Pentesting

Checklist - Linux Privilege Escalation

Checklist for privilege escalation in Linux

Best tool to look for Linux local privilege escalation vectors: LinPEAS

Drives

  • List mounted drives

  • Any unmounted drive?

  • Any creds in fstab?

  1. Check for useful software installed

  2. Check for vulnerable software installed

Processes

  • Is any unknown software running?

  • Is any software with more privileges that it should have running?

  • Search for exploits for running processes (specially if running of versions)

  • Can you modify the binary of any running process?

  • Monitor processes and check if any interesting process is running frequently

  • Can you read some interesting process memory (where passwords could be saved)?

Services

  • Any writable .service file?

  • Any writable binary executed by a service?

  • Any writable folder in systemd PATH?

Timers

  • Any writable timer?

Sockets

  • Any writable .socket file?

  • Can you communicate with any socket?

  • HTTP sockets with interesting info?

D-Bus

  • Can you communicate with any D-Bus?

Network

  • Enumerate the network to know where you are

  • Open ports you couldn't access before getting a shell inside the machine?

  • Can you sniff traffic using tcpdump?

Users

  • Generic users/groups enumeration

  • Do you have a very big UID? Is the machine vulnerable?

  • Clipboard data?

  • Password Policy?

  • Try to use every known password that you have discovered previously to login with each possible user. Try to login also without password.

  • If you have write privileges over some folder in PATH you may be able to escalate privileges

  • Has any binary any unexpected capability?

ACLs

  • Has any file any unexpected ACL?

  • screen?

  • tmux?

SSH

  • Profile files - Read sensitive data? Write to privesc?

  • passwd/shadow files - Read sensitive data? Write to privesc?

  • Check commonly interesting folders for sensitive data

  • Weird Localtion/Owned files, you may have access or alter executable files

  • Modified in last mins

  • Sqlite DB files

  • Hidden files

  • Script/Binaries in PATH

  • Web files (passwords?)

  • Backups?

  • Known files that contains passwords: Use Linpeas and LaZagne

  • Generic search

  • Modify python library to execute arbitrary commands?

  • Can you modify log files? Logtotten exploit

  • Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book. Don't forget to give ⭐ on the github to motivate me to continue developing this book.

Buy me a coffee here