/after comparison.