search

Checklist - Linux Privilege Escalation

https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe

hashtag
Checklist - Linux Privilege Escalation

Checklist for privilege escalation in Linux

hashtag
Best tool to look for Linux local privilege escalation vectors: LinPEASarrow-up-right

hashtag
Vulnerable Kernel?arrow-up-right

  • Search for kernel exploits using scripts (linux.exploit-suggester.sh, inux-exploit-suggester2.pl, linuxprivcheckser.py)

  • Use Google to search for kernel exploits

  • Use searchsploit to search for kernel exploits

  • Check if the sudo version is vulnerablearrow-up-right

hashtag
Vulnerable Processes?arrow-up-right

  • Is any unknown software running?

  • Is any software with more privileges that it should have running?

  • Search for exploits for running processes (specially if running of versions)

  • Can you read some interesting process memory (where passwords could be saved)?

hashtag
Known users/passwords?arrow-up-right

  • Try to use every known password that you have discovered previously to login with each possible user. Try to login also without password.

hashtag
Interesting Groups?arrow-up-right

hashtag
Weird scheduled jobs?arrow-up-right

  • Is the PATH being modified by some cron and you can write in it?

  • Some modifiable script is being executed or is inside modifiable folder?

  • Is some cron script calling other script that is modifiable by you? or using wildcards?

  • Have you detected that some script could be being executed very frequently? (every 1, 2 or 5 minutes)

hashtag
Any sudo command?arrow-up-right

  • Can you execute any comand with sudo? Can you use it to READ, WRITE or EXECUTE anything as root?

  • Is some wildcard used?

  • Is the binary specified without path?

  • Is env_keep+=LD_PRELOAD?

hashtag
Any weird suid command?arrow-up-right

  • SUID any interesting command? Can you use it to READ, WRITE or EXECUTE anything as root?

  • Is some wildcard used?

  • Is the SUID binary executing some other binary without specifying the path? or specifying it?

  • Is it trying to load .so from writable folders?

hashtag
Weird capabilities?arrow-up-right

  • Has any binary any uncommon capability?

hashtag
Open Shell sessions?arrow-up-right

  • screen?

  • tmux?

hashtag
Can you read some sensitive data?arrow-up-right

  • Can you read some interesting files? (files with passwords, *_history, backups...)

hashtag
Can you write important files?arrow-up-right

  • Are you able to write files that could grant you more privileges? (service conf files, shadow,a script that is executed by other users, libraries...)

hashtag
Internal open ports?arrow-up-right

  • You should check if any undiscovered service is running in some port/interface. Maybe it is running with more privileges that it should or it is vulnerable to some kind of privilege escalation vulnerability.

hashtag
Can you sniff some passwords in the network?arrow-up-right

  • Can you sniff and get passwords from the network?

hashtag
Any service missconfigurated? NFS? belongs to docker or lxd?arrow-up-right

  1. Any well known missconfiguration? (NFS no_root_squasharrow-up-right)

hashtag
Any weird executable in path?arrow-up-right

PreviousPrivilege Escalation - LinuxNextWindows Priv Escalation

Last updated

Was this helpful?