Skip to content

NXNJZ

Linux and Security

  • BLOG
  • Cowsay Fortune
  • Contact
  • Gitlab

Linux Privilege Escalation Checklist

Posted on August 24, 2018 - July 7, 2020 by nxnjz

Useful for both pentesters and systems administrators, this checklist is focused on privilege escalation on GNU/Linux operating systems. Many of these will also apply to Unix systems, (FreeBSD, Solaris, etc.) and some may apply to Windows. The following information is based on the assumption that you have CLI access to the system as non-root user.

This list is far from complete, it will be periodically updated.

 

  • Are there any hashes in /etc/passwd? If so, can they be cracked quickly? (JtR, HashCat)
  • Is /etc/shadow readable? If so, are the hashes easily crackable?
  • Is /etc/passwd or /etc/shadow writeable?
  • Any passwords in configuration or other files? Is the root password one of those?
  • Does the current user have sudo rights at all? If so, how can they be abused?
  • Check /home, /root, /etc/ssh for readable private ssh keys.
  • Check /home, /root, /etc/ssh for writeable public ssh keys. (authorized_keys) . If not, can an authorized_keys file be created for another user?
  • Kernel exploits?
  • Check for SUID/SGID files that may give you read/write/execute access to sensitive files.
  • Vulnerable/exploitable SUID/SGID executables.
  • Vulnerable/exploitable files with special capabilities. (This is detailed here)
  • Vulnerable/exploitable services running as another user/root, or that allow shell commands or other system access? (VNC as root for example)
  • Are shell rc files (.bashrc, .zshrc, .profile, etc.) writeable? If so, malicious commands can be added to that file, will run when the user/root logs in.
  • Writeable cron jobs, or other executables/scripts that are run by root.
  • Replaceable/writeable modules/libraries that are used by privileged executables/scripts/processes.
  • Writeable configuration files (*.conf) that are used by privileges executables/scripts/processes.
  • Are there any interesting files in /var/mail/ or /home/*/? Any passwords or useful info in /home/*/.bash_history?
Posted in Privilege EscalationTagged linux, privesc

Post navigation

An Interesting Privilege Escalation vector (getcap/setcap)
UnHashIt : Simple hash lookup tool

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • How to Set Up an Interactive SSH Honeypot on CentOS 8.
  • HackTheBox.eu Jarvis Writeup
  • How to setup a simple proxy server with tinyproxy (Debian 10 Buster)
  • How to Install qdPM 9.1 on Debian 10 LEMP
  • How to Install qdPM 9.1 on CentOS 7.

Tags

802.11 apache asp aspx backdoor capture the flag centos crm ctf debian exploits fingerprinting getcap hashes ifconfig information gathering iw iwconfig linux mariadb md5 nginx nmap password pastebin php practice privatebin privesc project management recon reconnoitre scanning shell sqli ssh txpower ubuntu wallabag web webshells wifi wireless xml xxe

Categories

  • BASH (1)
  • CTF/Labs (2)
  • Information Gathering (1)
  • Linux (25)
  • Password Cracking (1)
  • Privilege Escalation (2)
  • SQL Injection (1)
  • Web-Shells (1)
  • Wifi (2)
  • XXE (1)

Recent Comments

  • Audio streaming ampache ubuntu 18.04 – Education Networking on Installing Ampache on Ubuntu 18.04.
  • Creating your own Postmill installation with Ubuntu 19.10 – Digital 52 on How to Install Postmill on Ubuntu 18.04 LTS with Apache or Nginx
  • Zer00CooL on How to Install PrivateBin on Debian 9.
  • nxnjz on How to Install SuiteCRM on Debian 10 Buster
  • matt ferraro on Installing Ampache on CentOS 7.