Linux has been around for quite some time now, and several distributions have been spun off the original kernel over the years. Each distribution and kernel will have its own exploits, but the general concepts and ideas remain the same across distributions. First it is important to understand how the Linux OS works in a general sense, so that the later exploits have some context as to what they do and why they work.
The Linux Kernel
The Kernel is the heart and backbone of the Linux operating system. It is what the entire operating system sits on. The kernel interacts with the hardware directly and handles input and outputs to the system. It also handles and allocates the use of memory for the system. Other responsibilities of the kernel include the handling of file system drivers, device drivers, network stack, network schedule, security modules, and process schedulers. In simplest terms, the kernel is the lowest level of software that interacts with the hardware. When you plug in a keyboard to your computer, the kernel will register the keyboard as a new input device for the operating system.
A shell is often referred to as the command line. There are multiple different shells available on Linux. A shell essentially takes input from a user via an input device like a keyboard and sends the commands to the operating system to execute. Today there are graphical user interfaces for users to interact with, but a while ago a shell was the only way you could interact with the underlying operating system and issue commands. The most common shell in use today is the bash shell, which is an improved version of the sh shell originally created by Steve Bourne. Bash stands for “Bourne Again Shell”. The shell is a crucial part of the operating system because it is how changes and commands are issued to the operating system.
Files and Processes
The entire Linux operating system is built off of files and processes. A file is exactly what it sounds like. It is a set of data that is stored on the file system. A process is a program that is running in memory and has a unique process identifier attached to it. This concept is important to understand early on. All privilege escalation attacks will be targeting either files, or processes on the operating system.
A daemon is a process that simply runs in the background. Generally, it is started upon boot up of the system and remains running until manually terminated, or upon shutdown of the machine. Examples of Linux daemons include SSH services, network connections, cronjobs, logging, etc. Daemons are an important concept to understand because sometimes daemons are running with higher privileges than necessary, and if exploited, the attacker can obtain whatever privilege the daemon was running as. In my experience, the most common daemon that is exploited is the crond daemon. The crond daemon runs automated tasks created by various users of the system. Sometimes these tasks are created insecurely, leading to a privilege escalation attack.
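Auditing a system crontab for the insecurely created tasks described above is something a defender can script. As an added example that is not part of the original text, the following Python reads entries in /etc/crontab format (the sample lines and the temporary directory tree it builds are constructed for the demonstration) and reports any job whose command file is writable by group or others, or does not exist at all.

```python
import os
import re
import stat
import tempfile

# Constructed sample in /etc/crontab format: five time fields, the user the
# job runs as, then the command. Example data only, not from a real host.
SAMPLE_CRONTAB = """\
*/5 * * * * root  /opt/backup/run.sh
0 3 * * *   root  /usr/local/bin/rotate-logs
* * * * *   alice /home/alice/cleanup.sh
"""
CRON_ENTRY = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(\S+)")  # 5 time fields, user, command

def parse_system_crontab(text):
    """Return (user, command_path) for every non-comment crontab line."""
    lines = (raw.strip() for raw in text.splitlines())
    matches = (CRON_ENTRY.match(l) for l in lines if l and not l.startswith("#"))
    return [(m.group(1), m.group(2)) for m in matches if m]

def check_target(path):
    """Classify a cron command path by who else could change what it runs."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"  # a job pointing at nothing deserves a look too
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return "ok"

def audit_crontab(text, root="/"):
    """Map each command to (user, finding); `root` lets the audit run on a copied tree."""
    return {cmd: (user, check_target(os.path.join(root, cmd.lstrip("/"))))
            for user, cmd in parse_system_crontab(text)}

def build_sample_tree():
    """Throwaway tree for SAMPLE_CRONTAB: one safe script, one world-writable, one missing."""
    root = tempfile.mkdtemp()
    for rel, mode in (("opt/backup/run.sh", 0o777), ("usr/local/bin/rotate-logs", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        open(path, "w").write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for cmd, (user, finding) in audit_crontab(SAMPLE_CRONTAB, build_sample_tree()).items():
        print(f"{finding:15} {user:6} {cmd}")
```

On a real host, run `audit_crontab(open("/etc/crontab").read())` and treat any root job whose target is writable by anyone other than root as a finding to fix.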
An entire book could be written about the file system on Linux, but to keep it simple, I will only talk about the main groups of files in the Linux operating system.
/ – The Root Directory
This is the root directory of the Linux file system. It is the equivalent of the C:\ directory on Windows.
/bin – Essential User Binaries
This directory holds user binaries (programs) that are essential when the system is running.
/boot – Static Boot Files
This directory contains files that are necessary to boot the Linux operating system.
/media – Temporary Media Mount
Any time a CD or USB is mounted on the system, it should generally be mounted here.
/mnt – Mount Point
Generally this is a temporary location for external file system mounts, although file systems can be mounted anywhere the user has access.
/dev – Device Files
This directory shows devices that are attached to the system such as hard drives. This directory also contains pseudo-devices that aren’t actual devices, but are instead virtual devices. /dev/null is an example of a virtual “device” that discards any input sent to it.
/etc – Configuration Files
This directory holds configuration files for the entire system.
/home – Home Folders
This directory contains the home folders for all the users on the system. User specific data and user specific configuration files are stored here as well.
/lib – Essential Shared Libraries
This directory contains the shared libraries the system relies on. Programs running on the operating system have library dependencies, and those libraries are stored here.
/lost+found – Recovered Files
When the file system crashes, the operating system will do a check of the files on the next boot. Any files found to be corrupt will be placed here in this directory.
/opt – Optional Packages
This is generally where third-party software is placed when it doesn’t follow the typical Linux file system hierarchy.
/proc – Kernel and Processes
This directory doesn’t actually exist on disk. This is a directory that is created and run in memory. It provides information about the operating system and processes running on it.
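The process information under /proc is easy to read programmatically. As an added example not taken from the original text, the Python below parses the Name, Pid and Uid fields of a /proc/<pid>/status file (the status excerpt and the fake /proc tree are constructed for the demonstration) and lists the processes whose effective uid is 0, a quick way to find the daemons running as root that the earlier section warns about.

```python
import os
import tempfile

# Constructed excerpt of a /proc/<pid>/status file (the real file has many
# more fields); Name, Pid and Uid are the ones this example reads.
SAMPLE_STATUS = """\
Name:\tcron
State:\tS (sleeping)
Pid:\t812
PPid:\t1
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
"""

def parse_status(text):
    """Return name, pid, real uid and effective uid from a status file's text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.strip()
    uid = fields["Uid"].split()  # real, effective, saved, filesystem uid
    return {"name": fields["Name"], "pid": int(fields["Pid"]),
            "uid": int(uid[0]), "euid": int(uid[1])}

def root_processes(proc="/proc"):
    """Walk a /proc tree and list (pid, name) of processes whose effective uid is 0."""
    found = []
    for entry in os.listdir(proc):
        if not entry.isdigit():  # only the numeric directories are processes
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                found.append(parse_status(fh.read()))
        except OSError:
            continue  # the process exited while we were looking, or is unreadable
    return sorted((p["pid"], p["name"]) for p in found if p["euid"] == 0)

def build_fake_proc():
    """Throwaway /proc look-alike: the root-owned cron above plus an unprivileged shell."""
    root = tempfile.mkdtemp()
    user_shell = SAMPLE_STATUS.replace("cron", "bash").replace("812", "4102")
    user_shell = user_shell.replace("Uid:\t0\t0\t0\t0", "Uid:\t1000\t1000\t1000\t1000")
    for pid, text in (("812", SAMPLE_STATUS), ("4102", user_shell)):
        os.mkdir(os.path.join(root, pid))
        with open(os.path.join(root, pid, "status"), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    print(root_processes(build_fake_proc()))  # pass nothing to read the live /proc
```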
/root – Root Home Directory
This is the home directory of the root user.
/sbin – System Administration Binaries
Similar to the /bin directory, but the /sbin directory contains system binaries that are essential to the system and are run by the root user.
/tmp – Temporary Files
Temporary files can be stored here by users or applications. Files here are deleted on restart. By default, the /tmp folder is world writable, so it is a common place for attackers to stage exploits and downloaded files.
/usr – User Binaries
This directory contains read-only applications and files. These are generally non-essential to the operating system. By contrast, /bin contains essential binaries for the operating system.