ToKeiChun

Linux Privilege Escalation Techniques

Mar 10th, 2022
  # Host fingerprinting: release files, then kernel build/architecture.
  # Most of these paths are distro-specific, so "No such file" is expected noise.
  1. // Determine linux distribution and version
  2. cat /etc/issue
  3. cat /etc/*-release
  4. cat /etc/lsb-release
  5. cat /etc/redhat-release
  6.  
  7. // Determine kernel version - 32 or 64-bit?
  8. cat /proc/version
  9. uname -a
  10. uname -mrs
  # rpm only exists on RPM-based systems; dpkg hosts report nothing here
  11. rpm -q kernel
  # the kernel ring buffer is root-only when kernel.dmesg_restrict=1
  12. dmesg | grep Linux
  13. ls /boot | grep vmlinuz-
  14.  
  # Shell start-up files (system-wide, then per-user) and the live environment.
  15. // List environment variables
  16. cat /etc/profile
  # /etc/bashrc is the Red Hat location; Debian-based systems use /etc/bash.bashrc
  17. cat /etc/bashrc
  18. cat ~/.bash_profile
  19. cat ~/.bashrc
  20. cat ~/.bash_logout
  21. env
  22.  
  23. // Determine if there is a printer
  # lpstat needs the CUPS client tools installed
  24. lpstat -a
  25.  
  # Process listing three ways (top is interactive; press q to leave it).
  26. // Determine which services are running
  27. ps aux
  28. ps -ef
  29. top
  # NOTE(review): /etc/service looks like a typo for /etc/services (the port
  # name table grepped further down); on runit hosts /etc/service is a directory
  30. cat /etc/service
  31.  
  32. // Determine which services are running as root
  # grep matches the USER column but also any command line that contains "root"
  33. ps aux | grep root
  34. ps -ef | grep root
  35.  
  # Installed software: binary directories, then the package database
  # (dpkg on Debian-based, rpm on Red Hat-based), then leftover package caches.
  36. // Determine installed applications
  37. ls -alh /usr/bin/
  38. ls -alh /sbin/
  39. dpkg -l
  40. rpm -qa
  # typo in the path below: the apt cache directory is /var/cache/apt/archives
  41. ls -alh /var/cache/apt/archivesO
  42. ls -alh /var/cache/yum/
  43.  
  # Logging and service configuration files. Where logs are shipped and which
  # services are configured is what a defender checks first on a hardened host.
  44. // Syslog Configuration
  # most current distros run rsyslog: /etc/rsyslog.conf and /etc/rsyslog.d/
  45. cat /etc/syslog.conf
  46. cat /var/log/syslog.conf
  # line 47 is a note, not a command; locate only knows what the last updatedb saw
  47. (or just: locate syslog.conf)
  48.  
  49. // Web Server Configurations
  50. cat /etc/chttp.conf
  51. cat /etc/lighttpd.conf
  52. cat /etc/apache2/apache2.conf
  53. cat /etc/httpd/conf/httpd.conf
  54. cat /opt/lampp/etc/httpd.conf
  55.  
  56. // PHP Configuration
  # path only, no command given; the php5 directory name is version-specific
  57. /etc/php5/apache2/php.ini
  58.  
  59. // Printer (cupsd) Configuration
  60. cat /etc/cups/cupsd.conf
  61.  
  62. // MySql
  # NOTE(review): MySQL reads /etc/my.cnf (or /etc/mysql/my.cnf), not my.conf
  63. cat /etc/my.conf
  64.  
  65. // Inetd Configuration
  66. cat /etc/inetd.conf
  67.  
  68. // List All
  # awk keeps lines whose first field contains an 'r' anywhere in the mode
  # string; with -R this also matches the "/etc/...:" directory header lines
  69. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
  70.  
  # Scheduled jobs: cron/at for the current user, system-wide, and root.
  # systemd hosts also schedule work via timers: systemctl list-timers --all
  71. // Determine scheduled jobs
  72. crontab -l
  73. ls -alh /var/spool/cron
  74. ls -al /etc/ | grep cron
  75. ls -al /etc/cron*
  76. cat /etc/cron*
  77. cat /etc/at.allow
  78. cat /etc/at.deny
  79. cat /etc/cron.allow
  80. cat /etc/cron.deny
  81. cat /etc/crontab
  82. cat /etc/anacrontab
  # Debian layout; Red Hat-based systems keep it at /var/spool/cron/root
  83. cat /var/spool/cron/crontabs/root
  84.  
  85. // Locate any plaintext usernames and passwords
  # [filename] is a placeholder; -i is case-insensitive, -C 5 adds five lines
  # of context around each hit
  86. grep -i user [filename]
  87. grep -i pass [filename]
  88. grep -C 5 "password" [filename]
  # NOTE(review): inside double quotes the shell expands $password (normally
  # unset, so the pattern collapses to "var "); single-quote it: 'var $password'
  89. find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
  90.  
  # Network position: interfaces, listeners, neighbours, resolver and firewall.
  # ifconfig/netstat/route/arp belong to net-tools, which newer distros no
  # longer install by default; ip addr / ip route / ip neigh / ss -tulpn are
  # the iproute2 equivalents.
  91. // Identify connected NICs and other networks
  92. /sbin/ifconfig -a
  93. cat /etc/network/interfaces
  94. cat /etc/sysconfig/network
  95.  
  96. // Identify connected users and hosts
  97. lsof -i
  98. lsof -i :80
  # plain "80" is a substring match, so 8080, 1800 etc. are listed too
  99. grep 80 /etc/services
  100. netstat -antup
  101. netstat -antpx
  102. netstat -tulpn
  # chkconfig is SysV-init only; on systemd use systemctl list-unit-files
  103. chkconfig --list
  104. chkconfig --list | grep 3:on
  105. last
  106. w
  107.  
  108. // Identify cached IP or MAC addresses
  109. arp -a
  110. route
  111. /sbin/route -nee
  112.  
  113. // Identify network configuration Settings (DHCP, DNS, Gateway)
  114. cat /etc/resolv.conf
  115. cat /etc/sysconfig/network
  116. cat /etc/networks
  # listing firewall rules normally needs root; nftables hosts: nft list ruleset
  117. iptables -L
  118. hostname
  119. dnsdomainname
  120.  
  121. // Is packet sniffing possible
  # placeholder form on 122, worked example with sample addresses on 123;
  # capturing needs root or CAP_NET_RAW
  122. # tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
  123. tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21
  124.  
  125. // Check for ports open for local only connections
  # loopback-only listeners show 127.0.0.1 / ::1 in the Local Address column
  126. netstat -tupan
  127.  
  128. // Is tunnelling possible?
  # [username]/[ip] are placeholders
  129. ssh -D 127.0.0.1:9050 -N [username]@[ip]
  130. proxychains ifconfig
  131.  
  # Accounts: who is logged in, every account, and UID-0 accounts (any UID-0
  # account other than root is a finding in itself).
  132. // Identify the current user and users in the system
  133. id
  134. who
  135. w
  136. last
  # 137 lists every account name; 138 prints UID-0 names only, 139 prints the
  # full passwd entry for UID-0 accounts
  137. cat /etc/passwd | cut -d : -f 1 # List users
  138. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
  139. awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
  140.  
  141. // List Sudoers
  # /etc/sudoers is typically mode 0440 root-only; rules may also live in /etc/sudoers.d/
  142. cat /etc/sudoers
  143.  
  144. // Show which commands sudo allows you to run
  # may prompt for the current user's password
  145. sudo -l
  146.  
  147. // Attempt to display sensitive files
  148. cat /etc/passwd
  149. cat /etc/group
  # /etc/shadow is readable only by root and the shadow group on a correctly
  # configured host; success here is itself a misconfiguration to report
  150. cat /etc/shadow
  151. ls -alh /var/mail/
  152.  
  # Home directories, product config files, shell histories and SSH material.
  153. // Check for anything interesting in home directories
  154. ls -ahlR /root/
  155. ls -ahlR /home/
  156.  
  157. // Are there any hardcoded passwords in scripts, databases or configuration files
  # product-specific locations: user.MYD is the raw MyISAM data file of the
  # mysql.user table, anaconda-ks.cfg is the Kickstart answer file from install
  158. cat /var/apache2/config.inc
  159. cat /var/lib/mysql/mysql/user.MYD
  160. cat /root/anaconda-ks.cfg
  161.  
  162. // Check user history for credentials and activity
  163. cat ~/.bash_history
  164. cat ~/.nano_history
  165. cat ~/.atftp_history
  166. cat ~/.mysql_history
  167. cat ~/.php_history
  168.  
  169. // Check user profile and mail
  170. cat ~/.bashrc
  171. cat ~/.profile
  172. cat /var/mail/root
  173. cat /var/spool/mail/root
  174.  
  175. // Check for accessible private keys
  # authorized_keys and *.pub files are public material; the private keys are
  # the un-suffixed files. Current defaults also include id_ed25519 and
  # id_ecdsa, which this list predates. Host private keys (ssh_host_*_key)
  # should be 0600 root-only, so any readable one is a finding.
  176. cat ~/.ssh/authorized_keys
  177. cat ~/.ssh/identity.pub
  178. cat ~/.ssh/identity
  179. cat ~/.ssh/id_rsa.pub
  180. cat ~/.ssh/id_rsa
  181. cat ~/.ssh/id_dsa.pub
  182. cat ~/.ssh/id_dsa
  183. cat /etc/ssh/ssh_config
  184. cat /etc/ssh/sshd_config
  185. cat /etc/ssh/ssh_host_dsa_key.pub
  186. cat /etc/ssh/ssh_host_dsa_key
  187. cat /etc/ssh/ssh_host_rsa_key.pub
  188. cat /etc/ssh/ssh_host_rsa_key
  189. cat /etc/ssh/ssh_host_key.pub
  190. cat /etc/ssh/ssh_host_key
  191.  
  # Permission audit of /etc. The awk regexes test fixed positions of the
  # ls -l mode string: any 'w' at all, owner (col 3), group (col 6), other
  # (col 9, i.e. 'w' followed by one trailing char). Note that 2>/dev/null
  # is attached to awk, so permission errors from ls still print.
  192. // Find writeable configuration files in /etc
  193. ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone
  194. ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
  195. ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
  196. ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
  197.  
  # NOTE(review): -readable tests the *invoking* user's access, not "anyone".
  # GNU find also warns when -maxdepth comes after a test such as -type; put
  # it first: find /etc/ -maxdepth 1 -readable -type f 2>/dev/null
  198. find /etc/ -readable -type f 2>/dev/null # Anyone
  199. find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
  200.  
  201. // Examine /var structure (logs, configuration files
  202. ls -alh /var/log
  203. ls -alh /var/mail
  204. ls -alh /var/spool
  205. ls -alh /var/spool/lpd
  206. ls -alh /var/lib/pgsql
  207. ls -alh /var/lib/mysql
  # DHCP leases reveal the gateway/DNS handed out and lease history
  208. cat /var/lib/dhcp3/dhclient.leases
  209.  
  # Web document roots, then local log files. The same log is listed under
  # every common name/location because distributions differ (apache2 vs httpd,
  # access_log vs access.log, auth.log on Debian vs secure on Red Hat).
  210. // Any hidden files / settings on a hosted website
  211. ls -alhR /var/www/
  212. ls -alhR /srv/www/htdocs/
  213. ls -alhR /usr/local/www/apache22/data/
  214. ls -alhR /opt/lampp/htdocs/
  215. ls -alhR /var/www/html/
  216.  
  217. // Check Local Log Files
  218. # http://www.thegeekstuff.com/2011/08/linux-var-log-files/
  219. cat /etc/httpd/logs/access_log
  220. cat /etc/httpd/logs/access.log
  221. cat /etc/httpd/logs/error_log
  222. cat /etc/httpd/logs/error.log
  223. cat /var/log/apache2/access_log
  224. cat /var/log/apache2/access.log
  225. cat /var/log/apache2/error_log
  226. cat /var/log/apache2/error.log
  227. cat /var/log/apache/access_log
  228. cat /var/log/apache/access.log
  229. cat /var/log/auth.log
  230. cat /var/log/chttp.log
  231. cat /var/log/cups/error_log
  232. cat /var/log/dpkg.log
  # faillog, lastlog, wtmp and utmp are binary; read them with the faillog,
  # lastlog, last and who commands rather than cat
  233. cat /var/log/faillog
  234. cat /var/log/httpd/access_log
  235. cat /var/log/httpd/access.log
  236. cat /var/log/httpd/error_log
  237. cat /var/log/httpd/error.log
  238. cat /var/log/lastlog
  239. cat /var/log/lighttpd/access.log
  240. cat /var/log/lighttpd/error.log
  241. cat /var/log/lighttpd/lighttpd.access.log
  242. cat /var/log/lighttpd/lighttpd.error.log
  243. cat /var/log/messages
  244. cat /var/log/secure
  245. cat /var/log/syslog
  246. cat /var/log/wtmp
  247. cat /var/log/xferlog
  248. cat /var/log/yum.log
  249. cat /var/run/utmp
  250. cat /var/webmin/miniserv.log
  251. cat /var/www/logs/access_log
  252. cat /var/www/logs/access.log
  253. ls -alh /var/lib/dhcp3/
  254. ls -alh /var/log/postgresql/
  255. ls -alh /var/log/proftpd/
  256. ls -alh /var/log/samba/
  # reference list of common /var/log file names (btmp is binary too: lastb)
  257. # auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
  258.  
  # Restricted-shell escape notes, then mounted and configured filesystems.
  # Mixed notation: 262 is the only plain shell command here; 260 is a python
  # one-liner, 261 is written for a python prompt and 263 describes vi commands.
  259. // Is it possible to break out of "jail" shell
  260. python -c 'import pty;pty.spawn("/bin/bash")'
  261. echo os.system('/bin/bash')
  262. /bin/sh -i
  263. vi -> :sh or :!UNIX_command
  264.  
  265. // Check which filesystems are mounted
  # mount also shows per-filesystem options such as noexec/nosuid/nodev
  266. mount
  267. df -h
  268.  
  269. // Check if there are unmounted filesystems
  # compare against the mount output above to spot entries not currently mounted
  270. cat /etc/fstab
  271.  
  # Filesystem permission checks: world-writable, setuid/setgid, sticky,
  # unowned. Several of the find invocations below have correctness problems
  # noted inline; the grouped forms on 287 and 297 are the ones to copy.
  272. // Finding world writeable directories
  # NOTE(review): -perm 777 matches mode exactly 0777 only, has no -type d and
  # no 2>/dev/null; the -perm -o+w line further down is the reliable test
  273. find / -perm 777
  274.  
  275. // Find setuid files
  # NOTE(review): the "+mode" syntax is rejected by current GNU find; use
  # -perm -4000 (as on 287) or -perm /4000
  276. find / -perm +4000 -type f
  277.  
  278. // Find root setuid files
  279. find / -perm +4000 -uid 0 -type f
  280.  
  # "GUID" in the header means SGID
  281. // Additional File System Checks? Sticky bits, SUID & GUID
  282. find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
  283. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
  284. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
  285.  
  # NOTE(review): -o binds looser than the implied -a, so this parses as
  # "-g=s OR (-u=s AND -type f)" and SGID directories are listed as well;
  # group the alternatives: find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
  286. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
  # backticks and the unquoted $i word-split on paths containing spaces;
  # locate only reports what the last updatedb run indexed
  287. for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
  288.  
  289. # find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
  # NOTE(review): same precedence issue, and because -exec is an action the
  # default -print is suppressed, so SGID-only matches (left branch, no
  # action) produce no output at all. GNU find also wants -maxdepth first:
  #   find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
  290. find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
  291.  
  292. // Check common directories for write and execute permissions
  # NOTE(review): the trailing comments overstate 293 and 294: -writable tests
  # the invoking user's access, and -perm -222 requires owner, group AND other
  # write bits; only -perm -o+w (295) is a true world-writable test
  293. find / -writable -type d 2>/dev/null # world-writeable folders
  294. find / -perm -222 -type d 2>/dev/null # world-writeable folders
  295. find / -perm -o+w -type d 2>/dev/null # world-writeable folders
  296. find / -perm -o+x -type d 2>/dev/null # world-executable folders
  297. find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writeable & executable folders
  298.  
  299. // Check for problem files (World Writeable / "Nobody" files)
  # -xdev stays on one filesystem; 300 excludes sticky directories such as
  # /tmp, and /dir on 301 is a placeholder for the start path
  300. find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files
  301. find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files
  302.  
  303.  
  304. ##### Attacking Vulnerable Kernel and SUID Applications #####
  305.  
  306. // Finding Exploit Code
  # X.X and "application" are placeholders to replace before running
  307. /pentest/exploits/exploitdb/searchsploit "kernel" |grep -i "root"
  308. cat /pentest/exploits/exploitdb/files.csv |grep -i privile
  309. grep -i X.X /pentest/exploits/exploitdb/files.csv |grep -i local
  310. grep -i application /pentest/exploits/exploitdb/files.csv |grep -i local
  311.  
  312. // Check Development Environment on Target Hosts
  # NOTE(review): the globs are unquoted; if the current directory contains a
  # matching name the shell expands it before find runs. Quote them
  # ('perl*', 'python*', 'gcc*', and likewise 'nc*', 'netcat*', 'tftp*' below)
  313. find / -name perl*
  314. find / -name python*
  315. find / -name gcc*
  316. find / -name cc
  317.  
  318. // How can files be uploaded?
  319. find / -name wget
  320. find / -name nc*
  321. find / -name netcat*
  322. find / -name tftp*
  323. find / -name ftp
  324. # If port 22 is open, use srvdir for SSH egress
  325.  
  326. # Also use unix-privesc-check from pentestmonkey