Difference between revisions of "Linux Priv Esc Notes"

m (What's available to me immediately)
m
Line 3: Line 3:
 
= What's available to me immediately =
 
= What's available to me immediately =
 
* ''sudo'' roles to run programs as another user? root?  
 
* ''sudo'' roles to run programs as another user? root?  
* ''SUID/GUID'' executables (find ./ -perm 2000 -o -perm 4000 -print 2>/dev/null)
+
* What other users on the system (cat /etc/passwd, cat /etc/shadow, ls /home, ls $HOME/../)
 +
** Try obvious passwords, blank passwords. Try fuzzing
 +
** Have password hash? Google it. Try ''john''
 +
** Look for passwords in command line history (~/{bash,nano,mysql}_history)
 +
** Look for hard coded passwords in config files (/etc/my.conf)
 +
** Look for passwords in database dumps (.sql files) or other text extensions (.txt, .csv)
 +
** Look for hidden private keys
 +
* ''SUID/GUID'' executables (find ./ -perm 2000 -o -perm 4000 -type f -print 2>/dev/null)
 
** Can I escape to a shell? interactive feature? (nmap -i, vim :!sh)
 
** Can I escape to a shell? interactive feature? (nmap -i, vim :!sh)
 
** Can I execute another command
 
** Can I execute another command

Revision as of 13:48, 25 July 2018

A collection of notes on Linux Privilege Escalation. Some will lead to r00t, some will help moving laterally, all depends on the end-goal. Trying to avoid the 'How to do it' steps, focusing on 'What to do' instead. Like most of the content on this site, these are put together for personal use but feel free to grab and share because sharing is caring. I'll try to update this as often as I can as this is my go-to

What's available to me immediately

  • sudo roles to run programs as another user? root?
  • What other users on the system (cat /etc/passwd, cat /etc/shadow, ls /home, ls $HOME/../)
    • Try obvious passwords, blank passwords. Try fuzzing
    • Have password hash? Google it. Try john
    • Look for passwords in command line history (~/{bash,nano,mysql}_history)
    • Look for hard coded passwords in config files (/etc/my.conf)
    • Look for passwords in database dumps (.sql files) or other text extensions (.txt, .csv)
    • Look for hidden private keys
  • SUID/GUID executables (find ./ -perm 2000 -o -perm 4000 -type f -print 2>/dev/null)
    • Can I escape to a shell? interactive feature? (nmap -i, vim :!sh)
    • Can I execute another command
      • As command parameter
      • Modifying PATH (e.g. if command calls 'date', 'cp /bin/bash > $HOME/date' and modifying $PATH)
    • Can I use Buffer Overflow to load arbitrary shell code?