First of all, I want to state that there is no single universal command that achieves privilege escalation. Privilege escalation happens because of a bug, leaked sensitive data, a misconfiguration, or something similar. So, to gain elevated access to a system, you need to enumerate and analyse everything, and that enumeration requires gathering a lot of information about the system.
This guide covers the techniques I have used in my penetration tests, with some basic Linux commands and an explanation of each.
Let's begin.
Who are you logged in as? What other users exist? What permissions have been granted to those users?
id
whoami
cat /etc/passwd
Check whether a particular application or service can be run as a higher-privileged user without that user's password.
sudo -l
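As an added example (not part of the original post), here is a small POSIX shell helper that reads sudo -l output and prints the commands a rule allows without a password, which is exactly what a reviewer of sudoers wants reported. The sample text is constructed to look like sudo -l output and was not captured from a real host; the user name alice, the host name demo-host and the function names are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the original post: report sudo rules that need no password.
# Reads `sudo -l` style text on stdin and prints one allowed command per line.

nopasswd_commands() {
    # keep rule lines containing NOPASSWD:, drop the "(user) NOPASSWD:" prefix,
    # split comma-separated command lists and trim surrounding whitespace
    grep 'NOPASSWD:' \
      | sed 's/.*NOPASSWD:[[:space:]]*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$'
}

# Count such commands in the text passed as $1; prints 0 when there are none.
count_nopasswd() {
    printf '%s\n' "$1" | nopasswd_commands | grep -c . || true
}

# Constructed sample modelled on `sudo -l` output (alice and demo-host are placeholders).
SAMPLE_SUDO_L='Matching Defaults entries for alice on demo-host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on demo-host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/bin/less'

printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_commands
# On a live system run:  sudo -l | nopasswd_commands
```

On the sample, the rule (ALL : ALL) ALL still requires the user's password, so only /usr/bin/vim and /usr/bin/find are printed; a rule that names the same binaries in /etc/sudoers with a NOPASSWD tag is what an administrator should remove or tighten.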
What has the user been doing? Check the shell history files for sensitive information.
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.nano_history
cat ~/*sh_history
List all files using ls -al and look at the other files for useful information.
Whenever a user starts a new shell, the .bashrc script is executed.
cat ~/.bashrc
Other per-user settings, loaded at login:
cat ~/.profile
Check the system distribution, its version and the kernel version.
uname
uname -a
uname -mrs
cat /etc/issue
cat /etc/*-release
cat /proc/version
Check the environment variables.
env
Check for running applications and services.
ps aux
ps -edf
top
cat /etc/services
Check networking and communications. What connections have been established? Is the current system connected to other networks?
/sbin/ifconfig -a
cat /etc/network/interfaces
Check cron entries (including cron.daily) for important scheduled tasks.
cat /etc/crontab
crontab -l
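As an added example (not part of the original post), the following POSIX shell script reviews a crontab in the system format shown by cat /etc/crontab and flags jobs whose command file is writable by its group or by everyone. A job that cron runs as root from a file other users can edit is a classic misconfiguration, so this is the entry a defender reading the crontab wants to see. The crontab and scripts are constructed in a temporary directory; the paths, job names and function names are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the original post: list cron jobs whose script or
# binary is writable by its group or by everyone.

# Print the first word of each job's command from a system-crontab-format file ($1).
# Handles both the 5-field time spec ("17 * * * * root cmd") and "@daily root cmd".
cron_commands() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }  # skip SHELL=, PATH=, MAILTO= ...
        { cmd = ($1 ~ /^@/) ? $3 : $7; print cmd }
    ' "$1"
}

# Print every command file named in crontab $1 that exists and is group- or world-writable.
writable_cron_targets() {
    cron_commands "$1" | while IFS= read -r cmd; do
        [ -f "$cmd" ] || continue
        # -perm -020: group write bit set; -perm -002: others write bit set
        find "$cmd" \( -perm -020 -o -perm -002 \) -print
    done
}

# Build a constructed demo tree (temporary placeholder paths) and print its crontab path.
make_demo_crontab() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    printf '#!/bin/sh\necho cleanup\n' > "$dir/cleanup.sh"
    chmod 777 "$dir/backup.sh"    # deliberately world-writable: should be flagged
    chmod 755 "$dir/cleanup.sh"   # owner-only write: fine
    printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n17 * * * * root %s/backup.sh\n@daily root %s/cleanup.sh --all\n' \
        "$dir" "$dir" > "$dir/crontab"
    printf '%s\n' "$dir/crontab"
}

demo_crontab=$(make_demo_crontab)
writable_cron_targets "$demo_crontab"        # prints .../backup.sh only
rm -rf "$(dirname "$demo_crontab")"
# On a live system run:  writable_cron_targets /etc/crontab
```

The check looks only at the file itself; a complete review would also look at whether the directory holding the script is writable by non-root users, and at the per-user crontabs that crontab -l shows.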
Some other methods to speed up your privilege escalation process:
- locate - find files by name.
- find - search for files in a directory hierarchy.
There is a lot you can do with the find command.
find /home -name <filename>   # searches for a file under /home
find . -name <filename>   # here the dot denotes the current directory
find /home -name <filename> -exec grep <keyword> {} \;   # runs grep on each file found
The -exec option of find runs a command (here grep, to check for certain keywords) on each file that was found; {} stands for the file name and \; terminates the command.
- Check for private keys. Look at the contents of the ~/.ssh and /etc/ssh directories.
- Check for any information in the /tmp directory.
- Look for directories with the sticky bit set. In such a directory, only the user who created a file can modify or remove it.
- Check for tools through which data or files can be transferred. Usually some tool such as wget exists on the system. If you need an alternative, you can start a simple web server with Python on your local machine and use wget on the target system to fetch files from it.
- python2 -m SimpleHTTPServer   # for Python 2
  python3 -m http.server   # for Python 3
- Upgrade your current shell to a fully interactive shell. Sometimes the shell you gain has limited functionality; for example, the output is sometimes printed without any formatting.
- python -c 'import pty; pty.spawn("/bin/bash")'   then press Ctrl+Z to send it to the background.
- Enter the command stty raw -echo and press Enter.
- Type fg to bring the listener shell back to the foreground and press Enter twice.
- You now have an upgraded shell.
- Check the services running in the process list. Look for processes that run at a particular time, and find out what each service does and why it runs. Check what happens when these processes execute. Is there something you can leverage? If you don't understand a process, search for its name and look up its functionality.
- cat prints binary files as unreadable output, so use strings instead.
- Use the LinEnum.sh script to enumerate the complete target system.
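As an added example (not part of the original post), this POSIX shell script turns the find / -exec grep combination described above into a sweep for configuration files that appear to contain a plaintext credential, which is a check an administrator should run over their own servers before anyone else does. The directory tree and its contents are constructed placeholders; the file names, the extension list, the keyword list and the function names are my choices and not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sweep a directory tree for
# configuration files that look like they carry a plaintext credential.

# Print each regular file under $1 (matching the name globs below) that contains
# a password- or secret-like assignment. `-exec ... {} +` batches files into a
# few grep calls; `-l` prints only file names; `-I` skips binary files.
plaintext_secret_candidates() {
    find "$1" -type f \( -name '*.conf' -o -name '*.ini' -o -name '*.env' -o -name '*.yml' \) \
        -exec grep -lIiE '^[[:space:]]*(password|passwd|secret|api_key)[[:space:]]*[=:][[:space:]]*[^[:space:]]' {} + \
        | sort
}

# Build a constructed tree (placeholder values only) and print its root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/db"
    printf 'host=db.example.invalid\npassword=PLACEHOLDER-not-a-real-secret\n' > "$root/app/app.conf"
    printf '[client]\nuser=app\n# password is read from the vault\n' > "$root/db/client.ini"
    printf 'debug: true\napi_key: PLACEHOLDER-not-a-real-key\n' > "$root/app/settings.yml"
    printf 'password=irrelevant\n' > "$root/notes.txt"   # not a matched extension
    printf '%s\n' "$root"
}

demo_root=$(make_demo_tree)
plaintext_secret_candidates "$demo_root"   # lists app.conf and settings.yml only
rm -rf "$demo_root"
```

The commented-out line in client.ini is not reported because the pattern is anchored at the start of the line, and notes.txt is skipped by the name filter; widen either the extension list or the keyword list to suit the software actually deployed on the host.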