It is Quite Easy To Privilege Escalate Into Any Linux Machine Once You Gain Access (Ubuntu or CentOS) And Become The King (root)
Nathan Chan
Cyber Security Analyst, The Cyber Shepherd, OSINT King. | APT Malware Researcher
Have been working on labs. :) It has been a rewarding experience, since I have almost mastered all the Linux privilege escalation boxes.
Tips for security: Make sure you secure the shadow and passwd files, in case a hacker wants to pwn your machine. It is actually "not that hard" to do. Once there are misconfigurations in just one machine, the attacker can come in.
First, check whether you are additionally giving your attacker more room to attack.
find / -type f -perm -04000 -ls 2>/dev/null
is a command you can type into Linux to list every file with the SUID bit set. A SUID file runs with the privileges of its owner, so a root-owned SUID file hands root permissions to every ordinary user who runs it.
Also, check your cron jobs, and make sure they are secure as well. An attacker who can manipulate your cron jobs or overwrite the existing ones can use them to get root access.
Run sudo -l to make sure you aren't giving extra access to anybody except the admins that you trust. Also, make sure that your sudoers file is locked down and secure from anyone's modification.
normaluser@box:/scripts$ sudo -l
sudo -l
Matching Defaults entries for normaluser on box:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User normaluser may run the following commands on box:
    (normaluser) NOPASSWD: ALL
The sudo -l output above shows that any normal user can run any command as root, such as:
sudo bash ---> to gain an elevated prompt.
Any hacker can modify that file and gain root privileges.
Also, be sure to lock down the shadow and passwd files.
Once your shadow or passwd file is compromised, or writable, a hacker is in. Remember that all a hacker has to do is remove the x or * and write in a new password hash, such as md5crypt or sha512crypt, generated by openssl using the following command:
openssl passwd -1
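An added example, not part of the original article: a read-only audit script for the checks described above (loose modes on passwd, shadow and sudoers, a hash sitting in the passwd password field instead of the x or * placeholder, cron files others can write, NOPASSWD sudo rules). The function names, the optional root-prefix argument and the allowed modes 644/640/440 are assumptions of this example, and it assumes GNU stat as shipped on Ubuntu and CentOS.

```shell
#!/bin/sh
# Added example: read-only audit of the files discussed in the article.
# Assumptions: GNU stat; allowed modes 644/640/440; optional ROOT prefix
# so the checks can run against a mounted image or a test tree.

# Report FILE if it grants any permission bit outside ALLOWED (octal).
check_mode() {
    file=$1; allowed=$2
    [ -e "$file" ] || return 0
    mode=$(stat -c '%a' "$file") || return 0
    extra=$(( 0$mode & ~0$allowed & 07777 ))
    [ "$extra" -eq 0 ] ||
        printf 'LOOSE_MODE %s mode=%s allowed=%s\n' "$file" "$mode" "$allowed"
}

# Report passwd accounts whose password field is not the x or * placeholder,
# meaning a hash (or an empty password) is stored in passwd itself.
check_passwd_fields() {
    [ -r "$1" ] || return 0
    awk -F: 'NF > 1 && $2 != "x" && $2 != "*" { print "PASSWD_FIELD " $1 }' "$1"
}

# Report cron files and directories that group or others can write.
check_cron_writable() {
    find "$1/etc/crontab" "$1/etc/cron.d" "$1/etc/cron.daily" \
         "$1/etc/cron.hourly" "$1/var/spool/cron" \
         ! -type l \( -perm -020 -o -perm -002 \) 2>/dev/null |
        sed 's/^/CRON_WRITABLE /'
}

# Report uncommented NOPASSWD rules (reading sudoers needs root).
check_sudo_nopasswd() {
    grep -HnE '^[^#]*NOPASSWD' "$1/etc/sudoers" "$1"/etc/sudoers.d/* \
        2>/dev/null | sed 's/^/SUDO_NOPASSWD /'
}

audit() {
    root=${1%/}
    check_mode "$root/etc/passwd" 644
    check_mode "$root/etc/shadow" 640
    check_mode "$root/etc/sudoers" 440
    check_passwd_fields "$root/etc/passwd"
    check_cron_writable "$root"
    check_sudo_nopasswd "$root"
    return 0
}

audit "${1:-/}"
```

Run it as root with no argument to audit the live system; every line it prints is a finding to review, and no output means none of these checks fired.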
Once the hacker is in, you are basically compromised. So, defense in depth is key to success and security. Of course, GOD is the king of your castle (even if you may not believe in Him).