Linux Privilege Escalation Checklist
Introduction
Privilege escalation is a crucial step in the penetration testing lifecycle. With this checklist I intend to cover the main vectors used in Linux privilege escalation, along with some personal notes from previous penetration tests.
Manual Checks
Before using automated scripts, I would first suggest getting familiar with the main commands used to perform the various privilege escalation checks; this is very helpful for understanding how these attacks actually work.
| Command/Action | Description |
|---|---|
| `which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen nmap 2>/dev/null` | Any useful applications installed? This might indicate the right path for privilege escalation. |
| `sudo -l` | Anything that can be abused? If so, try searching GTFOBins. Check for environment variables. More info here. |
| `sudo su` | Can we simply log in as root? |
| `id; who; whoami; w; last; cat /etc/passwd; cat /etc/sudoers; cat /etc/group` | Check information about the users on the machine. Check the groups associated with the current user (groups to check for are wheel, shadow, disk, screen, video, lxd/lxc, root and docker). More info here. |
| `uname -a; lsb_release -a; cat /proc/version /etc/issue /etc/*-release` | Check the kernel version and then run `searchsploit linux kernel xxx`. More info here. |
| `ls -la ~/; ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var` | Check for files or binaries in common directories; check for clear-text passwords in the bash history. |
| `cat /etc/passwd; cat /etc/shadow; ls -la /etc/passwd /etc/shadow` | Can we access the passwd/shadow files? If so, are there any hashes that can be cracked? If either of them is writable, a new root user can be added to the system by creating a password hash with openssl and adding a new line to the file. More info here. |
| `ls -la /root/.bashrc` or `ls -la /home/*/.bashrc; locate .bashrc; find / -name .bashrc -xdev 2>/dev/null` | Is the .bashrc file writable? If so, malicious commands can be written to it and will be executed when the user/root logs in. |
| Check application config files | Any hidden or config files on the system we can loot (for example /var/www/html)? Any database passwords in config files? Any writable configuration (*.conf) files used by privileged executables/scripts/processes? |
| `ps aux \| grep root` | Is anything running as root (or another user) that we can exploit? Check https://gtfobins.github.io/ |
| `find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o -perm -2000 -o -perm -6000 2>/dev/null` | Find all SUID/SGID binaries on the machine. Search GTFOBins and check for anything that stands out. More info here. |
| `ls -la /home /root /etc/ssh; locate id_rsa; locate id_dsa; cat /home/*/.ssh/id_rsa` | Check for readable private SSH keys or writable public keys (authorized_keys file). If there are none, can we create them for another user? More info here. |
| `find / -perm -0002 -user root 2>/dev/null` | Check for world-writable files. Can also add grep to search for scripts that may be executed by cron jobs or at boot, like .py, .php etc., for example `grep ".*\.py$"` |
| `find / -type f -user stef -xdev 2>/dev/null; find / -type d -user stef -xdev 2>/dev/null` | Find files/directories owned by the stef user (and therefore readable/writable by that user), with errors redirected to /dev/null. |
| `sudo -V \| grep "Sudo ver"` | Check the sudo version and run `searchsploit sudo xxx` to see if any exploit is available. |
| `netstat -antup` | Are there any open ports on localhost we didn't see with nmap? Might need tunnelling. |
| `cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout` | Is there any useful information in the main bash user files? |
| `crontab -l; ls -alh /var/spool/cron; ls -al /etc/ \| grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny; cat /etc/crontab; cat /etc/anacrontab; cat /var/spool/cron/crontabs/root` | Check for cron jobs: is there anything we have access to change or that we can exploit? If binaries are used, check whether the full path is specified; if not, this can be exploited by creating a malicious binary and modifying the PATH environment variable. More info here. |
| `./pspy > pspy-out.txt` | Use pspy to see commands run by other users, cron jobs, etc. in real time as they execute. |
| `cat /etc/fstab` | Are there any unmounted file systems? |
| `getcap -r / 2>/dev/null` | Check for files with capabilities. These may allow us to access restricted files or directories. |
| `showmount -e X.X.X.X; mount X.X.X.X:/ /tmp/` | If NFS is open, check whether the target has any open NFS shares; if it does, mount them on your filesystem. |
| `ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/; dpkg -l; rpm -qa` | What applications are installed? Are they currently running? What version are they? Are they vulnerable to anything? Is there any application that stands out? |
| Credential re-use | Any credentials found earlier that can be used in other services? |
| `tmux ls; tmux attach -t tmuxname; screen -ls; screen -dr sessionname; byobu list-session` | Any shell sessions we can hijack? |
| `gdb -p PROCID` | Some services might keep clear-text credentials in memory. Run `ps aux`, grab the process ID and attach gdb to it. |
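The two cron weaknesses called out in the table above (a job whose binary is not given by full path, and a job target or world-writable file that a low-privileged user can edit) are easy to audit mechanically. The following Python script is an added example, not code from the original post: it parses `/etc/crontab`-style entries and flags both conditions, so it can be run by an administrator to find such jobs before a tester does. The crontab text and the throwaway script it creates are constructed for the demonstration; the function and variable names are my own.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed sample in /etc/crontab format (five time fields, user, command).
# Not copied from any real host; the second job is the weak one.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
# m h dom mon dow user  command
*/5 * * * * root  /usr/local/bin/backup.sh --quiet
0 3 * * *   root  cleanup-tmp.sh --force
@daily      root  /opt/scripts/rotate.sh
"""

_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_system_crontab(text):
    """Return (user, command) pairs from system-crontab text.

    Blank lines, comments and VAR=VALUE lines are skipped. '@daily'-style
    entries have one schedule field; ordinary entries have five.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ASSIGNMENT.match(line):
            continue
        n_sched = 1 if line.startswith("@") else 5
        fields = line.split(None, n_sched + 1)
        if len(fields) < n_sched + 2:
            continue  # malformed line: no command after the user field
        jobs.append((fields[n_sched], fields[n_sched + 1]))
    return jobs


def audit_cron(text, check_fs=True):
    """Flag jobs an unprivileged user could influence.

    Returns (user, program, reason) tuples. A bare program name is resolved
    through PATH when cron runs it, so its location is not pinned down. An
    absolute path is checked on disk (when check_fs is True) for being
    world-writable or, for root jobs, not owned by root.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        argv = shlex.split(command)
        if not argv:
            continue
        prog = argv[0]
        if not prog.startswith("/"):
            findings.append((user, prog, "relative path: resolved via PATH at run time"))
            continue
        if not check_fs or not os.path.exists(prog):
            continue
        st = os.stat(prog)
        if st.st_mode & stat.S_IWOTH:
            findings.append((user, prog, "world-writable"))
        elif user == "root" and st.st_uid != 0:
            findings.append((user, prog, "owned by uid %d, not root" % st.st_uid))
    return findings


def demo_writable_target():
    """Create a throwaway job script that anyone can edit, audit a crontab
    line that runs it as root, and return the findings (one: world-writable)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "nightly.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho nightly\n")
        os.chmod(script, 0o777)  # deliberately loose for the demonstration
        return audit_cron("0 2 * * * root %s\n" % script)


if __name__ == "__main__":
    # On a real host: audit_cron(open("/etc/crontab").read()) and the same
    # for the files under /etc/cron.d; here the constructed samples are used.
    for finding in audit_cron(SAMPLE_CRONTAB, check_fs=False) + demo_writable_target():
        print("%-6s %-40s %s" % finding)
```

The fix for each finding is the one implied by the table: pin the job to an absolute path (or set an explicit `PATH=` line at the top of the crontab), and make sure anything root executes on a schedule is owned by root and not writable by anyone else.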
Automated Checks
Once you are familiar with how the different attacks work and how to execute them, you can start using automated scripts, which will speed up your enumeration and help you identify weaknesses.
| Linux Privilege Escalation checklist | Information |
|---|---|
| `./linpeas.sh` | LinPEAS is a script that searches for possible paths to escalate privileges on Unix* hosts. |
| `./linenum.sh > linenum-output.txt` | A really powerful bash script that enumerates system information and misconfigurations to escalate privileges. |
| `python linuxprivchecker.py > pychecker-out.txt` | Executed locally on Linux to enumerate basic system information and search for common privilege escalation vectors. |
| `./linux-exploit-suggester.sh > exploitsuggester-out.txt` | This script is extremely useful for quickly finding privilege escalation vulnerabilities in Linux systems. |
| `./lse.sh -l2 -i` | This script shows relevant information about the security of a local Linux system, helping to escalate privileges. |
| `./unix-privesc-check > monkey-out.txt` | A script for Unix systems that tries to find misconfigurations that could allow local users to escalate privileges. |
| `python beroot.py --password super_strong_password` | BeRoot is a post-exploitation tool that checks common misconfigurations on Linux and Mac OS. |
| `./sudo_killer.sh -c -i /path/sk_offline.txt` | Sudo Killer identifies and exploits sudo rule misconfigurations and vulnerabilities within sudo. |
| `./jalesc` | Similar to LinEnum but much cleaner and with better highlighting. |
Conclusion
Privilege escalation is a topic that can often scare beginners, due to the number of vectors and techniques that you are required to learn. With the above checklist you should be able to deal with most situations. Don't fully rely on checklists and automated scripts, though: they can fail or miss something, so do your own research as well.
I've learned a few just right stuff here. Certainly worth bookmarking for revisiting. I wonder how much effort you put in to make such a magnificent informative site.
Thank you 🙂