hacktricks/linux-hardening/linux-privilege-escalation-checklist.md
2022-12-05 23:29:21 +01:00

11 KiB
Raw Blame History

Checklist - Linux Privilege Escalation

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

Did you know that crypto projects pay more bounty rewards than their web2 counterparts?
****This crypto bounty alone is worth $1.000.000!
Check out the top-paying bounties among crypto projects.
Sign up on HackenProof to get rewarded without delays and become the web3 hacker legend.

{% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}

Best tool to look for Linux local privilege escalation vectors: LinPEAS

System Information

Drives

  • List mounted drives
  • Any unmounted drive?
  • Any creds in fstab?

Installed Software

Processes

  • Is any unknown software running?
  • Is any software running with more privileges than it should have?
  • Search for exploits of running processes (especially the version running).
  • Can you modify the binary of any running process?
  • Monitor processes and check if any interesting process is running frequently.
  • Can you read some interesting process memory (where passwords could be saved)?

Scheduled/Cron jobs?

Services

  • Any writable .service file?
  • Any writable binary executed by a service?
  • Any writable folder in systemd PATH?

Timers

  • Any writable timer?

Sockets

  • Any writable .socket file?
  • Can you communicate with any socket?
  • HTTP sockets with interesting info?

D-Bus

  • Can you communicate with any D-Bus?

Network

  • Enumerate the network to know where you are
  • Open ports you couldn't access before getting a shell inside the machine?
  • Can you sniff traffic using tcpdump?

Users

  • Generic users/groups enumeration
  • Do you have a very big UID? Is the machine vulnerable?
  • Can you escalate privileges thanks to a group you belong to?
  • Clipboard data?
  • Password Policy?
  • Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.

Writable PATH

  • If you have write privileges over some folder in PATH you may be able to escalate privileges

SUDO and SUID commands

Capabilities

  • Has any binary any unexpected capability?

ACLs

  • Has any file any unexpected ACL?

Open Shell sessions

  • screen
  • tmux

SSH

Interesting Files

  • Profile files - Read sensitive data? Write to privesc?
  • passwd/shadow files - Read sensitive data? Write to privesc?
  • Check commonly interesting folders for sensitive data
  • Weird Location/Owned files, you may have access to or alter executable files
  • Modified in last mins
  • Sqlite DB files
  • Hidden files
  • Script/Binaries in PATH
  • Web files (passwords?)
  • Backups?
  • Known files that contains passwords: Use Linpeas and LaZagne
  • Generic search

Writable Files

  • Modify python library to execute arbitrary commands?
  • Can you modify log files? Logtotten exploit
  • Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
  • Can you write in ini, int.d, systemd or rc.d files?

Other tricks

Did you know that crypto projects pay more bounty rewards than their web2 counterparts?
****This crypto bounty alone is worth $1.000.000!
Check out the top-paying bounties among crypto projects.
Sign up on HackenProof to get rewarded without delays and become the web3 hacker legend.

{% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥