2022-05-01 13:25:53 +00:00
# Checklist - Linux Privilege Escalation
2022-04-28 16:01:33 +00:00
< details >
2024-01-05 11:06:33 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-05 11:06:33 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-10-27 23:22:18 +00:00
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-01-05 11:06:33 +00:00
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-06 14:12:47 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**.**
2024-01-05 11:06:33 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
2022-10-27 23:22:18 +00:00
< / details >
2022-04-28 16:01:33 +00:00
2023-12-04 15:45:05 +00:00
< figure > < img src = "../../.gitbook/assets/image (1) (3) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
Join [**HackenProof Discord** ](https://discord.com/invite/N3FrSbmwdy ) server to communicate with experienced hackers and bug bounty hunters!
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2023-07-14 14:20:34 +00:00
2023-12-04 15:45:05 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2023-07-14 14:20:34 +00:00
2023-12-04 15:45:05 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2023-07-14 14:20:34 +00:00
2023-12-04 15:45:05 +00:00
**Join us on** [**Discord** ](https://discord.com/invite/N3FrSbmwdy ) and start collaborating with top hackers today!
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
### [System Information](privilege-escalation/#system-information)
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
* [ ] Get **OS information**
2020-08-24 16:34:42 +00:00
* [ ] Check the [**PATH** ](privilege-escalation/#path ), any **writable folder** ?
* [ ] Check [**env variables** ](privilege-escalation/#env-info ), any sensitive detail?
2021-11-30 16:46:07 +00:00
* [ ] Search for [**kernel exploits** ](privilege-escalation/#kernel-exploits ) **using scripts** (DirtyCow?)
* [ ] **Check** if the [**sudo version** is vulnerable ](privilege-escalation/#sudo-version )
2022-02-23 22:01:26 +00:00
* [ ] [**Dmesg** signature verification failed ](privilege-escalation/#dmesg-signature-verification-failed )
2021-10-18 11:21:18 +00:00
* [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/#more-system-enumeration))
2020-08-24 16:38:31 +00:00
* [ ] [Enumerate more defenses ](privilege-escalation/#enumerate-possible-defenses )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Drives](privilege-escalation/#drives)
2020-08-24 16:38:31 +00:00
2021-11-30 16:46:07 +00:00
* [ ] **List mounted** drives
2020-08-24 16:38:31 +00:00
* [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?**
2022-05-01 13:25:53 +00:00
### [**Installed Software**](privilege-escalation/#installed-software)
2020-08-24 16:41:51 +00:00
2021-11-30 16:46:07 +00:00
* [ ] **Check for** [ **useful software** ](privilege-escalation/#useful-software ) **installed**
* [ ] **Check for** [**vulnerable software** ](privilege-escalation/#vulnerable-software-installed ) **installed**
2020-08-24 16:41:51 +00:00
2022-05-01 13:25:53 +00:00
### [Processes](privilege-escalation/#processes)
2020-07-15 15:43:14 +00:00
2022-02-28 09:13:08 +00:00
* [ ] Is any **unknown software running** ?
2022-09-13 20:59:30 +00:00
* [ ] Is any software running with **more privileges than it should have** ?
* [ ] Search for **exploits of running processes** (especially the version running).
2020-08-24 16:41:51 +00:00
* [ ] Can you **modify the binary** of any running process?
2022-09-13 20:59:30 +00:00
* [ ] **Monitor processes** and check if any interesting process is running frequently.
2021-11-30 16:46:07 +00:00
* [ ] Can you **read** some interesting **process memory** (where passwords could be saved)?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
* [ ] Is the [**PATH** ](privilege-escalation/#cron-path )being modified by some cron and you can **write** in it?
* [ ] Any [**wildcard** ](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection )in a cron job?
* [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink )is being **executed** or is inside **modifiable folder** ?
2022-09-13 20:59:30 +00:00
* [ ] Have you detected that some **script** could be or are being [**executed** very **frequently** ](privilege-escalation/#frequent-cron-jobs )? (every 1, 2 or 5 minutes)
2020-08-24 16:56:30 +00:00
2022-05-01 13:25:53 +00:00
### [Services](privilege-escalation/#services)
2020-08-24 16:56:30 +00:00
* [ ] Any **writable .service** file?
* [ ] Any **writable binary** executed by a **service** ?
* [ ] Any **writable folder in systemd PATH** ?
2022-05-01 13:25:53 +00:00
### [Timers](privilege-escalation/#timers)
2020-08-24 16:56:30 +00:00
* [ ] Any **writable timer** ?
2022-05-01 13:25:53 +00:00
### [Sockets](privilege-escalation/#sockets)
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
* [ ] Any **writable .socket** file?
2020-08-24 16:56:30 +00:00
* [ ] Can you **communicate with any socket** ?
* [ ] **HTTP sockets** with interesting info?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [D-Bus](privilege-escalation/#d-bus)
2020-08-24 16:56:30 +00:00
* [ ] Can you **communicate with any D-Bus** ?
2022-05-01 13:25:53 +00:00
### [Network](privilege-escalation/#network)
2020-08-24 16:56:30 +00:00
* [ ] Enumerate the network to know where you are
* [ ] **Open ports you couldn't access before** getting a shell inside the machine?
* [ ] Can you **sniff traffic** using `tcpdump` ?
2022-05-01 13:25:53 +00:00
### [Users](privilege-escalation/#users)
2020-08-24 16:56:30 +00:00
* [ ] Generic users/groups **enumeration**
* [ ] Do you have a **very big UID** ? Is the **machine** **vulnerable** ?
2023-01-24 14:43:15 +00:00
* [ ] Can you [**escalate privileges thanks to a group** ](privilege-escalation/interesting-groups-linux-pe/ ) you belong to?
2021-11-30 16:46:07 +00:00
* [ ] **Clipboard** data?
2020-08-24 16:56:30 +00:00
* [ ] Password Policy?
2022-09-13 20:59:30 +00:00
* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user** . Try to login also without a password.
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Writable PATH](privilege-escalation/#writable-path-abuses)
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
* [ ] If you have **write privileges over some folder in PATH** you may be able to escalate privileges
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
2020-07-15 15:43:14 +00:00
2022-09-13 20:59:30 +00:00
* [ ] Can you execute **any command with sudo** ? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
* [ ] Is any **exploitable SUID binary** ? ([**GTFOBins**](https://gtfobins.github.io))
2021-11-30 16:46:07 +00:00
* [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions ](privilege-escalation/#sudo-execution-bypassing-paths )?
2022-02-23 22:01:26 +00:00
* [ ] [**Sudo/SUID binary without path indicated** ](privilege-escalation/#sudo-command-suid-binary-without-command-path )?
* [ ] [**SUID binary specifying path** ](privilege-escalation/#suid-binary-with-command-path )? Bypass
2022-04-05 22:24:52 +00:00
* [ ] [**LD\_PRELOAD vuln** ](privilege-escalation/#ld\_preload )
2022-02-23 22:01:26 +00:00
* [ ] [**Lack of .so library in SUID binary** ](privilege-escalation/#suid-binary-so-injection ) from a writable folder?
* [ ] [**SUDO tokens available** ](privilege-escalation/#reusing-sudo-tokens )? [**Can you create a SUDO token** ](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than )?
2020-08-24 17:35:11 +00:00
* [ ] Can you [**read or modify sudoers files** ](privilege-escalation/#etc-sudoers-etc-sudoers-d )?
* [ ] Can you [**modify /etc/ld.so.conf.d/** ](privilege-escalation/#etc-ld-so-conf-d )?
2022-01-31 14:51:03 +00:00
* [ ] [**OpenBSD DOAS** ](privilege-escalation/#doas ) command
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Capabilities](privilege-escalation/#capabilities)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] Has any binary any **unexpected capability** ?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [ACLs](privilege-escalation/#acls)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] Has any file any **unexpected ACL** ?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Open Shell sessions](privilege-escalation/#open-shell-sessions)
2020-07-15 15:43:14 +00:00
2022-02-23 22:01:26 +00:00
* [ ] **screen**
* [ ] **tmux**
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [SSH](privilege-escalation/#ssh)
2020-07-15 15:43:14 +00:00
2022-02-23 22:01:26 +00:00
* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166** ](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166 )
2022-02-28 09:13:08 +00:00
* [ ] [**SSH Interesting configuration values** ](privilege-escalation/#ssh-interesting-configuration-values )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Interesting Files](privilege-escalation/#interesting-files)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] **Profile files** - Read sensitive data? Write to privesc?
* [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
* [ ] **Check commonly interesting folders** for sensitive data
2022-09-13 20:59:30 +00:00
* [ ] **Weird Location/Owned files,** you may have access to or alter executable files
2021-11-30 16:46:07 +00:00
* [ ] **Modified** in last mins
2020-08-24 17:35:11 +00:00
* [ ] **Sqlite DB files**
* [ ] **Hidden files**
* [ ] **Script/Binaries in PATH**
2021-11-30 16:46:07 +00:00
* [ ] **Web files** (passwords?)
2020-08-24 17:35:11 +00:00
* [ ] **Backups** ?
2021-11-30 16:46:07 +00:00
* [ ] **Known files that contains passwords** : Use **Linpeas** and **LaZagne**
2020-08-24 17:35:11 +00:00
* [ ] **Generic search**
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [**Writable Files**](privilege-escalation/#writable-files)
2020-07-15 15:43:14 +00:00
2020-08-24 17:35:11 +00:00
* [ ] **Modify python library** to execute arbitrary commands?
2021-11-30 16:46:07 +00:00
* [ ] Can you **modify log files** ? **Logtotten** exploit
2020-08-24 17:35:11 +00:00
* [ ] Can you **modify /etc/sysconfig/network-scripts/** ? Centos/Redhat exploit
2020-08-24 17:38:10 +00:00
* [ ] Can you [**write in ini, int.d, systemd or rc.d files** ](privilege-escalation/#init-init-d-systemd-and-rc-d )?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [**Other tricks**](privilege-escalation/#other-tricks)
2020-07-15 15:43:14 +00:00
2020-08-24 17:38:10 +00:00
* [ ] Can you [**abuse NFS to escalate privileges** ](privilege-escalation/#nfs-privilege-escalation )?
* [ ] Do you need to [**escape from a restrictive shell** ](privilege-escalation/#escaping-from-restricted-shells )?
2022-04-28 16:01:33 +00:00
2023-12-04 15:45:05 +00:00
< figure > < img src = "../../.gitbook/assets/image (1) (3) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-07-14 14:20:34 +00:00
2023-12-04 15:45:05 +00:00
Join [**HackenProof Discord** ](https://discord.com/invite/N3FrSbmwdy ) server to communicate with experienced hackers and bug bounty hunters!
2022-10-27 23:22:18 +00:00
2023-12-04 15:45:05 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Join us on** [**Discord** ](https://discord.com/invite/N3FrSbmwdy ) and start collaborating with top hackers today!
2022-04-28 16:01:33 +00:00
2022-10-27 23:22:18 +00:00
< details >
2022-04-28 16:01:33 +00:00
2023-12-30 20:49:23 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2023-12-30 20:49:23 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-10-27 23:22:18 +00:00
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2023-12-30 20:49:23 +00:00
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-06 14:12:47 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**.**
2023-12-30 20:49:23 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >