Table Of Contents :
What Is Privilege Escalation?
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications.
Horizontal privilege escalation (or account takeover) :- An attacker gains privileged access to a standard user account with lower-level privileges. The intruder might steal an employee’s username and password, gaining access to email, files and any web applications or subnetworks to which they belong. Having obtained this foothold, the attacker can move horizontally through the network, expanding their sphere of privileged access among similarly privileged accounts.
Vertical privilege escalation (or privilege elevation) :- It begins similarly, with an attacker using a foothold to try to escalate vertically, gaining access to accounts with higher privilege. For example, they might target accounts with administrator privileges or root access permissions, such as an IT helpdesk worker or a system administrator. A privileged account can be used to invade other accounts.
Priviledge escalation commands
Priviledge escalation commands
Operating system
Distro & Version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-releaseKernal Verison
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-Environmental variables
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc cat ~/.bash_logout
env
setInteresting in the home directorie(s)?
ls -ahlR /root/
ls -ahlR /home/What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/rootUser being doing? Is there any password in plain text? What have they been edting?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_historyInstalled Application & Version
Service running by root
ps aux
ps -ef
top
cat/etc/servicesRunning Services with User Stat
ps aux | grep root
ps -ef | grep rootInstalled Application & Version
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yumService(s) settings misconfigured & Check if Vulnerability Occurs
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/Sheduled Jobs
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/rootCommunications & Networking
What NIC(s) System have is it Connected to Another Network
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/networkWhat Network configuration settings ? What about Network ? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainnameOther users & hosts communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
wWhats cached? IP and/or MAC addresses
arp -e
route
/sbin/route -neePacket sniffing possible? What can be seen? Listen to live traffic
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21
Note: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/What sensitive files can be found?
id
who
w
last
cat /etc/passwd | cut -d: -f1
# List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
# List of super users
awk -F: '($3 == "0") {print}' /etc/passwd
# List of super users
cat /etc/sudoers sudo -lAre there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
