Linux Privilege Escalation

Basic Linux Privilege Escalation

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Automated Enumeration

git clone https://github.com/rebootuser/LinEnum.git

./LinEnum.sh
git clone https://github.com/diego-treitos/linux-smart-enumeration
git clone https://github.com/pentestmonkey/unix-privesc-check.git

./unix-privesc-check
./unix-privesc-check standard > output.txt

Information Gathering

  1. What's the OS? What version? What architecture?

    cat /etc/issue
    cat /etc/*-release
    uname -i
    lsb_release -a    # Debian-based OSs
  2. Who are we? Where are we?

    id
    whoami
    pwd
  3. Who uses the box? What users? (And which ones have a valid shell)

    cat /etc/passwd
    grep -vE "nologin|false" /etc/passwd
  4. What's currently running on the box? What active network services are there?

    ps aux
    netstat -antup
  5. What's installed? What kernel is being used?

    dpkg -l    # Debian-based OSs
    rpm -qa    # CentOS / openSUSE
    uname -a

Check sudo access

https://gtfobins.github.io

$ sudo -l
[sudo] password for Hades: 
Matching Defaults entries for pentesterlab on 7358cafc3ebe:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/bash

Mix cp/chown and chmod

https://www.adampalmer.me/iodigitalsec/2009/10/03/linux-c-setuid-setgid-tutorial/

https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

sudo -l
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp
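
Added example (not from the original page): a POSIX shell filter for auditing `sudo -l` output in the format of the two listings above, marking grants of the binaries those listings delegate so they can be reviewed. `REVIEW_LIST`, the function names and the `systemctl` sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: review list holds only the binaries the page's listings delegate.
# Extend it to match your own sudoers policy.
REVIEW_LIST="/bin/bash /bin/chmod /bin/cp"

# Reads `sudo -l` output on stdin and prints one line per granted command:
#   run-as user <TAB> command <TAB> review|ok
audit_sudo_l() {
  in_rules=0
  while IFS= read -r line; do
    case "$line" in
      *"may run the following commands"*) in_rules=1; continue ;;
    esac
    [ "$in_rules" -eq 1 ] || continue
    # Rule lines look like: "    (victim) /bin/chmod, /bin/cp"
    case "$line" in
      *"("*") "*) ;;
      *) continue ;;
    esac
    runas=${line#*\(}
    runas=${runas%%\)*}
    rest=${line#*\) }
    # One command per line; commas escaped inside arguments are not handled.
    printf '%s\n' "$rest" | tr ',' '\n' | while read -r cmd; do
      # Drop leading tags such as "NOPASSWD: " or "SETENV: ".
      while :; do
        case "$cmd" in
          [A-Z]*:\ *) cmd=${cmd#*: } ;;
          *) break ;;
        esac
      done
      [ -n "$cmd" ] || continue
      bin=${cmd%% *}
      case " $REVIEW_LIST ALL " in
        *" $bin "*) verdict=review ;;
        *) verdict=ok ;;
      esac
      printf '%s\t%s\t%s\n' "$runas" "$cmd" "$verdict"
    done
  done
}

# Sample input: the page's second listing plus one constructed (root) line.
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp
    (root) NOPASSWD: /usr/bin/systemctl status nginx
EOF
}
sample_sudo_l | audit_sudo_l
```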

Check Scheduled Tasks

https://github.com/DominicBreuker/pspy

ls -lah /etc/cron*
cat /etc/crontab

Readable/Writable Files and Directories

find / -writable -type d 2>/dev/null

Check history, bashrc, backup

find / -name "*history*" 2>/dev/null
find / -name "*bashrc*" -exec grep password {} \; 2>/dev/null

Binaries That AutoElevate

find / -perm -u=s -type f 2>/dev/null

Unmounted Disks

cat /etc/fstab
/bin/lsblk
mount

lsmod
/sbin/modinfo libata
