OSCP Notes – Privilege Escalation (Linux)

Lynis

https://cisofy.com/lynis/

Linux Exploit Suggestor

https://github.com/PenturaLabs/Linux_Exploit_Suggester

Shell Escape Sequences

nmap–> –interactive
vi–> :!bash
vi–> :set shell=/bin/bash:shell
awk–> awk ‘BEGIN {system(“/bin/bash”)}’
find–> find / -exec /usr/bin/awk ‘BEGIN {system(“/bin/bash”)}’ \;
perl–> perl -e ‘exec “/bin/bash”;’

Commands useful for gaining information :

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Basics of Privilege Escalation Methods :

http://www.doomedraven.com/2013/04/hacking-linux-part-i-privilege.html
http://www.rebootuser.com/?p=1623#.V0W5Pbp95JP

Linux Priv Checker

https://www.securitysift.com/download/linuxprivchecker.py

Here’s an overview of this Linux privilege escalation script identified:

Basic system info (OS/Kernel/System name, etc)
Networking Info (ifconfig, route, netstat, etc)
Miscellaneous filesystem info (mount, fstab, cron jobs, etc)
User info (current user, all users, super users, command history, etc)
File and Directory permissions (world-writeable files/dirs, suid files, root home directory)
Files containing plaintext passwords
Interesting files, processes and applications (all processes and packages, all processes run by root and the associated packages, sudo version, apache config file, etc)
All installed languages and tools (gcc, perl, python, nmap, netcat, wget, ftp, etc)
All relevant privilege escalation exploits (using a comprehensive dictionary of exploits with applicable kernel versions, software packages/processes, etc)

Unix Priv Esc

./unix-priv-esc detailed > unix_priv_esc

Linux Local Exploit – UDEV

http://www.madirish.net/370
https://www.exploit-db.com/exploits/8572/