Privilege escalation commands

Privilege Escalation: What It Is and How to Use Commands for PrivSec


What Is Privilege Escalation?

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access to a system. Attackers exploit human behaviour, design flaws or oversights in operating systems or web applications.

Horizontal privilege escalation (or account takeover): an attacker gains access to a standard user account with lower-level privileges. The intruder might steal an employee's username and password, gaining access to email, files and any web applications or subnetworks to which that account belongs. Having obtained this foothold, the attacker can move horizontally through the network, expanding their sphere of access among similarly privileged accounts.

Vertical privilege escalation (or privilege elevation): it begins similarly, with an attacker using a foothold to try to escalate vertically, gaining access to accounts with higher privilege. For example, they might target accounts with administrator privileges or root access permissions, such as those of an IT helpdesk worker or a system administrator. A privileged account can then be used to take over other accounts.


Privilege escalation commands

Operating system

Distro & Version

cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release

Kernel version

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

Environmental variables

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Anything interesting in the home directory(ies)?

ls -ahlR /root/
ls -ahlR /home/

What user information can be found?

cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

What has the user been doing? Are there any passwords in plain text? What have they been editing?

cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

Applications & Services

Services running as root

ps aux
ps -ef
top
cat /etc/services

Running services and the user they run as

ps aux | grep root
ps -ef | grep root

Installed Application & Version

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum

Are any service settings misconfigured or known to be vulnerable?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Scheduled jobs

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? DHCP server? DNS server? Gateway?

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

Other users & hosts communicating with the system?

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

What is cached? IP and/or MAC addresses

arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic.

tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.5.5.252 and dst port 21))'
Note: tcpdump 'tcp and ((dst host [ip] and dst port [port]) or (dst host [ip] and dst port [port]))'. The two destinations are joined with "or": a single packet can only have one destination, so joining them with "and" would never match anything.

What sensitive files can be found?

cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Who am I, who is logged in, and which users exist?

id
who
w
last
# List of users
cat /etc/passwd | cut -d: -f1

# List of super users (UID 0)
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
awk -F: '($3 == "0") {print}' /etc/passwd

# Who is allowed to use sudo, and for what?
cat /etc/sudoers
sudo -l
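As an added audit example (not code from the original post), the two checks below combine the super-user listing above with the scheduled-jobs section: one prints every UID 0 account from a passwd file, the other parses a system crontab and flags jobs whose script is world-writable. The sample passwd and crontab contents, the account names and the script paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helpers, not code from the original post. Both take a file path
# so they can be run against a copy or against the constructed samples below.

# Print every account whose UID is 0. On a healthy host the only line is
# "root"; any other name is an extra super user that needs explaining.
uid0_accounts() {
    grep -v -E '^#' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Parse a system crontab (/etc/crontab or /etc/cron.d/* layout, field 6 = user)
# and print "user path" for each job whose command is a world-writable regular
# file. Any local user could edit such a file and have it run as that user,
# which is the classic scheduled-job misconfiguration this section hunts for.
world_writable_cron_targets() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comment or blank line
        $1 ~ /=/             { next }                 # SHELL=, PATH=, MAILTO=
        $1 ~ /^@/            { print $2, $3; next }   # @reboot user command
                             { print $6, $7 }         # m h dom mon dow user command
    ' "$1" | while read -r user cmd; do
        # -perm -002: "other" write bit set; -prune stops find from descending
        if [ -n "$(find "$cmd" -prune -type f -perm -002 -print 2>/dev/null)" ]; then
            echo "$user $cmd"
        fi
    done
    return 0
}

# Constructed sample files (not real system data) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n' \
    > "$SAMPLE_DIR/passwd"
printf '#!/bin/sh\necho backup\n' > "$SAMPLE_DIR/backup.sh"; chmod 777 "$SAMPLE_DIR/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$SAMPLE_DIR/rotate.sh"; chmod 755 "$SAMPLE_DIR/rotate.sh"
printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n0 2 * * * root %s\n30 3 * * * root %s\n@reboot alice %s\n' \
    "$SAMPLE_DIR/backup.sh" "$SAMPLE_DIR/rotate.sh" "$SAMPLE_DIR/backup.sh" > "$SAMPLE_DIR/crontab"

echo "UID 0 accounts:";             uid0_accounts "$SAMPLE_DIR/passwd"
echo "World-writable cron targets:"; world_writable_cron_targets "$SAMPLE_DIR/crontab"
```

Pointing the same functions at /etc/passwd and /etc/crontab on a live host is the equivalent of the manual commands above, but with the output reduced to the lines that actually need attention.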

Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords:

cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
www.thecyberblogs.com