Overview
Guides
GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. (Link: GTFOBins)
Automated
LinPEAS
Linux Privilege Escalation Awesome Script (Link: PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub)
LinEnum
Scripted Local Linux Enumeration & Privilege Escalation Checks (Link: GitHub - rebootuser/LinEnum)
Linux Smart Enumeration (LSE)
Linux enumeration tool for pentesting and CTFs with verbosity levels (Link: GitHub - diego-treitos/linux-smart-enumeration)
Linux Exploit Suggester (LES)
Linux privilege escalation auditing tool (Link: GitHub - mzet-/linux-exploit-suggester)
linuxprivchecker.py
A Linux Privilege Escalation Check Script (Link: GitHub - sleventyeleven/linuxprivchecker)
Unix-privesc-check
Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). (Link: unix-privesc-check | Kali Linux Tools)
Manual
Kernel exploits
Get Linux/kernel version
E.g. Linux kali 5.14.0-kali2-arm64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) aarch64 GNU/Linux
Get "marketing" name of distribution
E.g. Ubuntu 20.04.1 LTS
Get build details such as the gcc version
E.g. Linux version 5.14.0-kali2-arm64 (devel@kali.org) (gcc-10 (Debian 10.3.0-11) 10.3.0, GNU ld (GNU Binutils for Debian) 2.37) #1 SMP Debian 5.14.9-2kali1 (2021-10-04)
-> Use searchsploit (exploit-db.com), Google, GitHub, etc. to check for publicly available kernel exploits.
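The kernel and build strings above are what `uname -a` and `/proc/version` print. As an added example (not code from the original notes), the POSIX sh helpers below pull the kernel release and compiler out of those strings and compare the release numerically against a version you supply, which is the patch-triage question a defender asks after reading an advisory (is this host's kernel older than the release that carries the fix?). The function names are mine; the sample strings are the ones from these notes, and the 5.10.0 threshold in the stand-alone run is an arbitrary placeholder, not a real fix release.

```shell
#!/bin/sh
# Added example, not code from the original notes.
# Parses the kernel/compiler strings the notes show and compares the running
# kernel with a release you supply (e.g. the fixed version from an advisory).

# kernel_release_of "LINE" -> the release field of a `uname -a` or
# /proc/version line (both carry it as the third word), e.g. 5.14.0-kali2-arm64
kernel_release_of() {
    printf '%s\n' "$1" | awk '$1 == "Linux" { print $3; exit }'
}

# compiler_of "LINE" -> the compiler stanza of a /proc/version line,
# e.g. "gcc-10 (Debian 10.3.0-11) 10.3.0" (empty when the line has none)
compiler_of() {
    printf '%s\n' "$1" | grep -o 'gcc[^ ]* ([^)]*) [0-9.]*' | head -n 1
}

# version_ge A B -> exit 0 when A >= B, comparing the dotted numeric prefix
# only; suffixes such as -kali2-arm64 or -generic are ignored
version_ge() {
    a=${1%%-*}
    b=${2%%-*}
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# kernel_report LINE MIN_RELEASE -> one summary line; exit 1 when older than MIN
kernel_report() {
    rel=$(kernel_release_of "$1")
    cc=$(compiler_of "$1")
    if version_ge "$rel" "$2"; then
        printf 'kernel %s (built with %s) is at or above %s\n' "$rel" "${cc:-unknown compiler}" "$2"
    else
        printf 'kernel %s (built with %s) is OLDER than %s: check the advisory\n' "$rel" "${cc:-unknown compiler}" "$2"
        return 1
    fi
}

# Stand-alone run: use the live /proc/version when readable, otherwise the
# constructed sample string from the notes. 5.10.0 is an arbitrary placeholder
# threshold, not a real fix release.
if [ -r /proc/version ]; then
    line=$(cat /proc/version)
else
    line='Linux version 5.14.0-kali2-arm64 (devel@kali.org) (gcc-10 (Debian 10.3.0-11) 10.3.0, GNU ld (GNU Binutils for Debian) 2.37) #1 SMP Debian 5.14.9-2kali1 (2021-10-04)'
fi
kernel_report "$line" 5.10.0 || true
```

`version_ge` deliberately ignores everything after the first `-`, so distribution build suffixes do not break the comparison; if you need to compare the distribution package revision (e.g. `5.14.9-2kali1`), compare the package version from the package manager instead.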
Manual information gathering
Operating system
Users
Info about current user
Check for other users (non-service users normally start at UID 1000)
Filter users with a login shell
Groups
Interesting unix groups
44(video) <- has access to video output (weird stuff)
6(disk) <- has raw access to the file system; read the disk using e.g. debugfs
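The user and group checks above are worth scripting so that the same review can be run over passwd/group files collected from many hosts. The following is an added example (not code from the original notes): POSIX sh functions that list accounts with a usable shell and report who sits in the disk and video groups the notes single out, plus sudo/wheel. It also covers the gap the `/etc/group` view misses, an account whose primary GID in passwd is the disk group. The function names and the sample passwd/group data are mine and constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original notes: account and group review
# helpers that read passwd/group-format data from stdin, so they work on the
# live files (login_users < /etc/passwd) or on copies collected elsewhere.

# login_users < passwd -> "user:uid:shell" for accounts whose shell is not
# nologin/false. Per the notes, human accounts normally start at UID 1000.
login_users() {
    awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# human_login_users < passwd -> same as login_users, restricted to UID >= 1000
human_login_users() {
    login_users | awk -F: '$2 >= 1000'
}

# sensitive_group_members < group -> "group:gid:member" for every
# supplementary member of disk (raw block-device access), video, sudo, wheel.
sensitive_group_members() {
    awk -F: '
        NF >= 4 && $1 ~ /^(disk|video|sudo|wheel)$/ && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print $1 ":" $3 ":" m[i]
        }'
}

# primary_gid_members GID < passwd -> users whose primary group is GID. An
# account created with gid 6 never appears on the disk line of /etc/group,
# so the group file alone understates who can read raw devices.
primary_gid_members() {
    awk -F: -v gid="$1" 'NF >= 7 && $4 == gid { print $1 }'
}

# Constructed sample data (not from any real host)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-op:x:1001:6::/home/backup-op:/bin/sh'

SAMPLE_GROUP='root:x:0:
disk:x:6:
video:x:44:alice
sudo:x:27:alice
users:x:100:alice,backup-op'

# Stand-alone run over the constructed sample
echo "== accounts with a usable shell =="
printf '%s\n' "$SAMPLE_PASSWD" | login_users
echo "== supplementary members of disk/video/sudo/wheel =="
printf '%s\n' "$SAMPLE_GROUP" | sensitive_group_members
echo "== accounts whose primary group is disk (gid 6) =="
printf '%s\n' "$SAMPLE_PASSWD" | primary_gid_members 6
```

In the sample, `backup-op` is invisible on the `disk:` line of the group file but still has GID 6 as its primary group; only `primary_gid_members 6` surfaces it, which is why both views belong in a review.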
Sudo
Check current privilege status
TODO: LD_PRELOAD
https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/
SUID
Find files that have SUID or SGID bit set
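A one-off listing of setuid/setgid files is hard to judge in isolation; what a defender wants is the diff against a known-good baseline, so that a newly appeared SUID binary stands out. The following is an added example (not code from the original notes) in POSIX sh: it enumerates setuid/setgid regular files under a directory and compares them with a saved baseline. Function names are mine; the stand-alone run builds a constructed temporary directory rather than touching the real filesystem.

```shell
#!/bin/sh
# Added example, not code from the original notes: enumerate setuid/setgid
# files under a directory and diff them against a saved baseline.

# suid_files DIR -> sorted paths of regular files with the setuid or setgid bit
# (permission-denied noise is discarded so a full-filesystem scan stays readable)
suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# suid_new_since BASELINE_FILE DIR -> paths present now but not in the baseline
suid_new_since() {
    suid_files "$2" | comm -13 "$1" -
}

# suid_gone_since BASELINE_FILE DIR -> baseline paths that no longer carry the bit
suid_gone_since() {
    suid_files "$2" | comm -23 "$1" -
}

# Stand-alone run: audit the directory given as $1, or demonstrate the baseline
# diff on a constructed temporary directory when no argument is given.
if [ -n "$1" ]; then
    suid_files "$1"
else
    d=$(mktemp -d)
    : > "$d/bin-a"; chmod 4755 "$d/bin-a"        # present at baseline time
    suid_files "$d" > "$d/baseline.txt"
    : > "$d/bin-b"; chmod 2755 "$d/bin-b"        # appears afterwards
    echo "new setuid/setgid files since baseline (constructed demo):"
    suid_new_since "$d/baseline.txt" "$d"
    rm -rf "$d"
fi
```

For a real host, record `suid_files / > baseline.txt` as root on a freshly built system and re-run `suid_new_since baseline.txt /` periodically; package upgrades will show up too, so reconcile additions against the package manager before treating one as suspicious.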
Capabilities
List enabled capabilities
Cron Jobs
NFS
Check for no_root_squash option in
Mount share
Create SUID binary
Compile it, set SUID bit
Run it on target
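The NFS chain above depends on two settings, `no_root_squash` on the server's export and the absence of `nosuid` on the client mount; either one removed breaks it. As an added example (not code from the original notes), the POSIX sh functions below check both from data in `/etc/exports` and `/proc/mounts` format on stdin, so they can run against the live files or copies gathered from other hosts. Function names and the sample export/mount lines are mine and constructed.

```shell
#!/bin/sh
# Added example, not code from the original notes: checks for the two NFS
# conditions described above, read from /etc/exports- and /proc/mounts-format
# data on stdin.

# exports_with_no_root_squash < /etc/exports -> "path client(options)" for
# every client entry carrying no_root_squash (remote root keeps uid 0 on the
# share). Comment and blank lines are skipped.
exports_with_no_root_squash() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /[(,]no_root_squash[,)]/) print $1 " " $i
        }'
}

# network_mounts_without_nosuid < /proc/mounts -> "mountpoint fstype options"
# for nfs/nfs4/cifs mounts lacking nosuid, i.e. mounts on which this client
# would honour a setuid file placed on the share
network_mounts_without_nosuid() {
    awk '$3 ~ /^(nfs|nfs4|cifs)$/ && $4 !~ /(^|,)nosuid(,|$)/ { print $2 " " $3 " " $4 }'
}

# mount_options_of MOUNTPOINT < /proc/mounts -> the option string of one mount
mount_options_of() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Constructed sample data (not from any real host)
SAMPLE_EXPORTS='# constructed sample /etc/exports
/srv/share   10.0.0.0/24(rw,sync,no_root_squash) *(ro)
/srv/archive 10.0.0.7(ro,root_squash)
/srv/backup  *(rw,no_subtree_check,no_root_squash)'

SAMPLE_MOUNTS='10.0.0.5:/srv/share /mnt/share nfs4 rw,relatime,vers=4.2 0 0
10.0.0.5:/srv/ro /mnt/ro nfs4 ro,nosuid,nodev,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Stand-alone run: constructed sample first, then the live files if readable
echo "== exports granting no_root_squash (sample) =="
printf '%s\n' "$SAMPLE_EXPORTS" | exports_with_no_root_squash
echo "== network mounts without nosuid (sample) =="
printf '%s\n' "$SAMPLE_MOUNTS" | network_mounts_without_nosuid
[ -r /etc/exports ] && { echo "== live /etc/exports =="; exports_with_no_root_squash < /etc/exports; }
[ -r /proc/mounts ] && { echo "== live /proc/mounts =="; network_mounts_without_nosuid < /proc/mounts; }
```

The fix on the server side is to drop `no_root_squash` (the default, `root_squash`, maps remote root to nobody); on the client side, mounting with `nosuid` (and `nodev`) is the mitigation, which is also why the setuid check later in these notes starts by looking at the mount options.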
Processes running
See also: PSPY
-> Is there something special, maybe related to the users found?
Network
-> Is any service running that we missed in the port scan (firewall?)
Packages
Debian
CentOS, OpenSuse, Fedora, RHEL
OpenBSD, FreeBSD
Check for manually installed stuff
Weak services
Look for files that run with root privileges but are writable by everyone -> replace file with exploit
Check tools potentially vulnerable to priv esc
setuid
Check if available: mount -> the filesystem must not be mounted nosuid
setuid.c
Alternative setuid.c
TODO: This doesn't seem to be working.. Did it ever? Where did I get this from? PWK? 😬
Writable /etc/passwd
Change root, remove the x (password flag):
root:x:0:0:root:/root:/bin/bash
-> root::0:0:root:/root:/bin/bash
su -> root
(Link: linux - Privilege escalation using passwd file - Information Security Stack Exchange)
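From the defender's side, the condition above is easy to audit: `/etc/passwd` must not be writable by others, and no entry should have an empty password field or a second UID-0 account. The following is an added example (not code from the original notes) in POSIX sh that checks both; the `root::0:0:...` line in its constructed sample is the modification the notes describe. Function names and sample data are mine.

```shell
#!/bin/sh
# Added example, not code from the original notes: integrity checks for
# /etc/passwd covering the write-access condition and the empty-password
# modification described above.

# world_writable FILE -> exit 0 if "others" hold write permission
# (ninth character of the ls -l mode string)
world_writable() {
    [ "$(ls -ld -- "$1" | cut -c9)" = "w" ]
}

# passwd_findings < passwd -> one line per suspicious entry: malformed line,
# empty password field (login without a password), an extra UID-0 account, or
# a password hash stored in passwd instead of shadow
passwd_findings() {
    awk -F: '
        NF != 7 { print "malformed line " NR ": " $0; next }
        $2 == "" { print "empty password field: " $1 }
        $3 == 0 && $1 != "root" { print "uid 0 account other than root: " $1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "hash kept in passwd rather than shadow: " $1 }
    '
}

# audit_passwd FILE -> prints findings; exit 0 only when nothing was flagged
audit_passwd() {
    rc=0
    if world_writable "$1"; then
        echo "$1 is world-writable"
        rc=1
    fi
    out=$(passwd_findings < "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        rc=1
    fi
    return $rc
}

# Constructed sample (the first line is the modification described above;
# the bob hash is a made-up placeholder, not a real credential)
SAMPLE_PASSWD='root::0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
bob:$6$saltsalt$constructedhash:1002:1002::/home/bob:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash'

# Stand-alone run: findings for the sample, then the live file if present
echo "== findings for the constructed sample =="
printf '%s\n' "$SAMPLE_PASSWD" | passwd_findings
if [ -r /etc/passwd ]; then
    echo "== audit of /etc/passwd =="
    audit_passwd /etc/passwd && echo "no findings"
fi
```

`audit_passwd` returns non-zero on any finding, so it can sit in a cron job or a configuration-management check and fail loudly; the hash-in-passwd rule catches the older variant of the same trick, where a chosen hash rather than an empty field is written into the second column.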
Public exploits
Dirty COW
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel.
Rational Love
glibc - 'getcwd()' Local Privilege Escalation, 2018 local root exploit (Link: local-root-exploits/linux/CVE-2018-1000001 at master · 5H311-1NJ3C706/local-root-exploits · GitHub)