OSCP
Linux Priv Escalation
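# Linux privilege-escalation enumeration cheat sheet.
# Reference commands, meant to be run one at a time rather than executed
# top to bottom as a script.

# priv esc enumeration scripts
# https://github.com/rebootuser/LinEnum
# https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py
# http://pentestmonkey.net/tools/audit/unix-privesc-check

# Kernel and OS
# The kernel release and distro version are what gets compared against
# vendor advisories to see which patches are missing.
uname -a
uname -mrs
cat /etc/issue
cat /etc/lsb-release      # Debian based
cat /etc/redhat-release   # Redhat based

# running services, and services run by root
ps aux
ps aux | grep root   # matches any line containing "root", including the grep process itself

# which applications are installed
dpkg -l   # Debian based
ls -alh /usr/bin/
ls -alh /sbin/

# scheduled tasks
# crontab -l lists only the current user's crontab; system-wide jobs live in
# /etc/crontab and /etc/cron.d/.
# Hardening check: a job that runs as root should not reference a script or
# directory that another user can write to.
crontab -l

# port forwarding
# [username]@[ip] is a placeholder: the address in the original listing was
# replaced by the site's e-mail obfuscation.
ssh -L 8080:127.0.0.1:80 [username]@[ip]   # Local Port: local 8080 -> 127.0.0.1:80 as seen from the SSH server
ssh -R 8080:127.0.0.1:80 [username]@[ip]   # Remote Port: server's 8080 -> 127.0.0.1:80 on the client side
# Server-side controls for both: AllowTcpForwarding, PermitOpen and
# GatewayPorts in sshd_config.

# tunneling
# -D opens a SOCKS proxy on local port 9050; -N runs no remote command.
# proxychains has to be configured to use that same SOCKS port.
ssh -D 127.0.0.1:9050 -N [username]@[ip]
# NOTE(review): ifconfig opens no network connection, so this prints the local
# interfaces and does not show that traffic is going through the tunnel.
proxychains ifconfig

# sensitive files
cat /etc/passwd
cat /etc/group
cat /etc/shadow      # should fail for an unprivileged user; if it succeeds, the file permissions are a finding
ls -alh /var/mail/

# check home dirs
ls -ahlR /root/      # /root readable by a non-root user is itself a misconfiguration
ls -ahlR /home

# private key search
# The files without a .pub suffix are private keys. Any of them being readable
# by a user other than the owner (root for the host keys) is the finding;
# the .pub files and the two config files are expected to be world-readable.
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

# Sticky Bits & SUID & SGID
# 2>/dev/null hides the "Permission denied" noise from directories the
# current user cannot read, so the listing may be incomplete when not root.
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
# SGID or SUID. The parentheses are required: -o binds looser than the implied
# -a, so without them "-type f" applies only to the SUID test and SGID
# directories are listed as well.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
# Review the result against what the distribution's packages install; a
# set-id bit that is not needed can be dropped with chmod u-s / chmod g-s.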
