
Linux Privilege Escalation

Last updated 4 years ago

Basic Linux Privilege Escalation

Automated Enumeration

git clone https://github.com/rebootuser/LinEnum.git

./LinEnum.sh
git clone https://github.com/diego-treitos/linux-smart-enumeration
git clone https://github.com/pentestmonkey/unix-privesc-check.git

./unix-privesc-check
./unix-privesc-check standard > output.txt

Information Gathering

  1. What's the OS? What version? What architecture?

    cat /etc/issue
    cat /etc/*-release
    uname -i
    lsb_release -a    # Debian-based OSs
  2. Who are we? Where are we?

    id
    whoami
    pwd
  3. Who uses the box? What users? (And which ones have a valid shell)

    cat /etc/passwd
    grep -vE "nologin|false" /etc/passwd
  4. What's currently running on the box? What active network services are there?

    ps aux
    netstat -antup
  5. What's installed? What kernel is being used?

    dpkg -l    # Debian-based OSs
    rpm -qa    # CentOS / openSUSE
    uname -a

Check sudo access

$ sudo -l
[sudo] password for Hades: 
Matching Defaults entries for pentesterlab on 7358cafc3ebe:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/bash

Mix cp/chown and chmod

sudo -l
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp
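
For a sudoers review, listings like the two above can be triaged mechanically. The script below is an added example, not part of the original page: the function names, the RISKY_BINS list and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage `sudo -l` output (read on stdin) during a sudoers review.
# RISKY_BINS is this example's assumption, taken from the page's two listings:
# shells, plus the cp/chown/chmod group.
RISKY_BINS="sh bash dash zsh cp chmod chown"

# Prints one line per granted command: verdict<TAB>run-as<TAB>command
audit_sudo_l() {
    awk -v risky="$RISKY_BINS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /may run the following commands/ { in_list = 1; next }
    in_list && /^[ \t]+\(/ {
        line = $0
        sub(/^[ \t]+/, "", line)
        rp = index(line, ")")
        runas = substr(line, 2, rp - 2)        # text inside the parentheses
        cmds = substr(line, rp + 1)
        gsub(/[A-Z_]+:[ \t]*/, "", cmds)       # drop tags such as NOPASSWD:
        m = split(cmds, c, ",")
        for (j = 1; j <= m; j++) {
            cmd = c[j]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            if (cmd == "") continue
            split(cmd, w, " ")                 # w[1] is the binary path
            k = split(w[1], p, "/")            # p[k] is its basename
            verdict = (cmd == "ALL" || (p[k] in bad)) ? "REVIEW" : "ok"
            printf "%s\t%s\t%s\n", verdict, runas, cmd
        }
    }'
}

# Constructed sample: the page's two grants plus one invented narrow grant.
sample_listing() {
    printf '%s\n' \
        'Matching Defaults entries for Hades:' \
        '    secure_path=/usr/local/sbin\:/usr/local/bin' \
        'User Hades may run the following commands:' \
        '    (victim) /bin/chmod, /bin/cp' \
        '    (victim) /bin/bash' \
        '    (root) NOPASSWD: /usr/bin/systemctl status nginx'
}

sample_listing | audit_sudo_l
```

On a live host the same function takes real input with sudo -l | audit_sudo_l.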

Check Scheduled Tasks

ls -lah /etc/cron*
cat /etc/crontab

Readable/Writable Files and Directories

find / -writable -type d 2>/dev/null

Check history, bashrc, backup

find / -name "*history*" 2>/dev/null
find / -name "*bashrc*" -exec grep password {} \; 2>/dev/null

Binaries That AutoElevate

find / -perm -u=s -type f 2>/dev/null

Unmounted Disks

cat /etc/fstab
/bin/lsblk
mount

lsmod
/sbin/modinfo libata

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://gtfobins.github.io
https://www.adampalmer.me/iodigitalsec/2009/10/03/linux-c-setuid-setgid-tutorial/
https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
https://github.com/DominicBreuker/pspy