
Linux Snippets

A small collection of Linux privilege escalation scripts, references and commands.

Scripts

LinEnum.sh
Private-i.sh
LinPeas.sh
pspy
LinuxPrivChecker.py
Linux-Exploit-Suggester.sh

References

GTFOBins
Linux - Privilege Escalation
Basic Linux Privilege Escalation

General

OS


1
2
3
4
5
cat /etc/issue
cat cat /etc/*-release

cat /proc/version
uname -a


Files


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
find / -readable 2>/dev/null           //find all readable files
find / -user <username>                //find all files of username
find / -group <groupname> 2>/dev/null  //find all files of groupname
find / -name <filename>                //find filename

find / -type f -name "*.conf"       //find all .conf files
find /etc -type f -name "*.conf"   //find all .conf files in /etc

find / -newermt <start-date> ! -newermt <end-date> 2>/dev/null   //find all modified files

find targetdir/ -name '*.<extension>' -exec cat {} \; > out.txt  // find all files with <extension> and cat into out.txt
  cat out.txt | grep <keyword>

find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/dev'    // startup scripts

find / -writable -type d 2>/dev/null   // writable dirs


Cronjobs


1
2
3
4
5
6
crontab -l       //list current crontab
cat /etc/crontab //check system wide crontab

ls -la /etc/cron* 

crontab -e      //edit current crontab


Check capabilities


1
2
3
4
5
6
7
8
9
getcap -r /

+ep - Adding capability
-ep - Removing capability

There are 3 modes:
• e: EffectiveThis means the capability is "activated".
• p: PermittedThis means the capability can be used/is allowed.
• i: InheritedThe capability is kept by child/subprocesses  upon execve() for example.


Running processes/services


1
2
3
4
5
6
7
ps aux 
ps -ef
ps aux | grep root
ps -ef | grep root

top
cat /etc/services


Running daemons


1
ps -eo 'tty,pid,comm' | grep ^?  //all


Listening ports


1
2
3
4
netstat -an | grep 'LISTEN'
lsof -i -P -n | grep LISTEN
ss -tulw
grep -v "rem_address" /proc/net/tcp  | awk  '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'
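As an added example (not from the original post), the bash script below does what the awk one-liner does without depending on gawk's strtonum: it decodes the hex local_address field of /proc/net/tcp (little-endian IPv4 plus network-order port) into ip:port and keeps only sockets in LISTEN state (st 0A), together with the owning uid. The table in SAMPLE_PROC_NET_TCP is constructed sample data.

```bash
#!/usr/bin/env bash
# Decode /proc/net/tcp entries into ip:port and keep only LISTEN sockets.
# Columns: sl local_address rem_address st tx:rx tr:tm retrnsmt uid timeout inode ...

# Constructed sample of /proc/net/tcp (header + three entries):
#   0100007F:0016 = 127.0.0.1:22   st 0A (LISTEN)
#   00000000:1F90 = 0.0.0.0:8080   st 0A (LISTEN)
#   0F02000A:C2E4 = 10.0.2.15:49892 st 01 (ESTABLISHED, must be skipped)
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C2E4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0'

# decode_addr "0100007F:0016" -> "127.0.0.1:22"
# The 8 hex digits of the IPv4 address are in host (little-endian) byte order,
# so the octets are read from the right; the 4 port digits are network order.
decode_addr() {
    local hex=${1%%:*} port=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "0x${hex:6:2}" "0x${hex:4:2}" "0x${hex:2:2}" "0x${hex:0:2}" "0x${port}"
}

# listening_sockets "<contents of /proc/net/tcp>" -> one "ip:port uid=N" line per LISTEN entry
listening_sockets() {
    local sl local_addr rem_addr st txrx trtm retr uid rest
    # Skip the header line, then split each row into its fields ($4 is the socket state).
    printf '%s\n' "$1" | tail -n +2 |
    while read -r sl local_addr rem_addr st txrx trtm retr uid rest; do
        [ "$st" = "0A" ] || continue   # 0A == TCP_LISTEN
        printf '%s uid=%s\n' "$(decode_addr "$local_addr")" "$uid"
    done
}

# Run against the live kernel table where available, otherwise against the constructed sample.
if [ -r /proc/net/tcp ]; then
    listening_sockets "$(cat /proc/net/tcp)"
else
    listening_sockets "$SAMPLE_PROC_NET_TCP"
fi
```

The same decoding applies to /proc/net/udp (where no LISTEN state exists, so the state filter would be dropped); /proc/net/tcp6 uses four little-endian 32-bit words and needs a different address decoder.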


Firewall rules


1
2
cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6


Sudo configuration


1
2
sudo -l
cat /etc/sudoers


Vulnerable binaries


1
2
find / -perm -u=s -type f 2>/dev/null //SUID
find / -perm -g=s -type f 2>/dev/null //GUID


Ping sweep


1
 for i in {1..254} ;do (ping -c 1 x.x.x.$i | grep "bytes from" &) ;done


Port scan


1
for p in {1..1024}; do(echo >/dev/tcp/<ip>/$p) >/dev/null 2>&1 && echo "$p open"; done


rootshell.c


1
2
3
4
5
6
7
8
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
This post is licensed under CC BY 4.0 by the author.