OSCP Notes

Local Privileges Escalation


Last updated 7 months ago

Basic Enumeration

Attack Vectors

Scheduled tasks

Password Authentication

The password field in /etc/passwd can contain a password hash directly instead of an x; the x indicates that the password hash is stored in /etc/shadow. If /etc/passwd is writable, it allows the creation of arbitrary users with root privileges.

Monitor Process

It is possible that an administrative user ran a command with sensitive information exposed on the command line.

In this situation, monitoring processes can reveal this sensitive information.

#processes

SetUID Binaries and Capabilities

Sudoers

It's possible to restrict a user's sudo permissions to specific commands or binaries. This is done by configuring the /etc/sudoers file, where certain users can be allowed to run only a defined set of commands with sudo.

Kernel Exploits
