Commit cf2b203c authored by bobloblaw's avatar bobloblaw

Updates privilege_escalation_-_linux.md

Auto commit by GitBook Editor
parent e406c31e
+33 −69
@@ -19,6 +19,7 @@ These are some Linux privilege escalation techniques are common:
- Weak/reused/plaintext passwords
- Inside service
- Suid misconfiguration
- Abusing sudo-rights
- World writable scripts invoked by root
- Unmounted filesystems
- Private ssh keys
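Review bot: the context line quoted in the hunk header, "These are some Linux privilege escalation techniques are common:", has two verbs; since this hunk already edits the list, change it to "These Linux privilege escalation techniques are common:" or "Some common Linux privilege escalation techniques:". The new item "- Abusing sudo-rights" fits the list, but two neighbours are under-specified: "Suid misconfiguration" should be spelled "SUID misconfiguration", and "Inside service" does not say what is meant (a service running as root that can be influenced by an unprivileged user?); one extra word on each would make the list self-explanatory.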
@@ -227,10 +228,12 @@ find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
```
   
`ht`  

The text/binary-editor HT.

`less`
From less you can go into vi, and then into a shell

From less you can go into vi, and then into a shell.

```
sudo less /etc/shadow
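Review bot: the `less` entry now carries the same sentence twice, "From less you can go into vi, and then into a shell" immediately followed by the same sentence with a full stop; keep only the punctuated second copy. The `ht` entry added just above it has trailing whitespace on the backtick line and nothing beyond "The text/binary-editor HT.", so it reads as a stub beside the fleshed-out `less` entry; either add the one-line explanation (an editor that can be run via sudo can write any root-owned file, which is why such entries belong in the sudoers audit) or leave the heading out until there is text for it. The code fence opened at the end of this hunk has no language tag while the later block in this file uses ```bash; use ```bash here too so the blocks render consistently.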
@@ -248,6 +251,7 @@ sudo more /home/pelle/myfile
```

`mv`

Overwrite `/etc/shadow` or `/etc/sudoers`

`man`
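Review bot: the `mv` entry gains only a blank line and is still a bare fragment, "Overwrite `/etc/shadow` or `/etc/sudoers`" with no full stop and no explanation, whereas the `more` entry just above it has a command block. Suggest one complete sentence, e.g. "If mv can be run via sudo it can replace root-owned files such as /etc/shadow or /etc/sudoers, so it should never be granted to untrusted users in sudoers.", so the entry states both the risk and the reason it belongs in an audit.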
@@ -297,33 +301,29 @@ sudo vi

[How I got root with sudo/](https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/)

### World writable scripts invoked as root

## Communication

### Mail

```
/var/spool/mail
```

## Logs

## References

[http://www.rebootuser.com/?p=1758](http://www.rebootuser.com/?p=1758)
If you find a script that is owned by root but is writable by anyone you can add your own malicious code in that script that will escalate your privileges when the script is run as root. It might be part of a cronjob, or otherwise automatized, or it might be run by hand by a sysadmin. You can also check scripts that are called by these scripts.

[http://netsec.ws/?p=309](http://netsec.ws/?p=309)
```bash
#World writable files directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

# Privilege Escalation - Linux
# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
```

### Configuration mistakes


#### Bad path configuration

Putting . in the path  
If you put a dot in your path you won't have to write `./binary to be able to execute it. You will be able to execute any script or binary that is in the current directory.`
Putting `.` in the path  
If you put a dot in your path you won't have to write `./binary` to be able to execute it. You will be able to execute any script or binary that is in the current directory.

Why do people/sysadmins do this? Because they are lazy and won't want to write `./.`

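Review bot: the line `# Privilege Escalation - Linux` sits inside the ```bash block, between the world-writable and world-executable find commands; it is the document title that has leaked into the code and should be removed, as a reader copying the block would otherwise paste a stray comment. In the same block, `find / -perm -o w -type d` and `find / \( -perm -o w -perm -o x \) -type d` are not valid GNU find syntax: `-perm` takes the next word as its mode, so `-o` is rejected as an invalid mode; the symbolic form needs an operator, i.e. `-perm -o=w`, `-perm -o=x` and `\( -perm -o=w -perm -o=x \)`. The rewritten "Bad path configuration" paragraph correctly moves the closing backtick to `./binary`, good; the following line "won't want to write `./.`" still has a stray dot inside the backticks and should read `./`. Minor: in the paragraph "If you find a script that is owned by root but is writable by anyone ...", "automatized" should be "automated", and the "World writable scripts invoked as root" heading is now a level-3 heading while its siblings under "Configuration mistakes" are level-4; pick one level.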
@@ -332,80 +332,44 @@ This explains it
And here  
[http://www.dankalia.com/tutor/01005/0100501004.htm](http://www.dankalia.com/tutor/01005/0100501004.htm)

#### **Cronjob**

With privileges running script that are editable for other users.

#### World writable scripts invoked as root

World/user writable scripts that are invoked by root can me rewritten to escalate privileges.
## Communication

Also check scripts that are called by these scripts.
### Mail

```
#World writable files directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
/var/spool/mail
```

#### World/user writable binaries

#### Weak permissions on LD\_preload

[https://blog.maleadt.net/2015/02/25/sudo-escalation/](https://blog.maleadt.net/2015/02/25/sudo-escalation/)

## Logs

## References

### Software vulnerabilites
[http://www.rebootuser.com/?p=1758](http://www.rebootuser.com/?p=1758)

Software vulnerabilites can lead to priv-esc, like vulnerabiliteis in:
[http://netsec.ws/?p=309](http://netsec.ws/?p=309)

* Kernel


  `uname -a`
  `uname -r`
  `/etc/issue*`
  `/etc/release`
  `cat /proc/version`
#### **Cronjob**

# RHEL/CentOS/Suse/Fedora
With privileges running script that are editable for other users.

rpm -q kernel

# Debian
#### World/user writable binaries

dpkg --list \| grep linux-image
#### Weak permissions on LD\_preload

```
**Tools**
```
[https://blog.maleadt.net/2015/02/25/sudo-escalation/](https://blog.maleadt.net/2015/02/25/sudo-escalation/)

# Programming tools

find / -name perl_  
find / -name python_  
find / -name gcc\*  
find / -name cc

# Upload tools

```
find / -name wget  
find / -name nc  
find / -name netcat  
find / -name tftp*  
find / -name ftp  
```
### Other useful stuff related to privesc

# Writetable Directories
**World writable directories**

``` 
/tmp
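Review bot: the code fences in this hunk do not pair up, which breaks rendering of everything after "Software vulnerabilites": the ``` before `**Tools**` closes a block that was never opened (the kernel commands above it are inline backticks, not a block), the ``` after `**Tools**` then opens a block that swallows the "Programming tools" lines, and another ``` opens before the "Upload tools" commands; as a result the `# RHEL/CentOS/Suse/Fedora` and `# Debian` comment lines render as level-1 headings. Suggest one ```bash block from `uname -a` through `dpkg --list | grep linux-image`, and one each for the programming-tools and upload-tools finds. Inside those commands, `dpkg --list \| grep linux-image` carries a markdown-escaped pipe that will not run as written (drop the backslash), and `find / -name perl_` / `find / -name python_` look like `perl*` / `python*` mangled by the editor, consistent with the `gcc\*` on the next line; write them as `perl*` and `python*` (quoted, so the shell does not expand them). Typos to fix in the same hunk: "can me rewritten" -> "can be rewritten", "vulnerabilites" / "vulnerabiliteis" -> "vulnerabilities", "Writetable Directories" -> "Writable Directories", and the heading "Weak permissions on LD\_preload" should name the variable as it is spelled, `LD_PRELOAD`. Finally, the "World/user writable binaries" and "Weak permissions on LD_PRELOAD" headings have no body apart from a link; a sentence on what to check (and why it matters when sudo preserves the environment) would make them usable.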