KARIM ASHRAF SPACE.

Who Am I ?
WRITEUPS
The Ultimate Active Directory CheatSheet
COURSES SUMMARY
TIPS&TRICKS

Powered by GitBook

On this page

Important Sources
System Enum
System Enum
Network Enum
Password Hunting
Automated Tools
Kernal exploit
Password And File Permission
SSH Keys
SUDO
SUID
Shared Object Injection
Binary Symlinks
Environmental Variables
Capabilities
Cron jops
NFS Root Squashing

Page cover

COURSES SUMMARY

TCM SEC

TCM linux Privilege Escalation

My summary for TCM Linux Privilege Escalation course

Important Sources

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Privilege Escalation - Linux · Total OSCP Guide
GitHub - TCM-Course-Resources/Linux-Privilege-Escalation-Resources: Compilation of Resources for TCM's Linux Privilege Escalation course
Checklist - Linux Privilege Escalation - HackTricks
PayloadsAllTheThings/Methodology and Resources/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub

System Enum

`lscpu
`ps aux
`ps aux | grep root
`uname -a OR cat /proc/version OR cat /etc/issue

System Enum

`sudo -l
`cat /etc/passwd
`cat /etc/passed | cut -d : -f 1 (for only users)
`cat /etc/shadow
`cat /etc/group
`history
`sudo su -
id

Network Enum

`ip route
`ip neigh
`netstat -ano
ip a

Password Hunting

` locate password | more
`locate passwd | more
` find / - name id_rsa 2>/dev/null
`grep --color=auto -rnw '' -ie "PASSWORD" (or "PASSWORD=" "PASSWD=") --color=always 2> /dev/null

Automated Tools

GitHub - The-Z-Labs/linux-exploit-suggester: Linux privilege escalation auditing tool
GitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks
GitHub - sleventyeleven/linuxprivchecker: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub

Kernal exploit

GitHub - lucyoa/kernel-exploits

Password And File Permission

`ls -la /etc/shadow
`cat /etc/passwd
`Detect the hash
`unshadow tool (passwd file ) (shadow file)
`detremine the hash code from https://hashcat.net/wiki/doku.php?
`id=example_hashes

SSH Keys

```find / -name authorized_keys 2> /dev/null
`find / -name id_rsa 2> /dev/null
`id_rsa in authorized_keys folder is private key after gain it firsly change permissions chmod 600
`ssh -i (the private key gained ) root@ip

SUDO

Shell escaping

https://gtfobins.github.io/
https://tryhackme.com/room/privescplayground

`sudo -l
`after shown what the root can use directly open gtfobin by the name of service the root uses to abuse to access to root and this is the shell escaping

Intended Functionality***

https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/
`using wget

LD_PRELOAD

`Using milcious shell
`writing shell in C compile with gcc -fPIC -shared -o shell.co shell.c -nostartfiles
`sudo LD_PRELOAD=(full path of the shell) (a service by the sudo )

SUID

`chmod 777 alow the user to read and write and exute btw
`find / -perm -u=s -type f 2>/devnull

Shared Object Injection

Binary Symlinks

Nginx exploit Binary Symlinks
`If there S(uid ) in sudo so it is vurneable
`Create a log file with nginx scrip

Environmental Variables

`env
`find / -type f -perm -04000 -ls 2>/dev/null
`Make a melicous script for a service and chang its path by export PATH =the root path to escilate

Capabilities

Linux Privilege Escalation using Capabilities Capabilities
SUID vs Capabilities Capabilities
Linux Capabilities Privilege Escalation Capabilities
`getcap -r / 2>/dev/null

Cron jops

`cat /etc/crontab
`check the jobs runs every day and month
`******* astrick all the cross meaning running in every time

`cat the all astrick and analyze it
`Check always the permissions
`check the PATH

NFS Root Squashing

`cat /etc/exports
`no_root_squash means this folder is sherable and can be mounted so we can mount
`showmount -e (ip)

PreviousTCM SEC NextTCM OSINT

Last updated 10 months ago