Linux Privilege Escalation
Basic Linux Privilege Escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Automated Enumeration
git clone https://github.com/rebootuser/LinEnum.git
./LinEnum.sh
git clone https://github.com/diego-treitos/linux-smart-enumeration
git clone https://github.com/pentestmonkey/unix-privesc-check.git
./unix-privesc-check
./unix-privesc-check standard > output.txt
Information Gathering
What's the OS? What version? What architecture?
cat /etc/issue
cat /etc/*-release
uname -i
lsb_release -a (Debian based OSs)
Who are we? Where are we?
id
whoami
pwd
Who uses the box? What users? (And which ones have a valid shell)
cat /etc/passwd
grep -vE "nologin|false" /etc/passwd
What's currently running on the box? What active network services are there?
ps aux
netstat -antup
What's installed? What kernel is being used?
dpkg -l (Debian based OSs)
rpm -qa (CentOS / openSUSE)
uname -a
Check sudo access
$ sudo -l
[sudo] password for Hades:
Matching Defaults entries for pentesterlab on 7358cafc3ebe:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
(victim) /bin/bash
Mix cp/chown and chmod
https://www.adampalmer.me/iodigitalsec/2009/10/03/linux-c-setuid-setgid-tutorial/
https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
sudo -l
Matching Defaults entries for Hades:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
(victim) /bin/chmod, /bin/cp
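The same listing is what an administrator reviews when auditing sudoers grants. The script below is an added example, not part of the original page: it parses `sudo -l` output and reports grants of the binaries named in the listings above. `REVIEW_LIST`, `audit_sudo_l` and `page_sample` are names chosen here, and the list is an assumption to extend locally.

```shell
#!/bin/sh
# Added example, not from the original page. REVIEW_LIST is an assumption:
# it holds only the binaries this page's sudo listings mention.
REVIEW_LIST="bash chmod cp chown"

# Reads `sudo -l` output on stdin and prints one line per granted command
# that deserves review: "<runas>\t<command>\tnopasswd=<yes|no>".
audit_sudo_l() {
    awk -v list="$REVIEW_LIST" '
    BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) review[names[i]] = 1 }
    # Grant entries follow the "may run the following commands" line.
    /may run the following commands/ { in_grants = 1; next }
    !in_grants { next }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line !~ /^\(/) next               # entry: (runas) [TAG:] cmd, cmd
        runas = line; sub(/\).*$/, "", runas); sub(/^\(/, "", runas)
        cmds = line;  sub(/^\([^)]*\)[ \t]*/, "", cmds)
        nopass = "no"                          # tags persist until overridden
        m = split(cmds, parts, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            p = parts[j]
            while (match(p, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(p, 1, RLENGTH); sub(/:[ \t]*$/, "", tag)
                if (tag == "NOPASSWD") nopass = "yes"
                if (tag == "PASSWD") nopass = "no"
                p = substr(p, RLENGTH + 1)
            }
            split(p, words, " "); path = words[1]
            base = path; sub(/^.*\//, "", base)
            if ((base in review) || path == "ALL")
                printf "%s\t%s\tnopasswd=%s\n", runas, path, nopass
        }
    }'
}

# The second sudo listing from this page, reused as sample input.
page_sample() {
    cat <<'EOF'
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp
EOF
}

page_sample | audit_sudo_l
```

Run as root, `sudo -l -U <user> | audit_sudo_l` applies the same review to each account on a host.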
Check Scheduled Tasks
https://github.com/DominicBreuker/pspy
ls -lah /etc/cron*
cat /etc/crontab
Readable/Writable Files and Directories
find / -writable -type d 2>/dev/null
Check history, bashrc, backup
find / -name "*history*" 2>/dev/null
find / -name "*bashrc*" -exec grep password {} \; 2>/dev/null
Binaries That AutoElevate
find / -perm -u=s -type f 2>/dev/null
Unmounted Disks
cat /etc/fstab
/bin/lsblk
mount
lsmod
/sbin/modinfo libata