Enumeration for Linux Privilege Escalation


(oaktree) #3

Hi,

Nice checklist you got here… on this site, though, we format code this way:

code

Not like

this

Put ```language on top of the code and then ``` on the line under.

Thank you.


(gojirasan) #4

Gotcha, just realized that. I'll fix it.


(gojirasan) #5

That one is pretty amazing too. I used it for the OSCP labs a couple times.


(John) #6

Hey guys,
I have created this tool: https://github.com/operatorequals/gatheros
just to cope with Info Gathering in team environments (CTFs, etc).
There is also a blog post that describes its usage.


(system) #7

This topic was automatically closed after 30 days. New replies are no longer allowed.


(Security Architect & Founder) #8

Necrobumping this because it’s a really good article.

Anybody got any more thoughts on this? Do we have any new methods?


(Security Architect & Founder) #9

#10

This can be good if cronjobs are present, checking for new processes:

```bash
#!/bin/bash

# Split only on newlines so each process line stays one word.
IFS=$'\n'
old=$(ps -eo command)

while true; do
        new=$(ps -eo command)
        # Lines prefixed with ">" are commands that appeared since the last poll,
        # lines prefixed with "<" are ones that exited.
        diff <(echo "$old") <(echo "$new")
        sleep 1
        old=$new
done
```
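The same polling idea, as an added example rather than the poster's script: the comparison is pulled into a function that can be tested on fixed input, and the snapshot format (`ps -eo user,command`) and the polling interval are my assumptions. Unlike a set comparison, it keeps a per-line count, so a second copy of a command that is already running (a cron job re-launching something that never exited) is still reported.

```shell
#!/bin/sh
# Added example: report process lines that appear between two `ps` snapshots.
# Not the original poster's script; snapshot format and interval are assumptions.

# new_lines OLD NEW
# Prints every line of NEW that is not accounted for by a line of OLD.
# Lines are compared as a multiset: if OLD has one "bash" and NEW has two,
# the second "bash" is printed. Both snapshots are fed through one stream,
# separated by a marker line, so plain POSIX awk is enough.
new_lines() {
    marker='@@SNAPSHOT-BOUNDARY@@'   # assumed never to occur in a command line
    printf '%s\n%s\n%s\n' "$1" "$marker" "$2" |
    awk -v marker="$marker" '
        $0 == marker   { in_new = 1; next }
        !in_new        { count[$0]++; next }
        count[$0] > 0  { count[$0]--; next }
                       { print }'
}

# snapshot
# One line per process: owning user and full command line. The header line
# and the `ps` call itself are present in every snapshot and cancel out.
snapshot() {
    ps -eo user,command
}

# watch_processes [INTERVAL]
# Polls every INTERVAL seconds (default 1) and prints each newly seen process
# line with a timestamp. Runs until interrupted.
watch_processes() {
    interval=${1:-1}
    old=$(snapshot)
    while true; do
        sleep "$interval"
        new=$(snapshot)
        added=$(new_lines "$old" "$new")
        if [ -n "$added" ]; then
            printf '%s\n' "$added" | while IFS= read -r line; do
                printf '%s  %s\n' "$(date +%H:%M:%S)" "$line"
            done
        fi
        old=$new
    done
}

# Only start the watcher when asked, so the file can also be sourced:
#   sh watch.sh --watch 2
case "${1:-}" in
    --watch) watch_processes "${2:-1}" ;;
esac
```

Because every snapshot contains the watcher's own `ps` line, it never shows up as new; the first `--watch` poll reports only what really started after the script did.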

(zief four) #11

PwnWiki has a good command list too… I always refer to it…

pwnwiki.io Linux Privesc


#12

Neat! I am new to the thinking methodology, and your article sounded like “Information Gathering” is a serious topic for concern. Gotta save this for now, thanks John!


(Matt) #13

A while back I stumbled across a great enumeration script that hits most of the points brought up here. Take a look at https://github.com/rebootuser/LinEnum. This is the first thing I try to run on a fresh low-priv shell.


#14

Linuxprivchecker could also be a good alternative to traditional tools. I revamped the original one to make it work with all Python versions.

Hope it helps,
Best,
Nitrax


#15

That’s fucking awesome. Thanks man


(IDdbH) #16

Thanks, great info !

Jake Williams' Wild West Hackin' Fest 2018 talk “Privilege Escalation FTW” was released a week ago; it has some good stuff too (Linux and Windows):


(Security Architect & Founder) #17

Just found this, too:

If you’re looking for Windows privesc, this is nice.


#18

Yes, this is also very detailed. Thank you


The Ultimate Privilege Escalation Reference - [Wiki]

(guly) #19

pspy does this in a more efficient way for not-really-hardened boxes.

For CTF/boot2root, I also check file times using “user.txt” as a reference.


(Zain) #20

Yo! Nice tut (?), but just curious if there’s a possibility for another one except for windows? Just a thought.

Also, I might put some of these commands in a bash script for automation of prosperity. :stuck_out_tongue:

Again, awesome tut! This will be helpful for HTB. ~Cheers!

–Techno Forg–


(EternalEclipse) #21

Some more stuff to check for:

Check for accidental passwords typed after unsuccessful sudo:

```bash
grep -A5 sudo ~/.bash_history
```

Check for open tmux sessions (possibly logged into root shells):

```bash
tmux ls
```

Find writable files / dirs outside of your home directory:

```bash
find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"
```

Check home directories of other users for readable files:

```bash
find /home | grep -Ev "^/home/user"
```

Find files that were modified in the last 10 minutes (useful to spot funky stuff going on):

```bash
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
```

  • Check mounts
  • Grab banners for local ports (using nc or other methods)
  • Read crontab job files and look for crappy backup scripts
  • Read service configuration (especially httpd)
  • Scroll over ps -ef output and check for passwords passed as command-line arguments
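Two of the checks in this post (the sudo/history one and the writable-files one), as an added example that is not the poster's own commands. Both take the path to inspect as an argument so they can be tried on a constructed history file or directory tree before being pointed at the real host. The "password after sudo" test is a heuristic of mine: a history line that directly follows a `sudo` line and whose first word is not a known command; the script name `enum_checks.sh` and the exclusion list are assumptions, and `-writable` is GNU find, as in the original command.

```shell
#!/bin/sh
# Added example, not the original poster's commands: two of the checks above
# as functions that take a path, so they can be tested on constructed input.

# sudo_history_leaks HISTFILE
# Prints the number of each history line that directly follows a `sudo ...`
# line and whose first word is not a known command. A password typed at the
# shell prompt after a cancelled or timed-out sudo looks exactly like that.
# Only the line number is printed so the candidate secret is not echoed;
# remove it with `history -d N` or by editing the file.
sudo_history_leaks() {
    n=0
    prev_was_sudo=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # bash writes "#<epoch>" stamps when HISTTIMEFORMAT is set; they are
        # not commands, so skip them without resetting the sudo flag.
        case $line in '#'*) continue ;; esac
        if [ "$prev_was_sudo" -eq 1 ]; then
            first=${line%% *}
            if [ -n "$first" ] && ! command -v "$first" >/dev/null 2>&1; then
                printf 'line %d: possible password after sudo\n' "$n"
            fi
        fi
        case $line in
            sudo|sudo\ *) prev_was_sudo=1 ;;
            *)            prev_was_sudo=0 ;;
        esac
    done < "$1"
}

# writable_outside ROOT [EXCLUDE_PREFIX...]
# Lists files and directories under ROOT that the current user can write to,
# skipping anything at or below the given prefixes (home, /tmp, /proc, ...).
# Prefixes are matched literally, so no regex escaping is needed.
writable_outside() {
    root=$1
    shift
    find "$root" \( -type f -o -type d \) -writable 2>/dev/null |
    while IFS= read -r path; do
        skip=0
        for prefix in "$@"; do
            case $path in
                "$prefix"|"$prefix"/*) skip=1; break ;;
            esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Command-line use (assumed file name; the file does nothing when sourced):
#   sh enum_checks.sh --history ~/.bash_history
#   sh enum_checks.sh --writable /
case "${1:-}" in
    --history)  sudo_history_leaks "${2:-$HOME/.bash_history}" ;;
    --writable) writable_outside "${2:-/}" "$HOME" /proc /tmp /dev /sys /run ;;
esac
```

The history check will also flag a line such as `./setup.sh` if that script no longer exists, so treat its output as lines to look at, not as a verdict; the point is to find and purge typed secrets before someone else reads the file.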

#22

I don’t know why, but this blew my mind. Nice!