# Linux Prevesc

A checklist for linux privesc. Might be missing lots of things. Is mostly taken from <https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/>

Do you have a decent shell?

```
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")' 
echo os.system('/bin/bash') 
/bin/sh -i
```

To get tab completion working

```
ctrl+z
echo $TERM && tput lines && tput cols

stty raw -echo
fg

reset
export SHELL=bash 
export TERM=xterm-256color (screen when running tmux)
stty rows <num> columns <cols>
```

Or use Socat for a full reverse tty

```
socat file:`tty`,raw,echo=0 tcp-listen:12345
```

## Initial Recon

Start by checking the version and distro of the machine for possible kernel exploits, and also the sudo permissions of whatever account you have if possible.

```
lsb_release -a && uname -a 
cat /etc/issue
cat /etc/*-release
cat /proc/version
sudo -l
```

To do things quick, run the LinEnum script from Rebootuser.

<https://github.com/rebootuser/LinEnum>

Check for plaintext passwords with it

```
./LinEnum.sh -t -k password
```

What users have shells on the box?

```
grep -vE "nologin|false" /etc/passwd
```

Anything in users home directories or mail?

```
ls -ahlR /root/
ls -ahlR /home/
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
```

Anything else in the environmental variables? symlinks?

```
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bash_logout
env
set
find / -type l -ls
```

Anything going on with the network? hidden services? logged in users?

```
/sbin/ifconfig -a 
cat /etc/network/interfaces 
cat /etc/sysconfig/network
lsof -i 
lsof -i :80 
grep 80 /etc/services 
netstat -antup 
netstat -antpx 
netstat -tulpn 
chkconfig --list 
chkconfig --list | grep 3:on 
last 
w
arp -a
```

Can you sniff traffic?

```
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21
```

## SUID Files, Root Services, and Other Files

Check for things running as root

```
ps aux | grep root
ps -ef | grep root
```

Check the version of something that's installed

```
dpkg -l | grep -i PAM
```

Any file-systems mounted or unmounted?

```
mount
df -h
cat /etc/fstab
```

Then do suid/guid and other interesting files.

```
find / -perm -4000 -exec ls -al -print 2>/dev/null {} \;
find / -uid 0 -perm -4000 2>/dev/null
```

To create our own SUID binary

```
print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c   
gcc -o /tmp/suid /tmp/suid.c  
sudo chmod +x /tmp/suid 
sudo chmod +s /tmp/suid
```

SGID (chmod 2000) - run as the group, not the user who started it.

```
find / -perm -g=s -type f 2>/dev/null
```

SUID (chmod 4000) - run as the owner, not the user who started it.

```
find / -perm -u=s -type f 2>/dev/null
```

Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.

```
find / -perm -1000 -type d 2>/dev/null
```

Are any folders or files world writeable and executable?

```
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
```

Anything modified recently? To check for executables updated in August

```
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
```

To find anything modified in the last 10 minutes

```
find / -mmin -10 -type f 2>/dev/null
```

Any writeable configuration files?

```
find /etc/ -writable -type f 2>/dev/null
```

Or any files containing 'config'

```
find . -iname '*config*'
```

To find a specific file

```
find /. -name suid\*
```

Files with passwords?

```
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
```

Find .conf files(recursive 4 levels) and output line number where the word 'password' is located

```
find / -maxdepth 7 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null
```

Or other sensitive files

```
$ locate password | more           
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
```

Find all perl files ownd by rootme in /var/www

```
find /var/www -user rootme -name "*.pl"
```

Scan for string in all files in a directory

```
du . | awk '{print $2}'| grep -rnw "string" --color
```

Find password strings in memory

```
strings /dev/mem -n10 | grep -i PASS
```

## Cron

Look through these

```
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
```

This might not work but the for loop will list crontabs for a user.

```
for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done
```

This is a nice script from ihack4falafel to monitor cron and echo new processes

<https://github.com/ihack4falafel/OSCP/blob/master/BASH/CronJobChecker.sh>

## Keys and Database Passwords

Quick check for current user private keys

```
ls    –al    ~/.ssh/id_rsa    ~/.ssh/id_dsa
```

Any private keys saved elsewhere?

```
cat ~/.ssh/authorized_keys 
cat ~/.ssh/identity.pub 
cat ~/.ssh/identity 
cat ~/.ssh/id_rsa.pub 
cat ~/.ssh/id_rsa 
cat ~/.ssh/id_dsa.pub 
cat ~/.ssh/id_dsa 
cat /etc/ssh/ssh_config 
cat /etc/ssh/sshd_config 
cat /etc/ssh/ssh\_host\_dsa_key.pub 
cat /etc/ssh/ssh\_host\_dsa_key 
cat /etc/ssh/ssh\_host\_rsa_key.pub 
cat /etc/ssh/ssh\_host\_rsa_key 
cat /etc/ssh/ssh\_host\_key.pub 
cat /etc/ssh/ssh\_host\_key
```

Whats in var?

```
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
```

Any files with database information?

```
ls -alhR /var/www/ 
ls -alhR /srv/www/htdocs/ 
ls -alhR /usr/local/www/apache22/data/ 
ls -alhR /opt/lampp/htdocs/ 
ls -alhR /var/www/html/
```

Default locations sometimes for good things

```
cat /var/apache2/config.inc 
cat /var/lib/mysql/mysql/user.MYD 
cat /root/anaconda-ks.cfg
```

## References

<https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/>

<https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/>

<https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA>

<https://bitvijays.github.io/LFC-VulnerableMachines.html#linux-privilege-escalation>

<https://github.com/lucyoa/kernel-exploits>

<https://github.com/SecWiki/linux-kernel-exploits>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xdecaf2bad.gitbook.io/red-team-notes/02-information-gathering-enumeration/01-linux-privesc.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.