Ran into a blog by g0tmi1k with this mind-provoking reminder of what to try when mere user rights won't do. I tip my derby to g0tmi1k and copied his blog only for posterity reasons.
Enumeration is the key.
(Linux) privilege escalation is all about:
Collect - Enumeration, more enumeration and some more enumeration.
Process - Sort through data, analyse and prioritise.
Search - Know what to search for and where to find the exploit code.
Adapt - Customize the exploit so it fits. Not every exploit works for every system "out of the box".
Try - Get ready for (lots of) trial and error.
Operating System
What's the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release   # Debian based
cat /etc/redhat-release   # Redhat based
What's the kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
What can be learnt from the environment variables?
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1   # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l
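Reading those files by hand gets old fast on a box with many accounts. The following is an added example, not part of g0tmi1k's post: a small shell script that parses a constructed /etc/passwd and sudoers (the fixture contents are made up for the example) and pulls out the three things worth noticing: extra UID 0 accounts, who can actually log in, and which sudo rules run without a password.

```shell
#!/bin/sh
# Added example (not from g0tmi1k's post): parse a constructed /etc/passwd and
# sudoers file the way you would read them on a target, instead of eyeballing
# the raw cat output. All file contents below are constructed fixtures.

make_user_fixture() {
    d=$(mktemp -d)
    # Constructed /etc/passwd: a second UID-0 account and a service user
    # that was given a real shell.
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:115:PostgreSQL:/var/lib/postgresql:/bin/bash
dev:x:1000:1000:dev:/home/dev:/bin/bash
EOF
    # Constructed sudoers: one live NOPASSWD rule and a commented-out one.
    cat > "$d/sudoers" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
dev     ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find
# backup ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
EOF
    printf '%s\n' "$d"
}

# Every account with UID 0, not just "root": an extra entry is a classic
# backdoor and an immediate escalation target if its password is known.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that can log in interactively (shell is not nologin/false).
login_capable() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Sudo rules that run without a password; comment lines are skipped so a
# commented-out rule is not mistaken for a live one.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

d=$(make_user_fixture)
echo "UID 0 accounts:";      uid0_accounts "$d/passwd"
echo "Login-capable users:"; login_capable "$d/passwd"
echo "NOPASSWD sudo rules:"; nopasswd_rules "$d/sudoers"
rm -rf "$d"
```

On a real target point the functions at /etc/passwd and /etc/sudoers (plus /etc/sudoers.d/*) instead of the fixture; sudo -l as the current user is still the authoritative answer for what you can run, since sudoers is often unreadable.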
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything "interesting" in the home directory(ies)? (If it's possible to access them.)
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords:
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
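The listings above tell you where to look; the added example below (not from g0tmi1k's post) shows what the sweep looks like once you are there. It builds a constructed web-root fixture (file names and contents are made up for the example), runs a deliberately loose credential grep over it, extracts the database password from a PHP define() line, and lists leftover backup files and VCS directories that tend to hold the same secrets with looser permissions.

```shell
#!/bin/sh
# Added example (not from g0tmi1k's post): a targeted credential sweep over a
# constructed web-root fixture. All paths and contents are constructed; on a
# real target point it at /var/www, /opt, /etc and the home directories.

make_web_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/html/app" "$d/logs" "$d/html/.git"
    # Constructed PHP config with the database credentials in define() calls.
    cat > "$d/html/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'shop');
define('DB_USER', 'shop_rw');
define('DB_PASSWORD', 'Winter2019!');
define('DB_HOST', '127.0.0.1');
EOF
    # Constructed dotenv file; hidden files are easy to miss with plain ls.
    cat > "$d/html/app/.env" <<'EOF'
APP_DEBUG=true
DB_PASSWORD=s3cr3t-env
MAIL_PASSWORD=
EOF
    # Constructed backup of an older config, left next to the live one.
    cat > "$d/html/app/config.yml.bak" <<'EOF'
database:
  user: app
  password: oldpass123
EOF
    # Constructed access log: credentials leaking through a GET parameter.
    cat > "$d/logs/access.log" <<'EOF'
10.0.0.5 - - [12/Mar/2020:10:01:22 +0000] "GET /login?user=admin&password=hunter2 HTTP/1.1" 302 -
10.0.0.9 - - [12/Mar/2020:10:02:07 +0000] "GET /index.php HTTP/1.1" 200 512
EOF
    printf '%s\n' "$d"
}

# Lines that look like a credential assignment in any text file under DIR.
# The pattern is deliberately loose (key, optional quote, then = : or ,);
# read the hits yourself rather than automating on them.
credential_hits() {
    grep -rIniE "(passw(or)?d|secret|api[_-]?key)['\"[:space:]]*[=:,]" "$1" 2>/dev/null || true
}

# Pull the value out of a PHP define('DB_PASSWORD', '...') line.
php_db_password() {
    sed -nE "s/.*define\(['\"]DB_PASSWORD['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1"
}

# Leftover copies (.bak, .old, editor ~ files) and VCS metadata: same
# secrets, usually looser permissions, and not served through the app.
leftover_files() {
    find "$1" \( -name '*.bak' -o -name '*.old' -o -name '*~' -o -name '.git' \) 2>/dev/null
}

d=$(make_web_fixture)
echo "== credential-looking lines ==";        credential_hits "$d"
echo "== DB password from wp-config.php =="; php_db_password "$d/html/wp-config.php"
echo "== leftovers ==";                      leftover_files "$d"
rm -rf "$d"
```

Note that the log hit is the interesting one for the "Local File Includes" question further down: anything you can write into a readable log (a User-Agent, a query string) can later be included if the web app is vulnerable.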
Is there anything in the log file(s) (Could help with "Local File Includes"!)
What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null   # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null   # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID. The parentheses matter: -o binds looser than the implied -a, so without them -type f only applies to the SUID branch.
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
# Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Where can you write to and execute from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null   # folders writable by the current user (not necessarily world-writable)
find / -perm -222 -type d 2>/dev/null   # world-writable folders
find / -perm -o=w -type d 2>/dev/null   # world-writable folders
find / -perm -o=x -type d 2>/dev/null   # world-executable folders
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writable & executable folders
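Added example, not from g0tmi1k's post: the SUID/SGID and world-writable searches from the two sections above, wrapped in functions with find's operator precedence handled correctly and run against a constructed fixture tree (the fixture's file names and modes are made up) so the result is checkable. It also separates world-writable directories with the sticky bit (like a normal /tmp) from those without it, which are the ones where any user can replace another user's files. Replace the fixture root with / on a real target.

```shell
#!/bin/sh
# Added example (not from g0tmi1k's post): permission enumeration against a
# constructed fixture tree. Every path and mode below is made up for the
# example; on a real box run the functions with "/" (expect a lot of
# "Permission denied" noise, hence the 2>/dev/null).

make_perm_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/opt/app" "$d/var/tmp"
    : > "$d/usr/bin/passwd";  chmod 4755 "$d/usr/bin/passwd"   # SUID
    : > "$d/usr/bin/wall";    chmod 2755 "$d/usr/bin/wall"     # SGID
    : > "$d/usr/bin/ls";      chmod 0755 "$d/usr/bin/ls"       # neither
    : > "$d/opt/app/helper";  chmod 6755 "$d/opt/app/helper"   # both
    ln -s "$d/usr/bin/passwd" "$d/opt/app/passwd-link"          # symlink, must not be listed
    chmod 1777 "$d/tmp"                                         # world-writable, sticky
    chmod 0777 "$d/var/tmp"                                     # world-writable, no sticky bit
    chmod 0775 "$d/opt/app"                                     # group-writable only
    printf '%s\n' "$d"
}

# SUID or SGID regular files. The \( ... \) is essential: with a bare
# "-perm -g=s -o -perm -u=s -type f", the -type f binds only to the SUID
# branch, so SGID directories would be listed too. -type f also drops
# symlinks, which carry no permission bits of their own.
suid_sgid_files() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
}

# World-writable directories. "-writable" would only say what *this* user
# can write to, so test the others-write bit explicitly.
world_writable_dirs() {
    find "$1" -type d -perm -o=w 2>/dev/null
}

# The ones that matter most: world-writable and not sticky, so any user can
# rename or delete another user's files there (cron and script drop targets).
world_writable_nosticky_dirs() {
    find "$1" -type d -perm -o=w ! -perm -1000 2>/dev/null
}

root=$(make_perm_fixture)
echo "== SUID/SGID files ==";          suid_sgid_files "$root"
echo "== world-writable dirs ==";      world_writable_dirs "$root"
echo "== ... without sticky bit ==";   world_writable_nosticky_dirs "$root"
rm -rf "$root"
```

The SUID list is only the start: the next step is checking each binary against what it actually does (a setuid copy of an editor or interpreter is an instant shell), and that is the "Search" and "Adapt" part of the process above, not something a script can decide for you.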
Any "problem" files? World-writable files, files owned by "nobody"