# Linux - Privilege Escalation

## Tools

- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)

```bash
# -k: keyword to grep for, -r: report name, -e: export directory, -t: thorough (slow) tests,
# -s: supply the current user's password so sudo permissions can be checked
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
```

- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)

## Checklists

* Kernel and distribution release details
* System Information:
  * Hostname
  * Networking details:
    * Current IP
    * Default route details
    * DNS server information
* User Information:
  * Current user details
  * Last logged on users
  * Users currently logged onto the host
  * List all users including uid/gid information
  * List root accounts (uid 0)
  * Extract password policies and hash storage method information
  * Check the umask value
  * Check whether password hashes are stored in /etc/passwd
  * Extract full details for 'default' uids such as 0, 1000, 1001 etc.
  * Attempt to read restricted files, e.g. /etc/shadow
  * List the current user's history files (e.g. .bash_history, .nano_history etc.)
  * Basic SSH checks
* Privileged access:
  * Which users have recently used sudo
  * Determine whether /etc/sudoers is accessible
  * Determine whether the current user has sudo access without a password
  * Are known 'good' breakout binaries available via sudo (e.g. nmap, vim etc.)
  * Is root's home directory accessible
  * List permissions for /home/
* Environmental:
  * Display the current $PATH
  * Display environment variables
* Jobs/Tasks:
  * List all cron jobs
  * Locate all world-writable cron jobs
  * Locate cron jobs owned by other users of the system
  * List the active and inactive systemd timers
* Services:
  * List network connections (TCP & UDP)
  * List running processes
  * Look up and list process binaries and associated permissions
  * List inetd.conf/xinetd.conf contents and associated binary file permissions
  * List init.d binary permissions
* Version Information (of the following):
  * Sudo
  * MySQL
  * Postgres
  * Apache
    * Check user config
    * Show enabled modules
    * Check for htpasswd files
    * View www directories
* Default/Weak Credentials:
  * Check for default/weak Postgres accounts
  * Check for default/weak MySQL accounts
* Searches:
  * Locate all SUID/SGID files
  * Locate all world-writable SUID/SGID files
  * Locate all SUID/SGID files owned by root
  * Locate 'interesting' SUID/SGID files (e.g. nmap, vim etc.)
  * Locate files with POSIX capabilities
  * List all world-writable files
  * Find/list all accessible *.plan files and display contents
  * Find/list all accessible *.rhosts files and display contents
  * Show NFS server details
  * Locate *.conf and *.log files containing the keyword supplied at script runtime
  * List all *.conf files located in /etc
  * Locate mail
* Platform/software specific tests:
  * Check whether we're in a Docker container
  * Check whether the host has Docker installed
  * Check whether we're in an LXC container
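As an added example (not LinEnum's or any listed tool's code), the following Python audits three of the checklist items above offline: password hashes kept in /etc/passwd, additional uid-0 accounts, and SUID/SGID or world-writable regular files under a directory such as /etc/cron.d. The sample /etc/passwd content is constructed, and `audit_passwd`, `mode_flags` and `scan_tree` are names chosen here.

```python
import os
import stat

# Constructed sample /etc/passwd content, not taken from any real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:$6$saltsalt$fakehashfakehash:1002:1002::/home/backup:/bin/bash
toor::0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

def audit_passwd(text):
    """Return (account, finding) pairs for /etc/passwd entries worth a look."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a passwd entry always has seven fields
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # anything else in field 2 is a real hash living outside /etc/shadow
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings

def mode_flags(mode):
    """Map an st_mode value to the checklist properties it exhibits."""
    checks = (("suid", stat.S_ISUID), ("sgid", stat.S_ISGID), ("world-writable", stat.S_IWOTH))
    return [label for label, bit in checks if mode & bit]

def scan_tree(root):
    """Walk root and report regular files that are SUID, SGID or world-writable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never follow it
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and mode_flags(st.st_mode):
                hits.append((path, mode_flags(st.st_mode)))
    return hits
```

Pointing `scan_tree` at /etc/cron.d and `audit_passwd` at the real /etc/passwd yields the same findings for live data, which makes this a quick configuration check to run after hardening.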