Privilege Escalation Check List - Linux

From RCATs


Shell Stabilization

python -c 'import pty;pty.spawn("/bin/bash")' # or, where only python3 is installed:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z [Background Process]
stty raw -echo ; fg ; 
reset
stty columns 200 rows 200

System Information[1]

* Get OS information # uname -a
* Check the PATH for any writable folders # for d in $(echo "$PATH" | tr ':' ' '); do [ -w "$d" ] && echo "$d"; done
* Check the env variables for any sensitive details # env
* Search for kernel and other local exploits (e.g. DirtyCow, PwnKit) # linpeas
* Check the sudo version to see if it's vulnerable # sudo -V
  
# System enumeration Commands
  
ls /etc/*-release # -> looks for version numbers
cat /etc/os-release # -> cat out the file with the version numbers
hostname # -> return hostname of target
cat /etc/passwd # -> read passwd file for possible users
cat /etc/group # -> read groups for possible users
sudo cat /etc/shadow # -> read out shadow file for password hashes
ls -lh /var/mail # -> checks mail directories
ls /usr/bin /sbin # -> list installed applications
rpm -qa # -> list installed packages on RPM linux distro
dpkg -l # -> list installed packages on Debian linux distro
who # -> shows logged in users
whoami # -> shows what user you are logged in as
w # -> shows who is logged in and what they are doing
id # -> gives you your current UID and Group
last # -> displays login and logout info for users
sudo -l # -> what commands we can run sudo as

Enumeration Tools:

PEAS | LSE

Drives

* List mounted drives
* Any unmounted drives
* Any credentials in fstab

Installed Software

* Check for useful software installed
* Check for vulnerable software installed

dpkg -l # List all programs installed
dpkg -l | grep "program" # Search for a specific program
rpm -qa | grep "program" # Search for a specific program

Processes

* Is any unknown software running
* Is any software running with more privileges than it should have
* Can you modify the binary of any running process
* Monitor processes and check if any interesting process is running frequently
* Can you read some interesting process memory

# Commands
ps aux # Lists all the processes currently running on the machine
ps aux | grep "root" # Shows all processes that belong to root
ps axjf # Lists all the processes in a tree format
ps # useful flags:
	-e # -> all processes
	-f # -> full-format listing
	-j # -> jobs format
	-l # -> long format
	-u # -> user-oriented format
pspy can also be uploaded and run to see if there are any repeating processes

Process Tools:

PSPY[2]

Scheduled Task/Cron Jobs

* Is the PATH being modified by some cron job and you can write to it
* Any wildcard in a cron job
* Some modifiable script is being executed or is inside a modifiable folder
* A script that is being executed very frequently
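The four cron checks above, as an added audit helper that is not part of the RCATs page. It reads a system-crontab-style file (five time fields, then the user, then the command; `@reboot`-style entries carry the command from the third field) and reports PATH= lines that put a world-writable directory on cron's search path, commands given without an absolute path, commands whose executable is itself world-writable, and wildcards in the command line. Function names and the sample file in the usage comment are constructed for this example; it inspects only the crontab lines, not the contents of the scripts they run.

```shell
#!/bin/sh
# Added audit helper (not from the RCATs page): flag risky entries in a
# system-crontab-style file (min hour dom mon dow user command).
# Reports:
#   - PATH= lines that put a world-writable directory on cron's search path
#   - commands given without an absolute path (resolved through that PATH)
#   - commands whose executable is itself world-writable
#   - wildcards in the command line
# Usage: audit_crontab /etc/crontab

is_world_writable() {
    # Character 9 of the `ls -ld` mode string is the "other" write bit.
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

audit_crontab() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                 # blank or comment
            PATH=*)
                old_ifs=$IFS; IFS=:
                for d in ${line#PATH=}; do
                    if [ -d "$d" ] && is_world_writable "$d"; then
                        printf 'cron PATH has world-writable dir: %s\n' "$d"
                    fi
                done
                IFS=$old_ifs
                continue ;;
            [A-Za-z_]*=*) continue ;;            # other VAR=value lines (SHELL=, MAILTO=, ...)
            @*) first=3 ;;                       # @reboot/@daily entries: user is field 2
            *)  first=7 ;;                       # five time fields, then the user
        esac
        # Everything from field $first onwards is the command line.
        cmd=$(printf '%s\n' "$line" | awk -v s="$first" \
            '{ for (i = s; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "") }')
        [ -z "$cmd" ] && continue
        bin=${cmd%% *}                           # first word: the executable
        case $bin in
            /*) if is_world_writable "$bin"; then
                    printf 'world-writable command: %s\n' "$bin"
                fi ;;
            *)  printf 'relative command (resolved via PATH): %s\n' "$bin" ;;
        esac
        case $cmd in
            *\**) printf 'wildcard in command: %s\n' "$cmd" ;;
        esac
    done < "$1"
    return 0
}

# Example: audit_crontab /etc/crontab
# (user crontabs under /var/spool/cron have no user field; they are not handled here)
```

Running it as a periodic job and diffing the output against a known-good run turns the checklist items into a detection: a new relative command or a newly writable script shows up as a changed line.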

Services

* Any writeable .service file
* Any writeable binary executed by a service
* Any writeable folder in systemd PATH

Timers

* Any writeable timers

Sockets

* Any writeable .socket file
* Can you communicate with any socket
* HTTP sockets with interesting info

D-BUS

* Can you communicate with any D-Bus

Network

* Enumerate the network to know where you are
* Open ports you couldn't access before getting a shell inside the machine
* Can you sniff traffic using tcpdump

ip a s # -> shows current ip

cat /etc/resolv.conf # -> shows the DNS servers

netstat #-> shows info about network connections
	-a #-> show both listening and non-listening sockets
	-l #-> show only listening sockets
	-n #-> show numeric output instead of resolving the IP address and port number
	-t #-> TCP
	-u #-> UDP
	-x #-> UNIX
	-p #-> show the PID and name of the program to which the socket belongs

sudo netstat -atupn #-> show all TCP / UDP listening and established conn with ports

sudo lsof -i #-> list open network sockets (Internet files) and their processes

sudo lsof -i :<port> #-> show which process has a specific port open

Users

* Generic users/groups enumeration
* Do you have a very big UID? Is the machine vulnerable?
* Can you escalate privileges thanks to a group you belong to?
* Clipboard data?
* Password Policy?
* Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.

Writeable Path

* If you have write privileges over some folder in PATH you may be able to escalate privileges
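The writable-PATH check (also listed under System Information), as an added audit helper that is not part of the RCATs page. It reads the mode bits from `ls -ld` rather than using `test -w`, so the result does not depend on who runs it (root passes `-w` on everything); it reports world-writable entries, marks sticky-bit directories such as /tmp separately, and flags empty entries, which make the shell search the current directory. The function name is an assumption of this example, and it only covers the "other" write bit, not group-writable directories.

```shell
#!/bin/sh
# Added audit helper (not from the RCATs page): report PATH entries that any
# user could write to. Uses the mode bits from `ls -ld` rather than `test -w`,
# so the answer does not change depending on who runs it.
# Usage: world_writable_path_dirs "$PATH"

world_writable_path_dirs() {
    path_list=$1
    old_ifs=$IFS
    IFS=:                               # split on ':' in plain POSIX sh (no arrays)
    for dir in $path_list; do
        if [ -z "$dir" ]; then
            # An empty entry ("a::b" or a leading ':') means the current directory.
            printf '%s\n' '(empty entry: current directory is searched)'
            continue
        fi
        [ -d "$dir" ] || continue       # nonexistent entry: nothing to write into
        mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxrwxrwt
        if [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then   # "other" write bit
            case $(printf '%s' "$mode" | cut -c10) in
                # sticky: anyone can add files, but files owned by others cannot be replaced
                t|T) printf '%s (sticky)\n' "$dir" ;;
                *)   printf '%s\n' "$dir" ;;
            esac
        fi
    done
    IFS=$old_ifs
    return 0
}

# Check the current environment when run directly.
world_writable_path_dirs "$PATH"
```

A sticky directory such as /tmp on PATH is still a finding: a command that is not installed at all can be supplied there by anyone, which is why the stabilisation PATH at the top of this page (ending in /tmp) should be dropped once a proper shell is obtained.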

Sudo and SUID Commands

* Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
* Is there any exploitable SUID binary? (GTFOBins)
* Are sudo commands limited by path? Can you bypass the restrictions?
* Sudo/SUID binary without a path indicated?
* SUID binary specifying a path? Bypass
* LD_PRELOAD vuln
* Missing .so library loaded by a SUID binary from a writable folder?
* SUDO tokens available? Can you create a SUDO token?
* Can you read or modify sudoers files?
* Can you modify /etc/ld.so.conf.d/?
* OpenBSD DOAS command

# commands
find / -perm -4000 2>/dev/null # -> everything with the SUID bit set
find / -perm -u=s -type f 2>/dev/null # -> same, restricted to regular files
find / -name user.txt 2>/dev/null
find / -perm -u=s -type f 2>/dev/null | xargs ls -la # -> with owner and permissions
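The SUID enumeration above, turned into a detection, as an added example that is not part of the RCATs page: the same `find` listing is saved once from a trusted state as a baseline, and later runs are compared against it with `comm` so that only setuid binaries not in the baseline are printed. Function names and the baseline file name are assumptions of this example; the same pattern works for `getcap -r /` output in the Capabilities section.

```shell
#!/bin/sh
# Added example (not from the RCATs page): report SUID binaries that are not in
# a known-good baseline. The baseline is a list of paths, one per line, taken
# from list_suid_binaries while the host was in a trusted state.
# Usage: new_suid_binaries suid-baseline.txt [root_dir]

list_suid_binaries() {
    # Regular files with the setuid bit; unreadable directories are skipped quietly.
    find "${1:-/}" -type f -perm -4000 2>/dev/null | sort
}

new_suid_binaries() {
    baseline=$1
    root=${2:-/}
    # comm needs both inputs sorted; sort the baseline into a temp file first.
    sorted=$(mktemp)
    sort "$baseline" > "$sorted"
    # comm -13 prints only lines unique to the second input: current SUID files
    # that the baseline does not know about.
    list_suid_binaries "$root" | comm -13 "$sorted" -
    rm -f "$sorted"
}

# First run on a trusted host:   list_suid_binaries / > suid-baseline.txt
# Later, e.g. from cron:         new_suid_binaries suid-baseline.txt /
```

Binaries that disappear from the listing are not reported by `comm -13`; swapping the flag to `-23` lists those instead, which is useful after package upgrades that drop a setuid bit.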

SUID Tools:[3]

GTFOBINS

Capabilities

* Does any binary have an unexpected capability?

# Commands
getcap -r / 2>/dev/null # -> list file capabilities

ACLs

* Does any file have an unexpected ACL?

Open Shell Sessions

* Screen
* Tmux

SSH

* Debian OpenSSL Predictable PRNG - CVE-2008-0166
* SSH Interesting configuration values

Interesting Files

* Profile files - Read sensitive data? Write to privesc?
* passwd/shadow files - Read sensitive data? Write to privesc?
* Check commonly interesting folders for sensitive data
* Files in weird locations or with unusual owners: you may be able to read or alter executable files
* Modified in last mins
* Sqlite DB files
* Hidden files
* Script/Binaries in PATH
* Web files (passwords?)
* Backups?
* Known files that contain passwords: use LinPEAS and LaZagne
* Generic search

Writeable Files

* Modify a python library to execute arbitrary commands?
* Can you modify log files? Logrotten exploit
* Can you modify /etc/sysconfig/network-scripts/? CentOS/Red Hat exploit
* Can you write to ini, init.d, systemd or rc.d files?

Other Tricks

* Can you abuse NFS to escalate privileges?
* Do you need to escape from a restrictive shell?