4.8 KiB
4.8 KiB
| description |
|---|
| Checklist for privilege escalation in Linux |
Checklist - Linux Privilege Escalation
Best tool to look for Linux local privilege escalation vectors: LinPEAS****
Vulnerable Kernel?
- Search for kernel exploits using scripts
linux.exploit-suggester.sh, inux-exploit-suggester2.pl, linuxprivcheckser.py - Use Google to search for kernel exploits
- Use searchsploit to search for kernel exploits
- Check if the sudo version is vulnerable
Vulnerable Processes?
- Is any unknown software running?
- Is any software with more privileges that it should have running?
- Search for exploits for running processes
specially if running of versions - Can you read some interesting process memory
where passwords could be saved?
Known users/passwords?
- Try to use every known password that you have discovered previously to login with each possible user. Try to login also without password.
Interesting Groups?
- Check if you belong to any group that can grant you root rights.
Weird scheduled jobs?
- Is the PATH being modified by some cron and you can write in it?
- Some modifiable script is being executed or is inside modifiable folder?
- Is some cron script calling other script that is modifiable by you? or using wildcards?
- Have you detected that some script could be being executed very frequently?
every 1, 2 or 5 minutes
Any sudo command?
- Can you execute any comand with sudo? Can you use it to READ, WRITE or EXECUTE anything as root?
- Is some wildcard used?
- Is the binary specified without path?
- Is env_keep+=LD_PRELOAD?
Any weird suid command?
- SUID any interesting command? Can you use it to READ, WRITE or EXECUTE anything as root?
- Is some wildcard used?
- Is the SUID binary executing some other binary without specifying the path? or specifying it?
- Is it trying to load .so from writable folders?
Weird capabilities?
- Has any binary any uncommon capability?
Open Shell sessions?
- screen?
- tmux?
Can you read some sensitive data?
- Can you read some interesting files?
files with passwords, \*\_history, backups...
Can you write important files?
- Are you able to write files that could grant you more privileges?
service conf files, shadow,a script that is executed by other users, libraries...
Internal open ports?
- You should check if any undiscovered service is running in some port/interface. Maybe it is running with more privileges that it should or it is vulnerable to some kind of privilege escalation vulnerability.
Can you sniff some passwords in the network?
- Can you sniff and get passwords from the network?
Any service missconfigurated? NFS? belongs to docker or lxd?
- Any well known missconfiguration?
[**NFS no\_root\_squash**](privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
Any weird executable in path?
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the PEASS & HackTricks telegram group here.
If you want to share some tricks with the community you can also submit pull requests to ****https://github.com/carlospolop/hacktricks ****that will be reflected in this book.
Don't forget to give ⭐ on the github to motivate me to continue developing this book.
Buy me a coffee here****