During an assessment, you may gain a low-privileged shell on a Linux host and need to escalate privileges to the root account.
Fully compromising the host allows us to capture traffic and access sensitive files, which may be used to gain further access within the environment.
Additionally, if the Linux machine is domain-joined, we can recover the machine account's credentials (e.g. the NTLM hash from its Kerberos keytab) and begin enumerating and attacking Active Directory.
Enum
LinEnum - https://github.com/rebootuser/LinEnum
OS Version
know the distro (Ubuntu, Debian, FreeBSD, Fedora) and its version (see /etc/os-release) so you can search for public exploits that apply to it
Kernel Version
search for public exploits for the running kernel version (uname -r). kernel exploits can crash the host, so run them carefully in production environments and only with the client's agreement
Running Services
know what services are running and which user they run as
keep an eye out for services running as root - a flaw in one of them gives root directly, an EASY target
Flaws have been discovered in many common services such as Nagios, Exim, Samba, ProFTPd, etc., and public exploit PoCs exist for many of them. For example, CVE-2016-9566 is a local privilege escalation flaw in Nagios Core < 4.2.4.
List current processes
ps aux | grep root
Installed Packages and Versions
check for out-of-date or vulnerable packages (dpkg -l / rpm -qa) that can be used for privesc
eg: GNU Screen 4.5.0 (shown as 4.05.00 by screen -v; a terminal multiplexer like tmux) shipped with a setuid logfile flaw (CVE-2017-5618) that gives a local root shell
Logged in users
knowing which users are logged in (w, who, last) and what they are doing can help
ps au
shows processes attached to a terminal, i.e. what the interactive users are currently running
User Home Directories
are other users' home directories readable?
user home folders can contain SSH keys (~/.ssh/id_rsa) that might be reused and can help us access other systems.
if a user's SSH private key is readable, it can be used to open a stable, interactive SSH shell, provided SSH is exposed to us.
they can also contain scripts or config files with credentials
look at .bash_history for interesting commands:
passwords passed as arguments on the command line, work with git repositories (tokens in clone URLs), cron jobs being set up, and more.
check the ARP cache (ip neigh / arp -a) to see what other hosts are being accessed and cross-reference these against any usable SSH private keys
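The home-directory checks above, as an added shell example (not part of the original notes): it builds a constructed home tree under a temp dir with a fake private key and a fabricated .bash_history, then lists readable homes, finds private keys by their PEM header rather than by file name (keys get copied to names like backup.key), and greps shell histories for secrets passed on the command line. The user names, key material, hosts and history lines are all made up; the secret-pattern list is a starting point, not exhaustive. Point the functions at /home on a real host instead.

```shell
#!/usr/bin/env bash
# Added example: constructed sample tree, fake key and fabricated history lines.
make_sample_homes() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/.ssh" "$root/bob" "$root/carol/.ssh"
    # Placeholder key: only the PEM markers matter for the check below.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'FAKEKEYMATERIALFORDEMO' \
        '-----END OPENSSH PRIVATE KEY-----' > "$root/alice/.ssh/id_rsa"
    printf '%s\n' 'ssh-ed25519 AAAAFAKEPUBLICKEY alice@target' > "$root/alice/.ssh/id_rsa.pub"
    # Fabricated history: two of these five lines carry a password, one a token in a URL.
    printf '%s\n' 'ls -la' 'mysql -u dbadmin -pS3cretDbPass prod' \
        'git clone https://deploy:T0ken@git.internal/app.git' 'crontab -e' \
        'sshpass -p Backup123 ssh backup@10.10.10.5' > "$root/bob/.bash_history"
    printf '%s\n' 'notes for carol' > "$root/carol/notes.txt"
    printf '%s\n' "$root"
}

# Which home directories can we list at all? ($1 = parent dir, e.g. /home)
readable_homes() {
    for d in "$1"/*/; do
        [ -r "$d" ] && [ -x "$d" ] && printf '%s\n' "${d%/}"
    done
    return 0
}

# Readable private keys anywhere under $1, matched on content, not name.
# Small-file limit keeps grep away from large binaries; errors (unreadable dirs) are dropped.
find_private_keys() {
    find "$1" -type f -size -64k -exec grep -l \
        -e '-----BEGIN .*PRIVATE KEY-----' -e 'PuTTY-User-Key-File' {} + 2>/dev/null
    return 0
}

# Shell history lines that leak credentials on the command line.
# Assumption: this pattern set is ours and deliberately short; extend it per engagement.
history_secrets() {
    find "$1" -maxdepth 2 -type f \
        \( -name '.bash_history' -o -name '.zsh_history' -o -name '.mysql_history' \) 2>/dev/null |
    while read -r hist; do
        grep -n -E -i -- '(-p[[:alnum:]]|--password|passwd|sshpass|token|://[^/]*:[^@]*@)' "$hist" |
            sed "s|^|$hist:|"
    done
    return 0
}

# Stand-alone run against the constructed tree.
HOMES=$(make_sample_homes)
echo "[*] readable home dirs:";  readable_homes "$HOMES"
echo "[*] private keys:";        find_private_keys "$HOMES"
echo "[*] secrets in history:";  history_secrets "$HOMES"
rm -rf "$HOMES"
```

On a real host the history files are often only readable for your own user, so the interesting finds come from other users' homes that are world-readable by misconfiguration; the `2>/dev/null` on find is there so permission-denied noise does not hide the hits.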
Sudo Privileges
can our user run any commands as another user or as root?
without the user's password, sudo normally cannot be used, even if a rule exists.
but sometimes sudoers entries carry the NOPASSWD tag, meaning the user can run that command without entering a password
sudo -l
lists the commands you can run as another user (and whether they are NOPASSWD)
sudo su
gives a root shell if the rule allows it
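Triage of sudo -l output, as an added shell example (not part of the original notes). It parses a constructed sudo -l listing for a made-up user "alice", extracts only the NOPASSWD rules (rules that still prompt for a password are useless without it), and flags the commands known to give a shell or arbitrary file write as the run-as user. The listing, host name and rules are fabricated; the shell-escape list is a short hand-picked set, not an authoritative GTFOBins table.

```shell
#!/usr/bin/env bash
# Added example: constructed `sudo -l` output, not captured from a real host.
SUDO_L_SAMPLE='Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on target:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (bob) NOPASSWD: /home/bob/backup.sh
    (root) /usr/bin/systemctl restart nginx'

# One "runas<TAB>command" line per NOPASSWD command; a rule may list several, comma separated.
nopasswd_rules() {
    printf '%s\n' "$1" | awk '
        /NOPASSWD:/ {
            runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
            cmds  = $0; sub(/.*NOPASSWD:[ \t]*/, "", cmds)
            n = split(cmds, part, /,[ \t]*/)
            for (i = 1; i <= n; i++) printf "%s\t%s\n", runas, part[i]
        }'
    return 0
}

# Can this binary hand us a shell or file write as the run-as user?
# Assumption: hand-picked list; check GTFOBins for the full set and the exact escape.
shell_capable() {
    bin=$(basename "${1%% *}")   # first word only: "/usr/bin/find -name x" -> find
    case "$bin" in
        vim|vi|nano|less|more|find|awk|env|bash|sh|python*|perl|tar|cp|tee) return 0 ;;
        *) return 1 ;;
    esac
}

# SHELL = known shell escape; check = custom script or restricted args, review by hand
# (a writable script run as root, like backup.sh here, is still a win if we can edit it).
audit_sudo() {
    tab=$(printf '\t')
    nopasswd_rules "$1" | while IFS="$tab" read -r runas cmd; do
        if shell_capable "$cmd"; then flag=SHELL; else flag=check; fi
        printf '%s\t(%s)\t%s\n' "$flag" "$runas" "$cmd"
    done
    return 0
}

audit_sudo "$SUDO_L_SAMPLE"
```

On a live host replace the sample with `audit_sudo "$(sudo -l 2>/dev/null)"`; note that sudo -l itself may prompt for a password on some configurations, and that a NOPASSWD rule for a user other than root (bob above) is a lateral step, not root, until bob's own privileges are checked.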
Configuration Files
search for files ending in .conf, .config (and similar, e.g. .ini, .env, .xml) for usernames, passwords, and other secrets
Readable Shadow File
if /etc/shadow is readable, we can gather the password hashes of every user that has a password set
crack these hashes offline (hashcat or john) rather than brute-forcing logins against the host
Password Hashes in /etc/passwd
sometimes password hashes are present directly in the second field of /etc/passwd instead of the usual x placeholder
usually on embedded devices or routers. since /etc/passwd is world-readable, anyone with a shell can crack them; an empty second field means the account has no password at all
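Hash triage for the two cases above (readable shadow, hashes embedded in passwd), as an added shell example not taken from the original notes. It works on constructed passwd/shadow contents with placeholder hashes (nothing here is a real hash), separates usable hashes from locked (!) and disabled (*) entries, maps the crypt(3) prefix to the algorithm and the hashcat mode, and rebuilds a john-style unshadow file when both files are readable.

```shell
#!/usr/bin/env bash
# Added example: constructed /etc/passwd and /etc/shadow, placeholder hashes only.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:$1$saltsalt$FAKEMD5CRYPTHASHFORDEMO:0:0:admin:/root:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
guest::1002:1002:guest:/home/guest:/bin/sh'

SHADOW_SAMPLE='root:$6$saltsalt$FAKESHA512CRYPTHASHFORDEMO:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$saltsalt$FAKEYESCRYPTHASHFORDEMO:19700:0:99999:7:::
bob:!$6$saltsalt$LOCKEDACCOUNTHASH:19700:0:99999:7:::
carol:!!:19700:0:99999:7:::'

# Map the crypt(3) prefix to the algorithm and the cracking mode to use.
hash_type() {
    case "$1" in
        '$1$'*)        echo 'md5crypt (hashcat -m 500)' ;;
        '$5$'*)        echo 'sha256crypt (hashcat -m 7400)' ;;
        '$6$'*)        echo 'sha512crypt (hashcat -m 1800)' ;;
        '$2'[aby]'$'*) echo 'bcrypt (hashcat -m 3200)' ;;
        '$y$'*)        echo 'yescrypt (john --format=crypt; no hashcat mode)' ;;
        *)             echo 'unknown' ;;
    esac
}

# /etc/passwd entries whose password field is not the x placeholder:
# a hash there is crackable by everyone, an empty field means login without a password.
passwd_password_fields() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 != "*" {
        if ($2 == "") print $1 ":EMPTY-PASSWORD"; else print $1 ":" $2 }'
}

# Shadow entries with a usable hash: skips locked (!..., !!), disabled (*) and empty fields.
crackable_shadow() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }'
}

# Combine passwd and shadow the way john's unshadow does: x in passwd -> hash from shadow.
unshadow_text() {
    p=$(mktemp); s=$(mktemp)
    printf '%s\n' "$1" > "$p"; printf '%s\n' "$2" > "$s"
    awk -F: -v OFS=: 'NR == FNR { h[$1] = $2; next }
                      $2 == "x" && ($1 in h) { $2 = h[$1] } { print }' "$s" "$p"
    rm -f "$p" "$s"
}

# Per-user algorithm so the right mode is chosen before uploading anything to a cracker.
triage_shadow() {
    crackable_shadow "$1" | while IFS=: read -r user hash; do
        printf '%s\t%s\n' "$user" "$(hash_type "$hash")"
    done
    return 0
}

echo "[*] non-x password fields in passwd:"; passwd_password_fields "$PASSWD_SAMPLE"
echo "[*] crackable shadow hashes:";          triage_shadow "$SHADOW_SAMPLE"
echo "[*] unshadowed:";                       unshadow_text "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

On a real host feed it `"$(cat /etc/passwd)"` and `"$(cat /etc/shadow)"`; the admin entry above also shows the other thing to look for in a passwd file with embedded hashes, a non-root name with UID 0.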
Cron Jobs:
similar to Windows scheduled tasks; typically maintenance and backup tasks
look in /etc/crontab, /etc/cron.d and the /etc/cron.* directories (system crontabs carry a user field, so you can see which jobs run as root)
ls -la /etc/cron.daily/
Unmounted File Systems and Additional Drives:
lsblk
if we find a device we can mount, it may contain sensitive data (backups, other OS installs, config from decommissioned systems)
SETUID and SETGID Permissions:
binaries with the SUID/SGID bit run with the file owner's (or group's) privileges instead of the caller's; a root-owned one that spawns a shell, reads or writes arbitrary files, or has a known flaw can be exploited to get root
Writeable Directories
to download tools onto the target, we must know which directories we can write to (/tmp, /dev/shm and our own home directory are the usual candidates)
eg: You may discover a writeable directory where a cron job places files, which tells you how often the cron job runs; if the script that the cron job runs is also writeable, you can add commands to it and they run with the cron job's privileges, often root.
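The three file-system checks above (SUID/SGID binaries, writeable directories, cron jobs whose script we can edit), as one added shell example that is not part of the original notes. It builds a constructed mini filesystem under a temp dir (a fake SUID binary, a world-writeable cron-run script, a sticky /tmp and a fabricated /etc/crontab), then runs the checks against that prefix; on a real host pass / or "" as the prefix. Paths, job names and schedules are made up. Run it as an unprivileged user: root passes every writability test, so the cron check only means something from the low-privileged shell you are trying to escalate from.

```shell
#!/usr/bin/env bash
# Added example: constructed filesystem tree mirroring a few real paths under a temp dir.
make_sample_fs() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc/cron.daily" "$root/opt/backup" "$root/tmp" "$root/var/backups"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"   # SUID
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/ping";   chmod 555  "$root/usr/bin/ping"     # not writeable
    printf '#!/bin/sh\nexit 0\n' > "$root/etc/cron.daily/apt"; chmod 555 "$root/etc/cron.daily/apt"
    # The mistake we are hunting: a script run by root from cron that anyone can edit.
    printf '#!/bin/sh\ntar czf /var/backups/site.tgz /opt/backup\n' > "$root/opt/backup/run.sh"
    chmod 777 "$root/opt/backup/run.sh"
    chmod 1777 "$root/tmp"
    # Constructed system crontab: m h dom mon dow USER command (plus an @daily shorthand line).
    printf '%s\n' 'SHELL=/bin/sh' 'PATH=/usr/bin:/bin' '# m h dom mon dow user command' \
        '*/5 * * * * root /opt/backup/run.sh' \
        '0 3 * * * root /usr/bin/ping -c1 10.0.0.1 >/dev/null' \
        '@daily root /etc/cron.daily/apt' > "$root/etc/crontab"
    printf '%s\n' "$root"
}

# SUID/SGID files under $1: run as owner/group instead of the caller.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    return 0
}

# World-writeable directories under $1: tool staging spots, and where other users' jobs drop files.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
    return 0
}

# Parse a system crontab ($1) and flag jobs whose script is writeable by us.
# $2 is a fake-root prefix for the demo tree; pass "" on a real host.
crontab_writable_targets() {
    crontab_file=$1; prefix=${2:-}
    grep -v -E '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab_file" | while read -r line; do
        set -f                      # crontab fields are full of *, never let the shell glob them
        set -- $line
        case "$1" in
            @*) user=$2; cmd=$3 ;;  # @daily/@reboot user command
            *)  user=$6; cmd=$7 ;;  # m h dom mon dow user command
        esac
        set +f
        if [ -w "$prefix$cmd" ]; then flag=WRITABLE; else flag=ok; fi
        printf '%s\t%s\t%s\n' "$flag" "$user" "$cmd"
    done
    return 0
}

FS=$(make_sample_fs)
echo "[*] SUID/SGID files:";           find_setuid "$FS"
echo "[*] world-writeable dirs:";      find_world_writable_dirs "$FS"
echo "[*] cron jobs (writeable?):";    crontab_writable_targets "$FS/etc/crontab" "$FS"
rm -rf "$FS"
```

The live equivalents are `find / -type f -perm -4000 2>/dev/null`, `find / -type d -writable 2>/dev/null` and `crontab_writable_targets /etc/crontab ""` (repeat for each file in /etc/cron.d); compare the SUID list against the distribution's stock set so the unusual ones stand out, and check not only the script but every directory on its path, since a writeable parent directory lets you replace the script even when the file itself is root-owned.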