Crafting Custom Nuclei Templates for Linux Privilege Escalation Vulnerability Detection
Nuclei's extensible template engine provides a powerful mechanism for detecting Linux privilege escalation vulnerabilities, extending its utility beyond traditional web application scanning to versatile system auditing. This capability allows pentesters to codify common Linux misconfigurations, vulnerable software versions, and risky file permissions into automated checks, significantly streamlining the post-exploitation enumeration phase or proactive internal security assessments.

Nuclei Template Fundamentals for System Auditing
To identify privilege escalation vectors, Nuclei templates must interact directly with the operating system. This is primarily achieved through protocols like ssh for remote authenticated execution and exec for local command execution. Understanding their structure and how to leverage matchers for command output is crucial.
The ssh Protocol: Remote Authenticated Checks
When SSH credentials are available, the ssh protocol enables Nuclei to execute commands remotely on a target system and parse their output. This is invaluable for systematic enumeration across multiple hosts, allowing for checks against kernel versions, package installations, or specific file contents.
```yaml
id: linux-kernel-version-check

info:
  name: Linux Kernel Version Detection via SSH
  author: your-pentester-alias
  severity: info
  description: Detects the Linux kernel version by executing 'uname -r' over SSH, useful for identifying known kernel exploits.
  tags: privesc, linux, kernel, ssh, enumeration

ssh:
  - host: "{{Hostname}}"
    port: 22
    username: "pentestuser"
    password: "SecurePassword123!"  # Replace with actual credentials or {{ssh_key}} for key-based auth
    inputs:
      - command: "uname -r"
    matchers:
      - type: regex
        part: body
        regex:
          - '^(?:4\.4|4\.8|4\.9|4\.10|4\.13|4\.14|4\.15|4\.19|5\.0|5\.4|5\.5|5\.6)\.\d+-\d+'  # Example regex for specific vulnerable kernel series
        name: "vulnerable-kernel-series"
        description: "Potentially vulnerable Linux kernel series detected."
        tags: [critical, high, exploit-possible]
      - type: regex
        part: body
        regex:
          - '(\d+\.\d+\.\d+-\d+)'  # General kernel version extraction
        name: "kernel-version"
        description: "Extracted Linux kernel version."
        tags: [info, enumeration]
```
This template executes uname -r and attempts to match the output against a regex representing known vulnerable kernel series. A more general regex also captures the version for further manual analysis. Initial reconnaissance to identify exposed SSH services can be aided by tools like Zondex, which can help discover internet-facing services that Nuclei can then target with specific credentialed checks. When performing remote scans, especially against sensitive targets, ensuring a secure and encrypted channel is paramount. Utilizing a service like VPNWG provides robust VPN tunneling, safeguarding your traffic and maintaining operational security during engagements.
To run this template against a target:
```bash
nuclei -t linux-kernel-version-check.yaml -target ssh://target.example.com:22
```
Remember to adjust the host, port, username, and password fields, or use command-line arguments to pass credentials dynamically. For key-based authentication, specify {{ssh_key}} in the template and pass the path to your private key via the -priv-key flag with Nuclei.
The exec Protocol: Local System Assessment
The exec protocol is indispensable when Nuclei is deployed directly on a target system, acting as a local post-exploitation enumeration tool or during an internal assessment. It allows Nuclei to execute commands natively on the host where it's running, making it ideal for deep system checks that require local file system access or privilege context.
```yaml
id: local-suid-sgid-binary-detection

info:
  name: Local SUID/SGID Binary Scanner
  author: your-pentester-alias
  severity: high
  description: Identifies potentially exploitable SUID/SGID binaries on the local filesystem, indicating privilege escalation opportunities.
  tags: privesc, linux, suid, sgid, local, enumeration

exec:
  # The parentheses matter: without them find's -o binds only "-perm -2000" to
  # "-type f -exec ...", so SUID (4000) files would never reach ls. Because find
  # already restricts the listing to SUID/SGID files, no extra grep is needed.
  - command: "find / -type f \\( -perm -4000 -o -perm -2000 \\) -exec ls -ld {} \\; 2>/dev/null"
    matchers:
      - type: regex
        part: body
        regex:
          - '/usr/bin/nmap'  # Known SUID nmap exploit vector
          - '/usr/bin/perl'  # Potentially dangerous SUID perl
          - '/usr/bin/find'  # SUID find can bypass restrictions
          - '/usr/bin/bash'  # Dangerous SUID bash
          - '/usr/bin/vim'   # SUID vim can be exploited
          - '/usr/bin/less'  # SUID less can be exploited
          - '/usr/bin/more'  # SUID more can be exploited
          - '/php[0-9.]*$'    # SUID PHP interpreter (any version suffix)
          - '/python[0-9.]*$' # SUID Python interpreter
          - '/ruby[0-9.]*$'   # SUID Ruby interpreter
        condition: or
        name: "dangerous-suid-binary-found"
        description: "A potentially dangerous SUID/SGID binary was detected. Investigate for privilege escalation."
        tags: [critical, exploit]
```
This template executes a find command to locate all SUID/SGID binaries and then filters the output for specific, commonly exploitable binaries. The exec protocol doesn't require a target flag; it operates on the machine running Nuclei. To execute:
```bash
nuclei -t local-suid-sgid-binary-detection.yaml
```
The success of this template relies heavily on the environment variables and permissions of the user running Nuclei on the local system. For comprehensive vulnerability management that includes automated web security testing alongside internal network assessments, platforms like Secably can integrate Nuclei's custom templates to broaden detection capabilities, creating a more holistic security posture.
Detecting Writable Configuration Files (/etc/sudoers)
Misconfigured permissions on critical system files like /etc/sudoers can lead to straightforward privilege escalation. We can craft templates to check for overly permissive file permissions or specific dangerous entries.
```yaml
id: sudoers-file-permissions-check

info:
  name: Insecure Sudoers File Permissions
  author: your-pentester-alias
  severity: critical
  description: Checks if /etc/sudoers or files in /etc/sudoers.d/ have insecure world-writable permissions.
  tags: privesc, linux, sudoers, permissions, misconfiguration

ssh:  # Or 'exec' if running locally
  - host: "{{Hostname}}"
    port: 22
    username: "pentestuser"
    password: "SecurePassword123!"
    inputs:
      - command: "ls -la /etc/sudoers /etc/sudoers.d/ 2>/dev/null"
    matchers:
      - type: regex
        part: body
        regex:
          # A regular file whose "other" write bit is set (e.g. -rw-rw-rw-).
          # The ls mode field is 10 characters: file type, then rwx for owner,
          # group and other, so the world-write bit is the 9th character.
          # (?m) lets ^ anchor at every line of the multi-line ls output.
          - '(?m)^-[rwxsStT-]{7}w'
        name: "world-writable-sudoers"
        description: "/etc/sudoers or a file in /etc/sudoers.d/ has world-writable permissions. This is a critical misconfiguration."
        tags: [critical, exploit, file-permission]
      - type: regex
        part: body
        regex:
          - '(?:ALL|NOPASSWD): ALL'  # Matches common NOPASSWD or ALL directives; only meaningful if the command output includes file content
        name: "dangerous-sudoers-entry"
        description: "Potentially dangerous NOPASSWD or ALL directive found in sudoers file output."
        tags: [high, misconfiguration, rule-based]
```
This template combines a permission check with a rudimentary content check. The second matcher looks for `NOPASSWD` or `ALL` directives, but the output of `ls -la` contains only file metadata, not file content, so on its own it will not fire. For content analysis, a separate template executing `cat /etc/sudoers` or `grep -r 'NOPASSWD' /etc/sudoers.d/` is necessary, followed by specific regex matchers on that command's output.
Automating Cron Job Permission Checks
Weak permissions on cron job scripts can allow an unprivileged user to modify a script that is later executed by a more privileged user (e.g., root). Detecting such misconfigurations is a critical step in identifying privilege escalation paths.
```yaml
id: insecure-cron-job-permissions

info:
  name: Insecure Cron Job File Permissions
  author: your-pentester-alias
  severity: high
  description: Checks for world-writable cron job files in common directories, which can lead to privilege escalation.
  tags: privesc, linux, cron, permissions, misconfiguration

ssh:  # Or 'exec' if running locally
  - host: "{{Hostname}}"
    port: 22
    # username: "pentestuser"
    # password: "SecurePassword123!"
    inputs:
      # Finds world-writable regular files in common cron directories
      - command: "find /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron -type f -perm -o+w -exec ls -ld {} \\; 2>/dev/null"
    matchers:
      - type: regex
        part: body
        regex:
          # Regular file with the "other" write bit set (e.g. -rwxrwxrwx, -rw-rw-rw-);
          # (?m) lets ^ anchor at every line of the multi-line find/ls output.
          - '(?m)^-[rwxsStT-]{7}w'
        name: "world-writable-cron-script"
        description: "A world-writable cron job script was found. This could be exploited for privilege escalation."
        tags: [critical, exploit, file-permission, cron]
```
This template executes a find command to locate all world-writable files within common cron directories. The output is then analyzed for specific permission patterns. This approach helps identify scripts that could be modified by a low-privileged user to execute arbitrary commands as the cron job owner, often root.
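Before shipping templates like the three above, it pays to run their matchers over sample command output and confirm what they do and do not fire on. The following Python script is an added example (not code from the original article or from the Nuclei project) that applies the world-writable pattern from the sudoers and cron templates, an interpreter check for the SUID/SGID template, and the kernel-series regex from the first template to constructed `ls -ld` and `uname -r` output; the sample lines, file names and helper names are assumptions made for illustration.

```python
import re

# Patterns as Nuclei (Go RE2) would evaluate them. (?m) makes ^ match at the
# start of every line of a multi-line command body, not only the first line.
WORLD_WRITABLE_FILE = re.compile(r"(?m)^-[rwxsStT-]{7}w\S* .*$")
VULNERABLE_KERNEL_SERIES = re.compile(
    r"^(?:4\.4|4\.8|4\.9|4\.10|4\.13|4\.14|4\.15|4\.19|5\.0|5\.4|5\.5|5\.6)\.\d+-\d+")
INTERPRETER_RE = re.compile(r"/(?:php|python|perl|ruby|bash)[0-9.]*$")

def parse_mode(ls_line):
    """Decode the 10-char mode field of an `ls -ld` line into flags."""
    mode = ls_line.split(None, 1)[0]
    if len(mode) < 10:
        raise ValueError("not an ls -l mode field: %r" % mode)
    return {"setuid": mode[3] in "sS",          # owner execute slot
            "setgid": mode[6] in "sS",          # group execute slot
            "world_writable": mode[8] == "w"}   # other write slot

def world_writable_files(body):
    """Same check as the sudoers/cron regex matchers; returns matched paths."""
    return [m.group(0).rsplit(None, 1)[-1] for m in WORLD_WRITABLE_FILE.finditer(body)]

def risky_suid_sgid(body):
    """Setuid/setgid entries whose path is an interpreter or shell."""
    risky = []
    for line in body.splitlines():
        flags, path = parse_mode(line), line.rsplit(None, 1)[-1]
        if (flags["setuid"] or flags["setgid"]) and INTERPRETER_RE.search(path):
            risky.append(path)
    return risky

def kernel_in_flagged_series(uname_r):
    """True when `uname -r` output falls in one of the listed kernel series."""
    return VULNERABLE_KERNEL_SERIES.match(uname_r.strip()) is not None

# Constructed sample output (not captured from a real host).
SAMPLE_LS = """\
-r--r----- 1 root root  755 Jan  1 10:00 /etc/sudoers
-rw-rw-rw- 1 root root   42 Jan  1 10:00 /etc/sudoers.d/99-example
drwxrwxrwt 2 root root 4096 Jan  1 10:00 /tmp
-rwxrwxrwx 1 root root  200 Jan  1 10:00 /etc/cron.d/backup
"""
SAMPLE_SUID = """\
-rwsr-xr-x 1 root root 55528 Jan  1 10:00 /usr/bin/passwd
-rwsr-xr-x 1 root root  3500 Jan  1 10:00 /usr/bin/python3.8
-rwxr-xr-x 1 root root  9000 Jan  1 10:00 /usr/bin/true
"""
```

Note that the sticky world-writable directory /tmp is deliberately not reported: the leading `-` in the pattern restricts hits to regular files, which is what the sudoers and cron checks are after.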
By extending Nuclei's capabilities with custom templates targeting specific Linux privilege escalation vectors, pentesters gain a significant advantage in automating what would otherwise be a time-consuming manual enumeration process. These templates serve as modular field notes, encapsulating detection logic for rapid deployment across various engagements.