High Level Linux Priv Esc - CraigDonkin/Infrastructure GitHub Wiki

High Level Linux Priv Esc

  • Kernel Exploit
    • Download, compile, run
  • Missing Patches
    • Download exploit, compile, run
  • Crontab
    • Can you modify a script that is being run?
    • Replace a binary that is being executed?
    • Closely related to file permissions
  • Weak Sudoers Configuration
    • sudo -l
    • NOPASSWD?
    • ALL ALL?
    • Command escaping
      • find -exec
      • vi :!
      • more
      • less
      • awk
  • Weak File Permissions
    • Can you write to the file?
    • Execute a script/file?
    • Trick a user into executing a file?
    • SUID/SGID
  • Configuration Files
    • Passwords
    • Modifications
  • Misconfigured Services
    • Can you modify anything?
    • Execute something you shouldn't be able to?
    • Read something you shouldn't be able to?
  • Running Process
    • Can you modify anything a process is using?
    • Passwords/Information on the process list
  • Path Poisoning
    • What is on the path?
    • Can you modify any of the binaries?
    • Write to a location on the path where a binary doesn't exist?
  • IFS
    • IFS="/ \t\n"; export IFS
    • PATH=".:$PATH"; export PATH
    • /bin/blah/blah2 becomes bin blah blah2
      • bin is then run from the CWD, which could result in escalation
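
An added example, not part of the original wiki: a Python review of `sudo -l` output for the Weak Sudoers Configuration items above, flagging NOPASSWD, ALL, and the binaries the list names for command escaping. The sample output, user and host names are constructed, and the parser assumes sudo's usual list format.

```python
import os
import re

# Binaries the checklist names as allowing command escaping under sudo.
ESCAPE_CAPABLE = {"find", "vi", "more", "less", "awk"}

# Constructed sample of `sudo -l` output (not from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for deploy on web01:
    env_reset, mail_badpass

User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl restart nginx
    (root) /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL
"""

RULE = re.compile(r"^\s+\(([^)]*)\)\s*(.+)$")  # "(runas) commands..."
TAG = re.compile(r"([A-Z_]+):\s*")              # e.g. "NOPASSWD: "


def audit_sudo_l(text):
    """Return sorted (command, issue) pairs for rules worth reviewing."""
    findings = set()
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        rule = RULE.match(line) if in_rules else None
        if not rule:
            continue
        nopasswd = False
        # Commands are comma separated; a comma inside arguments is escaped as "\,".
        for cmd in re.split(r"(?<!\\),\s*", rule.group(2)):
            cmd = cmd.strip()
            # A tag prefixes a command and carries over to the ones after it.
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if nopasswd and cmd:
                findings.add((cmd, "NOPASSWD"))
            if cmd == "ALL":
                findings.add((cmd, "ALL commands"))
            elif cmd and os.path.basename(cmd.split()[0]) in ESCAPE_CAPABLE:
                findings.add((cmd, "command escaping"))
    return sorted(findings)
```

Call `audit_sudo_l(SAMPLE_SUDO_L)` to see the flagged rules; each finding is a prompt to tighten the matching sudoers entry.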