2020-07-15 15:43:14 +00:00
---
description: Checklist for privilege escalation in Linux
---
# Checklist - Linux Privilege Escalation
2021-05-31 09:39:02 +00:00
{% hint style="danger" %}
2021-10-18 11:21:18 +00:00
Do you use **Hacktricks every day** ? Did you find the book **very** **useful** ? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks** ?\
2021-11-30 13:55:54 +00:00
[**Support Hacktricks through github sponsors** ](https://github.com/sponsors/carlospolop )** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
2021-05-31 09:39:02 +00:00
{% endhint %}
2021-11-30 13:55:54 +00:00
If you want to know about my **latest modifications** /**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬** ](https://emojipedia.org/speech-balloon/ )[**telegram group** ](https://t.me/peass ), or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks** ](https://github.com/carlospolop/hacktricks ) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
2021-05-31 09:39:02 +00:00
2021-11-30 13:55:54 +00:00
### **Best tool to look for Linux local privilege escalation vectors: **[**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)****
2020-07-15 15:43:14 +00:00
2020-08-24 16:34:42 +00:00
### [System Information](privilege-escalation/#system-information)
2020-07-15 15:43:14 +00:00
2021-11-30 13:55:54 +00:00
* [ ] Get** OS information**
2020-08-24 16:34:42 +00:00
* [ ] Check the [**PATH** ](privilege-escalation/#path ), any **writable folder** ?
* [ ] Check [**env variables** ](privilege-escalation/#env-info ), any sensitive detail?
2021-11-30 13:55:54 +00:00
* [ ] Search for [**kernel exploits** ](privilege-escalation/#kernel-exploits )** using scripts ** (DirtyCow?)
* [ ] **Check **if the [**sudo version **is vulnerable ](privilege-escalation/#sudo-version )
2021-10-18 11:21:18 +00:00
* [ ] ** **[**Dmesg** signature verification failed](privilege-escalation/#dmesg-signature-verification-failed) error?
* [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/#more-system-enumeration))
2020-08-24 16:38:31 +00:00
* [ ] [Enumerate more defenses ](privilege-escalation/#enumerate-possible-defenses )
2020-07-15 15:43:14 +00:00
2020-08-24 16:38:31 +00:00
### [Drives](privilege-escalation/#drives)
2021-11-30 13:55:54 +00:00
* [ ] **List mounted **drives
2020-08-24 16:38:31 +00:00
* [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?**
2021-10-18 11:21:18 +00:00
### ****[**Installed Software**](privilege-escalation/#installed-software)****
2020-08-24 16:41:51 +00:00
2021-11-30 13:55:54 +00:00
* [ ] **Check for** [** useful software** ](privilege-escalation/#useful-software )** installed**
* [ ] **Check for ** [**vulnerable software** ](privilege-escalation/#vulnerable-software-installed )** installed**
2020-08-24 16:41:51 +00:00
2021-10-18 11:21:18 +00:00
### ****[Processes](privilege-escalation/#processes)
2020-07-15 15:43:14 +00:00
* [ ] Is any **unknown software running** ?
* [ ] Is any software with **more privileges that it should have running** ?
2021-11-30 13:55:54 +00:00
* [ ] Search for** exploits for running processes** (specially if running of versions)
2020-08-24 16:41:51 +00:00
* [ ] Can you **modify the binary** of any running process?
* [ ] **Monitor processes** and check if any interesting process is running frequently
2021-11-30 13:55:54 +00:00
* [ ] Can you **read **some interesting **process memory ** (where passwords could be saved)?
2020-07-15 15:43:14 +00:00
2020-08-24 16:56:30 +00:00
### [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
2020-07-15 15:43:14 +00:00
2021-11-30 13:55:54 +00:00
* [ ] Is the [**PATH ** ](privilege-escalation/#cron-path )being modified by some cron and you can **write **in it?
* [ ] Any [**wildcard ** ](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection )in a cron job?
* [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink )is being **executed **or is inside **modifiable folder** ?
* [ ] Have you detected that some **script **could be being [**executed **very **frequently** ](privilege-escalation/#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
2020-08-24 16:56:30 +00:00
### [Services](privilege-escalation/#services)
* [ ] Any **writable .service** file?
* [ ] Any **writable binary** executed by a **service** ?
* [ ] Any **writable folder in systemd PATH** ?
### [Timers](privilege-escalation/#timers)
* [ ] Any **writable timer** ?
### [Sockets](privilege-escalation/#sockets)
2020-07-15 15:43:14 +00:00
2021-11-30 13:55:54 +00:00
* [ ] Any** writable .socket **file?
2020-08-24 16:56:30 +00:00
* [ ] Can you **communicate with any socket** ?
* [ ] **HTTP sockets** with interesting info?
2020-07-15 15:43:14 +00:00
2020-08-24 16:56:30 +00:00
### [D-Bus](privilege-escalation/#d-bus)
* [ ] Can you **communicate with any D-Bus** ?
### [Network](privilege-escalation/#network)
* [ ] Enumerate the network to know where you are
* [ ] **Open ports you couldn't access before** getting a shell inside the machine?
* [ ] Can you **sniff traffic** using `tcpdump` ?
### [Users](privilege-escalation/#users)
* [ ] Generic users/groups **enumeration**
* [ ] Do you have a **very big UID** ? Is the **machine** **vulnerable** ?
* [ ] Can you [**escalate privileges thanks to a group** ](privilege-escalation/interesting-groups-linux-pe/ ) you belong to?
2021-11-30 13:55:54 +00:00
* [ ] **Clipboard **data?
2020-08-24 16:56:30 +00:00
* [ ] Password Policy?
2021-11-30 13:55:54 +00:00
* [ ] Try to **use **every **known password **that you have discovered previously to login **with each **possible **user** . Try to login also without password.
2020-07-15 15:43:14 +00:00
2020-08-24 16:56:30 +00:00
### [Writable PATH](privilege-escalation/#writable-path-abuses)
2020-07-15 15:43:14 +00:00
2021-11-30 13:55:54 +00:00
* [ ] If you have** write privileges over some folder in PATH** you may be able to escalate privileges
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
### [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
* [ ] Can you execute **any comand with sudo** ? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
* [ ] Is any **exploitable suid binary** ? ([**GTFOBins**](https://gtfobins.github.io))
2021-11-30 13:55:54 +00:00
* [ ] Are [**sudo **commands **limited **by **path**? can you **bypass **the restrictions ](privilege-escalation/#sudo-execution-bypassing-paths )?
2021-10-18 11:21:18 +00:00
* [ ] ** **[**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)?
* [ ] ** **[**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass
2021-11-30 13:55:54 +00:00
* [ ] ** **[**LD_PRELOAD vuln**](privilege-escalation/#ld_preload)****
* [ ] ** **[**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection)** **from a writable folder?
2021-10-18 11:21:18 +00:00
* [ ] ** **[**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token** ](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than )?
2020-08-24 17:35:11 +00:00
* [ ] Can you [**read or modify sudoers files** ](privilege-escalation/#etc-sudoers-etc-sudoers-d )?
* [ ] Can you [**modify /etc/ld.so.conf.d/** ](privilege-escalation/#etc-ld-so-conf-d )?
2021-11-30 13:55:54 +00:00
* [ ] [**OpenBSD DOAS** ](privilege-escalation/#doas )** **command
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
### [Capabilities](privilege-escalation/#capabilities)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] Has any binary any **unexpected capability** ?
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
### [ACLs](privilege-escalation/#acls)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] Has any file any **unexpected ACL** ?
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
### [Open Shell sessions](privilege-escalation/#open-shell-sessions)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] **screen** ?
* [ ] **tmux** ?
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
### [SSH](privilege-escalation/#ssh)
2020-07-15 15:43:14 +00:00
2021-11-30 13:55:54 +00:00
* [ ] **Debian ** [**OpenSSL Predictable PRNG - CVE-2008-0166** ](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166 )****
2021-10-18 11:21:18 +00:00
* [ ] ** **[**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)****
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
### [Interesting Files](privilege-escalation/#interesting-files)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] **Profile files** - Read sensitive data? Write to privesc?
* [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
* [ ] **Check commonly interesting folders** for sensitive data
2021-11-30 13:55:54 +00:00
* [ ] **Weird Localtion/Owned files, **you may have access or alter executable files
* [ ] **Modified **in last mins
2020-08-24 17:35:11 +00:00
* [ ] **Sqlite DB files**
* [ ] **Hidden files**
* [ ] **Script/Binaries in PATH**
2021-11-30 13:55:54 +00:00
* [ ] **Web files ** (passwords?)
2020-08-24 17:35:11 +00:00
* [ ] **Backups** ?
2021-11-30 13:55:54 +00:00
* [ ] **Known files that contains passwords** : Use **Linpeas **and **LaZagne**
2020-08-24 17:35:11 +00:00
* [ ] **Generic search**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
### ****[**Writable Files**](privilege-escalation/#writable-files)****
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] **Modify python library** to execute arbitrary commands?
2021-11-30 13:55:54 +00:00
* [ ] Can you **modify log files** ? **Logtotten **exploit
2020-08-24 17:35:11 +00:00
* [ ] Can you **modify /etc/sysconfig/network-scripts/** ? Centos/Redhat exploit
2020-08-24 17:38:10 +00:00
* [ ] Can you [**write in ini, int.d, systemd or rc.d files** ](privilege-escalation/#init-init-d-systemd-and-rc-d )?
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
### ****[**Other tricks**](privilege-escalation/#other-tricks)****
2020-07-15 15:43:14 +00:00
2020-08-24 17:38:10 +00:00
* [ ] Can you [**abuse NFS to escalate privileges** ](privilege-escalation/#nfs-privilege-escalation )?
* [ ] Do you need to [**escape from a restrictive shell** ](privilege-escalation/#escaping-from-restricted-shells )?
2020-07-15 15:43:14 +00:00
2021-11-30 13:55:54 +00:00
If you want to **know **about my **latest modifications** /**additions** or you have **any suggestion for HackTricks or PEASS** ,** **join the [💬](https://emojipedia.org/speech-balloon/)** ** [**PEASS & HackTricks telegram group here** ](https://t.me/peass ), or** follow me on Twitter ** [🐦 ](https://emojipedia.org/bird/ )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**\
****If you want to** share some tricks with the community **you can also submit **pull requests **to** ** [**https://github.com/carlospolop/hacktricks** ](https://github.com/carlospolop/hacktricks )** **that will be reflected in this book.\
2020-08-17 08:33:42 +00:00
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 ( 6 ) ( 4 ) ( 3 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)****