# Linux Privilege Escalation

## Basic Linux Privilege Escalation

<https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/>

## Automated Enumeration

```
git clone https://github.com/rebootuser/LinEnum.git
cd LinEnum

./LinEnum.sh
```

```
git clone https://github.com/diego-treitos/linux-smart-enumeration
```

```
git clone https://github.com/pentestmonkey/unix-privesc-check.git
cd unix-privesc-check

./unix-privesc-check
./unix-privesc-check standard > output.txt
```

## Information Gathering

1. What's the OS? What version? What architecture?

   ```bash
   cat /etc/issue
   cat /etc/*-release
   uname -i
   lsb_release -a   # Debian-based OSs
   ```
2. Who are we? Where are we?

   ```bash
   id
   whoami
   pwd
   ```
3. Who uses the box? What users? (And which ones have a valid shell)

   ```bash
   cat /etc/passwd
   grep -vE "nologin|false" /etc/passwd
   ```
4. What's currently running on the box? What active network services are there?

   ```bash
   ps aux
   netstat -antup
   ```
5. What's installed? What kernel is being used?

   ```bash
   dpkg -l   # Debian-based OSs
   rpm -qa   # CentOS / openSUSE
   uname -a
   ```

## Check sudo access

[https://gtfobins.github.io](https://gtfobins.github.io/)

```
$ sudo -l
[sudo] password for Hades: 
Matching Defaults entries for pentesterlab on 7358cafc3ebe:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/bash
```

### Mix cp/chown and chmod

<https://www.adampalmer.me/iodigitalsec/2009/10/03/linux-c-setuid-setgid-tutorial/>

<https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/>

```
sudo -l
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp
```

## Check Scheduled Tasks

<https://github.com/DominicBreuker/pspy>

```
ls -lah /etc/cron*
cat /etc/crontab
```

## Readable/Writable Files and Directories

```
find / -writable -type d 2>/dev/null
```

## Check history, bashrc, backup

```
find / -name "*history*" 2>/dev/null
find / -name "*bashrc*" -exec grep password {} \; 2>/dev/null
```

## Binaries That AutoElevate

```
find / -perm -u=s -type f 2>/dev/null
```
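The setuid search above is a point-in-time snapshot; what a defender usually wants is to know when a new auto-elevating binary appears. The script below is an added example, not part of the original cheat-sheet: it records a baseline of setuid/setgid files and reports newcomers on later runs. The baseline path and the cron usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): baseline the setuid/setgid
# binaries on a host and flag any that show up later. The find expression
# mirrors the page's `find / -perm -u=s -type f` check and also catches
# setgid files. Paths in the usage note are assumptions for the demo.

# list_setuid ROOT
# Print, sorted, every regular file under ROOT with the setuid or setgid bit set.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_setuid BASELINE_FILE ROOT
# Print setuid/setgid files under ROOT that are absent from BASELINE_FILE
# (BASELINE_FILE must be the sorted output of an earlier list_setuid run;
# comm needs both inputs sorted).
new_setuid() {
    list_setuid "$2" | comm -13 "$1" -
}

# check_setuid BASELINE_FILE ROOT
# Return 0 when nothing new turned up; otherwise list the newcomers on stderr
# and return 1 so the caller (cron, a monitoring agent) can alert.
check_setuid() {
    found=$(new_setuid "$1" "$2")
    [ -z "$found" ] && return 0
    printf 'new setuid/setgid files:\n%s\n' "$found" >&2
    return 1
}

# Typical use (assumed paths): record once, then re-check periodically.
#   list_setuid / > /var/lib/setuid.baseline
#   check_setuid /var/lib/setuid.baseline / || logger -t setuid-check "new setuid binary found"
```

Rebuild the baseline after package upgrades, since legitimate updates can add or rename setuid binaries.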

## Unmounted Disks

```
cat /etc/fstab
/bin/lsblk
mount
```

## Loaded Kernel Modules

```
lsmod
/sbin/modinfo libata
```
