TCM linux Privilege Escalation

My summary for TCM Linux Privilege Escalation course

Important Sources

• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

• Privilege Escalation - Linux · Total OSCP Guide

• GitHub - TCM-Course-Resources/Linux-Privilege-Escalation-Resources: Compilation of Resources for TCM's Linux Privilege Escalation course

• Checklist - Linux Privilege Escalation - HackTricks

• PayloadsAllTheThings/Methodology and Resources/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub

System Enum

• `lscpu

• `ps aux

• `ps aux | grep root

• `uname -a OR cat /proc/version OR cat /etc/issue

System Enum

• `sudo -l

• `cat /etc/passwd

• `cat /etc/passed | cut -d : -f 1 (for only users)

• `cat /etc/shadow

• `cat /etc/group

• `history

• `sudo su -

• id

Network Enum

• `ip route

• `ip neigh

• `netstat -ano

• ip a

Password Hunting

• ` locate password | more

• `locate passwd | more

• ` find / - name id_rsa 2>/dev/null

• `grep --color=auto -rnw '' -ie "PASSWORD" (or "PASSWORD=" "PASSWD=") --color=always 2> /dev/null

Automated Tools

• GitHub - The-Z-Labs/linux-exploit-suggester: Linux privilege escalation auditing tool

• GitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks

• GitHub - sleventyeleven/linuxprivchecker: linuxprivchecker.py -- a Linux Privilege Escalation Check Script

• PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub

Kernal exploit

• GitHub - lucyoa/kernel-exploits

Password And File Permission

• `ls -la /etc/shadow

• `cat /etc/passwd

• `Detect the hash

• `unshadow tool (passwd file ) (shadow file)

• `detremine the hash code from https://hashcat.net/wiki/doku.php?

• `id=example_hashes

SSH Keys

• ```find / -name authorized_keys 2> /dev/null

• `find / -name id_rsa 2> /dev/null

• `id_rsa in authorized_keys folder is private key after gain it firsly change permissions chmod 600

• `ssh -i (the private key gained ) root@ip

SUDO

Shell escaping

• https://gtfobins.github.io/

• https://tryhackme.com/room/privescplayground

• `sudo -l

• `after shown what the root can use directly open gtfobin by the name of service the root uses to abuse to access to root and this is the shell escaping

Intended Functionality***

• https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/

• `using wget

LD_PRELOAD

• `Using milcious shell

• `writing shell in C compile with gcc -fPIC -shared -o shell.co shell.c -nostartfiles

• `sudo LD_PRELOAD=(full path of the shell) (a service by the sudo )

SUID

• `chmod 777 alow the user to read and write and exute btw

• `find / -perm -u=s -type f 2>/devnull

Shared Object Injection

`Strace tool

Binary Symlinks

• Nginx exploit Binary Symlinks

• `If there S(uid ) in sudo so it is vurneable

• `Create a log file with nginx scrip

Environmental Variables

• `env

• `find / -type f -perm -04000 -ls 2>/dev/null

• `Make a melicous script for a service and chang its path by export PATH =the root path to escilate

• 

  

  

  

  

  

  

  

Capabilities

• Linux Privilege Escalation using Capabilities Capabilities

• SUID vs Capabilities Capabilities

• Linux Capabilities Privilege Escalation Capabilities

• `getcap -r / 2>/dev/null

Cron jops

• `cat /etc/crontab

• `check the jobs runs every day and month

• `******* astrick all the cross meaning running in every time

• `cat the all astrick and analyze it

• `Check always the permissions

• `check the PATH

NFS Root Squashing

• `cat /etc/exports

• `no_root_squash means this folder is sherable and can be mounted so we can mount

• `showmount -e (ip)