Linux Privilege Escalation
Linux privilege escalation Part 0x00: Enumeration
Network and Services Enumeration
Introduction
In hacking, enumeration is the most important part. Before attacking a target system, you need to know its attack surface.
Once you have the attack surface, you can test attack vectors against it.
So without an attack surface, no hacking! But how do you get this attack surface?
Enumeration is your friend. It helps you map the whole attack surface of your target and decide which attack vectors to test.
Linux enumeration is about finding out:
- What operating system the target runs
- Which users exist on the system
- Which network services and processes are running
- Which permissions you have
- Which files you can read / modify
- And so on
System Enumeration
Know the target system so you can search for kernel exploits and other tricks to test.
hostnamectl # very clean output, a lot of info
uname -a # system kernel
cat /etc/os-release # distribution name and version
cat /proc/version # system kernel
inxi -FxZ # devices (GPU, bluetooth, memory...), ... info
lscpu # cpu info
User Enumeration
Enumerate all users on the target machine. Maybe you can move laterally or vertically.
# list all users on the machine
ls /home/
cat /etc/passwd | grep /bin/bash | sed 's/:.*//'
# know who you are
whoami
id
groups
groups username
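The `grep /bin/bash` one-liner above misses accounts that use another shell and also matches any line that merely contains that string (for example in a home directory path). The following is an added example, not part of the original page, that audits a passwd-format file by field instead; the function names and the sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit login-capable accounts in a passwd-format file.
# Function names and sample data are assumptions made for this example.

# Print "user:uid:shell" for every account whose shell allows interactive login.
# Pass a file path, or "-" to read from stdin; defaults to /etc/passwd.
login_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }                              # comments, blank or malformed lines
        $7 ~ /\/(nologin|false|sync|halt|shutdown)$/ { next } # non-interactive shells
        $7 == "" { print $1 ":" $3 ":/bin/sh (default)"; next } # empty shell field means /bin/sh
        { print $1 ":" $3 ":" $7 }
    ' "${1:-/etc/passwd}"
}

# Print every account other than "root" that has UID 0 (root-equivalent).
extra_uid0() {
    awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Constructed sample data (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
backup:x:34:34:backup:/home/bin/bash:/usr/sbin/nologin
svc:x:0:0:service:/srv:/bin/sh
bob:x:1001:1001::/home/bob:
EOF
}

echo "Login-capable accounts:"
sample_passwd | login_accounts -
echo "Accounts with UID 0 besides root:"
sample_passwd | extra_uid0 -
```

On the sample data, `grep /bin/bash` would report `root` and `backup` only, while the field-based check reports `root`, `alice`, `svc` and `bob`, and flags `svc` as a second UID 0 account.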
Network Enumeration
Maybe you will find network services / ports that contain a vulnerability.
ifconfig
ip link show
ss -ltn
netstat -ltn # listening services and ports
arp # arp entry
ip route
Process Enumeration
If you manage to exploit a process that has more privileges than you, you elevate your privileges and can use them to perform actions that you are normally not allowed to do.
ps -aux
ps -u username # list all processes owned by username
ps -aux | grep root
ps -aux | grep other_username
pstree
top
htop
# cron jobs
cat /etc/crontab
crontab -l
crontab -u user -l
pspy # process snooping https://github.com/DominicBreuker/pspy.git
Files Enumeration
# files owned by another user that the owner can write to
find / -user username -perm -u=w -type f 2>/dev/null
# SUID files; more explanation in the next section
find / -user username -perm -u=s -type f 2>/dev/null
# files modified within a date range; errors discarded, results saved to a file
find -L / -type f -newermt 2019-08-24 ! -newermt 2019-08-27 > /tmp/foundfiles.txt 2>/dev/null
Automation
LinPEAS # https://github.com/peass-ng/PEASS-ng.git
LinEnum # https://github.com/rebootuser/LinEnum.git
https://github.com/CiscoCXSecurity/enum4linux.git
https://github.com/InteliSecureLabs/Linux_Exploit_Suggester.git
pspy # https://github.com/DominicBreuker/pspy.git
Other resources: going deeper
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
https://www.hackingarticles.in/category/privilege-escalation/