This is a simple checklist to help with the basics of privilege escalation on Linux. If you get stuck with escalating privileges, you may find it helpful to come back to this checklist.
Check the hosts file to see if there are any interesting hosts listed.
Check for files in the home directory that may have sensitive information in them.
.viminfo
This file can show you which files were edited and which commands were run in vim.
Find executables with SUID and SGID set
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Note: You need to leave the in the command.
Run strace or ltrace on any unique SUID & SGID executables
strace
ltrace
strace <path/to/executable> 2>&1 | grep -iE "wait|open|access|no such file"
Check SUID & SGID executables with GTFO Bins
Look at cron jobs
crontab -l
ls /var/spool/cron/
cat /etc/crontab
Check the version of the shells that are on the system
Check permissions on /etc/passwd
/etc/passwd
Check permissions on /etc/shadow
/etc/shadow
What can the user run with sudo
sudo -l
Check GTFO Bins for commands that can be run as sudo
Run strace or ltrace on commands that can be run as sudo
Check the shell history
history
cat ~/.bash_history
Find and look through config files for passwords and sensitive information
Consider other config files such as CMS config files for databases
grep -R -i password /etc/
Check for readable ssh keys
find / -name '*id_rsa*' 2>/dev/null
Check mountable and mounted drives
Check for NFS that has no_root_squash
cat /etc/exports
Check for Kernel exploits
uname -a
Use privilege escalation scripts
https://github.com/rebootuser/LinEnum
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
https://github.com/diego-treitos/linux-smart-enumeration
Note: When using these scripts make sure that you carefully read the output and that you understand what it is telling you.
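For the no_root_squash item above, reading /etc/exports by eye is error-prone because options apply per client and can be set as line defaults. The following is an added example, not part of the original checklist: the function names find_no_root_squash and sample_exports and the sample exports are constructed for illustration, and quoted paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: report NFS exports where root squashing is disabled.

# Constructed sample in /etc/exports syntax.
sample_exports() {
cat <<'EOF'
# constructed sample
/srv/share   10.0.0.0/24(rw,sync,no_root_squash) backup01(ro)
/srv/home    *(rw,root_squash)
/srv/build   -rw,no_root_squash ci01 ci02(root_squash) \
             ci03(sync)
/srv/pub     (ro,all_squash)  # no_root_squash only in a comment
EOF
}

# Usage: find_no_root_squash [file]   ("-" reads standard input)
# Prints "path client" for every export where root is not squashed.
find_no_root_squash() {
    awk '
    { line = pending $0; pending = "" }
    # Join lines continued with a trailing backslash.
    line ~ /\\$/ { sub(/\\$/, " ", line); pending = line; next }
    {
        sub(/#.*/, "", line)          # drop comments
        $0 = line                     # re-split into fields
        if (NF < 2) next
        defaults = ""
        for (i = 2; i <= NF; i++) {
            # "-opt,opt" sets defaults for the clients that follow it.
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }
            client = $i; opts = defaults
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                own = substr($i, p + 1); sub(/\)$/, "", own)
                opts = (defaults == "" ? own : defaults "," own)
            }
            if (client == "") client = "*"   # "(opts)" alone means any host
            # root_squash is the default; the last option given wins.
            squashed = 1
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") squashed = 0
                else if (o[j] == "root_squash") squashed = 1
            }
            if (!squashed) print $1, client
        }
    }' "${1:-/etc/exports}"
}

sample_exports | find_no_root_squash -
```

Each line of output is an export path and the client that receives it without root squashing; on a hardened server the output should be empty or limited to clients that are explicitly trusted.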
Last updated 3 years ago