Checklist - Linux Privilege Escalation

https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe


Last updated 5 years ago


Checklist for privilege escalation in Linux

Best tool to look for Linux local privilege escalation vectors: LinPEAS

Vulnerable Kernel?

  • Search for kernel exploits using scripts (linux-exploit-suggester.sh, linux-exploit-suggester2.pl, linuxprivchecker.py)
  • Use Google to search for kernel exploits
  • Use searchsploit to search for kernel exploits
  • Check if the sudo version is vulnerable

Vulnerable Processes?

  • Is any unknown software running?
  • Is any software running with more privileges than it should have?
  • Search for exploits for running processes (especially for the versions that are running)
  • Can you read some interesting process memory (where passwords could be saved)?

Known users/passwords?

  • Try to use every known password that you have discovered previously to log in as each possible user. Also try to log in without a password.

Interesting Groups?

  • Check if you belong to any group that can grant you root rights.

Weird scheduled jobs?

  • Is the PATH being modified by some cron and can you write in it?
  • Is some modifiable script being executed, or is it inside a modifiable folder?
  • Is some cron script calling another script that is modifiable by you, or using wildcards?
  • Have you detected a script that is being executed very frequently (every 1, 2 or 5 minutes)?

Any sudo command?

  • Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root?
  • Is some wildcard used?
  • Is the binary specified without path?
  • Is env_keep+=LD_PRELOAD?

Any weird suid command?

  • Is any interesting command SUID? Can you use it to READ, WRITE or EXECUTE anything as root?
  • Is some wildcard used?
  • Is the SUID binary executing some other binary without specifying the path, or specifying it?
  • Is it trying to load .so from writable folders?

Weird capabilities?

  • Does any binary have an uncommon capability?

Open Shell sessions?

  • screen?
  • tmux?

Can you read some sensitive data?

  • Can you read some interesting files? (files with passwords, *_history, backups...)

Can you write important files?

  • Are you able to write files that could grant you more privileges? (service conf files, shadow, a script that is executed by other users, libraries...)

Internal open ports?

  • You should check if any undiscovered service is running on some port/interface. Maybe it is running with more privileges than it should, or it is vulnerable to some kind of privilege escalation vulnerability.

Can you sniff some passwords in the network?

  • Can you sniff and get passwords from the network?

Any service misconfigured? NFS? Belongs to docker or lxd?

  • Any well-known misconfiguration? (NFS no_root_squash)

Any weird executable in path?
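
The sudo, scheduled-job and NFS items of this checklist correspond to configuration lines that can be audited directly. The following is an added example, not part of the original page: a small Python audit that flags those settings in sudoers, system crontab and /etc/exports text. The sample file contents, the `TRUSTED` directory set and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs, not taken from any real host.
SUDOERS = '''Defaults env_reset
Defaults env_keep += "LD_PRELOAD LANG"
backup ALL=(root) NOPASSWD: /usr/bin/rsync *
deploy ALL=(root) /usr/local/bin/deploy.sh
'''
EXPORTS = '''/srv/share 10.0.0.0/24(rw,sync,no_root_squash)
/srv/pub *(ro,sync,root_squash)
'''
CRONTAB = '''PATH=/home/dev/bin:/usr/bin:/bin
*/5 * * * * root backup.sh
0 2 * * * root /usr/bin/tar czf /var/backups/www.tgz *
'''
# Assumption: directories treated as standard, root-owned PATH entries.
TRUSTED = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}

def audit_sudoers(text):
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if re.match(r"Defaults\b.*\benv_keep\b.*\bLD_PRELOAD\b", line):
            out.append((n, "env_keep preserves LD_PRELOAD"))
        elif not line.startswith(("#", "Defaults")) and "=" in line:
            if "*" in line.split("=", 1)[1]:  # text after the host/runas part
                out.append((n, "wildcard in command specification"))
    return out

def audit_exports(text):
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            for client, opts in re.findall(r"(\S*)\(([^)]*)\)", line):
                if "no_root_squash" in [o.strip() for o in opts.split(",")]:
                    out.append((line.split()[0], client))
    return out

def audit_crontab(text):
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("PATH="):
            out += [(n, "non-standard PATH entry: " + d)
                    for d in line[5:].split(":") if d not in TRUSTED]
        elif not line.startswith("#") and len(line.split()) >= 7:
            cmd = line.split(None, 6)[6].split()  # 5 time fields + user, then command
            if not cmd[0].startswith("/"):
                out.append((n, "command resolved through PATH: " + cmd[0]))
            if "*" in cmd[1:]:
                out.append((n, "unquoted wildcard argument"))
    return out
```

To audit a real host, pass the contents of /etc/sudoers, /etc/crontab and /etc/exports to the three functions; each finding still needs a permission check on the path it names.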