Privilege Escalation Check List - Linux

From RCATs
Revision as of 12:22, 21 February 2023 by Ali3nw3rx (talk | contribs) (→‎Processes)


System Information[1]

* Get OS information
* Check the PATH for any writable folders
* Check the env variables for any sensitive details
* Search for Kernel Exploits (i.e. PwnKit, DirtyCow etc)
* Check the sudo version to see if it's vulnerable
* Dmesg signature verification failed
* System enumeration

Drives

* List mounted drives
* Any unmounted drives
* Any credentials in fstab

Installed Software

* Check for useful software installed
* Check for vulnerable software installed

Processes

* Is any unknown software running
* Is any software running with more privileges than it should have
* Can you modify the binary of any running process
* Monitor processes and check if any interesting process is running frequently
* Can you read some interesting process memory

# Commands
ps aux #Lists all the processes currently running on the machine
ps axjf #Lists all the processes in a tree format
ps 
 	-e -> all processes
	-f -> full-format listing
	-j -> jobs format
	-l -> long format
	-u -> user-oriented format
pspy can also be uploaded and ran to see if there are any repeating processes

Process Tools:

PSPY[2]

Scheduled Task/Cron Jobs

* Is the PATH being modified by some cron job and you can write to it
* Any wildcard in a cron job
* Some modifiable script is being executed or is inside a modifiable folder
* A script that is being executed very frequently

Services

* Any writeable .service file
* Any writeable binary executed by a service
* Any writeable folder in systemd PATH

Timers

* Any writeable timers

Sockets

* Any writeable .socket file
* Can you communicate with any socket
* HTTP sockets with interesting info

D-BUS

* Can you communicate with any D-Bus

Network

* Enumerate the network to know where you are
* Open ports you couldn't access before getting a shell inside the machine
* Can you sniff traffic using tcpdump

Users

* Generic users/groups enumeration
* Do you have a very big UID? Is the machine vulnerable?
* Can you escalate privileges thanks to a group you belong to?
* Clipboard data?
* Password Policy?
* Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.

Writeable Path

* If you have write privileges over some folder in PATH you may be able to escalate privileges

Sudo and SUID Commands

* Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
* Is any exploitable SUID binary? (GTFOBins)
* Are sudo commands limited by path? can you bypass the restrictions?
* Sudo/SUID binary without path indicated?
* SUID binary specifying path? Bypass
* LD_PRELOAD vuln
* Lack of .so library in SUID binary from a writable folder?
* SUDO tokens available? Can you create a SUDO token?
* Can you read or modify sudoers files?
* Can you modify /etc/ld.so.conf.d/?
* OpenBSD DOAS command

Capabilities

* Has any binary unexpected capability

ACL's

* Does any file have unexpected ACL

Open Shell Sessions

* Screen
* Tmux

SSH

* Debian OpenSSL Predictable PRNG - CVE-2008-0166
* SSH Interesting configuration values

Interesting Files

* Profile files - Read sensitive data? Write to privesc?
* passwd/shadow files - Read sensitive data? Write to privesc?
* Check commonly interesting folders for sensitive data
* Weird Location/Owned files, you may have access to or alter executable files
* Modified in last mins
* Sqlite DB files
* Hidden files
* Script/Binaries in PATH
* Web files (passwords?)
* Backups?
* Known files that contains passwords: Use Linpeas and LaZagne
* Generic search

Writeable Files

* Modify python library to execute arbitrary commands?
* Can you modify log files? Logtotten exploit
* Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
* Can you write in ini, int.d, systemd or rc.d files?

Other Tricks

* Can you abuse NFS to escalate privileges?
* Do you need to escape from a restrictive shell?