Linux Privesc Checklist
Check DNS: /etc/hosts
ifconfig or ip a to check if it is dual homed, etc.
/etc/resolv.conf: if the host is configured to use internal DNS, it can be a starting point to query Active Directory.
To see which other hosts the target has been communicating with we can use arp -a
When creating a Docker container, if -h or --hostname is not specified, then the hostname is the container name.
Example hostname of docker container: efaa6f5097ed
.dockerenv in root directory
If sudo access on docker exec: sudo docker exec --privileged --user 0 -it container_name /bin/sh
To mount c drive in WSL
Check for unmounted drives with lsblk or fdisk -l
lsblk to enumerate information about block devices (hard disks, USB drives, optical drives).
lpstat to check for printers
Check for NFS with showmount -e <ip>
Then cat /etc/exports. If (rw,no_root_squash) then we can create setuid binary on bash:
shell.c
Compile and copy to nfs:
Run it after switching to low privileged session: ./shell
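From the defender's side, the /etc/exports check above can be automated. The script below is an added example, not part of the original checklist: it flags exports whose effective options are rw with no_root_squash. The function names audit_exports and sample_exports and the sample export lines are constructed for illustration.

```shell
#!/bin/sh
# audit_exports: read exports(5)-format text on stdin and print
# "<path> <client> <options>" for every client whose effective options
# are read-write with root squashing disabled.
# Simplification: backslash-continued lines and quoted paths are not handled.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        sub(/[ \t]*#.*$/, "")                # strip a trailing comment
        path = $1; defaults = ""
        for (i = 2; i <= NF; i++) {
            entry = $i
            # "-opt1,opt2" sets default options for the clients after it
            if (substr(entry, 1, 1) == "-") { defaults = substr(entry, 2); continue }
            client = entry; opts = ""
            p = index(entry, "(")
            if (p > 0) {
                client = substr(entry, 1, p - 1)
                opts = substr(entry, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # bare "(opts)" applies to any host
            all = defaults
            if (opts != "") all = (all == "") ? opts : (all "," opts)
            if (is_risky(all)) print path, client, all
        }
    }
    # Start from the exports(5) defaults (ro, root_squash); a later option
    # in the list overrides an earlier one.
    function is_risky(list,    n, a, k, rw, squash) {
        rw = 0; squash = 1
        n = split(list, a, ",")
        for (k = 1; k <= n; k++) {
            if (a[k] == "rw") rw = 1
            else if (a[k] == "ro") rw = 0
            else if (a[k] == "no_root_squash") squash = 0
            else if (a[k] == "root_squash") squash = 1
        }
        return rw && !squash
    }'
}

# Constructed sample input, not taken from a real host.
sample_exports() {
    cat <<'EOF'
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)
/srv/backup  10.0.0.5(ro,no_root_squash) *(rw,root_squash)
/srv/build   -rw,no_root_squash build1 build2(ro)
/srv/pub     (rw,no_root_squash)   # any host, root not squashed
EOF
}

sample_exports | audit_exports
```

On a real server, run audit_exports < /etc/exports; each reported line is an export to tighten with root_squash or ro.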
To find .conf files:
To find setuid(SUID) binaries:
To get all hidden files:
To find scripts:
To check for writable directories:
or writable files:
If WordPress, then it is quite common to have passwords in the config file:
Check running processes:
ps aux
--> only root: ps aux | grep root
watch -n 1 "ps -aux | grep pass" - to get entries with password
ps fauxww
ps -ewwo pid,user,cmd --forest
If doas is present then check config file which can be found with
dpkg -l to list packages
To add current path to $PATH:
To check cron jobs try ALL THESE:
crontab -l (Run with sudo too)
ls -lah /etc/cron*
grep "CRON" /var/log/syslog - To check cron logs
To check binaries: ls -l /bin /usr/bin/ /usr/sbin/
To check installed packages:
To check gtfo bins against installed packages (run the previous command before this):
Strace can be used to trace the system calls and signal processing of any command
Check /etc/krb5.conf
If root user then use KeyTabExtract
Check for hashes:
In /var/lib/sss/db:
Check for cache
To evaluate use Refer: Forgotten-vulnlab
If no sudo access: ./pspy64 -pf -i 1000