Linux
Last updated
./LinEnum.sh -e <OUTPUT_FILE>
Security auditing tool for Linux, macOS and UNIX-based systems. Test security defenses.
./lynis audit system
GTFOBins shows how to exploit SUID, Capabilities, and SUDO vulnerabilities on known programs.
The sudo utility (Superuser-Do) runs a command with elevated privileges. The user must be a member of the sudo group (or otherwise be granted rights in sudoers).
See NOPASSWD entries.
Also remember abuse of relative paths and wildcards.
Programs with the SUID flag will run with owner privileges. Analyze these programs.
Programs with the SGID flag run with the privileges of the group that owns them. Analyze these programs.
Capabilities are additional attributes that can be applied to processes, binaries, and services to assign specific privileges (ex., administrative). Analyze the presence of misconfigurations.
If the user is a member of certain privileged groups, they can perform privileged and particularly harmful actions.
Check the versions of various executable programs for known privilege escalation exploits.
screen 4.5.0
sudo 1.8.21 | 1.8.31 | 1.8.27 | 1.9.2 | other
sudo < 1.8.28
polkit < 0.105-26 (pkexec --version)
logrotate 3.8.6 | 3.11.0 | 3.15.0 | 3.18.0
Look through the cron jobs for scripts or files they call that are editable and can be exploited.
Also remember wildcard abuse.
Command-line tool designed to snoop around Linux processes without needing root permissions. It lets you see commands executed by other users, cron jobs, etc. while they are running.
Search for sensitive information in different files, such as system password files, files in the home profile, text files saved on Desktop/Documents, temporary files, etc.
Note: In /etc/passwd and /etc/shadow you can remove the x from the password field, or replace it with the output of: openssl passwd <PASS>
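A defender-side check for the tampering just described, added here as an example (not from the original page): it parses passwd/shadow-style text (sample contents are constructed) and flags entries whose x placeholder was removed, whose hash was stored inline, or that carry an extra UID 0.

```python
# Added audit check (not from the original page): flag /etc/passwd and
# /etc/shadow entries showing the tampering described above, i.e. the "x"
# placeholder removed (empty password) or replaced by an inline hash, plus
# any extra UID 0 account. The file contents below are constructed samples.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
backup2::1001:1001::/home/backup2:/bin/bash
svc:$1$EXAMPLE$CONSTRUCTEDHASH123:0:0::/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$EXAMPLESALT$CONSTRUCTEDHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$EXAMPLESALT$CONSTRUCTEDHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""

def audit_passwd(text):
    """Return (user, reason) pairs for suspicious /etc/passwd lines."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field: login without password"))
        elif pw not in ("x", "*"):
            findings.append((user, "hash stored inline instead of in /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "non-root account with UID 0"))
    return findings

def audit_shadow(text):
    """Return (user, reason) pairs for /etc/shadow lines with an empty hash."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append((fields[0], "empty hash: login without password"))
    return findings

if __name__ == "__main__":
    # On a live host read the real files instead (root is needed for /etc/shadow).
    for user, reason in audit_passwd(PASSWD_SAMPLE) + audit_shadow(SHADOW_SAMPLE):
        print(f"{user}: {reason}")
```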
Look for ssh keys which may also be located elsewhere in the file system.
Search for sensitive information in configuration files.
Check if there are any backup files that may contain sensitive information.
Also check the bash scripts.
Check if there are any interesting writable files and folders.
Check if there are any interesting hidden files and folders with sensitive information.
It searches for passwords.
laZagne.py all
A tool to dump the current Linux user's login password.
Extract sensitive data, including passwords, from browsers.
./hack-browser-data[.exe] (check the results directory)
Search the command history.
Check environment variables for sensitive information such as passwords or misconfiguration.
For ELF binaries, see if you can manipulate the LD_PRELOAD variable or the RUNPATH setting of the binaries. In Python, see if you can manipulate the PYTHONPATH variable or whether any directory on the module import path is writable.
Capture sensitive information from live network traffic with tcpdump.
Certain users may be assigned shells with limited functionality, such as rbash, rksh or rzsh.
Check the executable commands and look for them in GTFOBins.
Also try:
Command injection with `
Command chaining with ; & |
Variable changes (export -p)
Shell functions
Kernel-level exploits depend on the kernel version and operating system. It is better to compile the exploit on the target if it has gcc. May cause crashes!
It allows you to detect kernel-level security weaknesses.
Kernel from 5.8 to 5.17.
(Baron Samedit)
You have to find log files that logrotate processes and on which you have write permission.