coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2f50738a64
hacktricks/linux-unix/linux-privilege-escalation-checklist.md

93 lines
4.8 KiB
Markdown
Raw Normal View History

GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
---
description: Checklist for privilege escalation in Linux
---
# Checklist - Linux Privilege Escalation
### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)\*\*\*\*
### [Vulnerable Kernel?](privilege-escalation/#kernel-exploits)
* [ ] Search for kernel **exploits using scripts** \(linux.exploit-suggester.sh, inux-exploit-suggester2.pl, linuxprivcheckser.py\)
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] **Check** if the [**sudo version** is vulnerable](privilege-escalation/#sudo-version)
### [Vulnerable Processes?](privilege-escalation/#processes)
* [ ] Is any **unknown software running**?
* [ ] Is any software with **more privileges that it should have running**?
* [ ] Search for **exploits for running processes** \(specially if running of versions\)
* [ ] Can you **read** some interesting **process memory** \(where passwords could be saved\)?
### [Known users/passwords?](privilege-escalation/#users)
* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without password.
### [Interesting Groups?](privilege-escalation/#groups)
GitBook: [master] 362 pages modified
2020-08-20 11:59:57 +00:00
* [ ] Check **if** you [**belong** to any **group** that can grant you **root rights**](privilege-escalation/interesting-groups-linux-pe/).
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
### [Weird scheduled jobs?](privilege-escalation/#scheduled-jobs)
* [ ] Is the **PATH** being modified by some cron and you can **write** in it?
* [ ] Some **modifiable script** is being **executed** or is inside **modifiable folder**?
* [ ] Is some cron **script calling other** script that is **modifiable** by you? or using **wildcards**?
* [ ] Have you detected that some **script** could be being **executed** very **frequently**? \(every 1, 2 or 5 minutes\)
### [Any sudo command?](privilege-escalation/#commands-with-sudo-and-suid-commands)
* [ ] Can you execute **any comand with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root?
* [ ] Is some **wildcard used**?
* [ ] Is the binary specified **without path**?
* [ ] Is _**env\_keep+=LD\_PRELOAD**_?
### [Any weird suid command?](privilege-escalation/#commands-with-sudo-and-suid-commands)
* [ ] **SUID** any **interesting command**? Can you use it to READ, WRITE or EXECUTE anything as root?
* [ ] Is some **wildcard used**?
* [ ] Is the SUID binary **executing some other binary without specifying the path**? or specifying it?
* [ ] Is it trying to **load .so from writable folders**?
### [Weird capabilities?](privilege-escalation/#capabilities)
* [ ] Has any binary any **uncommon capability**?
### [Open Shell sessions?](privilege-escalation/#open-shell-sessions)
* [ ] screen?
* [ ] tmux?
### [Can you read some sensitive data?](privilege-escalation/#read-sensitive-data)
* [ ] Can you **read** some **interesting files**? \(files with passwords, \*\_history, backups...\)
### [Can you write important files?](privilege-escalation/#writable-files)
* [ ] Are you able to **write files that could grant you more privileges**? \(service conf files, shadow,a script that is executed by other users, libraries...\)
### [Internal open ports?](privilege-escalation/#internal-open-ports)
* [ ] You should check if any undiscovered service is running in some port/interface. Maybe it is running with more privileges that it should or it is vulnerable to some kind of privilege escalation vulnerability.
### [Can you sniff some passwords in the network?](privilege-escalation/#sniffing)
* [ ] Can you **sniff** and get **passwords** from the **network**?
### [Any service missconfigurated? NFS? belongs to docker or lxd?](privilege-escalation/#privesc-exploiting-service-misconfigurations)
1. [ ] Any well known missconfiguration? \([**NFS no\_root\_squash**](privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)\)
### [Any weird executable in path?](privilege-escalation/#check-for-weird-executables)
GitBook: [master] 11 pages modified
2020-08-17 08:33:42 +00:00
If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%284%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
Reference in New Issue Copy Permalink