Checklist - Linux Privilege Escalation

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬telegram group, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.

Melhor ferramenta para encontrar vetores de escalação de privilégio em Linux: LinPEAS****

Informação do Sistema

• Pegar informações do sistema

• Checar o PATH, algum diretório gravável?

• Checar variáveis de ambiente, alguma informação sensível?

• Procure por exploits de kernel usando scripts (DirtyCow?)

• Cheque se a versão do sudo é vulneravel

• ****Dmesg signature verification failed error?

• Enumerar mais o sistema (date, system stats, cpu info, printers)

• Enumerar as possiveis defesas

Dispositivos

• Listar dispositovos montados

• Algum dispositivo não montado?

• Alguma credencial no fstab?

****Programas instalados****

• Checar por programas uteis instalados

• Checar por programas vulneraveis instalados

****Processos

• Tem algum programa desconhecido rodando?

• Tem algum programa rodando com maior privilégio do que deveria?

• Procure por exploits para os processos rodando (especialmente as versões)

• Você pode modificar o binário de algum processo rodando?

• Monitorar processos e checar se tem algum processo interessante rodando frequentemente

• Você pode ler algo interessante na memória do processo (Onde senhas podem ser salvas)?

Agendamento/Cron jobs?

• Is the PATH being modified by some cron and you can write in it?

• Any wildcard in a cron job?

• Some modifiable script is being executed or is inside modifiable folder?

• Have you detected that some script could be being executed very frequently? (every 1, 2 or 5 minutes)

Services

• Algum arquivo .service com permissão de esrita?

• Any writable binary executed by a service?

• Any writable folder in systemd PATH?

Timers

• Any writable timer?

Sockets

• Any writable .socket file?

• Can you communicate with any socket?

• HTTP sockets with interesting info?

D-Bus

• Can you communicate with any D-Bus?

Network

• Enumerate the network to know where you are

• Open ports you couldn't access before getting a shell inside the machine?

• Can you sniff traffic using tcpdump?

Users

• Generic users/groups enumeration

• Do you have a very big UID? Is the machine vulnerable?

• Can you escalate privileges thanks to a group you belong to?

• Clipboard data?

• Password Policy?

• Try to use every known password that you have discovered previously to login with each possible user. Try to login also without password.

Writable PATH

• If you have write privileges over some folder in PATH you may be able to escalate privileges

SUDO and SUID commands

• Can you execute any comand with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)

• Is any exploitable suid binary? (GTFOBins)

• Are sudo commands limited by path? can you bypass the restrictions?

• ****Sudo/SUID binary without path indicated?

• ****SUID binary specifying path? Bypass

• ****LD_PRELOAD vuln****

• ****Lack of .so library in SUID binary ****from a writable folder?

• ****SUDO tokens available? Can you create a SUDO token?

• Can you read or modify sudoers files?

• Can you modify /etc/ld.so.conf.d/?

• OpenBSD DOAS ****command

Capabilities

• Tem algum binário com alguma capability não esperada?

ACLs

• Has any file any unexpected ACL?

Sessões de shell abertas

• screen?

• tmux?

SSH

• Debian OpenSSL Predictable PRNG - CVE-2008-0166****

• ****SSH Interesting configuration values****

Interesting Files

• Profile files - Read sensitive data? Write to privesc?

• passwd/shadow files - Read sensitive data? Write to privesc?

• Check commonly interesting folders for sensitive data

• Weird Localtion/Owned files, you may have access or alter executable files

• Modified in last mins

• Sqlite DB files

• Hidden files

• Script/Binaries in PATH

• Web files (passwords?)

• Backups?

• Known files that contains passwords: Use Linpeas and LaZagne

• Generic search

****Writable Files****

• Modify python library to execute arbitrary commands?

• Can you modify log files? Logtotten exploit

• Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit

• Can you write in ini, int.d, systemd or rc.d files?

****Other tricks****

• Can you abuse NFS to escalate privileges?

• Do you need to escape from a restrictive shell?

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, ****join the 💬 ****PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to ****https://github.com/carlospolop/hacktricks ****that will be reflected in this book. Don't forget to give ⭐ on the github to motivate me to continue developing this book.

​Buy me a coffee here****