Cheatsheet LPE Linux (to be completed)
Linux LPE to-do list
List Users
cat /etc/passwd
Check Exploits for the Running Linux Kernel Version
uname -a # full kernel info
uname -r # just the version
Check Special Groups That May Allow Privileged Command Execution
groups
For example, if the user is part of the docker group, it may be possible to mount host directories (such as /root) into a Docker container:
https://www.hackingarticles.in/docker-privilege-escalation/
docker run -it -v /root:/mnt alpine # or another image
Check Environment Variables
printenv
Find Executables with sudo Privileges
sudo -l
If you are dealing with a custom script:
- Exploit unquoted pattern matching in password comparisons: https://mywiki.wooledge.org/BashPitfalls#if_.5B.5B_.24foo_.3D_.24bar_.5D.5D_.28depending_on_intent.29
- Monitor executed commands (pspy) and look for plaintext credentials in commands: https://github.com/DominicBreuker/pspy
Check Running Services / Timers
- Check ports exposed only on localhost:
./linpeas
ss -tlnp
ps aux # process listing
- List active services and timers:
systemctl list-units --type=service,timer --state=running
- Print detailed information about a specific service or timer (unit):
systemctl cat custom.service
- Get the status of a service:
systemctl status apache2
- Reach localhost-only ports via local port forwarding with SSH
- Reach localhost-only ports via local port forwarding with Chisel
- Monitor cron jobs / find plaintext credentials in cron commands: https://github.com/DominicBreuker/pspy
Check Suspicious Files
- Find files owned by the current user (excluding /run, /proc, etc.):
find / -user <USER> 2>/dev/null | grep -v '^/run\|^/proc\|^/sys'
- Search in common directories: /opt, /var, /tmp, /mail (others?)
- Search for files by name (quote the glob so the shell does not expand it first):
find / -iname '*<PATTERN>*' 2>/dev/null
Check Files with SUID Bit Set (Owned by Root) (Reported by linpeas)
Pay special attention to binary files on the system. Some may be vulnerable to Local Privilege Escalation (LPE) exploits!
Capabilities (Reported by linpeas)
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities
Non-Exhaustive List of Additional Checks
- Check if dangerous binaries have the SUID/SGID attribute (linpeas)
- List files not owned by me but where I have write permissions
- Check if critical packages (sudo, polkit, etc.) are outdated
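As an added audit example (not part of the cheatsheet), two of the checks above as POSIX shell functions: membership in root-equivalent groups such as docker, and files carrying the SUID/SGID bit. The function names, the list of groups treated as root-equivalent, and the sample /etc/group content are assumptions constructed for an offline run.

```shell
# Added example, not from the cheatsheet. The group list is an assumption.

# privileged_group_members GROUPFILE
# Prints "group:user" for every member of a root-equivalent group. Reads an
# /etc/group-format file so it works on a saved copy as well as the live one.
privileged_group_members() {
    awk -F: '
        $1 ~ /^(docker|sudo|wheel|lxd|disk|adm)$/ && $4 != "" {
            n = split($4, users, ",")
            for (i = 1; i <= n; i++) print $1 ":" users[i]
        }' "$1"
}

# list_setuid_files DIR
# Lists regular files under DIR with the SUID or SGID bit set; -xdev keeps the
# walk on one filesystem so /proc, /sys and /run are not crawled from /.
list_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample /etc/group content (not from a real host).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
users:x:100:
docker:x:999:alice,bob
sudo:x:27:alice
EOF

# Constructed directory with exactly one setuid file, so the check has a known answer.
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/plain"
: > "$SAMPLE_DIR/setuid_bin"
chmod 4755 "$SAMPLE_DIR/setuid_bin"

echo "== root-equivalent group members =="
privileged_group_members "$SAMPLE_GROUP"
echo "== setuid/setgid files under $SAMPLE_DIR =="
list_setuid_files "$SAMPLE_DIR"
```

Point privileged_group_members at /etc/group and list_setuid_files at / to run the same checks on a live host.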