Linux - PrivEsc - First draft

2026-03-01 06:53:04 -08:00 · 2018-12-25 15:51:11 +01:00
parent 38c3bfbd9f
commit b9efdb52d3
3 changed files with 137 additions and 1 deletions
--- a/Resources/Linux
+++ b/Resources/Linux
@@ -0,0 +1,87 @@
+# Linux - Privilege Escalation
+
+## Tools
+
+- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)
+    ```powershell
+    ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
+    ```
+- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
+- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
+
+## Checklists
+
+* Kernel and distribution release details
+* System Information:
+  * Hostname
+  * Networking details:
+  * Current IP
+  * Default route details
+  * DNS server information
+* User Information:
+  * Current user details
+  * Last logged on users
+  * Shows users logged onto the host
+  * List all users including uid/gid information
+  * List root accounts
+  * Extracts password policies and hash storage method information
+  * Checks umask value
+  * Checks if password hashes are stored in /etc/passwd
+  * Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
+  * Attempt to read restricted files i.e. /etc/shadow
+  * List current users history files (i.e .bash_history, .nano_history etc.)
+  * Basic SSH checks
+* Privileged access:
+  * Which users have recently used sudo
+  * Determine if /etc/sudoers is accessible
+  * Determine if the current user has Sudo access without a password
+  * Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
+  * Is root’s home directory accessible
+  * List permissions for /home/
+* Environmental:
+  * Display current $PATH
+  * Displays env information
+* Jobs/Tasks:
+  * List all cron jobs
+  * Locate all world-writable cron jobs
+  * Locate cron jobs owned by other users of the system
+  * List the active and inactive systemd timers
+* Services:
+  * List network connections (TCP & UDP)
+  * List running processes
+  * Lookup and list process binaries and associated permissions
+  * List inetd.conf/xined.conf contents and associated binary file permissions
+  * List init.d binary permissions
+* Version Information (of the following):
+  * Sudo
+  * MYSQL
+  * Postgres
+  * Apache
+    * Checks user config
+    * Shows enabled modules
+    * Checks for htpasswd files
+    * View www directories
+* Default/Weak Credentials:
+  * Checks for default/weak Postgres accounts
+  * Checks for default/weak MYSQL accounts
+* Searches:
+  * Locate all SUID/GUID files
+  * Locate all world-writable SUID/GUID files
+  * Locate all SUID/GUID files owned by root
+  * Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
+  * Locate files with POSIX capabilities
+  * List all world-writable files
+  * Find/list all accessible *.plan files and display contents
+  * Find/list all accessible *.rhosts files and display contents
+  * Show NFS server details
+  * Locate *.conf and *.log files containing keyword supplied at script runtime
+  * List all *.conf files located in /etc
+  * Locate mail
+* Platform/software specific tests:
+  * Checks to determine if we're in a Docker container
+  * Checks to see if the host has Docker installed
+  * Checks to determine if we're in an LXC container
+
+## References
+
+- []()