Linux Privilege Escalation

Manual Checks

A list of useful commands to perform manual privilege escalation on Linux operating system.

System Information

OS info

(cat /proc/version || uname -a ) 2>/dev/null

cat /etc/os-release 2>/dev/null

Path

echo $PATH

Env info

(env || set) 2>/dev/null

CPU info

lscpu

System stats

(df -h || lsblk)

Kernel Exploit

cat /proc/version

uname -a

searchsploit "Linux Kernel"

Drives

Check what is mounted and unmounted

ls /dev 2>/dev/null | grep -i "sd"

cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null

Check if credentials are in fstab

grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null

Processes

ps aux

ps -ef

top -n 1

Network

Hostname, hosts

cat /etc/hostname /etc/hosts /etc/resolv.conf

Interfaces

cat /etc/networks

(ifconfig || ip a)

Neighbours

(arp -e || arp -a)

(route || ip n)

IPtables rules

(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null)

Files used by network services

lsof -i

SUDO and SUID

Check commands you can execute with sudo

sudo -l

Find all SUID binaries

find / -perm -4000 2>/dev/null

Open Ports

(netstat -punta || ss --ntpu)

(netstat -punta || ss --ntpu) | grep "127.0"

Users

Info about me

id || (whoami && groups) 2>/dev/null

List all users

cat /etc/passwd | cut -d: -f1

List users with console

cat /etc/passwd | grep "sh$"

List superusers

awk -F: '($3 == "0") {print}' /etc/passwd

Currently logged users

w

Login history

last | tail

Last log of each user

lastlog

List all users and their groups

for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort

Password Policy

grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs