methodology

This is a simple checklist to help with the basics of privilege escalation on Linux. If you get stuck with escalating privileges, you may find it helpful to come back to this checklist.

• Check the hosts file to see if there are any interesting hosts listed.

• Check for files in the home directory that may have sensitive information in them.

  • .viminfo

    • This file can show you what files were edited and commands ran in vim

• Find executables with SUID and GUID set

  Copy

  find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

  Note: You need to leave the in the command.

• Run strace or ltrace on any unique SUID & GUID executables

  Copy

  strace <path/to/executable> 2>&1 | grep -iE "wait|open|access|no such file"

• Check SUID & GUIDe executables with

• Look at cron jobs

  • crontab -l

  • ls /var/spool/cron/

  • cat /etc/crontab

• Check the version of the shells that are on the system

• Check permissions on /etc/passwd

• Check permissions on /etc/shadow

• What can the user run with sudo

  Copy

  sudo -l

• Check GTFO bins for commands that can be ran as sudo

• Run strace or ltrace on commands that can be ran as sudo

• Check the shell history

  Copy

  history
  cat ~/.bash_history

• Find and look through config files for passwords and sensitive information

  • Consider other config files such as CMS config files for databases

    Copy

    grep -R -i password /etc/

• Check for readable ssh keys

  Copy

  find / -name -id_rsa- 2>/dev/null

• Check mountable and mounted drives

• Check for NFS that has no_root_squash

  Copy

  cat /etc/exports

• Check for Kernel exploits

  Copy

  uname -a

• Use privilege escalation scripts

  • Note: When using these scripts make sure that you carefully read the output and that you understand what it is telling you.