Checklist - Linux Privilege Escalation

Best tool to look for Linux local privilege escalation vectors: LinPEAS​

​Vulnerable Kernel?​

• Search for kernel exploits using scripts (linux.exploit-suggester.sh, inux-exploit-suggester2.pl, linuxprivcheckser.py)

• Use Google to search for kernel exploits

• Use searchsploit to search for kernel exploits

• Check if the sudo version is vulnerable​

​Vulnerable Processes?​

• Is any unknown software running?

• Is any software with more privileges that it should have running?

• Search for exploits for running processes (specially if running of versions)

• Can you read some interesting process memory (where passwords could be saved)?

​Known users/passwords?​

• Try to use every known password that you have discovered previously to login with each possible user. Try to login also without password.

​Interesting Groups?​

• Check if you belong to any group that can grant you root rights.

​Weird scheduled jobs?​

• Is the PATH being modified by some cron and you can write in it?

• Some modifiable script is being executed or is inside modifiable folder?

• Is some cron script calling other script that is modifiable by you? or using wildcards?

• Have you detected that some script could be being executed very frequently? (every 1, 2 or 5 minutes)

​Any sudo command?​

• Can you execute any comand with sudo? Can you use it to READ, WRITE or EXECUTE anything as root?

• Is some wildcard used?

• Is the binary specified without path?

• Is env_keep+=LD_PRELOAD?

​Any weird suid command?​

• SUID any interesting command? Can you use it to READ, WRITE or EXECUTE anything as root?

• Is some wildcard used?

• Is the SUID binary executing some other binary without specifying the path? or specifying it?

• Is it trying to load .so from writable folders?

​Weird capabilities?​

• Has any binary any uncommon capability?

​Open Shell sessions?​

• screen?

• tmux?

​Can you read some sensitive data?​

• Can you read some interesting files? (files with passwords, *_history, backups...)

​Can you write important files?​

• Are you able to write files that could grant you more privileges? (service conf files, shadow,a script that is executed by other users, libraries...)

​Internal open ports?​

• You should check if any undiscovered service is running in some port/interface. Maybe it is running with more privileges that it should or it is vulnerable to some kind of privilege escalation vulnerability.

​Can you sniff some passwords in the network?​

• Can you sniff and get passwords from the network?

​Any service missconfigurated? NFS? belongs to docker or lxd?​

1. Any well known missconfiguration? (NFS no_root_squash)

​Any weird executable in path?​

​

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the PEASS & HackTricks telegram group here.

​Buy me a coffee here​