Enumeration for Linux Privilege Escalation https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959 So, you have a shell on a Linux machine. But what now? Privilege Escalation! (Unless you spawned a root shell of course! Then its time for some lateral movement I suppose). But before you can escalate your privileges, you will have to figure out how you are going to do it. So that brings us to enumeration, which is hands down the most important part of compromising a target. So this post is not intended to be a definitive guide to Linux priv-esc or anything, but merely a simple collection of things that I have personally found helpful during enumeration. I am totally open to suggestions or any ideas. This post is also heavily inspired by g0tmi1k's amazing post, Basic Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ I recommend bookmarking that ^ **_Get Your Bearings_** First things first. Always get a good feel for the machine. Its always a good idea to figure out what version you're looking at: ``` cat /etc/issue ``` or ``` cat /etc/*-release ``` What is the kernel version? Are there known exploits for that version? ``` cat /proc/version ``` ``` uname -a ``` ``` rpm -q kernel ``` Where are you on the network? What connections are established? ``` ifconfig -a ``` ``` netstat -antup ``` ``` iptables -L ``` ``` arp -e ``` _**What is running?**_ There are numerous local privilege escalation exploits out there in the void. Are there any vulnerable applications or services running that have known exploits? Which services are being run with root privileges? ``` ps -ef | grep root ``` or ``` ps aux | grep root ``` ``` cat /etc/services ``` Any vulnerable applications? ``` ls -alh /usr/bin/ ``` ``` ls -alh /sbin/ ``` Any files with SUID/SGID permissions? ``` find / -perm -g=s -o -perm -u=s -type f 2>/dev/null ``` or, for a faster search in "bin" directories ``` for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done ``` **_Uploading and running exploit code_** If there is a local privilege escalation exploit available, how will you upload and execute the exploit code on your target? What languages are supported on the machine? ``` find / -name 'language' ``` ex: find / -name python* Is GCC present? ``` find / -name gcc ``` How can you upload the exploit code? Use ```find``` to look for things like: wget, nc, netcat, tftp, ftp, fetch etc. **_Where can you write and execute files?_** You will need to find a place to compile and execute your exploit code This will locate world writeable and world executable folders ``` find /\(-perm -o w -perm -o x\) -type d 2>/dev/null ``` **_Cracking password hashes_** Can you view /etc/passwd and /etc/shadow ? ``` cat /etc/passwd ``` ``` cat /etc/shadow ``` If you can, try to crack the hashes you find. You never know! **_Limited Shell?_** Give these a shot. ``` python -c 'import pty;pty.spawn("/bin/bash") ``` ``` echo os.system('/bin/bash') ``` **_The simplest things are often overlooked_** If I am ever stuck getting root privileges, its 9 times out of 10 because I am overthinking it. Sometimes the answer is so simple that its easy to overlook it. If you're getting stuck, think back to square one and move forward slowly and pay attention to the details. Here are some of simple things that can be overlooked: Is the account you are using a sudoer? If you have the password for the account, you may be able to use sudo. I have seen many people look over this. Are there other users that are sudoers? ``` cat /etc/sudoers ``` ``` sudo -l ``` Always check for password reuse. Unless of course you don't want to be noisy and risk a failed authentication. Sometimes people don't think straight and put plain text passwords in .txt files and spreadsheets and all kinds of terribly insecure places, so don't disregard the idea. Enumeration scripts To make life easier, you can write your own bash script to run whatever commands you want, although sometimes it is not plausible to do so. For example if you do not have the ability to upload files or execute shell scripts. Anyways, those are my usual go-to commands when I start enumerating for priv-esc. It is not an exhaustive list by any means, there is a whole world of possibilities out there for getting root and hopefully this will help! I'm sure I will add things as I think of them, seeing as I wrote this on my lunch at work and probably forgot a bunch of stuff. Happy Hunting. Thank you to g0tmi1k for your awesome post on the subject. I have used it more than any other blog I can think of! Wed, 05 Dec 2018 17:01:15 +0000 Linux Enumeration for Linux Privilege Escalation This topic was automatically closed after 39 days. New replies are no longer allowed.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/23 Wed, 02 Jan 2019 00:00:01 +0000 d.clarkee.co.uk-post-1959-23 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation
EternalEclipse:

Check for accidental passwords typed after unsuccessful sudo

cat ~/.bash_history | grep -A5 sudo

I don’t know why, but this blew my mind. Nice!

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/22 Wed, 05 Dec 2018 17:01:15 +0000 d.clarkee.co.uk-post-1959-22 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Some more stuff to check for

Check for accidental passwords typed after unsuccessful sudo

cat ~/.bash_history | grep -A5 sudo

Check for open tmux sessions (possibly logged into root shells)

tmux ls

Find writable files / dirs outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"

Check home directories of other users for readable files:

find /home | grep -Ev "^/home/user"

Find files that were modified in the last 10min (useful to spot funky stuff going on)

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
  • Check mounts
  • Grab banners for local ports (using nc or other methods)
  • Read crontab job files and look for crappy backup scripts
  • Read service configuration (Especially httpd)
  • Scroll over ps -ef output and check for passwords passed as command-line arguments

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/21 Wed, 05 Dec 2018 00:17:04 +0000 d.clarkee.co.uk-post-1959-21 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Yo! Nice tut (?), but just curious if there’s a possibility for another one except for windows? Just a thought.

Also, I might put some of these commands in a bash script for automation of prosperity. :stuck_out_tongue:

Again, awesome tut! This will be helpful for HTB. ~Cheers!

–Techno Forg–

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/20 Tue, 04 Dec 2018 12:46:25 +0000 d.clarkee.co.uk-post-1959-20 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation pspy does this in a more efficient way for not really-hardened boxes

for CTF/boot2root, i also check file time using “user.txt” as a reference

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/19 Tue, 04 Dec 2018 12:16:14 +0000 d.clarkee.co.uk-post-1959-19 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Yes, this is also very detailed. Thank you

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/18 Tue, 27 Nov 2018 07:48:29 +0000 d.clarkee.co.uk-post-1959-18 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Just found this, too:

If you’re looking for WIndows privesc, this is nice.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/17 Mon, 26 Nov 2018 14:04:12 +0000 d.clarkee.co.uk-post-1959-17 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Thanks, great info !

Jake William’s Wild West Hacking Fest 2018 talk “Privilege Escalation FTW” was relased a week ago, it has some good stuff too (Linux and Windows) :

Privilege Escalation FTW

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/16 Mon, 26 Nov 2018 12:01:48 +0000 d.clarkee.co.uk-post-1959-16 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation That’s fucking awesome. Thanks man

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/15 Mon, 26 Nov 2018 10:09:17 +0000 d.clarkee.co.uk-post-1959-15 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Linuxprivchecker could also be a good alternative to traditionnal tools. I revamped the original one to make it works with all python versions.

Hope it helps,
Best,
Nitrax

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/14 Mon, 26 Nov 2018 09:12:55 +0000 d.clarkee.co.uk-post-1959-14 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation A while back I stumbled across a great enumeration script that hits most of the points brought up here. Take a look at https://github.com/rebootuser/LinEnum. This is the first thing I try to run on a fresh low-priv shell.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/13 Sun, 25 Nov 2018 23:44:34 +0000 d.clarkee.co.uk-post-1959-13 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Neat! I am new to the thinking methodology, and your article sounded like “Information Gathering” is a serious topic for concern. Gotta save this for now, thanks John!

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/12 Sun, 25 Nov 2018 18:38:21 +0000 d.clarkee.co.uk-post-1959-12 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation PwnWiki have a goodcommand list too… i always refer to it…

pwnwiki.io Linux Privesc

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/11 Sun, 25 Nov 2018 17:02:10 +0000 d.clarkee.co.uk-post-1959-11 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation This can be good if cronjobs are presents, checking for new processes

#!/bin/bash

IFS=$'\n'
old=$(ps -eo command)

while true; do
        new=$(ps -eo command)
        diff <(echo "$old") <(echo "$new")
        sleep 1
        old=$new
done

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/10 Fri, 23 Nov 2018 14:10:03 +0000 d.clarkee.co.uk-post-1959-10 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/9 Fri, 23 Nov 2018 12:13:14 +0000 d.clarkee.co.uk-post-1959-9 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Necrobumping this because it’s a really good article.

Anybody got any more thoughts on this? Do we have any new methods?

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/8 Fri, 23 Nov 2018 12:13:07 +0000 d.clarkee.co.uk-post-1959-8 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation This topic was automatically closed after 30 days. New replies are no longer allowed.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/7 Sun, 21 Jan 2018 00:36:44 +0000 d.clarkee.co.uk-post-1959-7 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Hey guys,
I have created this tool: https://github.com/operatorequals/gatheros
just to cope with Info Gathering in team environments (CTFs, etc).
There is also a blog post that describes its usage.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/6 Tue, 09 May 2017 16:30:37 +0000 d.clarkee.co.uk-post-1959-6 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation That one is pretty amazing too. I used it for the OSCP labs a couple times.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/5 Tue, 02 May 2017 20:07:22 +0000 d.clarkee.co.uk-post-1959-5 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Gotcha, just realized that. Ill fix it

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/4 Tue, 02 May 2017 19:57:41 +0000 d.clarkee.co.uk-post-1959-4 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation Hi,

Nice checklist you got here… on this site, though, we format code this way:

code

Not like

this

Put ```language on top of the code and then ``` on the line under.

Thank you.

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/3 Tue, 02 May 2017 19:56:42 +0000 d.clarkee.co.uk-post-1959-3 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation g0tmi1k’s blog is dope, for window’s privesc I usually use this as reference.
http://www.fuzzysecurity.com/tutorials/16.html

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/2 Tue, 02 May 2017 19:56:31 +0000 d.clarkee.co.uk-post-1959-2 Enumeration for Linux Privilege Escalation Enumeration for Linux Privilege Escalation So, you have a shell on a Linux machine. But what now? Privilege Escalation! (Unless you spawned a root shell of course! Then its time for some lateral movement I suppose). But before you can escalate your privileges, you will have to figure out how you are going to do it. So that brings us to enumeration, which is hands down the most important part of compromising a target.

So this post is not intended to be a definitive guide to Linux priv-esc or anything, but merely a simple collection of things that I have personally found helpful during enumeration. I am totally open to suggestions or any ideas. This post is also heavily inspired by g0tmi1k’s amazing post, Basic Linux Privilege Escalation:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

I recommend bookmarking that ^

Get Your Bearings

First things first. Always get a good feel for the machine. Its always a good idea to figure out what version you’re looking at:

cat /etc/issue

or

cat /etc/*-release

What is the kernel version? Are there known exploits for that version?

cat /proc/version

uname -a

rpm -q kernel

Where are you on the network? What connections are established?

ifconfig -a

netstat -antup

iptables -L

arp -e

What is running?

There are numerous local privilege escalation exploits out there in the void. Are there any vulnerable applications or services running that have known exploits?

Which services are being run with root privileges?

ps -ef | grep root

or

ps aux | grep root

cat /etc/services

Any vulnerable applications?

ls -alh /usr/bin/

ls -alh /sbin/

Any files with SUID/SGID permissions?

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

or, for a faster search in “bin” directories

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done

Uploading and running exploit code

If there is a local privilege escalation exploit available, how will you upload and execute the exploit code on your target?

What languages are supported on the machine?

find / -name 'language'

ex: find / -name python*

Is GCC present?

find / -name gcc

How can you upload the exploit code? Use find to look for things like:

wget, nc, netcat, tftp, ftp, fetch etc.

Where can you write and execute files?

You will need to find a place to compile and execute your exploit code

This will locate world writeable and world executable folders

find /\(-perm -o w -perm -o x\) -type d 2>/dev/null

Cracking password hashes

Can you view /etc/passwd and /etc/shadow ?

cat /etc/passwd

cat /etc/shadow

If you can, try to crack the hashes you find. You never know!

Limited Shell?

Give these a shot.

python -c 'import pty;pty.spawn("/bin/bash")

echo os.system('/bin/bash')

The simplest things are often overlooked

If I am ever stuck getting root privileges, its 9 times out of 10 because I am overthinking it. Sometimes the answer is so simple that its easy to overlook it. If you’re getting stuck, think back to square one and move forward slowly and pay attention to the details. Here are some of simple things that can be overlooked:

Is the account you are using a sudoer? If you have the password for the account, you may be able to use sudo. I have seen many people look over this. Are there other users that are sudoers?

cat /etc/sudoers

sudo -l

Always check for password reuse. Unless of course you don’t want to be noisy and risk a failed authentication.

Sometimes people don’t think straight and put plain text passwords in .txt files and spreadsheets and all kinds of terribly insecure places, so don’t disregard the idea.

Enumeration scripts

To make life easier, you can write your own bash script to run whatever commands you want, although sometimes it is not plausible to do so. For example if you do not have the ability to upload files or execute shell scripts.

Anyways, those are my usual go-to commands when I start enumerating for priv-esc. It is not an exhaustive list by any means, there is a whole world of possibilities out there for getting root and hopefully this will help! I’m sure I will add things as I think of them, seeing as I wrote this on my lunch at work and probably forgot a bunch of stuff. Happy Hunting.

Thank you to g0tmi1k for your awesome post on the subject. I have used it more than any other blog I can think of!

Read full topic

]]> https://d.clarkee.co.uk/t/enumeration-for-linux-privilege-escalation/1959/1 Tue, 02 May 2017 19:51:41 +0000 d.clarkee.co.uk-post-1959-1 Enumeration for Linux Privilege Escalation