Linux Priv-Esc | Sevro Security

Contents

Total OSCP Guide: Linux Priv-Esc

Enumerate All Users:


# Print /etc/passwd
cat /etc/passwd

# Print only users who have shell access
cat /etc/passwd | egrep -e '/bin/(ba)?sh'

# Print /etc/passwd

cat /etc/passwd

# Print only users who have shell access

cat /etc/passwd | egrep -e '/bin/(ba)?sh'

Check for low hanging fruit:


# Duh.
sudo su

# View Permissions on Passwd
ls -l /etc/passed

# View Permissions on Shadow
ls -l /etc/shadow

# Check for Cron Jobs
cat /etc/crontab

# Check for Sudo Privs
sudo -l

# Check for Kernel Priv-Esc Exploits
uname -a
cat /etc/issue

# Check /home persmissions
ls -la /home

# Check /root persmissions
ls -l /root

# SETUID Binaries
## Look for - Nmap,Vim,find,Bash,More,Less,Nano,cp,man
find / -user root -perm -4000 -exec ls -ldb {} \;

# User Writable files
find / -type f ( ! -path "/proc" ) -writable 2>/dev/null | xargs ls -l

# Check for NFS Shares
cat /etc/exports
## If writeable, add /root, restart, and mount

# Duh.

sudo su

# View Permissions on Passwd

ls -l /etc/passed

# View Permissions on Shadow

ls -l /etc/shadow

# Check for Cron Jobs

cat /etc/crontab

# Check for Sudo Privs

sudo -l

# Check for Kernel Priv-Esc Exploits

uname -a

cat /etc/issue

# Check /home persmissions

ls -la /home

# Check /root persmissions

ls -l /root

# SETUID Binaries

## Look for - Nmap,Vim,find,Bash,More,Less,Nano,cp,man

find / -user root -perm -4000 -exec ls -ldb {} \;

# User Writable files

find / -type f ( ! -path "/proc" ) -writable 2>/dev/null | xargs ls -l

# Check for NFS Shares

cat /etc/exports

## If writeable, add /root, restart, and mount

Weak Passwords:


username:username
username:username1
username:root
username:admin
username:qwerty
username:password

username:username

username:username1

username:root

username:admin

username:qwerty

username:password

Look for Interesting files/directories:


# Check for world writeable files
find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null

#Check for world writeable directories
find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null

#Look for interesint files:
find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null

# Check for world writeable files

find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null

#Check for world writeable directories

find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null

#Look for interesint files:

find / -name "*.txt" -ls 2> /dev/null

find / -name "*.log" -ls 2> /dev/null

MySQL:

If you find that mysql is running as root and you know the uname and pass:


select sys_exec('whoami');
select sys_eval('whoami');

select sys_exec('whoami');

select sys_eval('whoami');

Check for Root level Processes:

ps -aux | grep root

You should be looking for possible local VNC sessions, or localhost processes that could possibly be hijacked. Even processes that generate files (i.e., call some program). remember, there may be a program running periodically without a cron job (Python while loop).

Check for Any Processes with open and listening sockets:

netstat -a | grep -i listen

netstat -ano

Check for Boot Processes:

ls /etc/rc*

After setting a setuid bit on a binary such as bash, in order to retain the setuid privs, you must supply the -p flag: