CtrlK

methodology

This is a simple checklist to help with the basics of privilege escalation on Linux. If you get stuck with escalating privileges, you may find it helpful to come back to this checklist.

Check the hosts file to see if there are any interesting hosts listed.
Check for files in the home directory that may have sensitive information in them.
- .viminfo
  This file can show you what files were edited and commands ran in vim

Find executables with SUID and GUID set

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Note: You need to leave the in the command.

Run strace or ltrace on any unique SUID & GUID executables

strace <path/to/executable> 2>&1 | grep -iE "wait|open|access|no such file"

Check SUID & GUIDe executables with GTFO Bins
Look at cron jobs
- crontab -l
- ls /var/spool/cron/
- cat /etc/crontab
Check the version of the shells that are on the system
Check permissions on /etc/passwd
Check permissions on /etc/shadow
What can the user run with sudo
```
sudo -l
```
Check GTFO bins for commands that can be ran as sudo
Run strace or ltrace on commands that can be ran as sudo
Check the shell history
```
history
cat ~/.bash_history
```
Find and look through config files for passwords and sensitive information
- Consider other config files such as CMS config files for databases
  grep -R -i password /etc/
Check for readable ssh keys
```
find / -name -id_rsa- 2>/dev/null
```
Check mountable and mounted drives
Check for NFS that has no_root_squash
```
cat /etc/exports
```
Check for Kernel exploits
```
uname -a
```
Use privilege escalation scripts
- https://github.com/rebootuser/LinEnum
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- https://github.com/diego-treitos/linux-smart-enumeration
  Note: When using these scripts make sure that you carefully read the output and that you understand what it is telling you.

PreviousLinux PrivEsc NextPrivilege Escalation Scripts

Last updated 2 years ago

Was this helpful?