Linux PrivEsc Compiled Recipe

📚 This is a compilation of commands to copy-paste when looking for an easy priv. esc. vector without using a script 📚

First, find who you are, and if you are in interesting groups:

$ id # sudo? docker? adm?

If you are in the sudo group, check what you can run without a password, and then with one:

$ sudo -l -n # non-interactive: only succeeds if no password is required
$ sudo -l    # prompts for your password, if you know it

Look for interesting files relative to your current user (owned by you, or writable by you):

$ find / -user $(whoami) -type f 2>/dev/null | grep -v /proc | grep -v /sys
$ find / -type f -writable 2>/dev/null | grep -v /proc | grep -v /sys
$ find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null # text files and extension-less files in home directories
$ ls /opt # why not
$ find /opt/ \( -amin -5 -o -mmin -5 \) 2> /dev/null # recently modified/edited?

Look for suspicious permissions:

$ find / -perm -u=s -type f -ls 2>/dev/null
$ find / -perm -g=s -type f -ls 2>/dev/null
$ getcap -r / 2>/dev/null
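The two find one-liners above print every SUID/SGID file on the box, which on a real system is a long list dominated by the usual suspects (su, passwd, mount, ...). The following script is an added example, not part of the original cheat sheet: it turns the same find checks into a defender-side audit that reports only setuid/setgid files missing from an allowlist (a baseline taken from a known-good host), and lists world-writable regular files separately. The directory layout, file names and baseline content it builds are constructed for the demo; the permission bits are given in octal (4000/2000/0002) so the script also runs on finds that lack GNU's symbolic `-perm` syntax.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a baseline check built
# from the page's "find / -perm -u=s" and "find / -type f -writable" ideas.
# Paths, file names and the baseline content below are all constructed.

# Print setuid/setgid regular files under $1, one per line, sorted.
# 4000 = setuid bit, 2000 = setgid bit.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print world-writable regular files under $1 (0002 = other-write bit),
# dropping /proc and /sys the same way the page's one-liners do.
list_world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null \
        | grep -v '^/proc' | grep -v '^/sys' | sort
}

# Report setid files under $1 that are not listed (one full path per line)
# in the baseline file $2. Returns 0 when nothing unexpected is found,
# 1 otherwise, so it can be used from cron or a CI job.
audit_setid_against_baseline() {
    root=$1
    baseline=$2
    # -x -F: match whole lines literally, so paths with odd characters are safe.
    unexpected=$(list_setid_files "$root" | grep -v -x -F -f "$baseline" || true)
    if [ -n "$unexpected" ]; then
        printf 'Unexpected setuid/setgid files:\n%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Build a constructed sample tree: two setuid files (one in the baseline)
# and one world-writable config file. Prints the tree's root directory.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/opt/app"
    : > "$dir/bin/expected_suid"
    : > "$dir/opt/app/surprise_suid"
    : > "$dir/opt/app/config.ini"
    chmod u+s "$dir/bin/expected_suid" "$dir/opt/app/surprise_suid"
    chmod o+w "$dir/opt/app/config.ini"
    printf '%s\n' "$dir/bin/expected_suid" > "$dir/baseline.txt"
    echo "$dir"
}

# Demo on the constructed tree. Real use would be something like:
#   audit_setid_against_baseline / /var/lib/audit/suid-baseline.txt
sample=$(make_sample_tree)
audit_setid_against_baseline "$sample" "$sample/baseline.txt" || echo "=> review the list above"
printf 'World-writable files:\n'
list_world_writable_files "$sample"
rm -rf "$sample"
```

The baseline file is just the output of list_setid_files from a freshly built machine; regenerate it after package upgrades, and treat any diff as something to explain rather than something to silence.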

Look for interesting (internal or not) network services:

$ netstat -antp | grep -i list
$ ss -antp | grep -i list # same thing on systems where netstat is no longer installed

As a reminder, services that only listen on localhost can be reached through a tunnel, for example with chisel or SSH port forwarding.

Finally, look for users and services in /etc/passwd. Also look in /home for user home directories and check whether you can read them.
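Scrolling through /etc/passwd by eye is error-prone, so here is an added example (not part of the original cheat sheet) of reading it with awk: it separates accounts with a real login shell from service accounts, and flags any entry other than root that carries UID 0, which is the sort of anomaly an administrator auditing a host wants to catch. The passwd lines below are constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a small awk-based
# reader for passwd-format text. The sample content is constructed.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-svc:x:1001:1001:Backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
EOF
)

# Print accounts whose login shell is a real shell (not nologin/false)
# as "user:uid:home:shell". Reads passwd-format text from stdin.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $6 ":" $7 }'
}

# Print service accounts (non-interactive shell), one name per line, so they
# can be cross-checked against the listening services found above.
service_accounts() {
    awk -F: '$7 ~ /(nologin|false)$/ { print $1 }'
}

# Print any entry other than "root" that has UID 0: a second UID-0 account
# is never created by a distribution and deserves an explanation.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Demo on the constructed sample. Real use: the same functions with
# /etc/passwd on stdin, e.g.  extra_uid0_accounts < /etc/passwd
printf 'Interactive accounts:\n'
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
printf 'Service accounts:\n'
printf '%s\n' "$SAMPLE_PASSWD" | service_accounts
printf 'Extra UID 0 accounts:\n'
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
```

Field 7 is the login shell and field 3 the numeric UID, so the same three filters work unchanged on any passwd-format file, including ones pulled from a container image or a backup.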

Remember to test for password reuse and default credentials.

Try running automated tools as well. Their output is large, but it is often cleaner than what we get from running commands manually, and they also check things that are tedious to do by hand:

  • Interesting configuration files
  • Interesting files that may contain a password
  • Interesting sockets
  • Interesting kernel exploits
  • ...

👻 To-do 👻

Stuff that I found but have never read or used yet.

  • Check if the host is connected to AD