👾Linux Privilege Escalation

System Enumeration

uname -a
cat /proc/version
cat /etc/issue
lscpu
ps aux

User Enumeration

whoami
id
sudo -l
cat /etc/passwd | grep sh | cut -d : -f 1
cat /etc/shadow
cat /etc/group
history

Network Enumeration

ifconfig / ip a
ip route / route
arp -a
netstat -ano / netstat -antp

Password Hunting

grep --color=always -rnw '/' -ie "PASSWORD" 2> /dev/null
# This one only searches in current working directory.
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
locate password | more
find / -name id_rsa 2> /dev/null

Escalation via SSH Keys

We can escalate privileges with other users' SSH keys if they have weak permissions or are badly managed.

find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
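
The weak-permission condition described above can be audited from the defender's side. The script below is an added example, not part of the original notes; it assumes GNU find, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SSH key material for weak permissions.
# Assumes GNU find (-perm /mode, -printf), as shipped on Linux distributions.

# audit_ssh_perms ROOT
# Prints one finding per line: "<FINDING> <octal mode> <owner> <path>".
audit_ssh_perms() {
    root=${1:-/home}
    # Private keys: any group/other bit is too open (expected mode 0600).
    find "$root" -type f -name 'id_*' ! -name '*.pub' -perm /077 \
        -printf 'WEAK_PRIVATE_KEY %m %u %p\n' 2>/dev/null || :
    # authorized_keys: group/other write lets another account append a key.
    find "$root" -type f -name authorized_keys -perm /022 \
        -printf 'WRITABLE_AUTHORIZED_KEYS %m %u %p\n' 2>/dev/null || :
    # .ssh directories: group/other write allows swapping the files inside.
    find "$root" -type d -name .ssh -perm /022 \
        -printf 'WRITABLE_SSH_DIR %m %u %p\n' 2>/dev/null || :
}

# make_sample_tree DIR: constructed test data, two home directories.
# alice is correctly locked down; bob has three distinct weaknesses.
make_sample_tree() {
    t=$1
    mkdir -p "$t/alice/.ssh" "$t/bob/.ssh"
    for u in alice bob; do
        : > "$t/$u/.ssh/id_rsa"
        : > "$t/$u/.ssh/id_rsa.pub"
        : > "$t/$u/.ssh/authorized_keys"
    done
    chmod 700 "$t/alice/.ssh"; chmod 600 "$t/alice/.ssh/id_rsa"
    chmod 644 "$t/alice/.ssh/id_rsa.pub" "$t/alice/.ssh/authorized_keys"
    chmod 777 "$t/bob/.ssh";   chmod 644 "$t/bob/.ssh/id_rsa"
    chmod 644 "$t/bob/.ssh/id_rsa.pub"; chmod 666 "$t/bob/.ssh/authorized_keys"
}

# With a directory argument, audit it; with none, audit the constructed sample.
if [ -n "${1:-}" ]; then
    audit_ssh_perms "$1"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    audit_ssh_perms "$sample"
    rm -rf "$sample"
fi
```

Any finding is fixed by restoring the modes OpenSSH expects: 0700 on `.ssh`, 0600 on private keys, and no group/other write on `authorized_keys`.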

SUID

find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
