Enumeration is the Key

(Linux) privilege escalation is all about:

  • Collect — Enumeration, more enumeration and some more enumeration
  • Process — Sort through data, analyse and priorisation.
  • Search — Know what to search for and where to find the exploit code.
  • Adapt — Customize the exploit, so it fits. Not every exploit work for every system “out of the box”.
  • Try — Get ready for (lots of) trial and error

Operating System

What’s the distribution type? What version?

What’s the kernel version? Is it 64-bit?

What can be learnt from the environmental variables?

Is there a printer?

Applications & Services

What services are running? Which service has which user privilege?

Which service(s) are been running by root? Of these services, which are vulnerable — it’s worth a double check!

What applications are installed? What version are they? Are they currently running?

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?

What jobs are scheduled?

Any plain text usernames and/or passwords?

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

What other users & hosts are communicating with the system?

Whats cached? IP and/or MAC addresses

Is packet sniffing possible? What can be seen? Listen to live traffic

Note: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

Have you got a shell? Can you interact with the system?

Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Is port forwarding possible? Redirect and interact with traffic from another view

Note: http://www.boutell.com/rinetd/

Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip

Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

Note: ssh -[L/R] [local port]:[remote IP]:[remote port] [local user]@[local IP]

Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe

Is tunnelling possible? Send commands locally, remotely

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?

What sensitive files can be found?

Anything “interesting” in the home directorie(s)? If it’s possible to access

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords

What has the user being doing? Is there any password in plain text? What have they been editing?

What user information can be found?

Can private-key information be found?

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?

What can be found in /var/ ?

Any settings/files (hidden) on website? Any settings file with database information?

Is there anything in the log file(s) (Could help with “Local File Includes”!)

Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If commands are limited, you break out of the “jail” shell?

How are file-systems mounted?

Are there any unmounted file-systems?

What “Advanced Linux File Permissions” are used? Sticky bits, SUID & GUID

Where can written to and executed from? A few ‘common’ places: /tmp, /var/tmp, /dev/shm

Any “problem” files? Word-writeable, “nobody” files

Mitigations

Is any of the above information easy to find?

Try doing it! Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched?

Kernel, operating system, all applications, their plugins and web services

Are services running with the minimum level of privileges required?

For example, do you need to run MySQL as root?

Scripts Can any of this be automated?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

--

--

--

Linux Privilege Escalation Cheat Sheet

Recommended from Medium

Create a web portal on AWS through terraform also provide internet access to private subnet

Hypersign | Cross-chain Identity Protocol & Whitelisting solution

{UPDATE} Connect to Connect Hack Free Resources Generator

The Evolution of a Magecart Attack Leveraging Recaptcha.tech Domain

{UPDATE} Elite Freecell Solitaire Hack Free Resources Generator

{UPDATE} Baby Karaoke Hack Free Resources Generator

How to Secure your Cryptocurrency Exchange Trading Account on Nominex?

Cybersecurity — Understanding the Fundamentals II (Standards)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Marcos Tolosa

Marcos Tolosa

IT Security Specialist

More from Medium

Network Sniffing

Physical layer attacks

How to Protect Yourself From Camera and Microphone Hacking

How to Protect Yourself From Camera and Microphone Hacking

Rmap: Nmap Scanning in Ruby