Checklist - Linux Priv Esc
https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
- Get OS information
- List mounted drives
- Any unmounted drive?
- Any creds in fstab?
- Is any unknown software running?
- Is any software running with more privileges than it should have?
- Search for exploits for running processes (especially if running old versions)
- Can you modify the binary of any running process?
- Monitor processes and check if any interesting process is running frequently
- Can you read some interesting process memory (where passwords could be saved)?
- Have you detected a script that may be executed very frequently (every 1, 2 or 5 minutes)?
- Any writable .service file?
- Any writable binary executed by a service?
- Any writable folder in systemd PATH?
- Any writable timer?
- Any writable .socket file?
- Can you communicate with any socket?
- HTTP sockets with interesting info?
- Can you communicate with any D-Bus?
- Enumerate the network to know where you are
- Open ports you couldn't access before getting a shell inside the machine?
- Can you sniff traffic using tcpdump?
- Generic users/groups enumeration
- Do you have a very big UID? Is the machine vulnerable?
- Clipboard data?
- Password Policy?
- Try to use every known password that you have discovered previously to login with each possible user. Try to login also without password.
- If you have write privileges over some folder in PATH you may be able to escalate privileges
- Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
- Has any binary any unexpected capability?
- Has any file any unexpected ACL?
- screen?
- tmux?
- Profile files - Read sensitive data? Write to privesc?
- passwd/shadow files - Read sensitive data? Write to privesc?
- Check commonly interesting folders for sensitive data
- Files in weird locations or owned by you: you may be able to access or alter executable files
- Modified in the last minutes
- Sqlite DB files
- Hidden files
- Scripts/Binaries in PATH
- Web files (passwords?)
- Backups?
- Known files that contain passwords: Use Linpeas and LaZagne
- Generic search
- Modify python library to execute arbitrary commands?
- Can you modify log files? Logrotten exploit
- Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit