hacktricks/linux-unix/linux-privilege-escalation-checklist.md


Description: Checklist for privilege escalation in Linux

Checklist - Linux Privilege Escalation

Best tool to look for Linux local privilege escalation vectors: LinPEAS

Vulnerable Kernel?

  • Search for kernel exploits using the scripts linux-exploit-suggester.sh, linux-exploit-suggester2.pl and linuxprivchecker.py
  • Use Google to search for kernel exploits
  • Use searchsploit to search for kernel exploits
  • Check whether the installed sudo version is vulnerable

Vulnerable Processes?

  • Is any unknown software running?
  • Is any software running with more privileges than it should have?
  • Search for exploits for the running processes, especially if they are running old versions
  • Can you read the memory of some interesting process where passwords could be stored?

Known users/passwords?

  • Try every password you have discovered so far to log in as each possible user. Also try to log in without a password.

Interesting Groups?

Weird scheduled jobs?

  • Is the PATH modified by some cron job, and can you write to one of its directories?
  • Is some modifiable script being executed, or is a script located inside a modifiable folder?
  • Does some cron script call another script that you can modify, or does it use wildcards?
  • Have you detected a script that could be executed very frequently (every 1, 2 or 5 minutes)?

Any sudo command?

  • Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root?
  • Is some wildcard used in the sudo rule?
  • Is the binary specified without an absolute path?
  • Is env_keep+=LD_PRELOAD set in the sudoers defaults?
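Two of the items above, a writable directory on a cron PATH and an env_keep that preserves LD_PRELOAD, as an added audit example (not HackTricks or LinPEAS code) that flags them in crontab and sudoers text so an administrator can fix them; the file contents, the temporary directory and the job name backup.sh are constructed for the demo.

```python
import os
import re
import tempfile

# Matches sudoers lines such as:  Defaults env_keep += "LD_PRELOAD"
ENV_KEEP_RE = re.compile(r'^\s*Defaults\b[^#]*?env_keep\s*\+?=\s*"?([^"#]*)', re.I)
# Matches a crontab environment line:  PATH=/dir1:/dir2  (quotes optional)
CRON_PATH_RE = re.compile(r'^\s*PATH\s*=\s*"?([^"#]*)')


def cron_writable_path_dirs(crontab_text):
    """Return the directories named on a crontab PATH= line that the current
    user can write to. A job that calls a command by bare name resolves it
    through such a directory, so drop the directory or use absolute paths."""
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_PATH_RE.match(line)
        if not m:
            continue
        for d in m.group(1).strip().split(':'):
            if d and os.path.isdir(d) and os.access(d, os.W_OK):
                findings.append(d)
    return findings


def cron_jobs_with_bare_commands(crontab_text):
    """Return system-crontab job lines (5 time fields, user, command) whose
    command is not given as an absolute path."""
    jobs = []
    for line in crontab_text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and not parts[0].startswith('#') and not parts[6].startswith('/'):
            jobs.append(line.strip())
    return jobs


def sudoers_keeps_ld_preload(sudoers_text):
    """True if a Defaults line keeps LD_PRELOAD across sudo, either via
    env_keep += LD_PRELOAD or an env_keep list that contains it."""
    for line in sudoers_text.splitlines():
        m = ENV_KEEP_RE.match(line)
        if m and 'LD_PRELOAD' in m.group(1).upper().replace(',', ' ').split():
            return True
    return False


def demo():
    """Constructed sample input: a temp dir stands in for a writable directory
    on a cron PATH, and a two-line sudoers fragment keeps LD_PRELOAD."""
    with tempfile.TemporaryDirectory(prefix='cron-audit-') as writable:
        crontab = f'PATH={writable}:/usr/sbin:/usr/bin\n*/2 * * * * root backup.sh\n'
        writable_found = writable in cron_writable_path_dirs(crontab)
        jobs = cron_jobs_with_bare_commands(crontab)
    sudoers = 'Defaults env_reset\nDefaults env_keep += "LD_PRELOAD"\n'
    return writable_found, jobs, sudoers_keeps_ld_preload(sudoers)
```

Running demo() on a real host means feeding it /etc/crontab, the files under /etc/cron.d and the output of `sudo -l` or /etc/sudoers instead of the constructed strings.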

Any weird suid command?

  • Is any interesting command SUID? Can you use it to READ, WRITE or EXECUTE anything as root?
  • Is some wildcard used?
  • Does the SUID binary execute some other binary without specifying its path, or with a path you can influence?
  • Does it try to load .so files from writable folders?

Weird capabilities?

  • Does any binary have an uncommon capability?

Open Shell sessions?

  • screen?
  • tmux?

Can you read some sensitive data?

  • Can you read some interesting files? Files with passwords, *_history files, backups...

Can you write important files?

  • Are you able to write files that could grant you more privileges? Service configuration files, shadow, a script that is executed by other users, libraries...

Internal open ports?

  • Check whether any undiscovered service is running on some port or interface. It may be running with more privileges than it should, or be vulnerable to some kind of privilege escalation vulnerability.

Can you sniff some passwords in the network?

  • Can you sniff and get passwords from the network?

Any service misconfigured? NFS? Do you belong to the docker or lxd group?

  • Any well-known misconfiguration? [**NFS no\_root\_squash**](privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)

Any weird executable in path?

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the PEASS & HackTricks telegram group here.

Buy me a coffee here