🐧Linux

Linpeas, Winpeas, etc

https://github.com/carlospolop/PEASS-ng
https://github.com/rebootuser/LinEnum
https://github.com/mzet-/linux-exploit-suggester
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/linted/linuxprivchecker

GTFO Bins

https://gtfobins.github.io/gtfobins

Sudo perms

sudo -l # View sudo perms.

If sudo -l shows that you have sudo perms to run something as another user, run it with sudo -u *otheruser* command.

Stickies

find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null

If /bin/bash has the SUID bit set (the bit the find commands above look for, loosely called a sticky bit here), you can use /bin/bash -p for a privileged shell.

Source: https://medium.com/go-cyber/linux-privilege-escalation-with-suid-files-6119d73bc620
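The defender-side counterpart to the find commands above, as an added example that is not part of the original page: it reports SUID/SGID files missing from a known-good baseline and rates SUID shells and world-writable privileged files as HIGH. The function name suid_audit, the baseline format (one path per line) and the baseline path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# suid_audit ROOT BASELINE
#   ROOT     - directory tree to scan (/ on a real host)
#   BASELINE - file listing expected SUID/SGID paths, one per line (assumed format)
# Prints one finding per line: "<severity> <mode> <owner> <path>"
# Usage (hypothetical baseline path): suid_audit / /etc/suid-baseline.txt
suid_audit() {
    root=$1
    baseline=$2
    # -perm -4000 = SUID, -perm -2000 = SGID; -xdev keeps the scan on one filesystem
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sort |
    while IFS= read -r path; do
        # Expected privileged binaries (passwd, sudo, ...) live in the baseline
        if grep -Fxq -- "$path" "$baseline" 2>/dev/null; then
            continue
        fi
        info=$(ls -ld -- "$path" | awk '{print $1, $3}')
        mode=${info%% *}
        owner=${info#* }
        sev=REVIEW
        # A SUID/SGID shell is the /bin/bash -p case described above
        case "$(basename -- "$path")" in
            bash|sh|dash|zsh|ksh) sev=HIGH ;;
        esac
        # Other-writable privileged file: any local user can replace its contents
        case "$mode" in
            ????????w*) sev=HIGH ;;
        esac
        printf '%s %s %s %s\n' "$sev" "$mode" "$owner" "$path"
    done
}
```

Build the baseline on a freshly installed host and rerun the audit on a schedule, so that any new line in the output is a change worth explaining.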

Find writable files

Config files with possible stored credentials

Weak File Permissions

SSH Keys

Abusing Intended Functionality

Sudoer Example

Sudo(LD_PRELOAD)

Compile with gcc:
gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

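Run:
sudo LD_PRELOAD=/tmp/x.so *Whatever bin is stickied*

This only works when the sudoers policy keeps LD_PRELOAD in the environment (an env_keep entry). With the default env_reset and no such entry, sudo drops the variable.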

Environment Variables - SUID

Capabilities - similar to SUID

Cron Jobs

NFS Root Squashing

Writeable /etc/passwd
