Enumeration for Linux Privilege Escalation

Gotcha, just realized that. I'll fix it

That one is pretty amazing too. I used it for the OSCP labs a couple times.

Hey guys,
I have created this tool: https://github.com/operatorequals/gatheros
just to cope with Info Gathering in team environments (CTFs, etc).
There is also a blog post that describes its usage.

6 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.

Necrobumping this because it’s a really good article.

Anybody got any more thoughts on this? Do we have any new methods?

1 Like

This can be good if cronjobs are present: checking for new processes

#!/bin/bash

# Snapshot the process list every second and diff it against the previous
# snapshot, so short-lived cron jobs show up as ">" lines in the diff output.
IFS=$'\n'
old=$(ps -eo command)

while true; do
        new=$(ps -eo command)
        # "<" lines have exited since the last tick, ">" lines are new
        diff <(echo "$old") <(echo "$new")
        sleep 1
        old=$new
done

3 Likes

PwnWiki has a good command list too… I always refer to it…

pwnwiki.io Linux Privesc

6 Likes

Neat! I am new to the thinking methodology, and your article sounded like “Information Gathering” is a serious topic for concern. Gotta save this for now, thanks John!

1 Like

A while back I stumbled across a great enumeration script that hits most of the points brought up here. Take a look at https://github.com/rebootuser/LinEnum. This is the first thing I try to run on a fresh low-priv shell.

2 Likes

Linuxprivchecker could also be a good alternative to traditional tools. I revamped the original one to make it work with all Python versions.

Hope it helps,
Best,
Nitrax

7 Likes

That’s fucking awesome. Thanks man

Thanks, great info!

Jake Williams' Wild West Hackin' Fest 2018 talk “Privilege Escalation FTW” was released a week ago; it has some good stuff too (Linux and Windows):

5 Likes

Just found this, too:

If you’re looking for Windows privesc, this is nice.

5 Likes

Yes, this is also very detailed. Thank you

pspy does this in a more efficient way for not-really-hardened boxes.

For CTF/boot2root, I also check file times using “user.txt” as a reference.

3 Likes

Yo! Nice tut (?), but just curious if there’s a possibility for another one except for Windows? Just a thought.

Also, I might put some of these commands in a bash script for automation of prosperity. :stuck_out_tongue:

Again, awesome tut! This will be helpful for HTB. ~Cheers!

–Techno Forg–

Some more stuff to check for

Check for accidental passwords typed after unsuccessful sudo

cat ~/.bash_history | grep -A5 sudo

Check for open tmux sessions (possibly logged into root shells)

tmux ls

Find writable files / dirs outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"

Check home directories of other users for readable files:

find /home | grep -Ev "^/home/user"

Find files that were modified in the last 10min (useful to spot funky stuff going on)

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

  • Check mounts
  • Grab banners for local ports (using nc or other methods)
  • Read crontab job files and look for crappy backup scripts
  • Read service configuration (especially httpd)
  • Scroll over ps -ef output and check for passwords passed as command-line arguments
8 Likes
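The last bullet (passwords in ps -ef output) is the one most worth automating. As an added example that is not from this thread, here is a small bash audit that pulls credential-bearing arguments out of a process listing and masks the values; the flag patterns and the sample listing are constructed, and a real run would feed it `ps -eo user,pid,command`.

```bash
#!/bin/bash
# Added example (not from the thread): audit a process listing for credentials
# passed in argv. Anything on a command line is readable by every local user
# via `ps` and /proc/<pid>/cmdline, so each hit is an exposure to fix (move the
# secret into a config file with tight permissions, a credentials file, or a prompt).
# Reads `ps -eo user,pid,command` style text on stdin.

# Credential-bearing argument shapes (constructed list; extend for local tooling):
#   -pSECRET (mysql style)     --password=X / --password X / --passwd=X
#   --token=X / --api-key=X    FOO_PASSWORD=X / DB_SECRET=X / API_TOKEN=X
SECRET_RE=' -p[^ -][^ ]*| --(password|passwd|token|api-key)[= ][^ ]+|[A-Za-z_]*(PASSWORD|PASSWD|SECRET|TOKEN)=[^ ]+'

# Print only the offending lines, with each secret value replaced by ****
mask_cmdline_secrets() {
    grep -E "$SECRET_RE" \
    | sed -E \
        -e 's/ -p[^ -][^ ]*/ -p****/g' \
        -e 's/( --(password|passwd|token|api-key)[= ])[^ ]+/\1****/g' \
        -e 's/([A-Za-z_]*(PASSWORD|PASSWD|SECRET|TOKEN)=)[^ ]+/\1****/g'
}

# Number of processes leaking a secret on the command line
count_cmdline_secrets() {
    grep -Ec "$SECRET_RE"
}

# Constructed sample listing standing in for: ps -eo user,pid,command
SAMPLE_PS='root       1 /sbin/init
mysql    412 mysql -u app -pS3cr3t -e "show databases"
www-data 520 php /var/www/backup.php --password=hunter2
backup   598 env DB_PASSWORD=winter2018 /opt/backup.sh
nobody   633 nginx -p /etc/nginx
bob      601 vim notes.txt'

# Stand-alone run against the sample: three hits, nginx -p (a path) is not one
printf '%s\n' "$SAMPLE_PS" | mask_cmdline_secrets
printf 'leaking processes: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | count_cmdline_secrets)"
```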

I don’t know why, but this blew my mind. Nice!

3 Likes

This topic was automatically closed after 39 days. New replies are no longer allowed.