🧗 Privilege escalation

📚 Resources

• HackTricks
• GTFOBins
• Bypass restricted shell

Scripts Enumeration

• linpeas.sh
• lse.sh (Linux Smart Enumeration)
• les.sh (Linux Exploit Suggester)
• Search for Kernel exploits
• pspy
• sudo-killer

⭐ Basic

Stable shell

• pwncat
• penelope

python3 -c 'import pty;pty.spawn("/bin/bash")'

(ctrl + z)
stty raw -echo; fg

🔍 Recon

Basics

# OS
uname -a
cat /etc/os-release

# Network
ss -tulnp
netstat -tulnp

# Process
ps fauxwww

# capabilities
getcap -r / 2>/dev/null
capsh --print

# SUID
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

# user & group
find / -type f -user "user" -exec ls -l {} + 2>/dev/null
find / -group <group> 2>/dev/null

# Search for specific symbol link
find / -type l -exec readlink -f {} \; 2>/dev/null  | grep "/path/to/folder"

sudo

sudo -l

# sudo -u to exec command with specific user
sudo -u <user> <command> [option]

# use many command with sudo -u
echo '<COMMAND>' | sudo -u <user> tee -a file

📌 Tips

last # display last auth
lastb # display bad attempts auth with <user>:<password>

ln -s / link
cd link/etc # its like /etc, can be used for privesc (like bypass "../")

Unshare

To use chroot or mount with unprivileged user, used unshare.

unshare -r
unshare -r -n -m /bin/sh

Searching Pass / Creds

# To Check
- logfile
- command history : # .mysql_history, .bash_history ....
- db file
- crontab file # /proc/contrab
- /backup /var/backup /var/log /var/mail

grep -R /path -iE 'api|key|pass|user|DB_USER|DB_PASS|DB_NAME'

Restriction

# TOCTOU check
find / -type d -perm -0002 -perm -1000 2>/dev/null

Vulnerability research

Vulnerable Binary

Search vulnerable version of binary in python repository.

pip freeze