Linux PrivEsc

  • Check the sensitive groups you belong to

  • sudo -l

  • Examine each and every SUID -

    find / -perm -u=s -type f 2>/dev/null
  • Check for other interesting files -

    # World writable directories
    find / -writable -type d 2>/dev/null
    find / -perm -222 -type d 2>/dev/null
    find / -perm -o=w -type d 2>/dev/null
    
    # World executable folders
    find / -perm -o=x -type d 2>/dev/null
    
    # World writable and executable folders
    find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
  • Sensitive files in /var/www/html (Found something in sites/default in there once)

  • Look for data revealed in log files (might contain passwords)

    For example -> grep -r passw /var/log 2>/dev/null

  • Check netstat for running services using → netstat -ntlp

    Then ⤵️

    Check for services running as ROOT and try exploiting them

    ps -eaf | grep <service> # Provide the service you want to check privileges for

    OR ps -ef | grep root # To list all processes running as root

  • Check for docker container → .dockerenv file (one of the indications)

  • Check the GitHub repository to understand how a CMS file works (post-exploitation)

  • Always check “id_rsa.pub” to see whether the keys can be used for other users or not

  • wget will sometimes only work without URL scheme →

    wget 192.168.45.5/file # Learned in PG machine "Bratarina"

  • Always try to get a reverse shell on ports that are open on the target machine

  • GOOGLE EVERY term you see inside files that you find interesting and look for exploits.

  • Privesc scripts aren't always right. Try basic things yourself. (Add them from medium blog)

  • Identify all users. Attempt to brute-force SSH auth if /home or /etc/passwd is pulled.

  • Always run echo $PATH to show available commands/locations.

  • Docker - see Proving Grounds' Sirol/Escape box.

  • Check interesting groups to which current user belongs.

  • Fully understand software that's related to a user's group (e.g. fail2ban group).

  • Use pspy to spy on processes and cronjobs you may not be able to see

  • cat ~/.profile && cat ~/.bashrc

  • Custom SUIDs won't be highlighted, as linpeas and other privesc scripts don't know what they are. Find them manually.

  • Check for browser creds, e.g. for Mozilla Firefox in the ~/.mozilla folder!! If you have RDP or VNC then just look for credentials via the browser.

  • Try potential kernel exploits & their different versions from ExploitDB & GitHub!!

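The two items above about custom SUID binaries and world-writable directories are easier to audit with a script than to eyeball from raw find output. The block below is an added example, not part of the original notes: it lists SUID files together with the package that owns them (so unpackaged, i.e. custom, SUIDs stand out) and world-writable directories that lack the sticky bit. It assumes GNU find plus dpkg or rpm for the package lookup; the file name audit.sh in the usage comment is hypothetical.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the original notes). It flags two things the
# checklist above looks for by hand: SUID binaries that no installed package
# owns ("custom SUIDs"), and world-writable directories missing the sticky bit.
# Assumes GNU find plus dpkg (Debian/Ubuntu) or rpm (RHEL/Fedora) for the
# package lookup; without either, ownership is reported as UNKNOWN.

# Print the package owning a file, UNPACKAGED if none, UNKNOWN if no pkg manager.
owning_package() {
  local f="$1" pkg=""
  if command -v dpkg >/dev/null 2>&1; then
    # dpkg -S prints "pkg: /path"; an unowned path prints nothing on stdout
    pkg=$(dpkg -S "$f" 2>/dev/null | awk -F: 'NR==1{print $1}')
  elif command -v rpm >/dev/null 2>&1; then
    # rpm -qf exits non-zero for files no package owns
    pkg=$(rpm -qf "$f" 2>/dev/null) || pkg=""
  else
    printf 'UNKNOWN\n'
    return 0
  fi
  printf '%s\n' "${pkg:-UNPACKAGED}"
}

# SUID files under $1 (default /), one "package<TAB>path" line each.
# Review every UNPACKAGED entry: that is where custom SUID binaries show up.
list_suid() {
  local root="${1:-/}"
  find "$root" -xdev -type f -perm -u=s 2>/dev/null | while IFS= read -r f; do
    printf '%s\t%s\n' "$(owning_package "$f")" "$f"
  done
}

# World-writable directories under $1 that lack the sticky bit (mode 1000),
# i.e. places where any user can rename or delete other users' files.
list_ww_nosticky() {
  local root="${1:-/}"
  find "$root" -xdev -type d -perm -o=w ! -perm -1000 2>/dev/null
}

audit() {
  local root="${1:-/}"
  printf '== SUID files (package<TAB>path) under %s ==\n' "$root"
  list_suid "$root"
  printf '== World-writable directories without sticky bit under %s ==\n' "$root"
  list_ww_nosticky "$root"
}

# Stand-alone use: AUDIT_ROOT=/ bash audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then audit "$AUDIT_ROOT"; fi
```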